Hi slow,
> > Is idmap_autorid only supported as default backend? This would nicely
> > sidestep my issue because, of course, the SID history SIDs could then
> > also be found there.
> yes. I wonder why the manpage doesn't state this explicitly. But the code
> has this in the init function:
Yeah, I find that message in log.winbindd-idmap now:
root@debian:~# grep autorid.*config.*default /var/log/samba/log.winbindd*
/var/log/samba/log.winbindd-idmap: idmap_autorid_initialize: Error: autorid configured for domain 'example'. But autorid can only be used for the default idmap configuration.
/var/log/samba/log.winbindd-idmap: idmap_autorid_initialize: Error: autorid configured for domain 'example'. But autorid can only be used for the default idmap configuration.
/var/log/samba/log.winbindd-idmap: idmap_autorid_initialize: Error: autorid configured for domain 'example'. But autorid can only be used for the default idmap configuration.
But even as default backend it shows a similar issue with SID history as
idmap_nss (see end of my previous mail for full details):
root@debian:/var/cache/samba# id EXAMPLE\\secretuser
uid=301142(EXAMPLE\secretuser) gid=300513(EXAMPLE\domain users) groups=300513(EXAMPLE\domain users),301142(EXAMPLE\secretuser),472199(EXAMPLE\secret),572198(EXAMPLE\secret),301141(EXAMPLE\secret),301132(EXAMPLE\cae)
Any idea why?
Thanks!
Michael
________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Ralph Boehme
via samba <samba at lists.samba.org>
Sent: 09 June 2021 12:10
To: Weiser, Michael; samba at lists.samba.org
Cc: Laubender, Guido
Subject: Re: [Samba] SID history secondary group set bloat
On 09.06.21 at 11:43, Weiser, Michael wrote:
> Is idmap_autorid only supported as default backend? This would nicely
> sidestep my issue because, of course, the SID history SIDs could then
> also be found there.
yes. I wonder why the manpage doesn't state this explicitly. But the code
has this in the init function:
    if (!strequal(dom->name, "*")) {
        DEBUG(0, ("idmap_autorid_initialize: Error: autorid configured "
                  "for domain '%s'. But autorid can only be used for "
                  "the default idmap configuration.\n",
                  dom->name));
        return NT_STATUS_INVALID_PARAMETER;
    }
-slow
--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46
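
Added example (not part of the original mails and not Samba code): a small pre-deployment check that flags smb.conf lines which would trip the init-function test quoted above, i.e. autorid configured for any idmap domain other than "*". The function name, the two sample configurations and their range values are constructed for illustration.

```python
import re

# "idmap config <DOMAIN> : backend = <name>"; smb.conf keys are case-insensitive
# and the spaces around ':' and '=' are optional.
IDMAP_BACKEND = re.compile(
    r"^idmap\s+config\s+(?P<domain>\S+?)\s*:\s*backend\s*=\s*(?P<backend>\S+)$",
    re.IGNORECASE,
)

def find_autorid_misuse(smb_conf_text):
    """Return (line_number, domain) for each autorid backend not set on '*'."""
    findings = []
    for lineno, line in enumerate(smb_conf_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":   # blank line or comment
            continue
        m = IDMAP_BACKEND.match(stripped)
        # Same condition as the quoted check: only the default domain "*" is accepted.
        if m and m.group("backend").lower() == "autorid" and m.group("domain") != "*":
            findings.append((lineno, m.group("domain")))
    return findings

# Constructed sample: autorid on a named domain, rejected at winbindd start-up.
SAMPLE_BROKEN = """\
[global]
    security = ads
    workgroup = EXAMPLE
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = autorid
    idmap config EXAMPLE : range = 300000-1999999
"""

# Constructed sample: autorid as the default idmap configuration.
SAMPLE_FIXED = """\
[global]
    security = ads
    workgroup = EXAMPLE
    # idmap config EXAMPLE : backend = autorid
    idmap config *:backend = autorid
    idmap config * : range = 300000-1999999
"""

if __name__ == "__main__":
    for name, text in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        for lineno, domain in find_autorid_misuse(text):
            print(f"{name}: line {lineno}: autorid configured for domain '{domain}'")
```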