Hi slow,
> > root at debian:/var/cache/samba# id EXAMPLE\\secretuser
> > uid=301142(EXAMPLE\secretuser) gid=300513(EXAMPLE\domain users) groups=300513(EXAMPLE\domain users),301142(EXAMPLE\secretuser),472199(EXAMPLE\secret),572198(EXAMPLE\secret),301141(EXAMPLE\secret),301132(EXAMPLE\cae)
> >
> > Any idea why?
> Have you tried net cache flush and restarted winbind so the winbind
> cache gets flushed too?
Yes, I've gone full rm -f on all but secrets.tdb and the IDs totally differ
from the previous test case as well. No nscd running either. autorid really
seems to be doing the mapping itself because it can't tell that the SIDs
really are sIDHistory.
root at debian:/var/cache/samba# systemctl stop smbd
root at debian:/var/cache/samba# systemctl stop winbind
root at debian:/var/cache/samba# find /var/lib/samba /run/samba /var/cache/samba -type f | grep -v secrets.tdb | xargs rm -f
root at debian:/var/cache/samba# find /var/lib/samba /run/samba /var/cache/samba -type f
/var/lib/samba/private/secrets.tdb
root at debian:/var/cache/samba# systemctl start winbind
root at debian:/var/cache/samba# getent group EXAMPLE\\secret
EXAMPLE\secret:x:301141:
root at debian:/var/cache/samba# getent group 472199
EXAMPLE\secret:x:472199:
root at debian:/var/cache/samba# getent group 572198
EXAMPLE\secret:x:572198:
root at debian:/var/cache/samba# getent group 301141
EXAMPLE\secret:x:301141:
autorid apparently also treats SID history as SIDs from separate, existing
domains and assigns separate gids accordingly:
root at debian:/var/cache/samba# tdbdump /var/lib/samba/autorid.tdb
[...]
{
key(40) = "S-1-5-21-1623811102-3361044346-30300840\00"
data(4) = "\02\00\00\00"
}
[...]
{
key(40) = "S-1-5-21-2623811102-3361044346-30300840\00"
data(4) = "\03\00\00\00"
}
[...]
{
key(42) = "S-1-5-21-4131831116-1822871472-1861548575\00"
data(4) = "\01\00\00\00"
}
[...]
log.smbd:
[2021/06/09 11:34:27.402131, 5, pid=1944, effective(0, 0), real(0, 0)]
../../libcli/security/security_token.c:56(security_token_debug)
Security token SIDs (22):
SID[ 0]: S-1-5-21-4131831116-1822871472-1861548575-1142
SID[ 1]: S-1-5-21-4131831116-1822871472-1861548575-513
SID[ 2]: S-1-5-21-4131831116-1822871472-1861548575-1132
SID[ 3]: S-1-5-21-4131831116-1822871472-1861548575-1141
SID[ 4]: S-1-5-21-2623811102-3361044346-30300840-72198
SID[ 5]: S-1-5-21-1623811102-3361044346-30300840-72199
SID[ 6]: S-1-18-1
SID[ 7]: S-1-1-0
SID[ 8]: S-1-5-2
SID[ 9]: S-1-5-11
SID[ 10]: S-1-5-32-545
SID[ 11]: S-1-22-1-301142
SID[ 12]: S-1-22-2-300513
SID[ 13]: S-1-22-2-301142
SID[ 14]: S-1-22-2-301132
SID[ 15]: S-1-22-2-301141
SID[ 16]: S-1-22-2-572198
SID[ 17]: S-1-22-2-472199
SID[ 18]: S-1-22-2-299999
SID[ 19]: S-1-22-2-299990
SID[ 20]: S-1-22-2-299982
SID[ 21]: S-1-22-2-200001
Privileges (0x 0):
Rights (0x 0):
[2021/06/09 11:34:27.402174, 5, pid=1944, effective(0, 0), real(0, 0)]
../../source3/auth/token_util.c:873(debug_unix_user_token)
UNIX token of user 301142
Primary group is 300513 and contains 10 supplementary groups
Group[ 0]: 301142
Group[ 1]: 300513
Group[ 2]: 301132
Group[ 3]: 301141
Group[ 4]: 572198
Group[ 5]: 472199
Group[ 6]: 299999
Group[ 7]: 299990
Group[ 8]: 299982
Group[ 9]: 200001
Thanks,
Michael
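As an added illustration (not code from this thread or from Samba), the autorid arithmetic reproduced from the tdbdump records and the token SIDs quoted above; it parses the dump, derives the unix id autorid would hand out per SID, and marks the SIDs whose domain differs from the joined one. The range start of 200000 and rangesize of 100000 are assumptions inferred from the ids seen, since the thread does not show the idmap config.

```python
import re
# Constructed from the tdbdump output in the thread: autorid's domain SID -> range index
AUTORID_DUMP = r'''{
key(40) = "S-1-5-21-1623811102-3361044346-30300840\00"
data(4) = "\02\00\00\00"
}
{
key(40) = "S-1-5-21-2623811102-3361044346-30300840\00"
data(4) = "\03\00\00\00"
}
{
key(42) = "S-1-5-21-4131831116-1822871472-1861548575\00"
data(4) = "\01\00\00\00"
}'''
JOINED_DOMAIN = "S-1-5-21-4131831116-1822871472-1861548575"  # EXAMPLE's own SID, per the token
RANGE_LOW, RANGE_SIZE = 200000, 100000  # assumed idmap range start and rangesize (inferred)
TOKEN_SIDS = [  # domain and other SIDs from the log.smbd security token in the thread
    "S-1-5-21-4131831116-1822871472-1861548575-1142", "S-1-5-21-4131831116-1822871472-1861548575-513",
    "S-1-5-21-4131831116-1822871472-1861548575-1141", "S-1-5-21-2623811102-3361044346-30300840-72198",
    "S-1-5-21-1623811102-3361044346-30300840-72199", "S-1-5-11", "S-1-22-2-301141",
]

def _unescape(s):
    # tdbdump prints unprintable bytes as \XX; printable bytes appear literally
    return bytes(int(h, 16) if h else ord(c)
                 for h, c in re.findall(r"\\([0-9A-Fa-f]{2})|(.)", s))

def parse_autorid_dump(dump):
    """Return {domain_sid: range_index}; records that are not domain SIDs are skipped."""
    ranges = {}
    for key, data in re.findall(r'key\(\d+\) = "(.*?)"\s*data\(\d+\) = "(.*?)"', dump):
        dom = _unescape(key).rstrip(b"\0").decode()
        if dom.startswith("S-1-5-21-"):
            ranges[dom] = int.from_bytes(_unescape(data), "little")
    return ranges

def autorid_id(sid, ranges, low=RANGE_LOW, size=RANGE_SIZE):
    """autorid's arithmetic: low + index * rangesize + rid. None for SIDs with no range
    (well-known, S-1-22-* unix SIDs, unknown domains) or RIDs past the first range."""
    dom, _, rid = sid.rpartition("-")
    if dom not in ranges or int(rid) >= size:
        return None
    return low + ranges[dom] * size + int(rid)

def explain_token(sids, ranges, joined=JOINED_DOMAIN):
    """(sid, unix id, from_other_domain) for every SID autorid maps; the 'other domain'
    entries are the sIDHistory SIDs that autorid handed ranges of their own."""
    return [(s, autorid_id(s, ranges), s.rpartition("-")[0] != joined)
            for s in sids if autorid_id(s, ranges) is not None]
```

The two "other domain" rows come out as 472199 and 572198, the extra gids for EXAMPLE\secret seen in the `id` output above.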
________________________________________
From: Ralph Boehme <slow at samba.org>
Sent: 09 June 2021 16:32:03
To: Weiser, Michael
Cc: Laubender, Guido; samba at lists.samba.org
Subject: Re: [Samba] SID history secondary group set bloat
On 09.06.21 at 16:05, Weiser, Michael wrote:
> Yeah, I find that message in log.winbinds-idmap now:
>
> root at debian:~# grep autorid.*config.*default /var/log/samba/log.winbindd*
> /var/log/samba/log.winbindd-idmap: idmap_autorid_initialize: Error: autorid configured for domain 'example'. But autorid can only be used for the default idmap configuration.
> /var/log/samba/log.winbindd-idmap: idmap_autorid_initialize: Error: autorid configured for domain 'example'. But autorid can only be used for the default idmap configuration.
> /var/log/samba/log.winbindd-idmap: idmap_autorid_initialize: Error: autorid configured for domain 'example'. But autorid can only be used for the default idmap configuration.
>
> But even as default backend it shows a similar issue with SID history as idmap_nss (see end of my previous mail for full details):
sorry, much too busy to fully read all that.
> root at debian:/var/cache/samba# id EXAMPLE\\secretuser
> uid=301142(EXAMPLE\secretuser) gid=300513(EXAMPLE\domain users) groups=300513(EXAMPLE\domain users),301142(EXAMPLE\secretuser),472199(EXAMPLE\secret),572198(EXAMPLE\secret),301141(EXAMPLE\secret),301132(EXAMPLE\cae)
>
> Any idea why?
caching?
Have you tried net cache flush and restarted winbind so the winbind
cache gets flushed too?
Cheers!
-slow
--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46