Hi slow,
> > root at debian:/var/cache/samba# id EXAMPLE\\secretuser
> > uid=301142(EXAMPLE\secretuser) gid=300513(EXAMPLE\domain users) groups=300513(EXAMPLE\domain users),301142(EXAMPLE\secretuser),472199(EXAMPLE\secret),572198(EXAMPLE\secret),301141(EXAMPLE\secret),301132(EXAMPLE\cae)
> from skimming over your mail, this looks pretty much as expected I would say.
Thinking about it, I can see how autorid's behaviour would make sense for
the actual SID history use-case, i.e. keeping the SID history SID to gid mapping
stable during a migration.
> What did you expect? What is not working?
My question remains whether there's a way to prevent SID history SIDs from being
mapped once they're no longer needed on a particular Samba server, to
prevent unnecessary bloating of the secondary group list, i.e. whether there's a
way to tell autorid (or nss) to recognize that 472199(EXAMPLE\secret),
572198(EXAMPLE\secret) and 301141(EXAMPLE\secret) are all the same group and
only add gid 301141 to the UNIX token.
Thanks,
Michael
________________________________________
From: Ralph Boehme <slow at samba.org>
Sent: 09 June 2021 16:56:59
To: Weiser, Michael
Cc: Laubender, Guido; samba at lists.samba.org
Subject: Re: [Samba] SID history secondary group set bloat
On 09.06.21 at 16:42, Weiser, Michael wrote:
>> Have you tried net cache flush and restarted winbind so the
>> winbind cache gets flushed too?
>
> Yes, I've gone full rm -f on all but secrets.tdb and the IDs totally
> differ from the previous test case as well. No nscd running either.
> autorid really seems to be doing the mapping itself because it can't
> tell that the SIDs really are sIDHistory.
from skimming over your mail, this looks pretty much as expected I would say.
What did you expect? What is not working?
Cheers!
-slow
--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46
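The bloat Michael describes is easy to quantify from the `id` output alone: the same group name shows up under several gids because autorid hands every SID it sees, current objectSid and sIDHistory entries alike, its own id. The script below is an added example (not from the thread, not part of Samba) that parses `id` output, reports group names that map to more than one gid, and builds the deduplicated token Michael is asking for. It uses the `id` line quoted in the thread as constructed sample input. Which of the duplicate gids is the "real" one cannot be decided from `id` alone; picking the lowest gid is an assumption made here for illustration (it happens to select 301141 in the sample), and in practice you would check each gid's SID with `wbinfo --gid-to-sid` against the group's objectSid in AD.

```python
import re
import sys
from collections import defaultdict

# Constructed sample input: the `id EXAMPLE\\secretuser` output quoted in the
# thread, re-joined onto a single line. Backslashes are escaped for Python.
SAMPLE_ID_OUTPUT = (
    "uid=301142(EXAMPLE\\secretuser) gid=300513(EXAMPLE\\domain users) "
    "groups=300513(EXAMPLE\\domain users),301142(EXAMPLE\\secretuser),"
    "472199(EXAMPLE\\secret),572198(EXAMPLE\\secret),301141(EXAMPLE\\secret),"
    "301132(EXAMPLE\\cae)"
)

# One "gid(name)" entry; names may contain spaces ("domain users"), so match
# everything up to the closing parenthesis.
ENTRY_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_groups(id_output):
    """Return [(gid, name), ...] from the groups= field of `id` output."""
    m = re.search(r"groups=(\S.*)$", id_output.strip())
    if not m:
        return []
    return [(int(gid), name) for gid, name in ENTRY_RE.findall(m.group(1))]


def gids_by_name(groups):
    """Map group name -> set of gids that winbind resolved to that name."""
    by_name = defaultdict(set)
    for gid, name in groups:
        by_name[name].add(gid)
    return by_name


def duplicate_names(groups):
    """Names that appear under more than one gid (the SID-history aliases),
    mapped to their sorted gid list."""
    return {
        name: sorted(gids)
        for name, gids in gids_by_name(groups).items()
        if len(gids) > 1
    }


def dedup_token(groups, pick=min):
    """Sorted list with exactly one gid per group name.

    `pick` chooses which gid survives for a duplicated name. Using the lowest
    gid is an assumption for this example; the authoritative choice is the gid
    mapped from the group's current objectSid, not from a sIDHistory entry.
    """
    return sorted(pick(gids) for gids in gids_by_name(groups).values())


def report(id_output):
    """Human-readable summary of the bloat in one `id` output line."""
    groups = parse_groups(id_output)
    dups = duplicate_names(groups)
    lines = [f"{len(groups)} supplementary groups in token"]
    for name, gids in sorted(dups.items()):
        lines.append(f"  {name!s}: {len(gids)} gids -> {gids}")
    lines.append(f"deduplicated token: {dedup_token(groups)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe real output in with `id 'EXAMPLE\user' | python3 this.py`,
    # or run without stdin to analyse the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ID_OUTPUT
    print(report(data))
```

On the sample the script reports three gids for `EXAMPLE\secret` and a deduplicated token of four gids instead of six; run against a live box it shows how much of a user's supplementary group list is SID-history duplication before you decide whether the mapping is worth cleaning up.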