Hi slow,
> ah, now I get it. :)
Thanks for bearing with me. :)
> No, that's not supported, but it might be possible to add such a feature
> with some development effort.
Okay, I thought as much. I was already thinking of a generic SID filter config
option that could be used to tell the ID mapping layer to ignore all SIDs
starting with a particular domain SID, similar to winbind:ignore domains:
winbind:ignore domain sids = S-1-5-21-2623811102-3361044346-30300840
S-1-5-21-1623811102-3361044346-30300840
(or extending winbind:ignore domains to accept SIDs if the net outcome would be
the same anyway)
or
idmap config S-1-5-21-2623811102-3361044346-30300840 : ignore = true
idmap config S-1-5-21-1623811102-3361044346-30300840 : ignore = true
Would that make sense and be feasible? Or where would you put it?
Getting back to my problematic idmap_nss setup: How bad, workaround-wise, is my
idea to prefill winbindd_idmap.tdb with mappings for the SID history SIDs all
pointing to the same gid like so:
[root@fedora33 ~]# tdbtool /var/lib/samba/winbindd_idmap.tdb
tdb> delete S-1-5-21-1623811102-3361044346-30300840-72199\00
tdb> delete GID\20100006\00
tdb> store S-1-5-21-1623811102-3361044346-30300840-72199\00 GID\20100007\00
tdb>
[root@fedora33 ~]# net cache flush
Thanks,
--
Michael Weiser
Senior Solutions Architect
T +49 30 2007 697 22
science + computing ag
Am Studio 16
D-12489 Berlin
https://atos.net/de/deutschland/sc
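As an added illustration of the prefill workaround in the message above (this is example code, not Samba's own code and not the poster's), the script below models winbindd_idmap.tdb as a plain dict, decodes the \XX escapes tdbtool uses on its command line (\20 is a space, \00 is NUL), replays the quoted delete/store commands, and shows that the simulated UNIX token drops from two gids to one once the SID-history SID points at the same gid as the current-domain SID. The domain SIDs, the RID 72199 and the gids 100006/100007 are the ones quoted in the thread; the current-domain RID 1141, the reverse GID-to-SID records and the `GID <n>\0` value layout are assumptions made for the example.

```python
"""Added model (not Samba code) of the winbindd_idmap.tdb prefill workaround.

A dict stands in for the TDB; records are created from the same escaped text
one would type at the tdb> prompt, so the \\XX notation is decoded exactly once.
"""
from __future__ import annotations

import re

# Domain SIDs as quoted in the thread.  The current-domain RID 1141 and the
# reverse GID->SID records below are constructed for this example.
CUR_DOM = "S-1-5-21-2623811102-3361044346-30300840"
OLD_DOM = "S-1-5-21-1623811102-3361044346-30300840"

_ESC = re.compile(r"\\([0-9A-Fa-f]{2})")


def tdb_unescape(text: str) -> bytes:
    """Convert tdbtool's escaped notation ('GID\\20100007\\00') to raw bytes."""
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def tdb_escape(data: bytes) -> str:
    """Inverse of tdb_unescape: anything outside printable ASCII, plus space,
    backslash and double quote, becomes \\XX so the result is one shell word."""
    return "".join(
        chr(b) if 0x21 <= b <= 0x7E and chr(b) not in '"\\' else f"\\{b:02X}"
        for b in data
    )


def run_tdbtool(db: dict, script: str) -> None:
    """Apply 'store KEY VALUE' / 'delete KEY' lines, as typed at the tdb>
    prompt, to the dict that stands in for winbindd_idmap.tdb."""
    for line in script.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "store" and len(parts) == 3:
            db[tdb_unescape(parts[1])] = tdb_unescape(parts[2])
        elif parts[0] == "delete" and len(parts) == 2:
            db.pop(tdb_unescape(parts[1]), None)
        else:
            raise ValueError(f"unsupported tdbtool line: {line!r}")


def sid_to_gid(db: dict, sid: str) -> int | None:
    """Look up the SID->GID record; keys and values are NUL terminated and the
    value layout 'GID <n>\\0' is inferred from the escaped text in the thread."""
    val = db.get(sid.encode() + b"\0")
    if val is None or not val.startswith(b"GID "):
        return None
    return int(val[4:].rstrip(b"\0"))


def unix_gids(db: dict, token_sids: list[str]) -> list[int]:
    """Secondary-group list the token would get: one gid per distinct mapping."""
    gids = (sid_to_gid(db, s) for s in token_sids)
    return sorted({g for g in gids if g is not None})


def build_cache() -> dict:
    """Constructed starting state: the history SID has its own gid (100006),
    the current-domain SID the canonical gid (100007), plus reverse records."""
    db: dict = {}
    run_tdbtool(db, f"""
        store {OLD_DOM}-72199\\00 GID\\20100006\\00
        store GID\\20100006\\00 {OLD_DOM}-72199\\00
        store {CUR_DOM}-1141\\00 GID\\20100007\\00
        store GID\\20100007\\00 {CUR_DOM}-1141\\00
    """)
    return db


# The commands from the quoted tdbtool session, verbatim apart from the f-string.
PREFILL = f"""
delete {OLD_DOM}-72199\\00
delete GID\\20100006\\00
store {OLD_DOM}-72199\\00 GID\\20100007\\00
"""

# Constructed token: the group once via the current domain, once via SID history.
TOKEN = [f"{CUR_DOM}-1141", f"{OLD_DOM}-72199"]


def demo() -> tuple[list[int], list[int]]:
    """Return the gid list before and after replaying the prefill commands."""
    db = build_cache()
    before = unix_gids(db, TOKEN)
    run_tdbtool(db, PREFILL)
    after = unix_gids(db, TOKEN)
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before prefill:", b)
    print("after prefill: ", a)
```

On a real host the equivalent check after `net cache flush` is `wbinfo --sid-to-gid=<SID>` for each SID-history SID: every one of them should now return the canonical gid, while the reverse lookup for that gid still returns the current-domain SID.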
________________________________________
From: Ralph Boehme <slow@samba.org>
Sent: 10 June 2021 09:32:56
To: Weiser, Michael
Cc: Laubender, Guido; samba@lists.samba.org
Subject: Re: [Samba] SID history secondary group set bloat
On 10.06.21 at 08:27, Weiser, Michael wrote:
> My question remains if there's a way to prevent SID history SIDs from
> being mapped once they're no longer needed on a particular samba
> server, to prevent unnecessary bloating of the secondary group list,
> i.e. if there's a way to tell autorid (or nss) to recognize that
> 472199(EXAMPLE\secret), 572198(EXAMPLE\secret) and
> 301141(EXAMPLE\secret) are all the same group and only add gid 301141
> to the UNIX token.
ah, now I get it. :)
No, that's not supported, but it might be possible to add such a feature
with some development effort.
Cheers!
-slow
--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46