[Samba] Winbind rid + SID History creating duplicate per-user groups
Rowland Penny
rowlandpenny at googlemail.com
Mon Jul 28 08:00:45 MDT 2014
On 28/07/14 14:29, Josh Kelley wrote:
> Since upgrading from Ubuntu 12.04 (Samba 3.6.3) to Ubuntu 14.04 (Samba
> 4.1.6), I've noticed some strange problems with our group mappings:
>
> First, each of our Active Directory users now has a corresponding
> group in Linux. I don't remember ever noticing this in Ubuntu 12.04 /
> Samba 3.6.3. Is this feature new? Is it documented anywhere? (I
> tried searching online and couldn't find anything relevant.)
>
> Second, duplicate per-user groups are being created, and this is
> causing us lots of problems. For example, my username jkelley is
> assigned a uid of 14504 (based on its RID in AD), and so a jkelley
> group with gid 14504 is also created, but the jkelley user is actually
> a member of a second jkelley group with a different gid.
>
> By poking around with wbinfo, I determined that the duplicate groups
> are being created by SID history; one gid corresponds to the SID in
> the sIDHistory attribute, while the other corresponds to the current
> SID in the Active Directory domain. Is there a way to fix this
> without simply deleting the sIDHistory attributes from Active
> Directory?
>
> Winbind config from smb.conf:
>
> idmap backend = rid
> idmap uid = 10000-30000
> idmap gid = 10000-30000
> winbind enum groups = yes
> winbind enum users = yes
> winbind use default domain = yes
> winbind:ignore domains = OLDDOMAIN EXTERNALDOMAIN
>
Hi, the type of winbind that you posted was deprecated before samba
3.6.3, and even if it wasn't, there aren't enough lines there. Any chance
you could post your entire (sanitized) smb.conf?
Could you also tell us how you are creating users? Something you are
doing (and probably shouldn't be) is creating user groups; these are
usually not used with AD.
Rowland
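
For readers of this thread, an added example (not from either poster) of the per-domain `idmap config` syntax that superseded the global `idmap backend` / `idmap uid` / `idmap gid` options quoted above. EXAMPLEDOM is a placeholder for the AD domain's NetBIOS name, and the default-domain range is a constructed value; neither appears in the thread.

```ini
[global]
    # Deprecated global form, as posted in the quoted message:
    #   idmap backend = rid
    #   idmap uid = 10000-30000
    #   idmap gid = 10000-30000

    # Default domain (*): used for BUILTIN and for any domain that has
    # no idmap config section of its own.
    # Constructed range, chosen only so it does not overlap the one below.
    idmap config * : backend = tdb
    idmap config * : range = 100000-199999

    # EXAMPLEDOM is a placeholder (assumption) for the AD domain name.
    # Same range as in the quoted message, so RID-derived IDs do not shift.
    idmap config EXAMPLEDOM : backend = rid
    idmap config EXAMPLEDOM : range = 10000-30000

    # Carried over unchanged from the quoted message.
    winbind enum groups = yes
    winbind enum users = yes
    winbind use default domain = yes
    winbind:ignore domains = OLDDOMAIN EXTERNALDOMAIN
```

`testparm -s` parses the edited file and prints the resulting settings.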