[Samba] SID history secondary group set bloat

Weiser, Michael michael.weiser at atos.net
Thu Jun 10 06:27:44 UTC 2021


Hi slow,

> > root@debian:/var/cache/samba# id EXAMPLE\\secretuser
> > uid=301142(EXAMPLE\secretuser) gid=300513(EXAMPLE\domain users) groups=300513(EXAMPLE\domain users),301142(EXAMPLE\secretuser),472199(EXAMPLE\secret),572198(EXAMPLE\secret),301141(EXAMPLE\secret),301132(EXAMPLE\cae)

> from skimming over your mail, this looks pretty much as expected I would say.

Thinking about it, I can see how autorid's behaviour would make sense for the actual SID history use-case, i.e. keeping the SID history SID to gid mapping stable during a migration.

> What did you expect? What is not working?

My question remains if there's a way to prevent SID history SIDs from being mapped once they're no longer needed on a particular samba server, to prevent unnecessary bloating of the secondary group list, i.e. if there's a way to tell autorid (or nss) to recognize that 472199(EXAMPLE\secret), 572198(EXAMPLE\secret) and 301141(EXAMPLE\secret) are all the same group and only add gid 301141 to the UNIX token.

Thanks,
Michael
________________________________________
From: Ralph Boehme <slow at samba.org>
Sent: 09 June 2021 16:56:59
To: Weiser, Michael
Cc: Laubender, Guido; samba at lists.samba.org
Subject: Re: [Samba] SID history secondary group set bloat

On 09.06.21 at 16:42, Weiser, Michael wrote:
>> Have you tried net cache flush and restarted winbind so the
>> winbind cache gets flushed too?
>
> Yes, I've gone full rm -f on all but secrets.tdb and the IDs totally
> differ from the previous test case as well. No nscd running either.
> autorid really seems to be doing the mapping itself because it can't
> tell that the SIDs really are sIDHistory.

from skimming over your mail, this looks pretty much as expected I would say.

What did you expect? What is not working?

Cheers!
-slow

--
Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46
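
To measure the effect discussed in this thread, the following added example (not part of the original messages, and not Samba code) parses `id` output and lists group names that appear under more than one gid. It only reports the duplicates and changes nothing about how autorid or winbind map SIDs; the sample line is the `id` output quoted in the thread.

```python
import re
import sys
from collections import defaultdict

# Sample taken from the `id` output quoted in the thread above.
SAMPLE = (
    r"uid=301142(EXAMPLE\secretuser) gid=300513(EXAMPLE\domain users) "
    r"groups=300513(EXAMPLE\domain users),301142(EXAMPLE\secretuser),"
    r"472199(EXAMPLE\secret),572198(EXAMPLE\secret),"
    r"301141(EXAMPLE\secret),301132(EXAMPLE\cae)"
)

# One "gid(name)" entry; names may contain spaces and backslashes.
ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_groups(id_output):
    """Return {group name: sorted list of gids} from the groups= field."""
    _, sep, groups = id_output.partition("groups=")
    if not sep:
        raise ValueError("no groups= field in id output")
    by_name = defaultdict(set)
    for gid, name in ENTRY.findall(groups):
        by_name[name].add(int(gid))
    return {name: sorted(gids) for name, gids in by_name.items()}


def duplicated_names(id_output):
    """Group names that are reachable through more than one gid."""
    return {n: g for n, g in parse_groups(id_output).items() if len(g) > 1}


def redundant_gid_count(id_output):
    """How many secondary gids exist only because a name repeats."""
    return sum(len(g) - 1 for g in duplicated_names(id_output).values())


if __name__ == "__main__":
    # Read `id` output from a pipe, or fall back to the sample line.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, gids in sorted(duplicated_names(text).items()):
        print(f"{name}: {len(gids)} gids {gids}")
    print(f"redundant gids: {redundant_gid_count(text)}")
```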
