SID History id-mapping

Uri Simchoni uri at
Tue Feb 21 10:49:20 UTC 2017

On 02/21/2017 11:58 AM, Michael Adam wrote:
> Great analysis, Uri!
> I was always a little uncertain what we expect to get
> back when asking for the name of a history SID.
> I think they only return the NEW name of the mapped object
> once the old domain has been removed - right? ...
Right. Even before removing the old domain. My testing hasn't been with
cross-forest trusts but by doing move-adobject from DOMA to DOMB which
are in the same forest. Right afterwards the DOMB servers will say the
old SID is DOMB\user.

Come to think of it, I never actually tested what happens when the
domain is gone (I'm told the most complete way to do it is to demote all
DCs), nor do I have winbindd logs from customer sites which cover this
case (the old domain there was in the tdc cache, but not reachable).



More information about the samba-technical mailing list