[Samba] 'allow trusted domains = no' and sidhistory = bad

Nick t31 at 2thebatcave.com
Fri Nov 13 17:45:13 MST 2009


We are in an environment where several AD domains are being
consolidated into one larger domain using sidhistory.  The samba
winbind configuration is using 'allow trusted domains = no' as we do
not care about what is in the other domains (as well as the problem
that many of them are unreachable from other locations meaning winbind
will choke completely if we don't disallow them).

The symptom I am having is that running "groups" as an AD user
results in several errors "id: cannot find name for group ID ...".
Upon some investigation, I found that those IDs reference sids in the
old domains (kept in the new domain with the sidhistory function).
There are several errors in the logs "Could not find domain for sid
...", which makes sense since it can't contact those old domains.

Is there any way to completely disable samba looking at the sidhistory
(at least when 'allow trusted domains = no')?  While part of the
problem could be fixed by having samba properly do the reverse id
resolution for the sids to the name on the new domain, that is
problematic for us since we are using idmap_rid which would allow some
id collisions due to the fact that there are multiple domains
involved.  There are a huge number of objects so I don't want to use
idmap_hash or divide up the id pool within idmap_rid.

Just for testing I tried using idmap_hash and it does not get rid of
the errors.  I'm assuming that setting 'allow trusted domains = yes'
would allow resolution of those groups as long as the old domains were
still available, however I cannot even test this since the majority of
the trusted domains are unreachable and cause winbind to stop
functioning altogether.

I thought about hacking through the source code to remove sids from
different domains when processing the supplementary groups and 'allow
trusted domains = no', but it would be better if there was an official
solution for this so I don't end up with some crazy unmaintainable
patch.
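As an added illustration (not part of the original post or of Samba's code): a small Python model of the idmap_rid mapping (unix id = range low + RID) showing the cross-domain id collision mentioned above, the per-domain-range alternative, and a filter that keeps only SIDs from the joined domain. The domain SIDs, RIDs and ranges are constructed sample values.

```python
# Added example: models idmap_rid-style SID -> unix id mapping and shows
# why one range shared by several domains (e.g. sidHistory entries from
# migrated domains) collides, plus the per-domain-range alternative.
import re

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

def split_sid(sid):
    """Return (domain_sid, rid) for a domain SID like S-1-5-21-a-b-c-rid."""
    if not SID_RE.match(sid):
        raise ValueError("not a domain SID: %s" % sid)
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)

def idmap_rid(sid, range_low, range_high):
    """Map a SID the way idmap_rid does: unix id = range_low + RID."""
    _, rid = split_sid(sid)
    unix_id = range_low + rid
    if unix_id > range_high:
        raise ValueError("RID %d falls outside the idmap range" % rid)
    return unix_id

def find_collisions(sids, range_low, range_high):
    """Return {unix_id: [sids]} for ids that more than one SID maps to."""
    by_id = {}
    for sid in sids:
        by_id.setdefault(idmap_rid(sid, range_low, range_high), []).append(sid)
    return {uid: s for uid, s in by_id.items() if len(s) > 1}

def idmap_rid_per_domain(sid, ranges):
    """Same mapping with a separate range per domain SID ('divide up the
    id pool'), which removes the collision at the cost of more ranges."""
    domain, _ = split_sid(sid)
    low, high = ranges[domain]
    return idmap_rid(sid, low, high)

def own_domain_only(sids, own_domain_sid):
    """Drop SIDs from other (possibly unreachable) domains, e.g. old
    sidHistory entries, keeping only the joined domain's groups."""
    return [s for s in sids if split_sid(s)[0] == own_domain_sid]

# Constructed sample: one user's group SIDs after consolidation. NEW_DOM is
# the consolidated domain, OLD_DOM a migrated domain kept via sidHistory.
NEW_DOM = "S-1-5-21-1111-2222-3333"
OLD_DOM = "S-1-5-21-4444-5555-6666"
USER_GROUPS = [NEW_DOM + "-513", NEW_DOM + "-1105",
               OLD_DOM + "-1105", OLD_DOM + "-2000"]

if __name__ == "__main__":
    print(find_collisions(USER_GROUPS, 10000, 20000))
    print(own_domain_only(USER_GROUPS, NEW_DOM))
```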
