[Samba] 'allow trusted domains = no' and sidhistory = bad

Nick t31 at 2thebatcave.com
Sat Nov 14 10:50:19 MST 2009

After a fair amount of playing around with the config file, I seem to
have found something that will work.

My original configuration was:

idmap backend = rid:MYDOMAIN=100000-2147483640
idmap uid = 100000-2147483640
idmap gid = 100000-2147483640

The new config is:

idmap backend = nss
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 100000-2147483640

After some testing I found that the foreign sids in the main domain
were actually treated like they were on a separate domain, but due to
my configuration they were getting pulled from the same pool.  By
splitting out the main domain into a separate idmap config section, I
am making sure that only the sids from the main domain will be given
numbers within that pool.  The annoying part was trying to find a way
to get the foreign sids to be completely ignored.  I found that using
tdb or tdb2 for idmap backend would not allow users to be resolved
unless I specified the idmap uid/gid parameters, and in that
configuration the foreign sids were still being assigned numbers,
which is not desirable.  I found that using the nss or adex backends
seemed to do fine in that they don't assign ids to the foreign sids,
but still allow the lookup process to complete.  At this point I
prefer not to use the ad/adex backends since our domain is not set up
consistently, and some users have gidNumber attributes where others do
not (and I want to completely ignore these gidNumber attributes in
favor of the ids generated by idmap_rid).

Now, if only I could get
https://bugzilla.samba.org/show_bug.cgi?id=6766 fixed I would be all

On Fri, Nov 13, 2009 at 4:45 PM, Nick <t31 at 2thebatcave.com> wrote:
> We are in an environment where several AD domains are being
> consolidated into one larger domain using sidhistory.  The samba
> winbind configuration is using 'allow trusted domains = no' as we do
> not care about what is in the other domains (as well as the problem
> that many of them are unreachable from other locations meaning winbind
> will choke completely if we don't disallow them).
> The symptom I am having is that when running "groups"  as an AD user
> results in several errors "id: cannot find name for group ID ...".
> Upon some investigation, I found that those IDs reference sids in the
> old domains (kept in the new domain with the sidhistory function).
> There are several errors in the logs "Could not find domain for sid
> ...", which makes sense since it can't contact those old domains.
> Is there any way to completely disable samba looking at the sidhistory
> (at least when 'allow trusted domains = no')?  While part of the
> problem could be fixed by having samba properly do the reverse id
> resolution for the sids to the name on the new domain, that is
> problematic for us since we are using idmap_rid which would allow some
> id collisions due to the fact that there are multiple domains
> involved.  There are a huge number of objects so I don't want to use
> idmap_hash or divide up the id pool within idmap_rid.
> Just for testing I tried using idmap_hash and it does not get rid of
> the errors.  I'm assuming that setting 'allow trusted domains = yes'
> would allow resolution of those groups as long as the old domains were
> still available, however I cannot even test this since the majority of
> the trusted domains are unreachable and cause winbind to stop
> functioning altogether.
> I thought about hacking through the source code to remove sids from
> different domains when processing the supplementary groups and 'allow
> trusted domains = no', but it would be better if there was an official
> solution for this so I don't end up with some crazy unmaintainable
> patch.
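To make the id-collision problem and the effect of the per-domain "idmap config" section concrete, here is a small model of the idmap_rid arithmetic. It is an added illustration, not Samba's code and not anything from the thread: it assumes idmap_rid's simple uid = range-low + RID mapping (base_rid = 0), and the two domain SIDs in it are constructed values, not real ones. It shows that two SIDs with the same RID from different domains land on the same id when everything is drawn from one shared pool, and that a configuration which only knows the main domain leaves the sidHistory SIDs unmapped instead of colliding.

```python
"""Toy model of Samba's idmap_rid SID -> id arithmetic (added example,
not Samba code).  Assumes id = low_id + rid with base_rid = 0, which is
the simplified form of idmap_rid's mapping.
"""
from typing import Dict, List, Optional, Tuple

# Constructed domain SIDs for the illustration (not real domains).
MYDOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # the consolidated domain
OLDDOM = "S-1-5-21-4444444444-5555555555-6666666666"     # an old domain kept via sidHistory


def split_sid(sid: str) -> Tuple[str, int]:
    """Return (domain SID, RID) for a SID of the form S-1-5-21-a-b-c-RID."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])


def rid_map(sid: str, low: int, high: int) -> Optional[int]:
    """idmap_rid arithmetic: id = low + RID; ids above the range top are rejected."""
    _, rid = split_sid(sid)
    uid = low + rid
    return uid if uid <= high else None


def map_shared_pool(sid: str, low: int = 100000, high: int = 2147483640) -> Optional[int]:
    """Model of the original config: SIDs from *every* domain fall into one rid pool,
    so the domain part of the SID is ignored and only the RID decides the id."""
    return rid_map(sid, low, high)


def map_per_domain(sid: str, config: Dict[str, Tuple[int, int]]) -> Optional[int]:
    """Model of the new config: only a domain with its own
    'idmap config <DOM> : backend = rid' / 'range = ...' section gets ids.
    A SID from any other domain (e.g. a sidHistory entry) is left unmapped."""
    dom, _ = split_sid(sid)
    if dom not in config:
        return None
    low, high = config[dom]
    return rid_map(sid, low, high)


# Per-domain ranges as in the new config: only MYDOMAIN is known.
PER_DOMAIN: Dict[str, Tuple[int, int]] = {MYDOMAIN: (100000, 2147483640)}


def collision_demo() -> Tuple[Optional[int], Optional[int], bool]:
    """Same RID in two domains -> same id under the shared pool (the collision
    the poster worried about)."""
    a = map_shared_pool(f"{MYDOMAIN}-1105")
    b = map_shared_pool(f"{OLDDOM}-1105")
    return a, b, a == b


def token_gids(group_sids: List[str], config: Dict[str, Tuple[int, int]]) -> List[int]:
    """Turn a user's supplementary group SIDs (including sidHistory groups) into
    gids, silently dropping SIDs whose domain has no idmap config section.
    This is the 'foreign sids completely ignored' behaviour, so 'groups' would
    not report ids it cannot resolve back to a name."""
    gids = []
    for sid in group_sids:
        gid = map_per_domain(sid, config)
        if gid is not None:
            gids.append(gid)
    return gids


if __name__ == "__main__":
    print("shared pool collision:", collision_demo())
    groups = [f"{MYDOMAIN}-513", f"{OLDDOM}-513", f"{MYDOMAIN}-1105"]
    print("per-domain gids:", token_gids(groups, PER_DOMAIN))
```

Running it prints a collision for the shared pool (both RID 1105 SIDs become 101105) and, for the per-domain config, only the two MYDOMAIN groups as gids. A real deployment needs more than this model: the range must be wide enough for the highest RID in the domain, and any SID that is dropped this way is also dropped from access decisions on the Samba server, which is fine only when, as here, the old domains' groups are genuinely not wanted.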
