[Samba] Winbind rid + SID History creating duplicate per-user groups

Josh Kelley joshkel at gmail.com
Mon Jul 28 07:29:20 MDT 2014

Since upgrading from Ubuntu 12.04 (Samba 3.6.3) to Ubuntu 14.04 (Samba
4.1.6), I've noticed some strange problems with our group mappings:

First, each of our Active Directory users now has a corresponding
group in Linux. I don't remember ever noticing this in Ubuntu 12.04 /
Samba 3.6.3.  Is this feature new?  Is it documented anywhere?  (I
tried searching online and couldn't find anything relevant.)

Second, duplicate per-user groups are being created, and this is
causing us lots of problems.  For example, my username jkelley is
assigned a uid of 14504 (based on its RID in AD), and so a jkelley
group with gid 14504 is also created, but the jkelley user is actually
a member of a second jkelley group with a different gid.

By poking around with wbinfo, I determined that the duplicate groups
are being created by SID history; one gid corresponds to the SID in
the sIDHistory attribute, while the other corresponds to the current
SID in the Active Directory domain.  Is there a way to fix this
without simply deleting the sIDHistory attributes from Active

Winbind config from smb.conf:

idmap backend = rid
idmap uid = 10000-30000
idmap gid = 10000-30000
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
winbind:ignore domains = OLDDOMAIN EXTERNALDOMAIN

Josh Kelley

More information about the samba mailing list