[Samba] Winbind rid + SID History creating duplicate per-user groups
Josh Kelley
joshkel at gmail.com
Mon Jul 28 07:29:20 MDT 2014

Since upgrading from Ubuntu 12.04 (Samba 3.6.3) to Ubuntu 14.04 (Samba
4.1.6), I've noticed some strange problems with our group mappings:

First, each of our Active Directory users now has a corresponding
group in Linux. I don't remember ever noticing this in Ubuntu 12.04 /
Samba 3.6.3. Is this feature new? Is it documented anywhere? (I
tried searching online and couldn't find anything relevant.)

Second, duplicate per-user groups are being created, and this is
causing us lots of problems. For example, my username jkelley is
assigned a uid of 14504 (based on its RID in AD), and so a jkelley
group with gid 14504 is also created, but the jkelley user is actually
a member of a second jkelley group with a different gid.

By poking around with wbinfo, I determined that the duplicate groups
are being created by SID history; one gid corresponds to the SID in
the sIDHistory attribute, while the other corresponds to the current
SID in the Active Directory domain. Is there a way to fix this
without simply deleting the sIDHistory attributes from Active
Directory?

Winbind config from smb.conf:

idmap backend = rid
idmap uid = 10000-30000
idmap gid = 10000-30000
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
winbind:ignore domains = OLDDOMAIN EXTERNALDOMAIN

--
Josh Kelley