[Samba] Conflicts between RIDs from historical domain SIDs

David Maltz dmaltz at nasuni.com
Thu Sep 11 12:48:27 MDT 2014

Samba version: 4.1.9
Using the idmap_rid backend

    A Windows AD security group has a historical SID (sidHistory) whose RID matches the RID of a user in the "current domain".

    For example (note the different domain portions of the SID):
        Current SID of group G:     S-1-5-21-1405700021-3363460546-1698178416-30661
        Historical SID of group G:  S-1-5-21-2389300033-4596500334-3403203421-43872
        Current SID of user U:      S-1-5-21-1405700021-3363460546-1698178416-43872

    Since the RID portion of the historical group SID (43872) matches the RID portion of the current user SID,
    there are multiple mappings for the resultant unix ID (e.g. 543872) in the winbindd cache.

   This seems to cause the user not to have access to folders to which they should have access.

   Running a "net cache flush" cleans out the winbindd cache and temporarily resolves the issue.

   Any ideas on what might be happening here?
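
The collision described above can be checked offline with a short script. This is an added example, not part of the original post and not Samba code. It applies the documented idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID) and assumes a range of 500000-999999 with base_rid 0, inferred from the post's example ID 543872, and that both domain SIDs end up mapped through that one range.

```python
from collections import defaultdict

# Assumed idmap_rid settings (not given in the post); inferred from the
# example unix ID 543872 = 500000 + 43872.
RANGE_LOW, RANGE_HIGH, BASE_RID = 500000, 999999, 0

def split_sid(sid):
    """Split a domain account SID into (domain SID, RID)."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 4 or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])

def rid_to_unix_id(rid):
    """idmap_rid formula; returns None when the result falls outside the range."""
    unix_id = rid - BASE_RID + RANGE_LOW
    if rid < BASE_RID or not RANGE_LOW <= unix_id <= RANGE_HIGH:
        return None
    return unix_id

def find_collisions(sids_by_principal):
    """Return {unix_id: [(name, domain_sid, rid), ...]} for every unix ID that
    is reached from SIDs in more than one domain, i.e. where dropping the
    domain portion makes two different SIDs indistinguishable."""
    by_id = defaultdict(list)
    for name, sids in sids_by_principal.items():
        for sid in sids:
            domain, rid = split_sid(sid)
            unix_id = rid_to_unix_id(rid)
            if unix_id is not None:
                by_id[unix_id].append((name, domain, rid))
    return {uid: hits for uid, hits in by_id.items()
            if len({domain for _, domain, _ in hits}) > 1}

# SIDs copied from the post: current SID first, then sidHistory values.
POST_SIDS = {
    "G": ["S-1-5-21-1405700021-3363460546-1698178416-30661",
          "S-1-5-21-2389300033-4596500334-3403203421-43872"],
    "U": ["S-1-5-21-1405700021-3363460546-1698178416-43872"],
}

if __name__ == "__main__":
    for uid, hits in find_collisions(POST_SIDS).items():
        print(f"unix ID {uid} is shared by:")
        for name, domain, rid in hits:
            print(f"  {name}: {domain}-{rid}")
```

Fed with objectSid and sidHistory values exported from the directory, the same check lists every principal whose historical RID overlaps a current RID.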

