[Samba] Conflicts between RIDs from historical domain SIDs

Rowland Penny rowlandpenny at googlemail.com
Thu Sep 11 13:04:38 MDT 2014


On 11/09/14 19:48, David Maltz wrote:
> Samba version: 4.1.9
> Using the idmap_rid backend
>
>
> Case:
>      A Windows AD security group has a historical SID (sidHistory) whose RID matches the RID of a user in the "current domain"
>
>      For example: (Note the different domain portions of the SID)
>           Current SID of group G:     S-1-5-21-1405700021-3363460546-1698178416-30661
>           Historical SID of group G:  S-1-5-21-2389300033-4596500334-3403203421-43872
>
>
>      Current SID of user U:   S-1-5-21-1405700021-3363460546-1698178416-43872
>
>
>      Since the RID portion of the historical group SID (43872) matches the RID portion of the current user SID,
>      there are multiple mappings for the resultant unix ID (e.g. 543872) in the winbindd cache.
>
>     This seems to cause the user not to have access to folders to which they should have access.
>
>     Running a "net cache flush" cleans out the winbindd cache and temporarily resolves the issue.
>
>     Any ideas on what might be happening here?
>
>
> Thanks

Not a clue, though providing a bit more info like how did you upgrade,
how are you running samba, showing us your smb.conf etc ;-)

Rowland
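
Added example (not part of either post, and not Samba code): idmap_rid's documented arithmetic, ID = RID - BASE_RID + LOW_RANGE_ID, uses only the RID, so the historical group SID and the current user SID quoted above land on the same unix ID. The sketch below audits a directory export for that condition; the range low of 500000 is an assumption inferred from the post's "543872", and the object list is constructed from the SIDs in the post.

```python
from collections import defaultdict

LOW_RANGE_ID = 500000  # assumed: range low inferred from the post's "e.g. 543872"
BASE_RID = 0           # idmap_rid default

def split_sid(sid):
    """Return (domain SID, RID) for a domain-relative SID string."""
    domain, _, rid = sid.rpartition("-")
    if not domain.startswith("S-1-5-21-") or not rid.isdigit():
        raise ValueError(f"not a domain-relative SID: {sid!r}")
    return domain, int(rid)

def rid_to_unix_id(rid):
    """idmap_rid arithmetic: ID = RID - BASE_RID + LOW_RANGE_ID (domain part unused)."""
    return rid - BASE_RID + LOW_RANGE_ID

def find_collisions(objects):
    """Return {unix ID: [(name, attribute, SID), ...]} for every unix ID that
    more than one distinct SID (objectSid or sidHistory) maps onto."""
    by_id = defaultdict(list)
    for obj in objects:
        sids = [("objectSid", obj["objectSid"])]
        sids += [("sidHistory", s) for s in obj.get("sidHistory", [])]
        for attr, sid in sids:
            _, rid = split_sid(sid)  # also validates the SID shape
            by_id[rid_to_unix_id(rid)].append((obj["name"], attr, sid))
    return {uid: hits for uid, hits in by_id.items()
            if len({sid for _, _, sid in hits}) > 1}

# Constructed directory export using the SIDs quoted in the post.
OBJECTS = [
    {"name": "G",
     "objectSid": "S-1-5-21-1405700021-3363460546-1698178416-30661",
     "sidHistory": ["S-1-5-21-2389300033-4596500334-3403203421-43872"]},
    {"name": "U",
     "objectSid": "S-1-5-21-1405700021-3363460546-1698178416-43872"},
]

if __name__ == "__main__":
    for uid, hits in sorted(find_collisions(OBJECTS).items()):
        print(f"unix ID {uid} is claimed by:")
        for name, attr, sid in hits:
            print(f"  {name:<4} {attr:<10} {sid}")
```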

