[Samba] Conflicts between RIDs from historical domain SIDs
Christof Schmitt
cs at samba.org
Mon Sep 15 17:06:52 MDT 2014
On Thu, Sep 11, 2014 at 02:48:27PM -0400, David Maltz wrote:
> Samba version: 4.1.9
> Using the idmap_rid backend
>
>
> Case:
> A Windows AD security group has a historical SID (sidHistory) whose RID matches the RID of a user in the "current domain"
>
> For example: (Note the different domain portions of the SID)
> Current SID of group G: S-1-5-21-1405700021-3363460546-1698178416-30661
> Historical SID of group G: S-1-5-21-2389300033-4596500334-3403203421-43872
>
>
> Current SID of user U: S-1-5-21-1405700021-3363460546-1698178416-43872
>
>
> Since the RID portion of the historical group SID (43872) matches the RID portion of the current user SID,
> there are multiple mappings for the resultant unix ID (e.g. 543872) in the winbindd cache.
>
> This seems to cause the user not to have access to folders to which they should have access.
>
> Running a "net cache flush" cleans out the winbindd cache and temporarily resolves the issue.
>
> Any ideas on what might be happening here?
There is a codepath that combines the domain sid from a current domain
with the rid of a previous domain. I posted a patch to avoid at least
this particular case:
https://lists.samba.org/archive/samba-technical/2014-September/102456.html
Christof
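
The collision described in this thread, as an added example that is not part of the original posts or of Samba's code: it applies the documented idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID) only to SIDs whose domain part matches the configured domain, and lists sidHistory entries whose RID equals that of a current-domain object. The range 500000-999999 is an assumption (the low end inferred from the "543872" in the report), and the function names are hypothetical.

```python
from collections import defaultdict

def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain_sid, rid)."""
    domain, _, rid = sid.rpartition("-")
    if not domain.startswith("S-1-") or not rid.isdigit():
        raise ValueError(f"not a domain SID: {sid!r}")
    return domain, int(rid)

def rid_to_unix_id(sid, domain_sid, range_low, range_high, base_rid=0):
    """idmap_rid formula, ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None for a SID from another domain or an out-of-range ID,
    so a historical SID never borrows the current domain's mapping."""
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        return None
    unix_id = rid - base_rid + range_low
    return unix_id if range_low <= unix_id <= range_high else None

def find_rid_collisions(entries, domain_sid):
    """entries: (name, sid, is_sid_history) tuples.
    Returns (rid, historical_owner, [current_owners]) for every
    sidHistory SID from another domain whose RID is also in use
    by an object of the current domain."""
    current = defaultdict(list)
    for name, sid, historical in entries:
        dom, rid = split_sid(sid)
        if not historical and dom == domain_sid:
            current[rid].append(name)
    hits = []
    for name, sid, historical in entries:
        dom, rid = split_sid(sid)
        if historical and dom != domain_sid and rid in current:
            hits.append((rid, name, current[rid]))
    return hits

# SIDs taken from the report above; range values are assumptions.
DOMAIN = "S-1-5-21-1405700021-3363460546-1698178416"
ENTRIES = [
    ("G", DOMAIN + "-30661", False),
    ("G", "S-1-5-21-2389300033-4596500334-3403203421-43872", True),
    ("U", DOMAIN + "-43872", False),
]

if __name__ == "__main__":
    for rid, hist, cur in find_rid_collisions(ENTRIES, DOMAIN):
        print(f"RID {rid}: sidHistory of {hist} collides with {cur}")
```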