[Samba] idmap rid finds deleted groups for some users

Jon Gerdes gerdesj at blueloop.net
Fri Jun 16 11:51:17 UTC 2017


All

I am using the following config on a PC with Samba 4.6.5 (Arch), joined
to a 2012 R2 domain/forest.

idmap config * : backend = tdb
idmap config * : range   = 1000000-1999999
idmap config MYDOM : backend = rid
idmap config MYDOM : range   = 10000 - 19999

# id <username>

returns a list of groups fine for most users but for some, it includes
deleted groups and misses groups that have been recently added.

If I create a new user and a few groups, I can add and remove
memberships fine and by flushing the cache as required, id works fine. 
For one particular user at least there are several extra entries
returned by id.  Deleted groups show a gid but no name.  A recently
added group does not appear in the list.

These all work correctly:
# net ads user info <user> -U <me> -S dc2
# net rpc user info <user> -U <me> -S dc2

I have rebooted all DCs (Winupdates 8), restarted my PC, flushed
caches, deleted tdb files, run LDP and ADSI edit to see if there are
any funny attributes on the user object, cleared all deleted objects in
AD via PowerShell.

Running with "log level = 0 winbind:10 idmap:10" shows the "ghost" SIDs
failing to be looked up but doesn't seem to show me how the SIDs were
found in the first place to cause a lookup.

I've run:

C:\> wmic group get domain,name,sid (gets you a list of all groups in
the domain and their SIDs)

and looked for the offending RIDs but they are not there.

I'm not sure what I can try next.  If anyone could tell me how idmap
rid finds a list of SIDs for groups belonging to a user that might send
me down the right path.

I've just checked a pair of 4.5.x Sambas and they work OK.  I've read
all the bugs that I could find in Bugzilla but none look appropriate.

Cheers
Jon
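As an added example (not the poster's or Samba's code) of the idmap_rid arithmetic the post asks about: the rid backend maps a SID of the configured domain to unix id = range low + RID, rejecting anything that lands outside the range, so a nameless gid printed by `id` can be turned back into a RID and looked up in the group list that `wmic group get domain,name,sid` produces. The domain SID, the `id` output and the known-group list below are constructed; the range is the one from the post.

```python
import re

# Constructed domain SID; the range is the poster's "idmap config MYDOM : range".
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
RANGE = "10000 - 19999"

def parse_range(value):
    """'10000 - 19999' -> (10000, 19999); idmap ranges are inclusive."""
    low, high = (int(x) for x in value.split("-"))
    if low > high:
        raise ValueError(f"bad idmap range {value!r}")
    return low, high

def sid_to_unix_id(sid, domain_sid, low, high):
    """idmap_rid forward mapping: low + RID, only for the configured domain
    and only if the result stays inside the range; otherwise None."""
    prefix = domain_sid + "-"
    if not sid.startswith(prefix):
        return None                      # foreign domain: rid cannot map it
    unix_id = low + int(sid[len(prefix):])
    return unix_id if unix_id <= high else None

def unix_id_to_rid(unix_id, low, high):
    """Reverse mapping: a gid from `id` back to the RID it was derived from."""
    return unix_id - low if low <= unix_id <= high else None

def parse_id_groups(id_output):
    """(gid, name) pairs from the groups= part of `id` output; a missing
    name is what the post calls a 'ghost' group."""
    groups = id_output.split("groups=", 1)[1]
    return [(int(m.group(1)), m.group(2))
            for m in re.finditer(r"(\d+)(?:\(([^)]*)\))?", groups)]

def find_ghost_rids(id_output, known_rids, low, high):
    """gids from `id` whose RID is absent from the domain group list
    (e.g. the wmic output): these are the SIDs worth hunting for."""
    ghosts = []
    for gid, name in parse_id_groups(id_output):
        rid = unix_id_to_rid(gid, low, high)
        if rid is not None and rid not in known_rids:
            ghosts.append((gid, rid, name))
    return ghosts

# Constructed sample: `id` output with one nameless gid, plus a wmic-style list.
SAMPLE_ID = ("uid=10500(jdoe) gid=10513(domain users) "
             "groups=10513(domain users),11100(devs),11234")
KNOWN_GROUPS = {513: "Domain Users", 1100: "devs"}   # RID -> name
```

Running `find_ghost_rids(SAMPLE_ID, KNOWN_GROUPS, *parse_range(RANGE))` reports gid 11234 as RID 1234, the value to search for in the wmic listing or in the winbind debug log.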
