[Samba] SID history secondary group set bloat

Weiser, Michael michael.weiser at atos.net
Wed Jun 9 14:05:34 UTC 2021


Hi slow,

> > Is idmap_autorid only supported as default backend? This would nicely
> > sidestep my issue because, of course, the SID history SIDs could then
> > also be found there.

> yes. I wonder why the manpage doesn't state this explicitly. But the code
> has this in the init function:

Yeah, I find that message in log.winbindd-idmap now:

root@debian:~# grep autorid.*config.*default /var/log/samba/log.winbindd*
/var/log/samba/log.winbindd-idmap:  idmap_autorid_initialize: Error: autorid configured for domain 'example'. But autorid can only be used for the default idmap configuration.
/var/log/samba/log.winbindd-idmap:  idmap_autorid_initialize: Error: autorid configured for domain 'example'. But autorid can only be used for the default idmap configuration.
/var/log/samba/log.winbindd-idmap:  idmap_autorid_initialize: Error: autorid configured for domain 'example'. But autorid can only be used for the default idmap configuration.

But even as default backend it shows a similar issue with SID history as idmap_nss (see end of my previous mail for full details):

root@debian:/var/cache/samba# id EXAMPLE\\secretuser
uid=301142(EXAMPLE\secretuser) gid=300513(EXAMPLE\domain users) groups=300513(EXAMPLE\domain users),301142(EXAMPLE\secretuser),472199(EXAMPLE\secret),572198(EXAMPLE\secret),301141(EXAMPLE\secret),301132(EXAMPLE\cae)

Any idea why?

Thanks!
Michael

________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Ralph Boehme via samba <samba at lists.samba.org>
Sent: 09 June 2021 12:10
To: Weiser, Michael; samba at lists.samba.org
Cc: Laubender, Guido
Subject: Re: [Samba] SID history secondary group set bloat

On 09.06.21 at 11:43, Weiser, Michael wrote:
> Is idmap_autorid only supported as default backend? This would nicely
> sidestep my issue because, of course, the SID history SIDs could then
> also be found there.

yes. I wonder why the manpage doesn't state this explicitly. But the code
has this in the init function:

         if (!strequal(dom->name, "*")) {
                 DEBUG(0, ("idmap_autorid_initialize: Error: autorid configured "
                           "for domain '%s'. But autorid can only be used for "
                           "the default idmap configuration.\n", dom->name));
                 return NT_STATUS_INVALID_PARAMETER;
         }

-slow

--
Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46
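
An added example, not part of the original thread and not Samba's own code: a pre-flight check that scans smb.conf text for the condition the init function quoted above rejects, namely autorid selected for any domain other than `*`. The function name and both sample configurations are constructed for illustration.

```python
import re

# Matches "idmap config <DOMAIN> : <option> = <value>". smb.conf parameter
# names are case-insensitive and tolerate flexible whitespace.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>[^:]+?)\s*:\s*"
    r"(?P<option>[^=]+?)\s*=\s*(?P<value>.*?)\s*$",
    re.IGNORECASE,
)

def find_autorid_misuse(smb_conf_text):
    """Return the domains (other than '*') that select the autorid backend."""
    offenders = []
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comments
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        option = "".join(m.group("option").lower().split())
        if option == "backend" and m.group("value").lower() == "autorid":
            # Same test as the init function: only "*" is accepted.
            if m.group("domain") != "*":
                offenders.append(m.group("domain"))
    return offenders

# Constructed sample configurations (not taken from the thread).
BAD_CONF = """
[global]
    workgroup = EXAMPLE
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = autorid
    idmap config EXAMPLE : range = 100000-19999999
"""

GOOD_CONF = """
[global]
    workgroup = EXAMPLE
    # autorid as the default backend covers every domain
    idmap config * : backend = autorid
    idmap config * : range = 100000-19999999
"""

if __name__ == "__main__":
    for name, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        print(name, find_autorid_misuse(conf))
```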



