[Samba] SID history secondary group set bloat
michael.weiser at atos.net
Thu Jun 10 06:27:44 UTC 2021
> > root at debian:/var/cache/samba# id EXAMPLE\\secretuser
> > uid=301142(EXAMPLE\secretuser) gid=300513(EXAMPLE\domain users) groups=300513(EXAMPLE\domain users),301142(EXAMPLE\secretuser),472199(EXAMPLE\secret),572198(EXAMPLE\secret),301141(EXAMPLE\secret),301132(EXAMPLE\cae)
> from skimming over your mail, this looks pretty much as expected I would say.
Thinking about it, I can see how autorid's behaviour would make sense for the actual SID history use-case, i.e. keeping the SID history SID to gid mapping stable during a migration.
> What did you expect? What is not working?
My question remains whether there's a way to prevent SID history SIDs from being mapped once they're no longer needed on a particular Samba server, to prevent unnecessary bloating of the secondary group list, i.e. whether there's a way to tell autorid (or nss) to recognize that 472199(EXAMPLE\secret), 572198(EXAMPLE\secret) and 301141(EXAMPLE\secret) are all the same group and only add gid 301141 to the UNIX token.
From: Ralph Boehme <slow at samba.org>
Sent: 09 June 2021 16:56:59
To: Weiser, Michael
Cc: Laubender, Guido; samba at lists.samba.org
Subject: Re: [Samba] SID history secondary group set bloat
Am 09.06.21 um 16:42 schrieb Weiser, Michael:
>> Have you tried net cache flush and restarted winbind so the
>> winbind cache gets flushed too?
> Yes, I've gone full rm -f on all but secrets.tdb and the IDs totally
> differ from the previous test case as well. No nscd running either.
> autorid really seems to be doing the mapping itself because it can't
> tell that the SIDs really are sIDHistory.
from skimming over your mail, this looks pretty much as expected I would say.
What did you expect? What is not working?
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
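Added illustration, not part of this thread and not Samba's own tooling: a small Python script that parses the `groups=` field of the `id(1)` line quoted above and reports group names that appear under more than one gid, which is the symptom being described (three gids for `EXAMPLE\secret`). The sample input is the `id` line from the thread; the function names are my own. The script only flags duplicated names: which of the gids belongs to the group's current objectSid and which come from sIDHistory entries cannot be read from `id` output and needs an idmap lookup (e.g. `wbinfo --gid-to-sid`).

```python
"""Report SID-history gid duplicates in id(1) output.

Added example, not from the Samba thread. It parses the groups= field that
id(1) prints and lists group names that occur under several gids, which is
what happens when each sIDHistory SID of a group gets its own gid.
"""
import re
from collections import defaultdict

# Constructed sample: the id(1) line quoted in the thread.
SAMPLE_ID_OUTPUT = (
    "uid=301142(EXAMPLE\\secretuser) gid=300513(EXAMPLE\\domain users) "
    "groups=300513(EXAMPLE\\domain users),301142(EXAMPLE\\secretuser),"
    "472199(EXAMPLE\\secret),572198(EXAMPLE\\secret),301141(EXAMPLE\\secret),"
    "301132(EXAMPLE\\cae)"
)

# One "gid(name)" entry; names may contain spaces and backslashes, never ')'.
_ENTRY_RE = re.compile(r"(\d+)\(([^)]*)\)")
# The groups= field runs to end of line, or up to an SELinux context= field.
_GROUPS_RE = re.compile(r"groups=(.*?)(?:\s+context=|$)")


def parse_groups(id_output: str) -> list[tuple[int, str]]:
    """Return (gid, name) pairs from the groups= field of an id(1) line."""
    match = _GROUPS_RE.search(id_output)
    if not match:
        return []
    return [(int(gid), name) for gid, name in _ENTRY_RE.findall(match.group(1))]


def duplicate_groups(id_output: str) -> dict[str, list[int]]:
    """Map each group name that appears under several gids to its sorted gids."""
    by_name: dict[str, list[int]] = defaultdict(list)
    for gid, name in parse_groups(id_output):
        by_name[name].append(gid)
    return {name: sorted(gids) for name, gids in by_name.items() if len(gids) > 1}


def bloat_report(id_output: str) -> dict:
    """Summarize how many gids in the token are extra copies of one group name."""
    groups = parse_groups(id_output)
    dups = duplicate_groups(id_output)
    return {
        "total_gids": len(groups),
        "distinct_names": len({name for _, name in groups}),
        "extra_gids": sum(len(gids) - 1 for gids in dups.values()),
        "duplicates": dups,
    }


if __name__ == "__main__":
    report = bloat_report(SAMPLE_ID_OUTPUT)
    print(f"{report['total_gids']} gids for {report['distinct_names']} names, "
          f"{report['extra_gids']} redundant")
    for name, gids in report["duplicates"].items():
        print(f"  {name}: {gids}")
```

Run it against the output of `id` for any domain user; a non-empty `duplicates` map means the UNIX token carries more than one gid for the same group name, and the gids listed are the ones to look up with winbind to see which is the group's current SID.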