[Samba] SID history secondary group set bloat
rpenny at samba.org
Thu Jun 10 06:43:52 UTC 2021
On 10/06/2021 07:27, Weiser, Michael via samba wrote:
> Hi slow,
>>> root at debian:/var/cache/samba# id EXAMPLE\\secretuser
>>> uid=301142(EXAMPLE\secretuser) gid=300513(EXAMPLE\domain users) groups=300513(EXAMPLE\domain users),301142(EXAMPLE\secretuser),472199(EXAMPLE\secret),572198(EXAMPLE\secret),301141(EXAMPLE\secret),301132(EXAMPLE\cae)
>> From skimming over your mail, this looks pretty much as expected, I would say.
> Thinking about it, I can see how autorid's behaviour would make sense for the actual SID history use-case, i.e. keeping the SID history SID to gid mapping stable during a migration.
>> What did you expect? What is not working?
> My question remains if there's a way to prevent SID history SIDs from being mapped once they're no longer needed on a particular samba server, to prevent unnecessary bloating of the secondary group list, i.e. if there's a way to tell autorid (or nss) to recognize that 472199(EXAMPLE\secret), 572198(EXAMPLE\secret) and 301141(EXAMPLE\secret) are all the same group and only add gid 301141 to the UNIX token.
This shouldn't happen and has never happened for myself. Both the 'rid'
and 'autorid' backends calculate the Unix ID from the object's RID in AD.
This means that there should only be one Unix ID for each user and
group; the calculation should always produce the same number.
I feel your problems all stem from the way you were running Samba.
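As an added example (not code from the thread or from Samba), a simplified Python model of the autorid calculation that reproduces the three gids shown in the `id` output above, followed by a check that parses `id` output and flags group names resolved to more than one gid. The range, rangesize and the three domain SIDs are constructed assumptions; extended ranges (RIDs at or above rangesize) are not modelled.

```python
# Added example, not code from the thread or from Samba: a simplified model of
# how idmap_autorid turns a SID into a Unix ID, plus an audit that parses
# `id` output and reports group names mapped to more than one gid.
# Assumptions (all constructed): range = 300000-599999, rangesize = 100000,
# RIDs below rangesize only (no extended ranges), and the three domain SIDs.
import re
from collections import defaultdict

LOW_ID = 300000
RANGESIZE = 100000

# autorid hands each domain SID a persistent range number in order of first
# use; constructed here, on a real server it lives in autorid.tdb.
DOMAIN_RANGES = {
    "S-1-5-21-100-200-300": 0,   # the current domain EXAMPLE
    "S-1-5-21-400-500-600": 1,   # old domain A, present only in sIDHistory
    "S-1-5-21-700-800-900": 2,   # old domain B, present only in sIDHistory
}

def autorid_unix_id(sid: str) -> int:
    """ID = LOW_ID + range_number * RANGESIZE + RID.  A different domain SID
    or a different RID always yields a different ID, which is why every
    sIDHistory entry of one group shows up as its own gid."""
    domain, rid = sid.rsplit("-", 1)
    rid = int(rid)
    if rid >= RANGESIZE:
        raise ValueError("extended ranges are not modelled in this example")
    return LOW_ID + DOMAIN_RANGES[domain] * RANGESIZE + rid

GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")

# the `id` line quoted in the thread
ID_LINE = ("uid=301142(EXAMPLE\\secretuser) gid=300513(EXAMPLE\\domain users) "
           "groups=300513(EXAMPLE\\domain users),301142(EXAMPLE\\secretuser),"
           "472199(EXAMPLE\\secret),572198(EXAMPLE\\secret),"
           "301141(EXAMPLE\\secret),301132(EXAMPLE\\cae)")

def duplicate_groups(id_output: str) -> dict:
    """Parse the groups= part of `id` output and return {name: [gids]} for
    every name that resolves to more than one gid (SID history bloat)."""
    groups_part = id_output.split("groups=", 1)[1]
    by_name = defaultdict(set)
    for gid, name in GROUP_RE.findall(groups_part):
        by_name[name].add(int(gid))
    return {n: sorted(g) for n, g in by_name.items() if len(g) > 1}

if __name__ == "__main__":
    for sid in ("S-1-5-21-100-200-300-1141", "S-1-5-21-400-500-600-72199",
                "S-1-5-21-700-800-900-72198"):
        print(sid, "->", autorid_unix_id(sid))
    print(duplicate_groups(ID_LINE))
```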