[Samba] SID history secondary group set bloat

Weiser, Michael michael.weiser at atos.net
Thu Jun 10 08:14:06 UTC 2021

Hi slow,

> ah, now I get it. :)

Thanks for bearing with me. :)

> No, that's not supported, but it might be possible to add such a feature
> with some development effort.

Okay, I thought as much. I was already thinking of a generic SID filter config option that could be used to tell the ID mapping layer to ignore all SIDs starting with a particular domain SID, similar to winbind:ignore domains:

winbind:ignore domain sids = S-1-5-21-2623811102-3361044346-30300840 S-1-5-21-1623811102-3361044346-30300840
(or extending winbind:ignore domains to accept SIDs if the net outcome would be the same anyway)


idmap config S-1-5-21-2623811102-3361044346-30300840 : ignore = true
idmap config S-1-5-21-1623811102-3361044346-30300840 : ignore = true

Would that make sense and be feasible? Or where would you put it?

Getting back to my problematic idmap_nss setup: How bad, workaround-wise, is my idea to prefill winbind_idmap.tdb with mappings for the SID history SIDs all pointing to the same gid like so:

[root at fedora33 ~]# tdbtool /var/lib/samba/winbindd_idmap.tdb
tdb> delete S-1-5-21-1623811102-3361044346-30300840-72199\00
tdb> delete GID\20100006\00
tdb> store S-1-5-21-1623811102-3361044346-30300840-72199\00 GID\20100007\00
[root at fedora33 ~]# net cache flush

Michael Weiser
Senior Solutions Architect
T +49 30 2007 697 22
science + computing ag
Am Studio 16
D-12489 Berlin

From: Ralph Boehme <slow at samba.org>
Sent: 10 June 2021 09:32:56
To: Weiser, Michael
Cc: Laubender, Guido; samba at lists.samba.org
Subject: Re: [Samba] SID history secondary group set bloat

On 10.06.21 at 08:27, Weiser, Michael wrote:
> My question remains if there's a way to prevent SID history SIDs from
> being mapped once they're no longer needed on a particular samba
> server, to prevent unnecessary bloating of the secondary group list,
> i.e. if there's a way to tell autorid (or nss) to recognize that
> 472199(EXAMPLE\secret), 572198(EXAMPLE\secret) and
> 301141(EXAMPLE\secret) are all the same group and only add gid 301141
> to the UNIX token.

ah, now I get it. :)

No, that's not supported, but it might be possible to add such a feature
with some development effort.


Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46
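
Added example, not code from the thread or from Samba: a Python sketch of the domain-SID filter Michael proposes, parsing both of his suggested syntaxes (hypothetical options, not real smb.conf parameters) and dropping token SIDs whose domain part matches an ignored domain. The match is on whole SID components rather than string prefix, so a domain ending in 30300840 does not swallow one ending in 303008401. The token list and every RID other than 72199 are constructed.

```python
import re

# Both spellings proposed in the thread; neither exists in smb.conf today.
CONFIG_LINES = [
    "winbind:ignore domain sids = S-1-5-21-2623811102-3361044346-30300840 "
    "S-1-5-21-1623811102-3361044346-30300840",
    "idmap config S-1-5-21-2623811102-3361044346-30300840 : ignore = true",
    "idmap config S-1-5-21-7777777777-3361044346-30300840 : ignore = false",  # constructed
]

# Constructed group-SID list as it might sit in a user's token before ID mapping.
TOKEN_SIDS = [
    "S-1-5-21-4444444444-1111111111-2222222222-1141",  # constructed live domain: keep
    "S-1-5-21-1623811102-3361044346-30300840-72199",   # SID history entry from the thread: drop
    "S-1-5-21-2623811102-3361044346-30300840-72198",   # constructed RID in other ignored domain: drop
    "S-1-5-21-2623811102-3361044346-303008401-72198",  # constructed near-miss domain: keep
]

SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,14}$")
IDMAP_RE = re.compile(
    r"^idmap config\s+(S-[-\d]+)\s*:\s*ignore\s*=\s*(true|yes|false|no)$", re.I)


def parse_ignored_domains(lines):
    """Collect domain SIDs flagged as ignored by either hypothetical option form."""
    ignored = set()
    for raw in lines:
        line = raw.strip()
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "winbind:ignore domain sids":
            for sid in value.split():
                if not SID_RE.match(sid):
                    raise ValueError(f"malformed SID in ignore list: {sid}")
                ignored.add(sid)
            continue
        m = IDMAP_RE.match(line)
        if m and m.group(2).lower() in ("true", "yes"):
            ignored.add(m.group(1))
    return ignored


def sid_domain(sid):
    """Domain part of an account SID: everything before the final RID component."""
    return sid.rsplit("-", 1)[0]


def filter_token_sids(token_sids, ignored_domains):
    """Split token SIDs into (kept, dropped); dropped ones would never reach idmap."""
    kept = [s for s in token_sids if sid_domain(s) not in ignored_domains]
    dropped = [s for s in token_sids if sid_domain(s) in ignored_domains]
    return kept, dropped
```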
