[Samba] SID history secondary group set bloat
Rowland penny
rpenny at samba.org
Thu Jun 10 08:32:27 UTC 2021
On 10/06/2021 09:05, Rowland penny via samba wrote:
> On 10/06/2021 08:59, Ralph Boehme wrote:
>> Am 10.06.21 um 09:55 schrieb Rowland penny via samba:
>>> Where he is getting multiple RIDs for the same group from.
>>
>> look at the Windows tokens he posted. He gets multiple UNIX ids
>> because he has multiple SIDs for the same name which is result of the
>> SID History Windows feature.
>>
>> Samba just mapps all those SIDs to UNIX ids.
>>
>> -slow
>>
>
> The more I learn about Active Directory, the less I know about it,
> looks like I need to read up on SID history 😁
>
> Rowland
>
>
>
OK Ralph, from a brief bout of reading, it seems if you move an object
from one domain to another, it gets a new SID and the old SID is stored
in an attribute called 'sIDHistory'.
I think there are a couple of ways to sort this out, make windbind
ignore the 'sIDHistory' attribute, or just remove all those attributes
from AD.
Rowland
More information about the samba
mailing list