[Samba] SID history secondary group set bloat

Andrew Walker walker.aj325 at gmail.com
Thu Jun 10 12:00:22 UTC 2021


On Thu, Jun 10, 2021 at 4:33 AM Rowland penny via samba <
samba at lists.samba.org> wrote:

>
> OK Ralph, from a brief bout of reading, it seems if you move an object
> from one domain to another, it gets a new SID and the old SID is stored
> in an attribute called 'sIDHistory'.
>
> I think there are a couple of ways to sort this out: make winbind
> ignore the 'sIDHistory' attribute, or just remove all those attributes
> from AD.
>

Chesterton's Fence situation. :) Caution does need to be exercised with how
you map SIDs from SID history. The times I've seen this be an issue were
Windows domains migrating from Windows NT4 to Windows AD. You don't want to
necessarily have to redo ACLs on everything, but during migration users
received new SIDs and SID history was populated. (I didn't perform the
migration, just observed the results.) If you generate a unix token with the
IDs from the SID history and have things configured correctly, then users can
continue to access data (this is conjecture and I haven't had coffee yet). If
this presumption is correct and you change Samba to ignore SID history, then
you potentially break some users.

In older Samba (I think pre-4.7) SID history was handled incorrectly in a
way that could result in ID collisions between SIDs in the SID history and
domain SIDs when using idmap_rid, but my memory is fuzzy on this matter.
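The collision the post describes can be shown with a small model of idmap_rid-style arithmetic. This is an added illustration, not Samba code and not part of the thread: the domain SIDs, users, RIDs and ranges are all constructed, and whether any particular Samba version actually routes sIDHistory SIDs through the mapping this way is the open question above. The point it demonstrates is purely arithmetic: an RID-based backend computes `xid = range_low + RID`, so a SID from the old domain kept in sIDHistory and a SID from the current domain that happen to share an RID land on the same unix ID whenever both domains are mapped through the same range, and one user's old-domain identity becomes another user's current identity. Giving the migrated-from domain its own disjoint range removes the overlap.

```python
"""Added illustration (not Samba's code): how mapping sIDHistory SIDs through
the same RID-based range as the current domain produces unix ID collisions,
and how a per-domain range avoids them. All SIDs, users and ranges below are
constructed for the example."""

# Constructed domain SIDs: the current AD domain and the migrated-from domain.
NEW_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
OLD_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"

# Constructed directory objects: alice was migrated (new objectSid, old SID
# kept in sIDHistory); bob was created after the migration and, by chance,
# received the same RID (1105) in the new domain that alice had in the old one.
USERS = {
    "alice": {"objectSid": f"{NEW_DOMAIN}-1500",
              "sIDHistory": [f"{OLD_DOMAIN}-1105"]},
    "bob":   {"objectSid": f"{NEW_DOMAIN}-1105",
              "sIDHistory": []},
}


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID as int)."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def rid_map(sid, ranges):
    """Map a SID to a unix ID the way an RID-based backend does:
    xid = range_low + RID.  `ranges` maps a domain SID (or "*" as the
    catch-all default) to an inclusive (low, high) range.  Returns None
    when the SID has no range or falls outside it, i.e. it is dropped
    from the token rather than mapped."""
    domain, rid = split_sid(sid)
    if domain in ranges:
        low, high = ranges[domain]
    elif "*" in ranges:
        low, high = ranges["*"]
    else:
        return None
    xid = low + rid
    return xid if xid <= high else None


def unix_token(user, ranges, use_sid_history=True):
    """Unix IDs a user's token would carry: the current SID plus, optionally,
    every SID in sIDHistory (the behaviour the thread is debating)."""
    sids = [user["objectSid"]]
    if use_sid_history:
        sids += user["sIDHistory"]
    return sorted({x for x in (rid_map(s, ranges) for s in sids) if x is not None})


def find_collisions(users, ranges, use_sid_history=True):
    """Unix IDs that end up in more than one user's token, with the owners."""
    owners = {}
    for name, user in users.items():
        for xid in unix_token(user, ranges, use_sid_history):
            owners.setdefault(xid, []).append(name)
    return {xid: sorted(names) for xid, names in owners.items() if len(names) > 1}


# Config A (constructed): a single catch-all range, so old-domain and
# new-domain RIDs share one base and equal RIDs collide.
SHARED_RANGE = {"*": (10000, 99999)}

# Config B (constructed): the old domain gets its own disjoint range.
SPLIT_RANGES = {NEW_DOMAIN: (10000, 99999), OLD_DOMAIN: (100000, 199999)}

if __name__ == "__main__":
    print("shared range:", find_collisions(USERS, SHARED_RANGE))
    print("split ranges:", find_collisions(USERS, SPLIT_RANGES))
```

Under the shared range alice's sIDHistory entry and bob's objectSid both map to 11105, so any ACL that still references alice's pre-migration SID is satisfied by bob's token. With the split ranges the history entry maps to 101105 and bob stays at 11105. Ignoring sIDHistory altogether (the `use_sid_history=False` path) also removes the collision, but, as the post notes, it leaves migrated users without the IDs their old ACLs expect.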

