Bug 10753 - winbind sIDHistory results in duplicate groups
Status: RESOLVED DUPLICATE of bug 12702
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.1.6
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2014-07-29 21:12 UTC by Josh Kelley
Modified: 2017-05-15 16:15 UTC
Description Josh Kelley 2014-07-29 21:12:06 UTC
winbind with users with sIDHistory can result in duplicate groups.

When determining group membership for a user, the user's SID and any SIDs from the user's SID history are all listed (within the tokenGroup attribute of the LDAP query, if I understand correctly).  Thanks to the ID_TYPE_BOTH "user private groups" feature (added in Samba 4.0.5), these all get turned into groups.  When using the rid backend, this results in groups with the same name and different gids.

For example, my jkelley account is assigned uid 14504 by the idmap_rid backend.  There's also a jkelley group with gid 14504 (which I can see by doing "getent group jkelley", "wbinfo --group-info jkelley", and "getent group 14504").  However, thanks to my sIDHistory, there's also a jkelley group with gid 11128.  "id jkelley" and "wbinfo --user-groups jkelley" show that the jkelley user is a member of group 11128, not group 14504.

Interestingly, the existence of (or at least the ability to retrieve) the 11128 group depends on what other operations have been done and cached.  For example, "wbinfo --gid-info 11128" returns nothing at first, but after "wbinfo --user-groups jkelley" has been done, "wbinfo --gid-info 11128" finds the jkelley group.

This is related to https://bugzilla.samba.org/show_bug.cgi?id=10217.

Observed in Samba 4.1.6 on Ubuntu 14.04.  I've also reproduced the symptoms using wbinfo (I haven't tested any of the NSS stuff) in Samba 4.0.5 and other 4.0.x versions.
Comment 1 Kenny K 2015-03-19 22:31:45 UTC
This issue can also cause problems with the rid idmap backend. 

sidhistory: S-YYYYYYYY4-1111
mapped uid: 70001

Sidhistory: S-YYYYYYYY1-0002
mapped uid: 70002

When user1's information is retrieved (e.g. "id user1") everything looks fine, except for the odd group named "user1" (because of the sidHistory).

User2's information looks similar. However, because user2's sidhistory group maps to the same value as user1's uid, winbind forgets that it's mapped to user1.

This causes any actions to look up user1's uid to fail. Winbind essentially forgets their user mapping.

Something to look for is SIDs of "groups" that return the domain user when queried. The groups look like they should be private user groups, but in fact are "user aliases".

Samba and Winbind versions 4.1.6-ubuntu. (Package 4.1.6+dfsg-1ubuntu2.14.04.7)
Comment 2 Stefan Metzmacher 2015-03-20 12:00:05 UTC
(In reply to Kenny K from comment #1)

Are you using "winbind use default domain = yes" ?
Comment 3 Stefan Metzmacher 2015-03-20 12:00:51 UTC
(In reply to Stefan (metze) Metzmacher from comment #2)

What does wbinfo --sid-to-name return for all of the sids?
Comment 4 Stefan Metzmacher 2015-03-20 12:01:20 UTC
(In reply to Stefan (metze) Metzmacher from comment #3)

What domain controller are you using?
Comment 5 Uri Simchoni 2017-05-15 05:22:25 UTC
That seems to be a duplicate of bug 12702 (which should be resolved with Samba 4.6.4).
Comment 6 Uri Simchoni 2017-05-15 16:14:03 UTC

*** This bug has been marked as a duplicate of bug 12702 ***
Comment 7 Uri Simchoni 2017-05-15 16:15:12 UTC
I hadn't noticed that this bug existed when opening bug 12702, but the fix went to the other bug.

The fix will be released in the next Samba 4.6.x version.