Bug 10753 - winbind sIDHistory results in duplicate groups
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.1.6
Hardware: All
OS: All
Priority: P5
Severity: normal
Assigned To: Samba QA Contact
Reported: 2014-07-29 21:12 UTC by Josh Kelley
Modified: 2015-07-31 08:32 UTC (History)
Description Josh Kelley 2014-07-29 21:12:06 UTC
winbind with users with sIDHistory can result in duplicate groups.

When determining group membership for a user, the user's SID and any SIDs from the user's SID history are all listed (within the tokenGroup attribute of the LDAP query, if I understand correctly).  Thanks to the ID_TYPE_BOTH "user private groups" feature (added in Samba 4.0.5), these all get turned into groups.  When using the rid backend, this results in groups with the same name and different gids.

For example, my jkelley account is assigned uid 14504 by the idmap_rid backend.  There's also a jkelley group with gid 14504 (which I can see by doing "getent group jkelley", "wbinfo --group-info jkelley", and "getent group 14504").  However, thanks to my sIDHistory, there's also a jkelley group with gid 11128.  "id jkelley" and "wbinfo --user-groups jkelley" show that the jkelley user is a member of group 11128, not group 14504.

Interestingly, the existence of (or at least the ability to retrieve) the 11128 group depends on what other operations have been done and cached.  For example, "wbinfo --gid-info 11128" returns nothing at first, but after "wbinfo --user-groups jkelley" has been done, "wbinfo --gid-info 11128" finds the jkelley group.

This is related to https://bugzilla.samba.org/show_bug.cgi?id=10217.

Observed in Samba 4.1.6 on Ubuntu 14.04.  I've also reproduced the symptoms using wbinfo (I haven't tested any of the NSS stuff) in Samba 4.0.5 and other 4.0.x versions.
Comment 1 Kenny K 2015-03-19 22:31:45 UTC
This issue can also cause problems with the rid idmap backend.

user1:
SID: S-XXXXXXXX1-0001
sidhistory: S-YYYYYYYY4-1111
mapped uid: 70001

user2:
SID: S-XXXXXXXX1-0002
Sidhistory: S-YYYYYYYY1-0002
mapped uid: 70002

When user1's information is retrieved (e.g. "id user1") everything looks fine, except for the odd group named "user1" (because of the sidHistory).

User2's information looks similar. However, because user2's sidhistory group maps to the same value as user1's uid, winbind forgets that it's mapped to user1.

This causes any action that looks up user1's uid to fail. Winbind essentially forgets their user mapping.

Something to look for is SIDs of "groups" that return the domain user when queried. The groups look like they should be private user groups, but in fact are "user aliases".

Samba and Winbind versions 4.1.6-ubuntu. (Package 4.1.6+dfsg-1ubuntu2.14.04.7)
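The following is an added check, not code from the bug report or from Samba: it models the idmap_rid arithmetic described in the description (unix id = range low end + RID, with base_rid assumed to be 0) over constructed SIDs, and flags both the surplus per-user group that each sIDHistory entry produces under ID_TYPE_BOTH and the case from comment 1 where such a group lands on another user's uid. The domain SIDs, RIDs and id range are constructed values, and it assumes all SIDs map into a single range.

```python
# Added check: models the idmap_rid arithmetic described in this bug over
# constructed SIDs. Not Samba code; base_rid is assumed to be 0.

def rid_of(sid):
    """Return the RID (last sub-authority) of a SID string such as S-1-5-21-...-1001."""
    return int(sid.rsplit("-", 1)[1])

def rid_map(sid, low_id, base_rid=0):
    """idmap_rid style mapping: unix id = low_id + (RID - base_rid)."""
    return low_id + (rid_of(sid) - base_rid)

def find_sidhistory_collisions(users, low_id):
    """users: {name: {"sid": str, "history": [str, ...]}}.

    With ID_TYPE_BOTH every SID in a user's token, including sIDHistory
    entries, also yields a group. Returns:
      extra_groups: {name: [gid, ...]} gids of the surplus "<name>" groups
                    produced by the history SIDs (the own-SID group shares
                    the uid and is the expected private group);
      collisions:   [(history_owner, history_sid, id, uid_owner), ...] for
                    history-derived gids equal to another user's uid,
                    the situation from comment 1.
    Assumes all SIDs map into one range, so a history SID from the old
    domain lands in the same id space as current-domain SIDs.
    """
    uid_owner = {rid_map(u["sid"], low_id): name for name, u in users.items()}
    extra_groups, collisions = {}, []
    for name, u in users.items():
        for hsid in u["history"]:
            gid = rid_map(hsid, low_id)
            extra_groups.setdefault(name, []).append(gid)
            if gid in uid_owner and uid_owner[gid] != name:
                collisions.append((name, hsid, gid, uid_owner[gid]))
    return extra_groups, collisions

# Constructed sample, modelled on comment 1: two users in the current
# domain, each carrying one sIDHistory SID from a migrated domain.
USERS = {
    "user1": {"sid": "S-1-5-21-1-2-3-1001", "history": ["S-1-5-21-7-8-9-1111"]},
    "user2": {"sid": "S-1-5-21-1-2-3-1002", "history": ["S-1-5-21-7-8-9-1001"]},
}
RANGE_LOW = 70000  # constructed low end of an "idmap config ... : range" setting

if __name__ == "__main__":
    extra, coll = find_sidhistory_collisions(USERS, RANGE_LOW)
    for name, gids in extra.items():
        print(f"group '{name}' also exists with gid(s) {gids} from sIDHistory")
    for owner, hsid, uid, victim in coll:
        print(f"{owner}'s history SID {hsid} maps to {uid}, the uid of {victim}")
```

Run against real data by replacing USERS with the SID and sIDHistory values returned by wbinfo --sid-to-name / an LDAP query for the accounts in question; any entry in the collisions list is a uid that winbind will hand to two different objects.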
Comment 2 Stefan Metzmacher 2015-03-20 12:00:05 UTC
(In reply to Kenny K from comment #1)

Are you using "winbind use default domain = yes" ?
Comment 3 Stefan Metzmacher 2015-03-20 12:00:51 UTC
(In reply to Stefan (metze) Metzmacher from comment #2)

What does wbinfo --sid-to-name return for all of the sids?
Comment 4 Stefan Metzmacher 2015-03-20 12:01:20 UTC
(In reply to Stefan (metze) Metzmacher from comment #3)

What domain controller are you using?