We are in an environment where several AD domains are being consolidated into one larger domain using sidhistory. The samba winbind configuration is using 'allow trusted domains = no' as we do not care about what is in the other domains (as well as the problem that many of them are unreachable from other locations meaning winbind will choke completely if we don't disallow them).
The symptom I am having is that running "groups" as an AD user results in several errors "id: cannot find name for group ID ...". Upon some investigation, I found that those IDs reference SIDs in the old domains (kept in the new domain with the sidhistory function). There are several errors in the logs "Could not find domain for sid ...", which makes sense since it can't contact those old domains.

Is there any way to completely disable samba looking at the sidhistory (at least when 'allow trusted domains = no')?

While part of the problem could be fixed by having samba properly do the reverse id resolution for the SIDs to the name on the new domain, that is problematic for us since we are using idmap_rid, which would allow some id collisions due to the fact that there are multiple domains involved. There are a huge number of objects, so I don't want to use idmap_hash or divide up the id pool within idmap_rid. Just for testing I tried using idmap_hash and it does not get rid of the errors.

I'm assuming that setting 'allow trusted domains = yes' would allow resolution of those groups as long as the old domains were still available; however, I cannot even test this since the majority of the trusted domains are unreachable and cause winbind to stop functioning altogether.

I thought about hacking through the source code to remove SIDs from different domains when processing the supplementary groups when 'allow trusted domains = no', but it would be better if there was an official solution for this so I don't end up with some crazy unmaintainable patch.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
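To confirm that the unresolvable group IDs really are sIDHistory entries from the old domains rather than something wrong with the idmap backend, it helps to look at the raw SIDs in the user's token and compare each one's domain part with the SID of the consolidated domain. The script below is an added example written alongside this post; it is not code from Samba or from the original poster. The domain SID and the token contents are constructed sample data, and the commented-out `wbinfo` calls are how one would feed it real data on a host running winbind.

```shell
#!/bin/sh
# Classify the SIDs in an AD user's token as local (consolidated domain),
# foreign (some other domain, e.g. reached via sIDHistory) or well-known
# (S-1-1-0, BUILTIN, NT AUTHORITY, ...). Foreign SIDs are the ones winbind
# cannot resolve with 'allow trusted domains = no'.

# Constructed sample: SID of the consolidated domain (assumption, not real).
LOCAL_DOMAIN_SID="S-1-5-21-1111111111-2222222222-3333333333"

# Strip the trailing RID: S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c
sid_domain() {
    printf '%s\n' "$1" | sed 's/-[0-9][0-9]*$//'
}

# classify_sid SID -> prints local | foreign | wellknown
classify_sid() {
    case "$1" in
        S-1-5-21-*)
            if [ "$(sid_domain "$1")" = "$LOCAL_DOMAIN_SID" ]; then
                echo local
            else
                echo foreign
            fi
            ;;
        *)
            # Anything outside the S-1-5-21 namespace (Everyone, BUILTIN,
            # Authenticated Users, ...) is not a domain SID at all.
            echo wellknown
            ;;
    esac
}

# foreign_sids: read one SID per line on stdin, print only the foreign ones.
foreign_sids() {
    while read -r sid; do
        [ -z "$sid" ] && continue
        if [ "$(classify_sid "$sid")" = foreign ]; then
            printf '%s\n' "$sid"
        fi
    done
}

# Constructed sample token: what `wbinfo --user-sids=<user SID>` returns for
# a user whose account carries sIDHistory from two old domains.
SAMPLE_TOKEN='S-1-5-21-1111111111-2222222222-3333333333-1105
S-1-5-21-1111111111-2222222222-3333333333-513
S-1-1-0
S-1-5-32-545
S-1-5-21-4444444444-5555555555-6666666666-512
S-1-5-21-7777777777-8888888888-9999999999-2001'

# On a live host one would instead build the token list with something like:
#   usersid=$(wbinfo -n "DOMAIN\\user" | cut -d' ' -f1)
#   wbinfo --user-sids="$usersid" | foreign_sids
# and map each foreign SID to the GID that "id" complains about with
#   wbinfo --sid-to-gid "$sid"

printf '%s\n' "$SAMPLE_TOKEN" | foreign_sids
```

With idmap_rid, the reverse direction (`wbinfo --gid-to-sid`) is not a reliable way to find these entries, because the backend reconstructs a SID under the configured domain from the RID alone; that is the same collision the post describes, which is why the example starts from the token's SIDs rather than from the GIDs.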
