idmap fails to lookup group SID in AD
The customer has a complex AD environment, and in this environment there are a few AD groups that idmap fails to resolve to a group ID (GID). It should be able to either find a Unix GID from AD via IDMU (where that exists) or allocate an ephemeral ID (where no Unix GID attribute is present). For most groups that all works fine, but for a few groups idmap fails to map a GID by either method, and that should not happen.
Updated by Gordon Ross about 1 year ago
The "problem" SIDs appear to be "SID History" SIDs. The LDAP search that the AD lookup performs only searches the 'objectSid' attribute, not the 'sIDHistory' attribute. The fix modifies the LDAP filter used in lookup to search both objectSid and sIDHistory.
The reason these lookups fail, rather than resolve to ephemeral IDs, is because 'use_lsa' is set to true. The lsa_lookupsids2 function performs a global search for the specified SID, including in sIDHistory, and so it's able to map the SID to a winname; a check later in the call stack only maps unresolved SIDs to ephemeral IDs if the SID could not be mapped to a winname.
This fix can be tested by creating an AD object with non-NULL sIDHistory attribute (I recommend looking into DSInternals' Add-ADDBSidHistory function: https://github.com/MichaelGrafnetter/DSInternals/releases, which is what I used to reproduce this), then running
idmap show -c -V sid:<SID in sidhistory>
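
The fix described above widens the lookup filter to cover both attributes. The following is an added example, not the illumos idmap code (whose filter text is not shown on this page): it builds an OR filter over objectSid and sIDHistory from a string SID, parsing strictly so that nothing but an encoded SID reaches the filter. The names sid_to_binary and sid_filter are hypothetical, and the use of the binary, backslash-escaped SID form is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SID_MAX_BIN (8 + 4 * 15)   /* 8-byte header + at most 15 sub-authorities */

/* Encode "S-1-5-..." as the binary SID that AD stores; returns length or -1. */
int sid_to_binary(const char *s, unsigned char *out)
{
    unsigned long long v;
    char *end;
    int k, i;                            /* k: index of the field being parsed */
    if (strncmp(s, "S-", 2) != 0)
        return -1;
    for (k = 0, s++; *s == '-'; k++, s = end) {
        if (!isdigit((unsigned char)*++s) || k == 17)
            return -1;                   /* digits only; 2 + 15 fields at most */
        v = strtoull(s, &end, 10);       /* overflow gives ULLONG_MAX, rejected below */
        if (k == 0 && v <= 255) {
            out[0] = (unsigned char)v;   /* revision */
        } else if (k == 1 && v < (1ULL << 48)) {
            for (i = 0; i < 6; i++)      /* authority: 48-bit big-endian */
                out[2 + i] = (unsigned char)(v >> (8 * (5 - i)));
        } else if (k >= 2 && v <= 0xFFFFFFFFULL) {
            for (i = 0; i < 4; i++)      /* sub-authority: 32-bit little-endian */
                out[8 + 4 * (k - 2) + i] = (unsigned char)(v >> (8 * i));
        } else {
            return -1;
        }
    }
    if (*s != '\0' || k < 3)
        return -1;                       /* trailing text, or no sub-authority */
    out[1] = (unsigned char)(k - 2);     /* sub-authority count */
    return 8 + 4 * (k - 2);
}

/* Build (|(objectSid=X)(sIDHistory=X)); X is every SID byte escaped as \hh. */
int sid_filter(const char *sid, char *buf, size_t buflen)
{
    unsigned char bin[SID_MAX_BIN];
    char esc[3 * SID_MAX_BIN + 1];
    int i, w, len = sid_to_binary(sid, bin);
    if (len < 0)
        return -1;                       /* never splice unparsed text into a filter */
    for (i = 0; i < len; i++)
        snprintf(esc + 3 * i, 4, "\\%02x", bin[i]);
    w = snprintf(buf, buflen, "(|(objectSid=%s)(sIDHistory=%s))", esc, esc);
    return (w < 0 || (size_t)w >= buflen) ? -1 : w;
}
```

Because sIDHistory is multi-valued, the equality term matches an object if any one of its history values equals the SID.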
Updated by Electric Monk about 1 year ago
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
commit a01d29c934f6c146f2cc5bacb5d1d388c27a1257
Author: Matt Barden <firstname.lastname@example.org>
Date: 2019-06-01T16:44:37.000Z
10995 idmap fails to lookup group SID in AD
Reviewed by: Gordon Ross <email@example.com>
Approved by: Richard Lowe <firstname.lastname@example.org>