Group "Domain Users"

Michael Steffens michael_steffens at
Mon Nov 11 12:41:01 GMT 2002


Recently David Shapiro complained about getent group not working
in large domain groups, in particular "Domain Users":

I was facing the same problem, which I found annoying because it
always blocks winbindd without producing anything, while applications
like "ls" just wanted to determine group names. Which occurs frequently,
because "Domain Users" has been selected as default primary group.

And it will hardly ever succeed, as large domains quickly exceed
buffer sizes provided by applications or libc for getgrgid()
or getgrgid_r().

Resolved the problem in my local version by modifying winbindd_group.c
such that domain groups "Domain Users" will never get members filled
in the result. This is somewhat analogous to the habit not to
list primary group members in /etc/group in order not to exceed
maximum group sizes on systems with many local users.

Not ideal, not elegant, but it happens to produce the desired result :)

In the attached patches I also disabled enumeration of domain
users and groups in winbindd_list_users() and winbindd_list_groups()
depending on parameters "winbind enum users" and "winbind enum groups".

It's done the same way as in winbindd_setpwent() and winbindd_setgrent().

Reason: processing these requests takes extremely long in our environment
(hours to days), while winbindd will block other requests. And it won't
stop when a user of, for example, "wbinfo -u" aborts his request by
killing wbinfo. You would need to kill winbindd and restart it for
domain users to be able to log on again.


-------------- next part --------------
Index: source/nsswitch/winbindd_group.c
RCS file: /cvsroot/samba/source/nsswitch/winbindd_group.c,v
retrieving revision
diff -u -r1.3.4.25 winbindd_group.c
--- source/nsswitch/winbindd_group.c	14 Oct 2002 03:00:14 -0000
+++ source/nsswitch/winbindd_group.c	11 Nov 2002 11:40:25 -0000
@@ -77,6 +77,17 @@
                 goto done;
+	/* Always skip members of "Domain Users" */
+	if (group_rid == DOMAIN_GROUP_RID_USERS) {
+		DEBUG(10, ("skip enumerating members of %s\\Domain Users\n", 
+			  domain->name));
+		*gr_mem_len = 0;
+		*gr_mem = NULL;
+		result = True;
+		goto done;
+	}
 	/* Lookup group members */
 	status = domain->methods->lookup_groupmem(domain, mem_ctx, group_rid, &num_names, 
 						  &rid_mem, &names, &name_types);
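Review bot: The early exit on `group_rid == DOMAIN_GROUP_RID_USERS` is unconditional and reports success (`result = True`) with `*gr_mem = NULL`, so a caller cannot tell a skipped lookup from a group that really has no members. Anything that makes a decision from the member list returned through getgrgid() or getgrnam() will silently see "Domain Users" as empty. Suggest putting the skip behind an smb.conf parameter that defaults to the existing behaviour, and logging it at a more visible level than `DEBUG(10, ...)` so an administrator can tell it happened.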
@@ -690,6 +701,11 @@
 	int extra_data_len = 0, i;
 	DEBUG(3, ("[%5d]: list groups\n", state->pid));
+	/* Check user has enabled this */
+	if (!lp_winbind_enum_groups())
 	/* Enumerate over trusted domains */
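Review bot: At `if (!lp_winbind_enum_groups())` the parameter takes on a second meaning: the message says it already gates winbindd_setgrent(), and here it also switches off the list-groups request used by wbinfo. That needs a matching update to the parameter's documentation, and the disabled branch should return an explicit error rather than an empty success, so the client can report that enumeration is turned off instead of showing a domain with no groups. The comment "Check user has enabled this" would also read better as "administrator".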
-------------- next part --------------
Index: source/nsswitch/winbindd_user.c
RCS file: /cvsroot/samba/source/nsswitch/winbindd_user.c,v
retrieving revision
diff -u -r1.3.4.17 winbindd_user.c
--- source/nsswitch/winbindd_user.c	14 Oct 2002 03:00:14 -0000
+++ source/nsswitch/winbindd_user.c	11 Nov 2002 11:41:11 -0000
@@ -556,6 +556,11 @@
 	DEBUG(3, ("[%5d]: list users\n", state->pid));
+	/* Check user has enabled this */
+	if (!lp_winbind_enum_users())
 	if (!(mem_ctx = talloc_init_named("winbindd_list_users")))
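Review bot: The `if (!lp_winbind_enum_users())` guard only helps sites that turn enumeration off. With "winbind enum users" enabled, a list-users request still runs to completion and blocks other requests after the client has gone away, which is the failure the message describes, so the availability problem is unchanged for those sites. Please say so in the change description, and consider a follow-up that checks during enumeration whether the requesting client is still connected. Placing the guard before `talloc_init_named(...)` is right, since the early return then has nothing to free.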
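The buffer-size failure the message describes (getgrgid_r() running out of room on a very large group), seen from the calling application: an added example, not part of the original post or of Samba. `lookup_group_bounded` and its status codes are hypothetical names; the 256-byte starting size is an arbitrary choice.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

enum grp_status { GRP_OK, GRP_NOT_FOUND, GRP_TOO_LARGE, GRP_ERROR };

/* Hypothetical helper: resolve gid with getgrgid_r(), doubling the scratch
 * buffer on ERANGE but never past max_buf bytes. On GRP_OK the caller must
 * free(*buf_out); grp_out points into that buffer. */
enum grp_status lookup_group_bounded(gid_t gid, size_t max_buf,
        struct group *grp_out, char **buf_out, size_t *members_out)
{
    size_t len = max_buf < 256 ? max_buf : 256;
    char *buf = NULL;
    *buf_out = NULL; *members_out = 0;
    if (len == 0) return GRP_TOO_LARGE;
    for (;;) {
        struct group *res = NULL;
        char *tmp = realloc(buf, len);
        if (tmp == NULL) { free(buf); return GRP_ERROR; }
        buf = tmp;
        int rc = getgrgid_r(gid, grp_out, buf, len, &res);
        if (rc == 0 && res != NULL) {
            for (char **m = res->gr_mem; m != NULL && *m != NULL; m++)
                (*members_out)++;            /* count the member list */
            *buf_out = buf;
            return GRP_OK;
        }
        if (rc == ERANGE && len < max_buf) { /* entry did not fit: grow */
            len = len > max_buf / 2 ? max_buf : len * 2;
            continue;
        }
        free(buf);
        if (rc == ERANGE) return GRP_TOO_LARGE; /* cap reached, fail cleanly */
        return (rc == 0 || rc == ENOENT || rc == ESRCH) ? GRP_NOT_FOUND : GRP_ERROR;
    }
}

int main(void)
{
    struct group g; char *buf; size_t n;
    enum grp_status s = lookup_group_bounded(getgid(), 1 << 20, &g, &buf, &n);
    printf("status=%d members=%zu\n", (int)s, s == GRP_OK ? n : (size_t)0);
    free(buf);
    return s == GRP_ERROR;
}
```

A caller that only needs the group name can treat GRP_TOO_LARGE as "name unknown" and fall back to printing the numeric gid instead of retrying without limit.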
