REPOST: Finding group members - fix to winbindd_ads.c

Michael Steffens michael.steffens at
Mon Feb 10 12:19:46 GMT 2003

Ken Cross wrote:
> Currently, if you do WINBINDD_GETGRNAM to an NT domain using RPC, you
> get *all* the members of a group, whether primary or supplemental.  
> The same call to an AD using LDAP just returns supplemental members.
> My patch causes the call to either an NT domain or AD to return the same
> thing.  
> There was some discussion about making it a separate call, but I think
> that'd be a mistake.  It seems like they should be consistent.

Would like to add my two cents to the discussion, too :)

I think there are good reasons for the habit of not including
primary group members in /etc/group, which would also apply to
winbind getgrnam/getgrgid calls.

Many (if not most) invocations of getgrnam/getgrgid are for
GID <-> name conversions, where the list of group members
is just unnecessary load. Which can be reduced by omitting
primary group members.

It's a pity there are no widespread standard Unix calls for
these conversions without querying group members, but that's
a boundary condition which winbind can hardly get around.
Every "ls -l" gathers group member lists just to ignore
them, for example.

Furthermore, some platforms do have an implicit limitation
of group sizes, by providing a default fixed result buffer size,
which most callers of getgrnam/getgrgid (better: their reentrant
counterparts getgrnam_r/getgrgid_r) adhere to. Omitting primary
members makes hitting such limits less likely.


More information about the samba-technical mailing list