[PATCH] Duplicate GIDs in supplementary groups

Klinger, John (N-CSC) john.klinger at lmco.com
Tue Feb 3 16:29:26 GMT 2004


Samba 3.0.1, security=ads, idmap backend=ldap:ldap:...

This patch was needed because we had mapped a large number of
Active Directory groups to a single Unix group. We did this by 
allowing the OpenLDAP backend (2.1.23) to populate via 
"getent group" and "getent passwd", then modifying the OpenLDAP 
SID=>gid mappings to map to a specific gid. The Samba daemons 
were then stopped, the tdb caches removed, and the daemons 
restarted.

Without this patch, if a user belonged to 16 groups that mapped 
to the same gid, they would have every one of those groups in 
their supplementary group list, with the same gid repeated for 
each one. With this patch, the gid will appear in the 
supplementary group list only once.

Example:
Before the patch "id -a user" could return the following:
  uid=10000(user) gid=20000(primary) groups=20001(G1),20001(G1),20001(G1)

After the patch "id -a user" would return the following:
  uid=10000(user) gid=20000(primary) groups=20001(G1)

Unfortunately, after about 10 minutes of no activity while 
under this SID=>gid mapping setup, any other access to the 
OpenLDAP results in a SEGFAULT, as detailed in bug 997 (https://bugzilla.samba.org/show_bug.cgi?id=997). The SEGFAULT 
occurs with or without this patch, so I'm submitting this patch 
anyway. (see the bug report for more details)

Diff based off of 3.0.1 release.

==================

--- 3.0.1/nsswitch/winbind_nss_linux.c	Thu Dec  4 21:38:37 2003
+++ 3.0.1+/nsswitch/winbind_nss_linux.c	Tue Jan 27 16:56:17 2004
@@ -809,6 +809,9 @@
 	struct winbindd_request request;
 	struct winbindd_response response;
 	int i;
+	int j;
+	int duplicate;
+	int start_ndx = *start;
 
 #ifdef DEBUG_NSS
 	fprintf(stderr, "[%5d]: initgroups %s (%d)\n", getpid(),
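Review bot: `int start_ndx = *start;` narrows the value it copies. In the glibc `initgroups_dyn` NSS interface that this function implements, `start` and `size` are `long int *` and `limit` is `long int`; declaring `start_ndx` and `j` as `long` (rather than `int`) matches the types they are compared against in the loop below and avoids the implicit conversions. The function's parameter list is outside the hunk, so confirm against the signature before changing the declarations.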
@@ -831,9 +834,13 @@
 
 		for (i = 0; i < num_gids; i++) {
 
-			/* Skip primary group */
+			/* Skip any group ids that are already identified */
 
-			if (gid_list[i] == group) continue;
+			duplicate = (gid_list[i] == group);
+			for (j = start_ndx; !duplicate && j < limit; j++) {
+				duplicate = (gid_list[i] == (*groups)[j]);
+			}
+			if (duplicate) continue;
 
 			/* Add to buffer */
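Review bot: the inner loop bound is wrong. `for (j = start_ndx; !duplicate && j < limit; j++)` compares `gid_list[i]` against `(*groups)[j]` all the way up to `limit`, but `limit` is the caller's maximum number of groups, not the number of entries filled so far; the slots from `*start` up to `limit` have not been written in this call and may lie beyond the `*size` entries actually allocated, so the scan reads stale or out-of-bounds memory, and a stale value that happens to equal a real gid silently drops that group. Bound the scan by the current count instead: `for (j = start_ndx; !duplicate && j < *start; j++)`. Note also that when a caller passes `limit == -1` (glibc's "unlimited"), `j < limit` is false immediately and no deduplication happens at all, so the patch as posted only takes effect for callers that pass a positive limit.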

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dup_groups.zip
Type: application/x-zip-compressed
Size: 562 bytes
Desc: dup_groups.zip
Url : http://lists.samba.org/archive/samba-technical/attachments/20040203/61e187ef/dup_groups.bin
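As an added example (not part of this patch or of Samba's own code), the following stand-alone C helper appends supplementary gids the way the mail describes: the primary gid and any gid already added in the same call are skipped, so a gid mapped from several directory groups lands in the list once. The function name `add_gids_dedup`, the demo helpers, and the initgroups_dyn-style argument layout (`*start` = entries present, `*size` = allocated slots, `limit` = maximum count, with `limit <= 0` meaning unlimited) are assumptions; the gid list in the demo is constructed to match the `id -a` output quoted above.

```c
/* Added example, not code from the posted patch or from Samba.
 * Mirrors the shape of glibc's initgroups_dyn arguments (assumption):
 *   *start  = number of entries already in *groups
 *   *size   = number of slots allocated for *groups
 *   limit   = maximum number of entries; <= 0 means unlimited
 * Returns the number of entries added, or -1 on allocation failure. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

long add_gids_dedup(const gid_t *gid_list, size_t num_gids, gid_t primary,
                    long *start, long *size, gid_t **groups, long limit)
{
    long added = 0;
    long start_ndx = *start;            /* first slot written by this call */

    for (size_t i = 0; i < num_gids; i++) {
        /* Skip the primary group and any gid already identified. The scan
         * is bounded by the entries actually written (*start), never by
         * limit, so no unwritten or unallocated slot is ever read. */
        int duplicate = (gid_list[i] == primary);
        for (long j = start_ndx; !duplicate && j < *start; j++)
            duplicate = (gid_list[i] == (*groups)[j]);
        if (duplicate)
            continue;

        if (limit > 0 && *start >= limit)
            break;                      /* caller's maximum reached */

        if (*start == *size) {          /* grow the buffer */
            long newsize = *size ? *size * 2 : 4;
            gid_t *tmp = realloc(*groups, (size_t)newsize * sizeof(gid_t));
            if (tmp == NULL)
                return -1;
            *groups = tmp;
            *size = newsize;
        }
        (*groups)[(*start)++] = gid_list[i];
        added++;
    }
    return added;
}

/* Constructed scenario: primary gid 20000, three directory groups all
 * mapped to gid 20001, plus one group mapped to 20002. */
static const gid_t demo_mapped[] = {20001, 20001, 20000, 20001, 20002};
static const size_t demo_mapped_n = sizeof(demo_mapped) / sizeof(demo_mapped[0]);

/* Runs the demo with the given limit and returns the number of gids added. */
long demo_count(long limit)
{
    long start = 0, size = 0;
    gid_t *groups = NULL;
    long n = add_gids_dedup(demo_mapped, demo_mapped_n, 20000,
                            &start, &size, &groups, limit);
    free(groups);
    return n;
}

/* Runs the demo with the given limit and returns entry idx (0 if absent). */
gid_t demo_entry(long limit, long idx)
{
    long start = 0, size = 0;
    gid_t *groups = NULL;
    gid_t result = 0;
    if (add_gids_dedup(demo_mapped, demo_mapped_n, 20000,
                       &start, &size, &groups, limit) >= 0 && idx < start)
        result = groups[idx];
    free(groups);
    return result;
}

int main(void)
{
    long start = 0, size = 0;
    gid_t *groups = NULL;
    long n = add_gids_dedup(demo_mapped, demo_mapped_n, 20000,
                            &start, &size, &groups, -1);
    printf("added %ld supplementary gid(s):", n);
    for (long i = 0; i < start; i++)
        printf(" %u", (unsigned)groups[i]);
    printf("\n");                       /* added 2 supplementary gid(s): 20001 20002 */
    free(groups);
    return 0;
}
```

With an unlimited `limit` the constructed list collapses to the two distinct non-primary gids; with `limit` set to 1 only the first is added, and because the scan is bounded by `*start` a `limit` of -1 still deduplicates.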


More information about the samba-technical mailing list