[PATCH] Duplicate GIDs in supplementary groups
Klinger, John (N-CSC)
john.klinger at lmco.com
Tue Feb 3 16:29:26 GMT 2004
Samba 3.0.1, security=ads, idmap backend=ldap:ldap:...
This patch was needed because we had mapped a large number of
Active Directory groups to a single Unix group. We did this by
allowing the OpenLDAP backend (2.1.23) to populate via
"getent group" and "getent passwd", then modifying the OpenLDAP
SID=>gid mappings to map to a specific gid. The Samba daemons
were then stopped, the tdb caches removed, and the daemons
restarted.
Without this patch, if a user belonged to 16 groups that mapped
to the same gid, they would have every one of those groups in
their supplementary group list, with the same gid repeated for
each one. With this patch, the gid will appear in the
supplementary group list only once.
Example:
Before the patch "id -a user" could return the following:
uid=10000(user) gid=20000(primary) groups=20001(G1),20001(G1),20001(G1)
After the patch "id -a user" would return the following:
uid=10000(user) gid=20000(primary) groups=20001(G1)
Unfortunately, after about 10 minutes of no activity while
under this SID=>gid mapping setup, any other access to the
OpenLDAP results in a SEGFAULT, as detailed in bug 997 (https://bugzilla.samba.org/show_bug.cgi?id=997). The SEGFAULT
occurs with or without this patch, so I'm submitting this patch
anyway. (see the bug report for more details)
Diff based off of 3.0.1 release.
==================
--- 3.0.1/nsswitch/winbind_nss_linux.c Thu Dec 4 21:38:37 2003
+++ 3.0.1+/nsswitch/winbind_nss_linux.c Tue Jan 27 16:56:17 2004
@@ -809,6 +809,9 @@
struct winbindd_request request;
struct winbindd_response response;
int i;
+ int j;
+ int duplicate;
+ int start_ndx = *start;
#ifdef DEBUG_NSS
fprintf(stderr, "[%5d]: initgroups %s (%d)\n", getpid(),
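Review bot: the new declarations carry no comment, and `start_ndx` deserves one, since capturing `*start` at entry means the comparison loop that uses it later in this patch only checks entries this call appends, not gids already present in `*groups` from an earlier NSS source; if that narrowing is intentional, say so on the declaration (`int start_ndx = *start; /* first slot this call fills */`), and if not, the scan should start at 0.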
@@ -831,9 +834,13 @@
for (i = 0; i < num_gids; i++) {
- /* Skip primary group */
+ /* Skip any group ids that are already identified */
- if (gid_list[i] == group) continue;
+ duplicate = (gid_list[i] == group);
+ for (j = start_ndx; !duplicate && j < limit; j++) {
+ duplicate = (gid_list[i] == (*groups)[j]);
+ }
+ if (duplicate) continue;
/* Add to buffer */
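Review bot: the inner loop's upper bound should be the number of slots filled so far (`*start`), not `limit`. Slots in `[*start, limit)` have not been written by this call, so comparing `gid_list[i]` against `(*groups)[j]` there reads uninitialized or stale buffer contents and can drop a legitimate gid on a chance match, and if `limit` is larger than the allocated size it reads past the end of `*groups`. If a caller passes a negative `limit` to mean "no limit", `j < limit` is false from the start and the duplicate check silently never runs, so the fix would not apply at all. Suggest `for (j = start_ndx; !duplicate && j < *start; j++) {`.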
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dup_groups.zip
Type: application/x-zip-compressed
Size: 562 bytes
Desc: dup_groups.zip
Url : http://lists.samba.org/archive/samba-technical/attachments/20040203/61e187ef/dup_groups.bin
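As an added illustration of the deduplication the mail describes (this is example code written for this page, not Samba's nsswitch code or the attached patch), the function below appends gids to an initgroups-style dynamic buffer, skipping the primary gid and any gid already in the filled part of the buffer. It compares only against the `*start` entries that have actually been written, grows the buffer with `realloc` when needed, and treats a negative `limit` as "unlimited". The names `add_unique_gids`, `gid_present` and `demo_count` and the sample gid list are assumptions constructed here; the gid values mirror the `id -a user` example in the mail.

```c
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>

/* Return 1 if g is among the first `count` entries of groups (filled slots only). */
static int gid_present(const gid_t *groups, long count, gid_t g)
{
    for (long j = 0; j < count; j++)
        if (groups[j] == g)
            return 1;
    return 0;
}

/*
 * Hypothetical helper (not Samba's code): append gids from gid_list to *groups,
 * an initgroups_dyn-style buffer where *start is the number of filled slots,
 * *size the allocated capacity and limit the maximum entry count (negative
 * means unlimited). The primary gid and any gid already in the filled part of
 * the buffer are skipped, so a gid shared by many mapped groups appears once.
 * Returns the number of gids appended, or -1 on allocation failure.
 */
long add_unique_gids(gid_t primary, const gid_t *gid_list, long num_gids,
                     gid_t **groups, long *start, long *size, long limit)
{
    long added = 0;
    for (long i = 0; i < num_gids; i++) {
        gid_t g = gid_list[i];
        if (g == primary)
            continue;                          /* primary gid is recorded elsewhere */
        if (gid_present(*groups, *start, g))
            continue;                          /* compare against filled slots only */
        if (limit >= 0 && *start >= limit)
            break;                             /* caller's cap reached */
        if (*start >= *size) {                 /* grow the buffer before writing */
            long newsize = *size ? *size * 2 : 8;
            if (limit >= 0 && newsize > limit)
                newsize = limit;
            gid_t *tmp = realloc(*groups, (size_t)newsize * sizeof(gid_t));
            if (!tmp)
                return -1;
            *groups = tmp;
            *size = newsize;
        }
        (*groups)[(*start)++] = g;
        added++;
    }
    return added;
}

/*
 * Constructed sample: the buffer already holds 20003 (as if an earlier NSS
 * source supplied it), the primary gid is 20000, and three AD groups all map
 * to gid 20001. Returns the number of filled slots after the append.
 */
long demo_count(long limit)
{
    const gid_t gid_list[] = { 20001, 20001, 20001, 20000, 20002, 20003 };
    long num_gids = (long)(sizeof(gid_list) / sizeof(gid_list[0]));
    gid_t *groups = malloc(sizeof(gid_t));
    if (!groups)
        return -1;
    groups[0] = 20003;
    long start = 1, size = 1;

    if (add_unique_gids(20000, gid_list, num_gids, &groups, &start, &size, limit) < 0) {
        free(groups);
        return -1;
    }
    long filled = start;
    free(groups);
    return filled;
}

int main(void)
{
    /* Expected: 3 entries (20003, 20001, 20002) without a limit, 2 with limit 2. */
    printf("unlimited: %ld filled, limit 2: %ld filled\n", demo_count(-1), demo_count(2));
    return 0;
}
```

The only difference from the patched loop that matters for correctness is the bound on the inner scan: `gid_present` looks at `*start` entries, so it never reads slots that have not been written yet.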