get_domain_user_groups() improvement.

Andrew Bartlett abartlet at
Mon Oct 4 03:50:15 GMT 2004

On Mon, 2004-10-04 at 03:06, Volker.Lendecke at SerNet.DE wrote:
> On Fri, Sep 24, 2004 at 07:00:08AM +1000, Andrew Bartlett wrote:
> > My feeling is that we can push all NSS calls that regard groups into
> > such a mechanism, without difficulty.  Other calls are more marginal -
> > we should look at the pointy-end (large numbers of users/groups)
> > performance implications of each call.
>
> If I understand the problem at hand correctly, this all revolves around the
> lack of a nss_givemealluserswiththisprimarygid() call, right? If this is
> correct, why not throw away nss_ldap and have winbind handle that. nss_ldap
> can't be that complicated, and we have ldap code in winbind anyway. Then from
> smbd we could scan nss with winbindd_off() and directly ask winbind for the
> rest, this time with a direct and more explicit call.

As much as I argued for this option for so, so long, I don't think it's
viable here, in the short term.  In the short term we are just trying to
make Samba 'not suck', while being accurate since your changes... ;-)

One other point that needs to be watched on this patch is that we can't
assume the primaryGroupID is present, and I would prefer to be sceptical
about its accuracy.  I think the search should be on the unix GID,
guarded by a suitable option.  (And make the primaryGroupID default off
the unix primary group again, guarded by the same option).

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Authentication Developer, Samba Team  
Student Network Administrator, Hawker College   abartlet at