getgroups() gives wrong result with nss_winbind

Andreas andreas at conectiva.com.br
Thu Sep 16 21:09:35 GMT 2004


I'm having some strange errors with group membership in samba-3.0.7 (not
sure about other versions).

There is this user (marcia) belonging to over 200 groups. However, when she calls
getgroups(2), only 64 are returned.

This user is a member of a lot of groups:
[DOMAIN\marcia at pandora ~]$ getent group | grep marcia|wc -l
222

getgroups(0,NULL), however, returns only 64:
[DOMAIN\marcia at pandora ~]$ /tmp/getgroups
Result=64

(/tmp/getgroups just prints the output of getgroups(0,NULL)).

"id" also has a funny behaviour. When called as that user without arguments, it lists
only 64 groups (strace shows that it uses getgroups()). Now, if called, again as
this same user, but supplying the username as argument, all groups are correctly listed:
(I'm not listing all 200 groups here, just a piped output to wc showing that the results
differ)

[DOMAIN\marcia at pandora ~]$ id|wc
      1       7    1815
[DOMAIN\marcia at pandora ~]$ id DOMAIN\\marcia|wc
      1       7    5970

And I also have strange results elsewhere:

[DOMAIN\marcia at pandora ~]$ l teste.txt
-rw-rw----  1 DOMAIN\Administrador DOMAIN\grp879 4 Sep 16 16:31 teste.txt

- Only the admin and members of grp879 can read/write teste.txt

[DOMAIN\marcia at pandora ~]$ getent group DOMAIN\\grp879
DOMAIN\grp879:x:16788336:DOMAIN\marcia

- marcia is a member of that group. But:

[DOMAIN\marcia at pandora ~]$ cat teste.txt
cat: teste.txt: Permission denied

- ops :)

Regarding the "cat" test case above, the grp879 group is only listed in the id output when
the username is supplied (i.e., "id DOMAIN\\marcia"). Only "id" (when run as DOMAIN\\marcia)
doesn't show this group.

I repeated these tests with a local user and 100 local groups. Everything works as expected,
so I assume it's a problem with winbind somewhere.
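
The following diagnostic is an added example, not part of the original post and not Samba code. It compares the supplementary groups in the process credentials (getgroups(2), which the kernel uses for the permission check that failed in the "cat" case) with the groups NSS reports for the same user through getgrouplist(3), and counts the ones missing from the process. The function names count_missing and check_current_user are made up for this example.

```c
#define _DEFAULT_SOURCE            /* exposes getgrouplist() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Count gids in want[] that do not appear in have[]. */
int count_missing(const gid_t *want, int nwant, const gid_t *have, int nhave)
{
    int missing = 0;
    for (int i = 0; i < nwant; i++) {
        int found = 0;
        for (int j = 0; j < nhave && !found; j++)
            found = (want[i] == have[j]);
        missing += !found;
    }
    return missing;
}

/* NSS groups of the caller absent from the process credentials; -1 on failure. */
int check_current_user(void)
{
    struct passwd *pw = getpwuid(getuid());
    int nproc = getgroups(0, NULL);          /* size of the list the kernel enforces */
    if (pw == NULL || nproc < 0) return -1;
    gid_t *proc = calloc((size_t)nproc + 1, sizeof *proc);
    if (proc == NULL) return -1;
    nproc = getgroups(nproc, proc);
    if (nproc < 0) { free(proc); return -1; }
    proc[nproc++] = getegid();               /* egid may be omitted from the list */
    int nnss = 64, rc = -1;                  /* 64 is only a starting buffer size */
    gid_t *nss = NULL;
    for (int tries = 0; tries < 2 && rc == -1; tries++) {
        gid_t *tmp = realloc(nss, (size_t)nnss * sizeof *nss);
        if (tmp == NULL) break;
        nss = tmp;                           /* second pass uses the size NSS reported */
        rc = getgrouplist(pw->pw_name, pw->pw_gid, nss, &nnss);
    }
    int result = (rc == -1) ? -1 : count_missing(nss, nnss, proc, nproc);
    free(nss); free(proc);
    return result;
}

int main(void)
{
    printf("NSS groups missing from process credentials: %d\n", check_current_user());
    return 0;
}
```

A non-zero count means the session was started with fewer groups than NSS knows about, so access granted through the missing groups is denied even though "getent group" lists the user as a member.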


