getgroups() gives wrong result with nss_winbind

tridge at samba.org
Fri Sep 17 13:12:00 GMT 2004


Andreas,

 > Could be, but all those tests worked when I used local user and groups. They
 > only failed with users coming from winbind, but of course it could still be
 > a bug in glibc.

I'd guess that for local users glibc is using libnss_files.so.2 or
libnss_compat.so.2. You could use nsstest to test those separately.

One thing to look for is that libnss_files.so.2 may not have an
initgroups method (it doesn't on my system), in which case glibc will
fall back to the horrendously inefficient "scan all groups" method of
finding groups for a user. The nsstest code will tell you if the
libnss module you test against does not have an initgroups method.

It is possible that glibc only has a bug when using a nss module that
does have an initgroups method, and has more than 64 groups for a
user. That would be consistent with what you've seen. If your
libnss_files.so doesn't have an initgroups call, then please test the
libnss_compat.so.2 module, and if that does (it should) then change
/etc/nsswitch.conf to choose "compat" instead of "files" and see if
your local tests then break. If they do then you will have reproduced
the bug without any Samba code, so you can say it's definitely a glibc
bug.

 > Well, it gets all 200+ groups from this user (marcia). So, not a winbind problem
 > after all?

seems likely. Please test as above.

 > It only failed with the users from the BUILTIN domain:
 > Testing group BUILTIN\System Operators
 > getgrent: BUILTIN\System Operators:x:16778329:
 > ERROR: can't getgrnam

Looks like a separate winbindd bug to do with BUILTIN support. I doubt
this has anything to do with the getgroups() problem.

Cheers, Tridge
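
Added example (not part of the original message, and not the nsstest code): a small C check that compares the group list glibc returns from getgrouplist() with a full scan of the group database, to show whether memberships are dropped for a user with more than 64 groups. It assumes the configured NSS sources can be enumerated with getgrent(); the function names are illustrative.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static int has_gid(const gid_t *set, int n, gid_t gid) {
    for (int i = 0; i < n; i++) if (set[i] == gid) return 1;
    return 0;
}
/* Group list as glibc resolves it: start with room for 64 entries and
 * retry with the size getgrouplist() reports when that is too small. */
int groups_by_nss(const char *user, gid_t base, gid_t **out) {
    int n = 64;
    gid_t *set = malloc(n * sizeof *set), *tmp;
    if (!set) return -1;
    if (getgrouplist(user, base, set, &n) == -1) {
        if (!(tmp = realloc(set, n * sizeof *set))) { free(set); return -1; }
        set = tmp;
        if (getgrouplist(user, base, set, &n) == -1) { free(set); return -1; }
    }
    *out = set;
    return n;
}
/* Walk every group entry (the slow "scan all groups" method) and count the
 * entries that list `user` as a member but are absent from the list above.
 * A group that is enumerated twice is counted twice. */
int missing_from_nss(const char *user, gid_t base) {
    gid_t *nss = NULL;
    int nn = groups_by_nss(user, base, &nss), miss = 0;
    struct group *gr;
    if (nn < 0) return -1;
    setgrent();
    while ((gr = getgrent()) != NULL)
        for (char **m = gr->gr_mem; *m; m++)
            if (!strcmp(*m, user) && !has_gid(nss, nn, gr->gr_gid)) {
                printf("missing: %s (gid %lu)\n", gr->gr_name, (unsigned long)gr->gr_gid);
                miss++;
                break;
            }
    endgrent();
    free(nss);
    return miss;
}
int main(int argc, char **argv) {
    struct passwd *pw = argc > 1 ? getpwnam(argv[1]) : NULL;
    if (!pw) { fprintf(stderr, "usage: %s <existing user>\n", argv[0]); return 2; }
    return missing_from_nss(pw->pw_name, pw->pw_gid) != 0;   /* exit 1 on mismatch */
}
```

Run it once with "files" and once with "compat" (or winbind) selected for group in /etc/nsswitch.conf; a non-zero count only with the module that has an initgroups method matches the behaviour described above.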

