getgroups() gives wrong result with nss_winbind

Andreas andreas at conectiva.com.br
Fri Sep 17 13:31:48 GMT 2004 

On Fri, Sep 17, 2004 at 11:12:00PM +1000, tridge at samba.org wrote:
> One thing to look for is that libnss_files.so.2 may not have a
> initgroups method (it doesn't on my system), in which case glibc will

Right, it doesn't:
so_path=/lib/libnss_files.so.2 nss_name=files

Testing user root
getpwent:   root:x:0:0:root:/root:/bin/bash
getpwuid:   root:x:0:0:root:/root:/bin/bash
getpwnam:   root:x:0:0:root:/root:/bin/bash
initgroups: Can't find function _nss_files_initgroups_dyn : /lib/libnss_files.so.2: undefined symbol: _nss_files
_initgroups_dyn
No initgroups fn

> It is possible that glibc only has a bug when using a nss module that
> does have a initgroups method, and has more than 64 groups for a
> user. That would be consistent with what you've seen. If your
> libnss_files.so doesn't have a initgroups call, then please test the
> libnss_compat.so.2 module, and if that does (it should) then change

It does have initgroups indeed:
so_path=/lib/libnss_compat.so.2 nss_name=compat

Testing user root
getpwent:   root:x:0:0:root:/root:/bin/bash
getpwuid:   root:x:0:0:root:/root:/bin/bash
getpwnam:   root:x:0:0:root:/root:/bin/bash
initgroups: 0, 1, 2, 3, 4, 6, 10

> /etc/nsswitch.conf to choose "compat" instead of "files" and see if
> your local tests then break. If they do then you will have reproduced
> the bug without any Samba code, so you can say its definately a glibc
> bug.

It doesn't break "unfortunately":
[root at pandora 1]# grep compat /etc/nsswitch.conf
#       compat                  Use NIS on compat mode
passwd:     compat winbind
shadow:     compat winbind
group:      compat winbind

[root at pandora 1]# su - testando
[testando at pandora ~]$ /tmp/getgroups
Result=101

[root at pandora 1]# ./test testando
Number of groups for testando: 101

["test" does initgroups for the specified user and then does getgroups(0,NULL)].

("testando" is a local user which is a member of 100 local supplementary groups)
["/tmp/getgroups" just does getgroups(0,NULL)]

Both programs still show 64 groups for DOMAIN\marcia.

There is another thing which may or not may be important. All these 200+ groups I
created for the "marcia" user were created with "net ads group add" (it would be very
boring to create them with point&click). Then I added "marcia" to these groups with the 
win2k AD tool ("User and Computers").

More information about the samba-technical mailing list