getgroups() gives wrong result with nss_winbind

tridge at tridge at
Fri Sep 17 13:59:04 GMT 2004


 > It doesn't break "unfortunately":
 > [root at pandora 1]# grep compat /etc/nsswitch.conf
 > #       compat                  Use NIS on compat mode
 > passwd:     compat winbind
 > shadow:     compat winbind
 > group:      compat winbind
 > [root at pandora 1]# su - testando
 > [testando at pandora ~]$ /tmp/getgroups
 > Result=101

ok, so that indicates that the initgroups method in
is managing some trick that the one in isn't.

I'd be interested in seeing what arguments are being passed to 
_nss_winbind_initgroups_dyn() for your test program. 

That function looks like this:

_nss_winbind_initgroups_dyn(char *user, gid_t group, long int *start,
			    long int *size, gid_t **groups, long int limit,
			    int *errnop);

notice the "limit" and "*size" arguments? Those are what limits this
function to a particular number of groups. Maybe glibc is calling it
with a small limit first, and expecting some specific error code or
other indicator in order to continue?

At this stage I'd start adding debug code to
_nss_winbind_initgroups_dyn() in source/nsswitch/winbind_nss_linux.c
and see if you can spot what's going on.

hmm, I just did some tests with my and it certainly
looks like winbind treats "limit" and "*size" differently to the
compat implementation. We should probably look inside the
implementation of the compat module in glibc and see exactly what
rules it uses for those two parameters. If we fix those in the
winbindd nss module, then I suspect it will fix your problem.

Cheers, Tridge
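
The "limit" and "*size" handling discussed in the message above, sketched as an added example (not part of the original post and not Samba or glibc source). It assumes the convention glibc's own file-based initgroups backend follows: "*start" is the next free slot, "*size" is the current capacity, and the module grows the array itself, doubling it up to "limit", where a limit of 0 or less means no cap. The names add_gid and fill_groups are hypothetical, and the gid values are constructed.

```c
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>

/* Hypothetical helper: append one gid under the (start, size, groups, limit)
   convention. Returns 1 if stored, 0 if the caller's limit is reached,
   -1 on allocation failure (with *errnop set). Assumes *size >= 1. */
static int add_gid(gid_t gid, long int *start, long int *size,
                   gid_t **groups, long int limit, int *errnop)
{
    if (*start == *size) {                  /* buffer full: module must grow it */
        long int newsize;
        gid_t *newgroups;
        if (limit > 0 && *size >= limit)
            return 0;                       /* cap reached: stop, not an error */
        newsize = 2 * *size;
        if (limit > 0 && newsize > limit)
            newsize = limit;                /* never grow past the cap */
        newgroups = realloc(*groups, (size_t)newsize * sizeof(gid_t));
        if (newgroups == NULL) {
            *errnop = ENOMEM;
            return -1;
        }
        *groups = newgroups;                /* hand the new buffer back */
        *size = newsize;
    }
    (*groups)[(*start)++] = gid;
    return 1;
}

/* Constructed stand-in for a backend lookup: offers n consecutive gids
   starting at base, skips the primary group, returns the final count. */
static long int fill_groups(long int n, gid_t base, gid_t primary,
                            long int initial_size, long int limit)
{
    long int start = 1, size = initial_size, i;
    int err = 0;
    gid_t *groups = malloc((size_t)size * sizeof(gid_t));
    if (groups == NULL)
        return -1;
    groups[0] = primary;                    /* slot 0 holds the primary gid */
    for (i = 0; i < n; i++) {
        gid_t gid = base + (gid_t)i;
        if (gid == primary)
            continue;                       /* primary is already in slot 0 */
        if (add_gid(gid, &start, &size, &groups, limit, &err) <= 0)
            break;
    }
    free(groups);
    return start;
}
```

A module that instead treats "*size" as a hard ceiling, or never reallocates "*groups", would return a truncated list for users in more groups than the initial buffer holds.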
