getgroups() gives wrong result with nss_winbind

Andreas andreas at conectiva.com.br
Fri Sep 17 14:07:41 GMT 2004 

On Fri, Sep 17, 2004 at 11:59:04PM +1000, tridge at samba.org wrote:
> I'd be interested in seeing what arguments are being passed to 
> _nss_winbind_initgroups_dyn() for your test program. 

I was about to debug that with some printf's

> 
> That function looks like this:
> 
> NSS_STATUS
> _nss_winbind_initgroups_dyn(char *user, gid_t group, long int *start,
> 			    long int *size, gid_t **groups, long int limit,
> 			    int *errnop);
> 
> notice the "limit" and "*size" arguments? Those are what limits this
> function to a particular number of groups. Maybe glibc is calling it
> with a small limit first, and expecting some specific error code or
> other indicator in order to continue?

As I recall, NSS functions return an NSS_TRY_AGAIN in the case of, for
example, not enough memory allocated for the task. Browsing glibc code, I
see that it calls initgroups_dyn with a size of 64 (I'm about to confirm
that with those printf's):

grp/initgroups.c:249 (glibc code)
 long int limit = __sysconf (_SC_NGROUPS_MAX);

  if (limit > 0)
    /* We limit the size of the intially allocated array.  */
    size = MIN (limit, 64);
  else
    /* No fixed limit on groups.  Pick a starting buffer size.  */
    size = 16;

Below are two strace outputs: one for the windows "marcia" user and the other
for the local "testando" user:

initgroups.testando:
21643 open("/proc/sys/kernel/ngroups_max", O_RDONLY) = 3
21643 read(3, "65536\n", 31)            = 6
21643 close(3)                          = 0
21643 setgroups32(101, [502, 10001, 10002, 10003, 10004, 10005, 10006, 10007, 10008, 10009, 10010, 10011, 10012,
(...)

initgroups.marcia:
21640 open("/proc/sys/kernel/ngroups_max", O_RDONLY) = 3
21640 read(3, "65536\n", 31)            = 6
21640 close(3)                          = 0
21640 setgroups32(64, [16777216, 16777217, 16777218, 16777219, 16777220, 16777221, 16777222, 16777223, 16777224,
(...)

In both cases it seems to be traversing that glibc code, but for some reason setgroups is being
called with just 64 groups in the "marcia" case.

I suspect winbind should return NSS_TRY_AGAIN in this case so that glibc could increase the buffer
size and call this function again.

> At this stage I'd start adding debug code to
> _nss_winbind_initgroups_dyn() in source/nsswitch/winbind_nss_linux.c
> and see if you can spot whats going on.
> 
> hmm, I just did some tests with my libnss_compat.so and it certainly
> looks like winbind treats "limit" and "*size" differently to the
> compat implementation. We should probably look inside the
> implementation of the compat module in glibc and see exactly what
> rules it uses for those two parameters. If we fix those in the
> winbindd nss module, then I suspect it will fix your problem.
> 
> Cheers, Tridge
> 
>

More information about the samba-technical mailing list