getgroups() gives wrong result with nss_winbind
Andreas
andreas at conectiva.com.br
Fri Sep 17 14:07:41 GMT 2004
On Fri, Sep 17, 2004 at 11:59:04PM +1000, tridge at samba.org wrote:
> I'd be interested in seeing what arguments are being passed to
> _nss_winbind_initgroups_dyn() for your test program.
I was about to debug that with some printf's
>
> That function looks like this:
>
> NSS_STATUS
> _nss_winbind_initgroups_dyn(char *user, gid_t group, long int *start,
>                             long int *size, gid_t **groups, long int limit,
>                             int *errnop);
>
> Notice the "limit" and "*size" arguments? Those are what limits this
> function to a particular number of groups. Maybe glibc is calling it
> with a small limit first, and expecting some specific error code or
> other indicator in order to continue?
As I recall, NSS functions return an NSS_TRY_AGAIN in the case of, for
example, not enough memory allocated for the task. Browsing glibc code, I
see that it calls initgroups_dyn with a size of 64 (I'm about to confirm
that with those printf's):
grp/initgroups.c:249 (glibc code)

  long int limit = __sysconf (_SC_NGROUPS_MAX);

  if (limit > 0)
    /* We limit the size of the intially allocated array.  */
    size = MIN (limit, 64);
  else
    /* No fixed limit on groups.  Pick a starting buffer size.  */
    size = 16;

Below are two strace outputs: one for the Windows "marcia" user and the other
for the local "testando" user:
initgroups.testando:
21643 open("/proc/sys/kernel/ngroups_max", O_RDONLY) = 3
21643 read(3, "65536\n", 31) = 6
21643 close(3) = 0
21643 setgroups32(101, [502, 10001, 10002, 10003, 10004, 10005, 10006, 10007, 10008, 10009, 10010, 10011, 10012,
(...)
initgroups.marcia:
21640 open("/proc/sys/kernel/ngroups_max", O_RDONLY) = 3
21640 read(3, "65536\n", 31) = 6
21640 close(3) = 0
21640 setgroups32(64, [16777216, 16777217, 16777218, 16777219, 16777220, 16777221, 16777222, 16777223, 16777224,
(...)
In both cases it seems to be traversing that glibc code, but for some reason setgroups is being
called with just 64 groups in the "marcia" case.
I suspect winbind should return NSS_TRY_AGAIN in this case so that glibc could increase the buffer
size and call this function again.
> At this stage I'd start adding debug code to
> _nss_winbind_initgroups_dyn() in source/nsswitch/winbind_nss_linux.c
> and see if you can spot what's going on.
>
> hmm, I just did some tests with my libnss_compat.so and it certainly
> looks like winbind treats "limit" and "*size" differently to the
> compat implementation. We should probably look inside the
> implementation of the compat module in glibc and see exactly what
> rules it uses for those two parameters. If we fix those in the
> winbindd nss module, then I suspect it will fix your problem.
>
> Cheers, Tridge
>
>
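
Added example, not part of the original message and not Samba or glibc code: a simulation of the two behaviours discussed above, a module that stops filling at `*size` and one that enlarges `*groups` itself up to `limit`, driven by a caller sized like the quoted glibc excerpt. The function names, status names and gid values are hypothetical, and the doubling rule is an assumption about what the caller expects from the module.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Hypothetical stand-ins for the NSS status codes (not the glibc header). */
enum status { ST_SUCCESS, ST_TRYAGAIN };

/* Fills *groups with n constructed gids. With grow == 0 it stops when the
   caller's array is full; with grow != 0 it doubles the array, up to limit. */
static enum status fill(int grow, long int n, long int *start,
                        long int *size, gid_t **groups, long int limit)
{
    for (long int i = 0; i < n; i++) {
        if (*start == *size) {
            if (!grow || (limit > 0 && *size >= limit))
                break;              /* truncating module, or hard cap hit */
            long int newsize = 2 * *size;
            if (limit > 0 && newsize > limit)
                newsize = limit;
            gid_t *tmp = realloc(*groups, (size_t)newsize * sizeof(gid_t));
            if (tmp == NULL)
                return ST_TRYAGAIN; /* old array is still valid */
            *groups = tmp;
            *size = newsize;
        }
        (*groups)[(*start)++] = 10001 + (gid_t)i;   /* constructed gid */
    }
    return ST_SUCCESS;   /* a truncated list is indistinguishable from a full one */
}

/* Caller sized like the glibc excerpt: MIN(limit, 64) slots, or 16. */
long int count_groups(int grow, long int n, long int limit)
{
    long int start = 0, size = limit > 0 ? (limit < 64 ? limit : 64) : 16;
    gid_t *groups = malloc((size_t)size * sizeof(gid_t));
    if (groups == NULL)
        return -1;
    fill(grow, n, &start, &size, &groups, limit);
    free(groups);
    return start;        /* number of groups the caller would pass on */
}

int main(void)
{
    printf("truncating: %ld, growing: %ld\n",
           count_groups(0, 101, 65536), count_groups(1, 101, 65536));
    return 0;
}
```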