getgroups() gives wrong result with nss_winbind

[Andreas]

On Fri, Sep 17, 2004 at 11:48:28PM +0200, Henrik Nordstrom wrote:
> On Fri, 17 Sep 2004, Andreas wrote:
> 
> >Which ends up being 64 in my case and then calls 
> >_nss_winbind_initgroups_dyn with
> >these parameters. I'm trying to make _nss_winbind_initgroups_dyn return 
> >with
> >errnop = ERANGE and NSS_TRYAGAIN but it isn't working.
> 
> Should work.
> 
> What does your code look like?

Like this:
--- winbind_nss_linux.c.orig    2004-09-17 21:26:06.620692592 -0300
+++ winbind_nss_linux.c 2004-09-17 21:27:03.803999408 -0300
@@ -823,6 +823,13 @@

        ret = winbindd_request(WINBINDD_GETGROUPS, &request, &response);

+       if ((ret == NSS_STATUS_SUCCESS) &&
+           (response.data.num_entries > (int)(*size))) {
+               *errnop = ERANGE;
+               errno = ERANGE;
+               return NSS_STATUS_TRYAGAIN;
+       }
+
        if (ret == NSS_STATUS_SUCCESS) {
                int num_gids = response.data.num_entries;
                gid_t *gid_list = (gid_t *)response.extra_data;


But it doesn't work. NSS_STATUS_TRYAGAIN is returned but this function is never
called again with a bigger buffer as I expected. With this code in place, this
winbind user ends up without any supplementary groups, just the primary group.
I thought glibc would make the call again, but it seems this task is up to winbind.
I looked through other nss modules and it seems they all handle this situation
themselves. nss-compat, for example, will arbitrarily double the buffer each
time it gets an NSS_STATUS_TRYAGAIN with an ERANGE error and call the function again.