get_domain_user_groups() improvement.

John P Janosik jpjanosi at
Thu Sep 30 14:22:19 GMT 2004 at wrote on
09/26/2004 01:18:30 AM:

> Would you look at that! All 'query' backends (ldap, mysql, pgsql) has
> primaryGroupSid in their Samba user databases and this is enough to have
> the requested optimization.
> The attached patch introduces yet another pdb interface method
> enum_group_prmembers to retrieve SIDs of users with the given
> primaryGroupSid. Its default implementation goes through all users as it
> was done in get_memberuids(). Implementations in ldap, mysql, and pgsql
> backends use correct filter and query.
> get_memberuids() is adjusted to use this new method instead of going
> through all users all the time.
> This patch is made on top of my previous patch.
> I've tested it a little - group members are shown correctly and smbd
> doesn't crash.
> Hope you like it. Note, no "ldap trust ids" is necessary. :o)
> Igor

I tested this patch in a 20000 user test Samba/openldap domain and it
worked ok when I was connecting in as root.  When winbindd on a member
server connects anonymously or as a non-priv user with --set-auth-user I
get "smbldap_open: cannot access LDAP when not root.." errors in the logs.
I added become_root and unbecome_root calls in rpc_server/srv_samr_nt.c
before and after the calls to the new pdb interface methods to work around
those problems.

John Janosik

More information about the samba-technical mailing list