[PATCH] winbind nested groups fix?

Gautier, B (Bob) Bob.Gautier at rabobank.com
Tue Jun 6 10:41:00 GMT 2006

> -----Original Message-----
> From: samba-technical-bounces+bob.gautier=rabobank.com at lists.samba.org
> [mailto:samba-technical-bounces+bob.gautier=rabobank.com at lists.samba.org]
> On Behalf Of Matthijs Kooijman
> Sent: 05 June 2006 16:24
> To: samba-technical at lists.samba.org
> Subject: Re: [PATCH] winbind nested groups fix?
>
> Hey,
> apparently, my message to this list I sent a week or so back 
> didn't make it here. Weird. Anyway, it said that from a 
> discussion on IRC, we've concluded that fixing the getgrent 
> interface of winbind is not the way to go. Winbind has a 
> working getgroups interface that handles nested groups 
> correctly. This interface is at least by linux through the 
> "initgroups_dyn" nss call.

> Anyway, any comments on this code?

Only the other day I got asked if support for nested groups would be
available any time soon, so this is very timely for me, and I'd been
intending to mail you to see if you were making more progress with this.
But I mostly have questions, not comments:

This code certainly looks a lot simpler and more compact than a good fix
to getgrent would be, but I'm not clear how much of the problem it
solves.  The problem to be solved, from my POV (please correct me if I
am wrong) is that if I have a user U who is a member of group A which in
turn is a member of group B, then when I type 'getent group B' I should
see U in that entry.

This doesn't work at the moment, right?

Also, I need a Linux solution: if a patch like this one were ported to
the Linux libnss_winbind, would it fix the problem?

Final comment on the patch: enumerating group members is not likely to
be a frequent operation, but some (of my) groups may have quite a lot of
members, so I'm a little concerned about the performance implications of
the linear search to eliminate duplicate members, especially as the scan
will normally fail (not a duplicate).


Bob Gautier
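
The expansion asked about above (U is in A, A is in B, so U should be listed under B), as an added example that is not part of this thread or of Samba's code: it walks nested groups with a cycle guard and removes duplicates with one sort instead of a linear scan per member. The directory contents and every function name here are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed sample directory: U is in A, A is in B, and B loops back to A. */
struct group { const char *name; const char *members[4]; };
static const struct group GROUPS[] = {
    { "A", { "U", "V", "B", NULL } },
    { "B", { "A", "V", "W", NULL } },
};
#define GROUP_COUNT (sizeof GROUPS / sizeof GROUPS[0])

static int find_group(const char *name) {
    for (size_t i = 0; i < GROUP_COUNT; i++)
        if (strcmp(GROUPS[i].name, name) == 0) return (int)i;
    return -1;
}

/* Depth-first walk; visited[] stops cycles and repeated subgroups. */
static size_t collect(int g, int *visited, const char **out, size_t n, size_t max) {
    if (visited[g]) return n;
    visited[g] = 1;
    for (const char *const *m = GROUPS[g].members; *m; m++) {
        int sub = find_group(*m);
        if (sub >= 0) n = collect(sub, visited, out, n, max);
        else if (n < max) out[n++] = *m;   /* a user: append now, dedupe later */
    }
    return n;
}

static int cmp_name(const void *a, const void *b) {
    return strcmp(*(const char *const *)a, *(const char *const *)b);
}

/* Returns the number of unique users in `name`, nested members included. */
size_t expand_group(const char *name, const char **out, size_t max) {
    int visited[GROUP_COUNT] = { 0 };
    int g = find_group(name);
    if (g < 0) return 0;
    size_t n = collect(g, visited, out, 0, max), u = 0;
    qsort(out, n, sizeof *out, cmp_name);       /* O(n log n) overall */
    for (size_t i = 0; i < n; i++)               /* drop adjacent repeats */
        if (u == 0 || strcmp(out[u - 1], out[i]) != 0) out[u++] = out[i];
    return u;
}

int main(void) {
    const char *users[16];
    for (size_t i = 0, n = expand_group("B", users, 16); i < n; i++) puts(users[i]);
    return 0;
}
```

Where group membership drives access decisions, the cycle guard matters as much as the dedupe: a group that contains itself through a chain of nesting must not make the lookup recurse without end.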
