[PATCH] Remove fstring from wb_acct_info
Uri Simchoni
uri at samba.org
Thu Nov 1 06:00:47 UTC 2018
On 10/31/18 6:45 PM, Samuel Cabrero via samba-technical wrote:
> Hi,
>
> the attached patch removes two fstrings from wb_acct_info struct. The
> reason for this change is because the winbindd group enumeration
> backend functions (ADS in particular) try to allocate an array of
> wb_acct_info as long as the number of groups in the domain, which may
> result in a huge chunk of memory for domains with a large number of
> groups.
>
> Branch:
> https://gitlab.com/samuelcabrero/samba/commits/winbind_enum_grp_nomem
>
> CI:
> https://gitlab.com/samuelcabrero/samba/pipelines/34956873
>
>
> Please review and push if you agree.
>
A bit off-topic, but having been bitten in the past by this issue of
winbindd group enumeration and large domains:

1. No matter how optimized the memory layout, if your domain has 100K
groups you're going to lose. The sheer number of round-trips required to
fetch all those groups would make it unfeasible.

2. Large domains also tend to have non-out-of-the-box security
configuration. The server computer account, which winbindd uses, doesn't
always have the best authorization for making those queries.

For both those reasons I wouldn't use this API in a product that aims
at large enterprise domains. Straight LDAP searches (with a filter,
limiting the number of returned results, possibly with VLV control) are
better suited for that.

I think it was proposed in the past to remove that functionality from
winbindd.

Just my 2c,
Uri.