[PATCH] Remove fstring from wb_acct_info

Uri Simchoni uri at samba.org
Thu Nov 1 06:00:47 UTC 2018


On 10/31/18 6:45 PM, Samuel Cabrero via samba-technical wrote:
> Hi,
> 
> the attached patch removes two fstrings from wb_acct_info struct. The
> reason for this change is because the winbindd group enumeration
> backend functions (ADS in particular) try to allocate an array of
> wb_acct_info as long as the number of groups in the domain, which may
> result in a huge chunk of memory for domains with a large number of
> groups.
> 
> Branch:
> https://gitlab.com/samuelcabrero/samba/commits/winbind_enum_grp_nomem
> 
> CI:
> https://gitlab.com/samuelcabrero/samba/pipelines/34956873
> 
> 
> Please review and push if you agree.
> 

A bit off-topic, but having been bitten in the past by this issue of
winbindd group enumeration and large domains:

1. No matter how optimized the memory layout, if your domain has 100K
groups you're going to lose. The sheer number of round-trips required to
fetch all those groups would make it unfeasible.
2. Large domains also tend to have non-out-of-the-box security
configuration. The server computer account, which winbindd uses, doesn't
always have the best authorization for making those queries.

For both those reasons I wouldn't use this API in a product that aims
at large enterprise domains. Straight LDAP searches (with a filter,
limiting the number of returned results, possibly with VLV control) are
better suited for that.

I think it was proposed in the past to remove that functionality from
winbindd.

Just my 2c,
Uri.
