Problem with AD membership in an AD with more than 100.000 groups (possible regression in 4.12?)

Dr. Hansjörg Maurer hansjoerg.maurer at itsd.de
Mon May 17 17:18:29 UTC 2021


Hi

  - sorry for the noise, did not find the "plain switch" for our mail gateway -
here is the original mail (hopefully)
samba 4.12.3 on CentOS-8
I am trying to run a wbinfo -g on an AD member server in an AD with more than 100.000 groups and it shows no output

The samba log shows
   list_groups XXX
[2021/05/17 14:21:49.826967,  1] ../../librpc/ndr/ndr.c:632(_ndr_pull_error)
   ndr_pull_array_size: ndr_pull_error(Range Error): More than 65535 NDR tokens stored for array_size at ../../librpc/ndr/ndr.c:1093

wbinfo -g is still working with samba-4.10 on CentOS-7.
I am wondering if the following change

https://github.com/samba-team/samba/commit/7a0ed44b0e65e742a778915d493e17f04c43b2ef#diff-6a1478caa948ca1d186a648c470ded02699da3705181b633232d582a7c73576d

/*
  * This value is arbitary, but designed to reduce the memory a client
  * can allocate and the work the client can force in processing a
  * malicious packet.
  *
  * In an ideal world this would be controlled by range() restrictions
  * on array sizes and careful IDL construction to avoid arbitary
  * linked lists, but this is a backstop for now.
  */
#define NDR_TOKEN_MAX_LIST_SIZE 65535

leads to this error?

regards

Hansjörg











More information about the samba-technical mailing list
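
A simplified model of a capped token list, added here as an example; it is not Samba's code and not part of the original mail. It assumes each entry in a reply stores one array-size token that stays on the list for the rest of the parse, and shows such a cap accepting a 60,000-entry reply while rejecting a 100,000-entry one. Every name except `NDR_TOKEN_MAX_LIST_SIZE` is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Cap value quoted in the mail; all other names are hypothetical. */
#define NDR_TOKEN_MAX_LIST_SIZE 65535

enum tok_err { TOK_OK = 0, TOK_ERR_RANGE, TOK_ERR_NOMEM };
struct tok { const void *key; uint32_t value; };
struct tok_list { struct tok *tokens; uint32_t count, alloc; };

/* Remember one pending array size. The cap bounds both the memory a
 * peer can make the parser allocate and the length of the list that
 * later lookups have to scan. */
static enum tok_err tok_store(struct tok_list *l, const void *key, uint32_t value)
{
    if (l->count >= NDR_TOKEN_MAX_LIST_SIZE)
        return TOK_ERR_RANGE;              /* backstop: refuse to grow */
    if (l->count == l->alloc) {
        uint32_t n = l->alloc ? l->alloc * 2 : 16;
        if (n > NDR_TOKEN_MAX_LIST_SIZE)
            n = NDR_TOKEN_MAX_LIST_SIZE;   /* never allocate past the cap */
        struct tok *t = realloc(l->tokens, (size_t)n * sizeof(*t));
        if (t == NULL)
            return TOK_ERR_NOMEM;
        l->tokens = t;
        l->alloc = n;
    }
    l->tokens[l->count].key = key;
    l->tokens[l->count].value = value;
    l->count++;
    return TOK_OK;
}

/* Assumed parse model: one token per entry, never released.
 * Returns how many entries were accepted; *err holds the final status. */
static uint32_t pull_entries(uint32_t entries, enum tok_err *err)
{
    struct tok_list l = {0};
    uint32_t i;
    *err = TOK_OK;
    for (i = 0; i < entries; i++) {
        /* constructed stand-in for the per-array lookup key */
        *err = tok_store(&l, (const void *)(uintptr_t)(i + 1), i);
        if (*err != TOK_OK)
            break;
    }
    free(l.tokens);
    return i;
}

int main(void)
{
    enum tok_err e;
    uint32_t n = pull_entries(100000, &e);
    printf("accepted %u of 100000 entries, status %d\n", (unsigned)n, (int)e);
    return 0;
}
```

A fixed cap of this kind cannot tell a hostile packet from a large legitimate reply: both are rejected at the same entry count.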