Problem with AD membership in an AD with more the 100.000 group (possible regression in 4.12?)
Dr. Hansjörg Maurer
hansjoerg.maurer at itsd.de
Mon May 17 17:18:29 UTC 2021
Hi
- sorry for the noise, did not find the "plain switch" for our mail
gateway -
here the original mail (hopefully)
samba 4.12.3 on CentOS-8
I am trying to run a wbinfo -g on an AD memberserver in an AD with
more the 100.000 groups and it shows no output
The samba logs shows
list_groups XXX
[2021/05/17 14:21:49.826967, 1] ../../librpc/ndr/ndr.c:632(_ndr_pull_error)
ndr_pull_array_size: ndr_pull_error(Range Error): More than 65535 NDR
tokens stored for array_size at ../../librpc/ndr/ndr.c:1093
the wbinfo -g is still working with samba-4.10 on CentOS-7.
I am wondering it thhe following change
https://github.com/samba-team/samba/commit/7a0ed44b0e65e742a778915d493e17f04c43b2ef#diff-6a1478caa948ca1d186a648c470ded02699da3705181b633232d582a7c73576d
/*
* This value is arbitary, but designed to reduce the memory a client
* can allocate and the work the client can force in processing a
* malicious packet.
*
* In an ideal world this would be controlled by range() restrictions
* on array sizes and careful IDL construction to avoid arbitary
* linked lists, but this is a backstop for now.
*/
#define NDR_TOKEN_MAX_LIST_SIZE 65535
leads to this error?
regards
Hansjörg
----------------------------
Unser System ist mit einem Mailverschluesselungs-Gateway ausgestattet. Wenn Sie moechten, dass an Sie gerichtete E-Mails verschluesselt werden, senden Sie einfach eine S/MIME-signierte E-Mail oder Ihren PGP Public Key an hansjoerg.maurer at itsd.de.
Our system is equipped with an email encryption gateway. If you want email sent to you to be encrypted please send a S/MIME signed email or your PGP public key to hansjoerg.maurer at itsd.de.
More information about the samba-technical
mailing list