Problem with AD membership in an AD with more the 100.000 group (possible regression in 4.12?)

Dr. Hansjörg Maurer hansjoerg.maurer at
Mon May 17 17:18:29 UTC 2021


  - sorry for the noise, did not find the "plain switch" for our mail 
gateway -
here the original mail (hopefully)
samba 4.12.3 on CentOS-8
I am  trying to run a wbinfo -g on an AD memberserver in an  AD with 
more the 100.000 groups and it shows no output

The samba logs shows
   list_groups XXX
[2021/05/17 14:21:49.826967,  1] ../../librpc/ndr/ndr.c:632(_ndr_pull_error)
   ndr_pull_array_size: ndr_pull_error(Range Error): More than 65535 NDR 
tokens stored for array_size at ../../librpc/ndr/ndr.c:1093

the wbinfo -g is still working with samba-4.10 on CentOS-7.
I am wondering it thhe following change

  * This value is arbitary, but designed to reduce the memory a client
  * can allocate and the work the client can force in processing a
  * malicious packet.
  * In an ideal world this would be controlled by range() restrictions
  * on array sizes and careful IDL construction to avoid arbitary
  * linked lists, but this is a backstop for now.

leads to this error?



Unser System ist mit einem Mailverschluesselungs-Gateway ausgestattet. Wenn Sie moechten, dass an Sie gerichtete E-Mails verschluesselt werden, senden Sie einfach eine S/MIME-signierte E-Mail oder Ihren PGP Public Key an hansjoerg.maurer at

Our system is equipped with an email encryption gateway. If you want email sent to you to be encrypted please send a S/MIME signed email or your PGP public key to hansjoerg.maurer at

More information about the samba-technical mailing list