Problem with AD membership in an AD with more than 100.000 groups (possible regression in 4.12?)

Andrew Bartlett abartlet at
Tue May 18 03:15:15 UTC 2021

On Mon, 2021-05-17 at 19:18 +0200, Dr. Hansjörg Maurer via samba-technical wrote:
> Hi
>   - sorry for the noise, did not find the "plain switch" for our mail gateway -
> here the original mail (hopefully)
> samba 4.12.3 on CentOS-8
> I am trying to run a wbinfo -g on an AD memberserver in an AD with
> more than 100.000 groups and it shows no output
> The samba log shows
>    list_groups XXX
> [2021/05/17 14:21:49.826967,  1] ../../librpc/ndr/ndr.c:632(_ndr_pull_error)
>    ndr_pull_array_size: ndr_pull_error(Range Error): More than 65535 NDR tokens stored for array_size at ../../librpc/ndr/ndr.c:1093

Ouch.  This isn't good.

While of course you could locally patch to increase the limit, I'm
really not sure what to do here, because the way the NDR tokens are
handled, some of the behaviour is N^2, so large numbers are a really
bad idea.

Can you attach a debugger and break on that line?  (It might take some
trial/error to find the right process).  It would be helpful to know
exactly which structure can't be parsed.  If it is this one from
     NTSTATUS wbint_QueryGroupList(
	[out] wbint_Principals *groups

Then we have more hope of being able to modify the structure to be less

I wonder if changing to a different string type would help.  Thankfully
this isn't a public protocol, so we can be flexible.

Try the attached patch.  It uses an encoding that stores the strings as
<num bytes><string> rather than <num bytes><pointer> .... <string>,
which needs these 'tokens' to get between the stages.

Andrew Bartlett
Andrew Bartlett (he/him)
Samba Team Member (since 2001)
Samba Team Lead, Catalyst IT

Samba Development and Support, Catalyst IT - Expert Open Source

-------------- next part --------------
A non-text attachment was scrubbed...
Name: less-unique-pointers-in-winbind.patch
Type: text/x-patch
Size: 1087 bytes
Desc: not available
URL: <>
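
The two layouts contrasted in the message above, as an added example that is not part of the original mail and is not Samba's NDR code: a simplified model in which the deferred layout forces the decoder to keep one token per string between its two passes, while the inline layout keeps none. The wire format, the function names and the token bookkeeping are assumptions made for illustration; only the 65535 cap comes from the quoted log line.

```python
import struct

MAX_TOKENS = 65535  # cap taken from the log line quoted in the message


class RangeError(Exception):
    pass


def encode_deferred(names):
    """All <num bytes> headers first, all string bodies afterwards."""
    raw = [n.encode("utf-8") for n in names]
    head = b"".join(struct.pack("<I", len(r)) for r in raw)
    return struct.pack("<I", len(raw)) + head + b"".join(raw)


def decode_deferred(buf):
    """Pass 1 stores a size token per entry; pass 2 consumes the tokens."""
    (count,) = struct.unpack_from("<I", buf, 0)
    off, tokens, out = 4, [], []
    for _ in range(count):
        if len(tokens) >= MAX_TOKENS:
            raise RangeError("More than %d tokens stored" % MAX_TOKENS)
        tokens.append(struct.unpack_from("<I", buf, off)[0])
        off += 4
    for size in tokens:
        if size > len(buf) - off:
            raise ValueError("string runs past end of buffer")
        out.append(buf[off:off + size].decode("utf-8"))
        off += size
    return out, len(tokens)


def encode_inline(names):
    """<num bytes><string> per entry; nothing is deferred."""
    raw = [n.encode("utf-8") for n in names]
    body = b"".join(struct.pack("<I", len(r)) + r for r in raw)
    return struct.pack("<I", len(raw)) + body


def decode_inline(buf):
    """Single pass: each size is used immediately, so no tokens are kept."""
    (count,) = struct.unpack_from("<I", buf, 0)
    off, out = 4, []
    for _ in range(count):
        (size,) = struct.unpack_from("<I", buf, off)
        off += 4
        if size > len(buf) - off:
            raise ValueError("string runs past end of buffer")
        out.append(buf[off:off + size].decode("utf-8"))
        off += size
    return out, 0
```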
