[Samba] Problem with large NIS groups - Samba 2.2.8

Strong, Hugh A. hugh.strong at pw.utc.com
Fri Jun 13 12:27:13 GMT 2003


Hello from the Military-Industrial Complex!

We're a large defense contractor located in East Hartford, CT, USA.  US export
laws make us 'kind of' concerned about who gets in here and what they can
access.  We've got a problem with some of the groups that we have in our NIS
database.  Everyone who logs into our Sun system is assigned to one of several
groups for export-control purposes depending on the type of data they're allowed
to see.  This has generated a few very large groups spanning multiple lines and
sharing the same GID but not the same name.  In general, the sub-groups have
a number at the end of the name to differentiate them.  In total, there are 16,000
users in our passwd map.

The (expurgated) NIS group map for one of these would look a lot like this:

usa:*:21:
usa1:*:21:user1,...,user20
usa2:*:21:user21,...,user40
.....
usa235:*:21:   (That's right - over 200 sub-groups)

Now that I'm trying to grant Samba access to some of our on-site foreign national
employees and contractors, this is coming back to haunt us.  For reasons I won't
delve into, this requires securing shares via the "valid users" list.  The code called
by user_in_group_list (2.2.8) matches on group name, not GID, so we would have
to put an unmanageable list of groups into every share list and incur large
overhead.  I've tried to write some additional code to do a lookup by gid, but this
involves a sequential search and it turns out to be unacceptably expensive:

#include <grp.h>
#include <sys/types.h>

/* Walk the whole group database (every NIS sub-group) and collect the
 * members of every entry whose GID matches.  Linear in the size of the
 * group map, so it is run once per lookup. */
struct sys_userlist *get_users_in_group_by_gid(gid_t gid)
{
	struct sys_userlist *list_head = NULL;
	struct group *gptr;

	setgrent();
	while ((gptr = getgrent()) != NULL) {
		if (gid == gptr->gr_gid) {
			list_head = add_members_to_userlist(list_head, gptr);
			if (list_head == NULL) {
				endgrent();	/* close the enumeration on the error path too */
				return NULL;
			}
		}
	}
	endgrent();
	return list_head;
}

It all comes down to the fact that matches are not done against an 
instantiated user context with all groups mapped to GIDs. Is there any
way other than using netgroups to make these matches work efficiently? 
Has anyone tried adding some caching logic?

Hugh Strong
CSC Pratt & Whitney Account 
400 Main Street, East Hartford CT 06108, MS 163-17
Engineering Building, 3rd Floor East, J-7  
TechNet: 435-6851  External: (860) 565-6851 Fax: (860) 755-5182
hugh.strong at pw.utc.com 
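The caching idea the post asks about, as an added example that is not part of the original message or of Samba: scan the group map once, merge the members of every sub-group line that shares a GID into one table keyed by GID, and then answer "is this user in GID N?" without re-walking the map. The group-map lines below are constructed sample data in NIS group(5) syntax, and the function names (gid_cache_build, user_in_gid, gid_cache_member_count) are this example's own, not Samba's.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample NIS group map (not real data): "usa" is split into
 * numbered sub-groups that all carry GID 21; "export" is a second GID. */
static const char *sample_group_map[] = {
    "usa:*:21:",
    "usa1:*:21:user1,user2,user3",
    "usa2:*:21:user4,user5",
    "export:*:22:user2,user9",
    "usa235:*:21:user235",
    NULL
};

struct member { char *name; struct member *next; };

/* One entry per GID: the merged members of every group line carrying it. */
struct gid_entry { gid_t gid; struct member *members; size_t count; struct gid_entry *next; };

#define NBUCKETS 64
struct gid_cache { struct gid_entry *buckets[NBUCKETS]; };

static struct gid_entry *find_entry(const struct gid_cache *c, gid_t gid)
{
    for (struct gid_entry *e = c->buckets[gid % NBUCKETS]; e; e = e->next)
        if (e->gid == gid) return e;
    return NULL;
}

static struct gid_entry *find_or_add(struct gid_cache *c, gid_t gid)
{
    struct gid_entry *e = find_entry(c, gid);
    if (e) return e;
    if (!(e = calloc(1, sizeof(*e)))) return NULL;
    e->gid = gid;
    e->next = c->buckets[gid % NBUCKETS];
    c->buckets[gid % NBUCKETS] = e;
    return e;
}

/* Parse one "name:passwd:gid:m1,m2,..." line and merge its members by GID. */
static int cache_add_line(struct gid_cache *c, const char *line)
{
    const char *p = strchr(line, ':');          /* end of group name */
    if (!p || !(p = strchr(p + 1, ':'))) return -1;   /* end of password field */
    char *end;
    unsigned long g = strtoul(p + 1, &end, 10);
    if (end == p + 1 || *end != ':') return -1;
    struct gid_entry *e = find_or_add(c, (gid_t)g);
    char *list = e ? strdup(end + 1) : NULL, *save = NULL;
    if (!list) return -1;
    for (char *tok = strtok_r(list, ",", &save); tok; tok = strtok_r(NULL, ",", &save)) {
        struct member *m = malloc(sizeof(*m));
        if (!m || !(m->name = strdup(tok))) { free(m); free(list); return -1; }
        m->next = e->members;
        e->members = m;
        e->count++;
    }
    free(list);
    return 0;
}

void gid_cache_free(struct gid_cache *c)
{
    if (!c) return;
    for (size_t b = 0; b < NBUCKETS; b++)
        for (struct gid_entry *e = c->buckets[b], *en; e; e = en) {
            en = e->next;
            for (struct member *m = e->members, *mn; m; m = mn) { mn = m->next; free(m->name); free(m); }
            free(e);
        }
    free(c);
}

/* Build the GID table from a NULL-terminated array of group-map lines. */
struct gid_cache *gid_cache_build(const char **lines)
{
    struct gid_cache *c = calloc(1, sizeof(*c));
    for (; c && *lines; lines++)
        if (cache_add_line(c, *lines) != 0) { gid_cache_free(c); return NULL; }
    return c;
}

size_t gid_cache_member_count(const struct gid_cache *c, gid_t gid)
{
    const struct gid_entry *e = find_entry(c, gid);
    return e ? e->count : 0;
}

/* O(members of that GID) instead of O(whole group map) per query. */
int user_in_gid(const struct gid_cache *c, const char *user, gid_t gid)
{
    const struct gid_entry *e = find_entry(c, gid);
    for (const struct member *m = e ? e->members : NULL; m; m = m->next)
        if (strcmp(m->name, user) == 0) return 1;
    return 0;
}

int main(void)
{
    struct gid_cache *c = gid_cache_build(sample_group_map);
    if (!c) return 1;
    printf("gid 21 has %zu members; user5 in 21: %d; user9 in 21: %d\n",
           gid_cache_member_count(c, 21), user_in_gid(c, "user5", 21), user_in_gid(c, "user9", 21));
    gid_cache_free(c);
    return 0;
}
```

Against a live system the lines would come from one setgrent()/getgrent()/endgrent() pass instead of the constructed array, and the table would be rebuilt on a timer or when the map's modification time changes; the point is that the linear walk of the 200-odd sub-groups happens once per refresh rather than once per share access check.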