[Samba] Problem with large NIS groups - Samba 2.2.8

Strong, Hugh A. hugh.strong at pw.utc.com
Fri Jun 13 12:27:13 GMT 2003

Hello from the Military-Industrial Complex!

We're a large defense contractor located in East Hartford, CT, USA.  US
laws make us 'kind of' concerned about who gets in here and what they can 
access.  We've got a problem  with some of the groups that we have in our
database.  Everyone who logs into our Sun system is assigned to one of
groups for export-control purposes depending on the type of data they're
to see.  This has generated a few very large groups spanning multiple lines
sharing the same GID but not the same name.  In general, the sub-groups have
a number at the end of the name to differentiate them.  In total, there are
users in our passwd map.

The (expurgated) NIS group map for one of these would look a lot like this:

user235:*:21:   (That's right - over 200 sub-groups)

Now that I'm trying to grant Samba access to some of our on-site foreign
employees and  contractors, this is coming back to haunt us.  For reasons I
delve into, this requires securing shares via the "valid users" list.  The
code called
by user_in_group_list (2.2.8) matches on group name, not GID, so we would
to put an unmanageable list of groups into every share list and incur large 
overhead.   I've tried to write some additional code to do a lookup by gid,
but this 
involves a sequential search and it turns out to be unacceptably expensive:

struct sys_userlist *get_users_in_group_by_gid(gid_t gid)
	struct sys_userlist *list_head = NULL;
	struct group *gptr;

	while((gptr = getgrent()) != NULL) {
	  if (gid == gptr->gr_gid) {
	    list_head = add_members_to_userlist(list_head, gptr);
	    if (list_head == NULL)
	      return NULL;
	return list_head;

It all comes down to the fact that matches are not done against an 
instantiated user context with all groups mapped to GIDs. Is there any
way other than using netgroups to make these matches work efficiently? 
Has anyone tried adding some caching logic?

Hugh Strong
CSC Pratt & Whitney Account 
400 Main Street, East Hartford CT 06108, MS 163-17
Engineering Building, 3rd Floor East, J-7  
TechNet: 435-6851  External: (860) 565-6851 Fax: (860) 755-5182
hugh.strong at pw.utc.com 

More information about the samba mailing list