[Samba] Samba with winbindd AD Group access limit problem
Andreas
andreas at conectiva.com.br
Fri Oct 8 18:40:30 GMT 2004
On Thu, Oct 07, 2004 at 04:22:04PM -0400, PFreund at kichler.com wrote:
> I'm running Samba 3.0.2 on Solaris using winbindd to allow me to security
> tailor access to subdirectories on a Samba share. We assign the
> subdirectories within a Samba share to an Active Directory group name. This
> generally works fine but I am having user access issues from the Win2K / Win
> XP workstations that have mapped the share. The problem seems to be related
> to the number of groups / total length of group names the user is assigned
> to in Active Directory. If there are too many groups (or the aggregate
> length of all group names is too long), the user cannot access the secured
> directories even though they are a member of the group in AD. If I keep
> reducing the number of assigned groups in AD, the user can, at some point,
> gain access to the directories.
>
> Can someone tell me the following:
> 1. What limitation is causing this problem?
> 2. How do I remove the limitation?
I had this problem. Try this patch (for 3.0.7, I don't know if it applies to 3.0.2):
-------------- next part --------------
--- branches/SAMBA_3_0/source/nsswitch/winbind_nss_linux.c 2004/04/04 10:42:06 3
+++ branches/SAMBA_3_0/source/nsswitch/winbind_nss_linux.c 2004/09/20 20:18:19 2451
@@ -833,25 +833,38 @@
/* Skip primary group */
- if (gid_list[i] == group) continue;
+ if (gid_list[i] == group) {
+ continue;
+ }
- /* Add to buffer */
+ /* Filled buffer ? If so, resize. */
- if (*start == *size && limit <= 0) {
- (*groups) = realloc(
- (*groups), (2 * (*size) + 1) * sizeof(**groups));
- if (! *groups) goto done;
- *size = 2 * (*size) + 1;
+ if (*start == *size) {
+ long int newsize;
+ gid_t *newgroups;
+
+ newsize = 2 * (*size);
+ if (limit > 0) {
+ if (*size == limit) {
+ goto done;
+ }
+ newsize = newsize < limit ? newsize : limit;
+ }
+
+ newgroups = realloc((*groups), newsize * sizeof(**groups));
+ if (!newgroups) {
+ *errnop = ENOMEM;
+ ret = NSS_STATUS_NOTFOUND;
+ goto done;
+ }
+ *groups = newgroups;
+ *size = newsize;
}
- if (*start == *size) goto done;
+ /* Add to buffer */
(*groups)[*start] = gid_list[i];
*start += 1;
-
- /* Filled buffer? */
-
- if (*start == limit) goto done;
}
}
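Review bot: in the resize branch, newsize = 2 * (*size) drops the "+ 1" that the removed code had, so a caller arriving with *size == 0 gets a new size of 0: the buffer never grows, and the store (*groups)[*start] = gid_list[i] that follows has no room. Keep a minimum of one element, or reject a zero size before the loop. The limit test if (*size == limit) is also an exact-equality check: if *size is already above limit, newsize is clamped down to limit and the realloc shrinks the array while *start still equals the old size, so *size >= limit would be the safer comparison. Assigning the realloc result to newgroups before touching *groups, and setting *errnop on failure, is the right shape; a guard against newsize * sizeof(**groups) overflowing would complete it.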