[Samba] Samba with winbindd AD Group access limit problem

Andreas andreas at conectiva.com.br
Fri Oct 8 18:40:30 GMT 2004


On Thu, Oct 07, 2004 at 04:22:04PM -0400, PFreund at kichler.com wrote:
> I'm running Samba 3.0.2 on Solaris using winbindd to allow me to security
> tailor access to subdirectories on a Samba share. We assign the
> subdirectories within a Samba share to an Active Directory group name. This
> generally works fine but I am having user access issues from the Win2K / Win
> XP workstations that have mapped the share. The problem seems to be related
> to the number of groups / total length of group names the user is assigned
> to in Active Directory. If there are too many groups (or the aggregate
> length of all group names is too long), the user cannot access the secured
> directories even though they are a member of the group in AD. If I keep
> reducing the number of assigned groups in AD, the user can, at some point,
> gain access to the directories.
> 
> Can someone tell me the following:
> 1. What limitation is causing this problem?
> 2. How do I remove the limitation?

I had this problem. Try this patch (for 3.0.7, I don't know if it applies to 3.0.2):


-------------- next part --------------
--- branches/SAMBA_3_0/source/nsswitch/winbind_nss_linux.c	2004/04/04 10:42:06	3
+++ branches/SAMBA_3_0/source/nsswitch/winbind_nss_linux.c	2004/09/20 20:18:19	2451
@@ -833,25 +833,38 @@
 
 			/* Skip primary group */
 
-			if (gid_list[i] == group) continue;
+			if (gid_list[i] == group) {
+				continue;
+			}
 
-			/* Add to buffer */
+			/* Filled buffer ? If so, resize. */
 
-			if (*start == *size && limit <= 0) {
-				(*groups) = realloc(
-					(*groups), (2 * (*size) + 1) * sizeof(**groups));
-				if (! *groups) goto done;
-				*size = 2 * (*size) + 1;
+			if (*start == *size) {
+				long int newsize;
+				gid_t *newgroups;
+
+				newsize = 2 * (*size);
+				if (limit > 0) {
+					if (*size == limit) {
+						goto done;
+					}
+					newsize = newsize < limit ? newsize : limit;
+				}
+
+				newgroups = realloc((*groups), newsize * sizeof(**groups));
+				if (!newgroups) {
+					*errnop = ENOMEM;
+					ret = NSS_STATUS_NOTFOUND;
+					goto done;
+				}
+				*groups = newgroups;
+				*size = newsize;
 			}
 
-			if (*start == *size) goto done;
+			/* Add to buffer */
 
 			(*groups)[*start] = gid_list[i];
 			*start += 1;
-
-			/* Filled buffer? */
-
-			if (*start == limit) goto done;
 		}
 	}
 	
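
Review bot: in the new resize block, `if (*size == limit)` stops growth only on exact equality. If a caller passes a buffer already larger than a positive `limit`, control falls through to `newsize = newsize < limit ? newsize : limit;`, and realloc shrinks the array below `*start` just before `(*groups)[*start] = gid_list[i];` writes to it. Testing `*size >= limit` would close that. The same block uses `newsize = 2 * (*size);` where the removed code used `2 * (*size) + 1`, so a `*size` of 0 asks realloc for zero bytes: that either frees the array and returns NULL, leaving `*groups` pointing at freed memory on the ENOMEM path, or returns a zero-length block that the store then overruns. Keeping the `+ 1` or enforcing a minimum of 1 avoids both. The multiplication `newsize * sizeof(**groups)` with a signed `long int` is also unchecked for overflow, so a bound check before the realloc call would be worth adding.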

