[Samba] Problem with number of groups of AD User (token size ?)

Joe Ammann joe at pyx.ch
Wed Feb 10 08:20:01 MST 2010


On Wed, February 10, 2010 15:08, Joe Ammann wrote:
> Sorry for the delay. I tried to reproduce this in a lab setup, but was
> unable to. Even with a user that is a member of 1000 groups, accessing and
> permission check works. So it's probably not an issue with the sheer
> number of groups.
>
> So I investigated a bit more in the production environment

Some more testing revealed that the group lookups actually seem to work:

For the user that works

# wbinfo --user-domgroups=S-1-5-21-1204043072-522325977-1734762113-122312
S-1-5-21-1204043072-522325977-1734762113-122312
.... and so on, total 97 sids

For the user that does not work

# wbinfo --user-domgroups=S-1-5-21-1204043072-522325977-1734762113-124446
S-1-5-21-1204043072-522325977-1734762113-124446
.... and so on, total 131 sids

Also, wbinfo -r does work for both users:

# wbinfo -r xxxxxx | wc -l
225
# wbinfo -r xxxxxxa | wc -l
313

It really looks like the "only" thing that does not work is the user
information lookup. But I don't understand what could fail there?? Besides
the name and the SID (to construct the UID/GID), I can't see what
information is taken from AD??

I'm confused ..

CU, Joe

