[Samba] samba always expanding nested groups
Peacock,Josh
Josh.Peacock at SanfordHealth.org
Thu Oct 6 13:04:42 MDT 2011
I am having a problem with Samba still core dumping on AIX 6.1 when my AD user has 13 groups I am a member of.
I have the following directives set
winbind nested groups = no
winbind expand groups = 0
With this configuration I thought that Samba wouldn't try to find all the groups that my original 13 groups are also members of, however samba continues to core dump on sys_setgroups. Am I missing something in the configuration or my understanding of the directives listed above?
On AIX 7.1 changing the new tunable has shown to work flawlessly but IBM has said there is no plans to back port this tunable into AIX 6.1.
I applied the following patch are recompiled with no help.
From 1958f6034916746363fcbfa504c84dc6a13be495 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 23 Feb 2011 17:09:58 +0100
Subject: [PATCH] s3: Respect "winbind nested groups" in wb_gettoken_gotgroups
---
source3/winbindd/wb_gettoken.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/source3/winbindd/wb_gettoken.c b/source3/winbindd/wb_gettoken.c
index f2fbe4c..27d8c9a 100644
--- a/source3/winbindd/wb_gettoken.c
+++ b/source3/winbindd/wb_gettoken.c
@@ -103,6 +103,11 @@ static void wb_gettoken_gotgroups(struct tevent_req *subreq)
state->num_sids += 1;
state->sids = sids;
+ if (!lp_winbind_nested_groups()) {
+ tevent_req_done(req);
+ return;
+ }
+
/*
* Expand our domain's aliases
*/
--
1.7.0.4
I also recompiled commenting out the panic when the number of groups exceeds NGROUPS_MAX (which is hard coded to 128 in AIX 6.1).
Thanks
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Peacock,Josh
Sent: Monday, October 03, 2011 11:55 AM
To: samba at lists.samba.org
Subject: [Samba] samba always expanding nested groups
Volker was working with someone back in Feb on this issue and sent a patch to him but was wondering if that worked and if there was an official fix in the works.
What is happening is even after setting "winbind expand groups = 0" the 13 groups currently assigned to my user are expanding into 220 groups. This also breaks smbd by causing a panic and throwing the sys_set_groups error. Running on AIX 6.1 TL 6 SP 5. I have tried this on 3.5.8 and 3.6.0.
Also AIX has made maximum number of groups per user a system parameter tunable between 128 and 2048 in AIX 7.1. If samba could find a way to accommodate this new parameter it would be great.
Thanks,
Josh
Josh Peacock
UNIX Administrator
-----------------------------------------------------------------------
Confidentiality Notice: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
privileged and confidential information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply e-mail and destroy
all copies of the original message.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
-----------------------------------------------------------------------
Confidentiality Notice: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
privileged and confidential information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply e-mail and destroy
all copies of the original message.
More information about the samba
mailing list