Hans B. Randgaard
2002-Jun-11  05:39 UTC
[Samba] Is there a limit in the number of users in a NT group used by winbind?
First of all, I would like to thank everyone in the Samba Team for an
outstanding tool.
I have set up Samba 2.2.4 on a Solaris-8 server using winbind and ACL.
(config file at the end).
It works quite well, but I have a problem with certain global NT groups
in a trusted domain. I can do both:
"wbinfo -u" and "wbinfo -g"
to get all users and groups in all the domains. "getent passwd" also
works OK, but "getent group" ONLY returns the UNIX groups.
winbind is added to /etc/nsswitch.conf for both passwd and group.
One of the global NT groups that gives problems has 1949 members.
If I add this group to the ACL of a file using the NT-explorer (NT-4.0)
and do "getfacl" on Solaris, it hangs when it reaches this particular
group. The same happens if I do "getent group <problem group>".
My questions are:
1. Is there a limit in how many users winbind can handle inside NT
   groups?
2. Can it be a timeout problem, since the trusted domain in which
   the group is located acts much slower than our primary domain?
3. Have any of you seen similar behaviour ?
Thanks in advance.
Best regards, Hans.
Hans Randgaard
Phone: +45 3363 4002
smb.conf:
----------------------------------------------------------------------------
[global]
        workgroup = WG1
        netbios name = SAMBA01
        security = DOMAIN
        interfaces = ge0 1.0.0.0/255.0.0.0 2.1.1.0/255.255.255.0 3.1.0.0/255.255.0.0
        wins server = 1.1.1.1
        encrypt passwords = Yes
        password server = dc01, dc02
        username map = /usr/local/samba/lib/users.map
        admin users = WG1+testuser
        log file = /usr/local/samba/var/log.%m
        max log size = 100
        deadtime = 180
        character set = ISO8859-1
        local master = No
        valid chars = ?:?
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind separator = +
        winbind cache time = 3600
[share1]
        comment = testshare 1
        path = /test1
        read only = No
        browsable = Yes
[share2]
        path = /test2
        browseable = Yes
----------------------------------------------------------------------------