samba - Oct 2004 - Samba with winbindd AD Group access limit problem

I'm running Samba 3.0.2 on Solaris using winbindd to allow me to security
tailor access to subdirectories on a Samba share. We assign the
subdirectories within a Samba share to an Active Directory group name. This
generally works fine but I am having user access issues from the Win2K / Win
XP workstations that have mapped the share. The problem seems to be related
to the number of groups / total length of group names the user is assigned
to in Active Directory. If there are too many groups (or the aggregate
length of all group names is too long), the user cannot access the secured
directories even though they are a member of the group in AD. If I keep
reducing the number of assigned groups in AD, the user can, at some point,
gain access to the directories.

Can someone tell me the following:
1. What limitation is causing this problem?
2. How to I remove the limitation?
Phil Freund 
System Administrator 
Kichler Lighting Group

On Thu, Oct 07, 2004 at 04:22:04PM -0400, PFreund@kichler.com
wrote:
> I'm running Samba 3.0.2 on Solaris using winbindd to allow me to
security
> tailor access to subdirectories on a Samba share. We assign the
> subdirectories within a Samba share to an Active Directory group name. This
> generally works fine but I am having user access issues from the Win2K /
Win
> XP workstations that have mapped the share. The problem seems to be related
> to the number of groups / total length of group names the user is assigned
> to in Active Directory. If there are too many groups (or the aggregate
> length of all group names is too long), the user cannot access the secured
> directories even though they are a member of the group in AD. If I keep
> reducing the number of assigned groups in AD, the user can, at some point,
> gain access to the directories.
> 
> Can someone tell me the following:
> 1. What limitation is causing this problem?
> 2. How to I remove the limitation?
I had this problem. Try this patch (for 3.0.7, I don't know if it applies to
3.0.2):


-------------- next part --------------
--- branches/SAMBA_3_0/source/nsswitch/winbind_nss_linux.c	2004/04/04 10:42:06	3
+++ branches/SAMBA_3_0/source/nsswitch/winbind_nss_linux.c	2004/09/20 20:18:19
2451
@@ -833,25 +833,38 @@
 
 			/* Skip primary group */
 
-			if (gid_list[i] == group) continue;
+			if (gid_list[i] == group) {
+				continue;
+			}
 
-			/* Add to buffer */
+			/* Filled buffer ? If so, resize. */
 
-			if (*start == *size && limit <= 0) {
-				(*groups) = realloc(
-					(*groups), (2 * (*size) + 1) * sizeof(**groups));
-				if (! *groups) goto done;
-				*size = 2 * (*size) + 1;
+			if (*start == *size) {
+				long int newsize;
+				gid_t *newgroups;
+
+				newsize = 2 * (*size);
+				if (limit > 0) {
+					if (*size == limit) {
+						goto done;
+					}
+					newsize = newsize < limit ? newsize : limit;
+				}
+
+				newgroups = realloc((*groups), newsize * sizeof(**groups));
+				if (!newgroups) {
+					*errnop = ENOMEM;
+					ret = NSS_STATUS_NOTFOUND;
+					goto done;
+				}
+				*groups = newgroups;
+				*size = newsize;
 			}
 
-			if (*start == *size) goto done;
+			/* Add to buffer */
 
 			(*groups)[*start] = gid_list[i];
 			*start += 1;
-
-			/* Filled buffer? */
-
-			if (*start == limit) goto done;
 		}
 	}

Thank you. I used the opportunity to upgrade to 3.0.7 and applied the patch. It
appears to work perfectly. Do you know if this will be in the next distribution?

Phil

-----Original Message-----
From: Andreas [mailto:andreas@conectiva.com.br]
Sent: Friday, October 08, 2004 2:41 PM
To: PFreund@kichler.com
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba with winbindd AD Group access limit problem


On Thu, Oct 07, 2004 at 04:22:04PM -0400, PFreund@kichler.com
wrote:
> I'm running Samba 3.0.2 on Solaris using winbindd to allow me to
security
> tailor access to subdirectories on a Samba share. We assign the
> subdirectories within a Samba share to an Active Directory group name. This
> generally works fine but I am having user access issues from the Win2K /
Win
> XP workstations that have mapped the share. The problem seems to be related
> to the number of groups / total length of group names the user is assigned
> to in Active Directory. If there are too many groups (or the aggregate
> length of all group names is too long), the user cannot access the secured
> directories even though they are a member of the group in AD. If I keep
> reducing the number of assigned groups in AD, the user can, at some point,
> gain access to the directories.
> 
> Can someone tell me the following:
> 1. What limitation is causing this problem?
> 2. How to I remove the limitation?
I had this problem. Try this patch (for 3.0.7, I don't know if it applies to
3.0.2):