Joe Ammann
2010-Feb-04 09:07 UTC
[Samba] Problem with number of groups of AD User (token size ?)
Hi all

On a CentOS 5.4 system with Samba 3.0.33 (member server of an AD domain in 2003 native mode) I have the problem that certain users can't use the shares (can't logon), while others can.

I *think* this is related to the fact that those users unable to connect are member of a huge number of groups (100+).

We know from experience that this is a problem in Windows itself (need to set MaxTokenSize as discussed here http://support.microsoft.com/kb/327825) or with Apache mod_auth_kerb (need to set LimitRequestFieldSize in Apache).

Unfortunately, I was unable to find any clear indication that this might also be a problem with Samba/Winbind, let alone find a solution for it. And I must admit that I don't have any log entries that actually point me in this direction, so it's more of a "feeling" :-/

I just wanted to ask if that (users being member of a huge number of AD groups and thus their Kerberos ticket getting really big) can be at all a problem with Samba/Winbind and that I should investigate more thoroughly along this line?

-- 
CU, Joe
Jeremy Allison
2010-Feb-04 23:02 UTC
[Samba] Problem with number of groups of AD User (token size ?)
On Thu, Feb 04, 2010 at 10:07:57AM +0100, Joe Ammann wrote:
> Hi all
> 
> On a CentOS 5.4 system with Samba 3.0.33 (member server of an AD domain in
> 2003 native mode) I have the problem that certain users can't use the shares
> (can't logon), while others can.
> 
> I *think* this is related to the fact that those users unable to connect are
> member of a huge number of groups (100+).
> 
> We know from experience that this is a problem in Windows itself (need to set
> MaxTokenSize as discussed here http://support.microsoft.com/kb/327825) or with
> Apache mod_auth_kerb (need to set LimitRequestFieldSize in Apache).
> 
> Unfortunately, I was unable to find any clear indication that this might also
> be a problem with Samba/Winbind, let alone find a solution for it. And I must
> admit that I don't have any log entries that actually point me in this
> direction, so it's more of a "feeling" :-/
> 
> I just wanted to ask if that (users being member of a huge number of AD groups
> and thus their Kerberos ticket getting really big) can be at all a problem
> with Samba/Winbind and that I should investigate more thoroughly along this
> line?

It could be. We depend on the underlying krb5 libraries to do this right (fallback to TCP to get the ticket if it's too large for UDP). What error messages do you get in the logs ?

Jeremy.
Joe Ammann
2010-Feb-10 15:20 UTC
[Samba] Problem with number of groups of AD User (token size ?)
On Wed, February 10, 2010 15:08, Joe Ammann wrote:
> Sorry for the delay. I tried to reproduce this in a lab setup, but was
> unable to. Even with a user that is a member of 1000 groups, accessing and
> permission check works. So it's probably not an issue with the sheer
> number of groups.
> 
> So I investigated a bit more in the production environment

Some more testing revealed that actually the group lookups seem to work:

For the user that works

# wbinfo --user-domgroups=S-1-5-21-1204043072-522325977-1734762113-122312
S-1-5-21-1204043072-522325977-1734762113-122312
.... and so on, total 97 sids

For the user that does not work

# wbinfo --user-domgroups=S-1-5-21-1204043072-522325977-1734762113-124446
S-1-5-21-1204043072-522325977-1734762113-124446
.... and so on, total 131 sids

Also, wbinfo -r does work for both users:

# wbinfo -r xxxxxx | wc -l
225
# wbinfo -r xxxxxxa | wc -l
313

It really looks like the "only" thing that does not work is the user information lookup. But I don't understand what could fail there?? Besides the name and the SID (to construct the UID/GID), I can't see what information is taken from AD??

I'm confused ..

CU, Joe
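The checks Joe runs by hand above (domain-group SIDs for the user's SID, `wbinfo -r` group count, and the user-information lookup that is the one piece failing for him) can be scripted so that a set of working and non-working accounts is compared in one pass. The script below is an added example, not part of the thread or of Samba; it assumes `wbinfo` is on PATH and that winbindd is running as a member of the domain. The user-information lookup is done with `wbinfo -i` (which is what "user information lookup" maps to in the wbinfo tool); the user-name arguments are placeholders you supply.

```shell
#!/bin/sh
# Added diagnostic for the symptom discussed in the thread: for each user name
# given on the command line, report how many domain-group SIDs winbind
# resolves for the user, how many groups `wbinfo -r` returns, and whether the
# user-info lookup (`wbinfo -i`) succeeds. Assumes wbinfo is on PATH and
# winbindd is joined to the domain.

# SID of a user name, taken from the first field of `wbinfo -n` output
# ("S-1-5-21-... SID_USER (1)").
sid_of() {
    wbinfo -n "$1" 2>/dev/null | awk '{ print $1; exit }'
}

# Number of SIDs printed by `wbinfo --user-domgroups=SID` (every output line is
# one SID, which is what "total 97 sids" in the thread counts).
domgroup_count() {
    wbinfo --user-domgroups="$1" 2>/dev/null | grep -c .
}

# Number of GIDs printed by `wbinfo -r USER` (the `wbinfo -r ... | wc -l`
# check from the thread).
rid_group_count() {
    wbinfo -r "$1" 2>/dev/null | grep -c .
}

# Succeeds (exit 0) when the user-information lookup works, i.e. winbind can
# turn the name into uid/gid/home/shell; fails otherwise.
user_info_ok() {
    wbinfo -i "$1" >/dev/null 2>&1
}

# One summary line per user so working and failing accounts can be compared:
# if domgroups and rgroups resolve but userinfo says FAIL, the group lookups are
# not the failing step, which is exactly the situation described in the thread.
report() {
    name="$1"
    sid=$(sid_of "$name")
    if [ -z "$sid" ]; then
        printf '%s: name lookup failed\n' "$name"
        return 1
    fi
    groups=$(domgroup_count "$sid")
    rgroups=$(rid_group_count "$name")
    if user_info_ok "$name"; then info=ok; else info=FAIL; fi
    printf '%s sid=%s domgroups=%s rgroups=%s userinfo=%s\n' \
        "$name" "$sid" "$groups" "$rgroups" "$info"
}

# Usage: ./wbcheck.sh working_user failing_user ...
for u in "$@"; do
    report "$u"
done
```

Run it once with an account that can log on and once with one that cannot; because the two group counts in the thread (97 and 131 SIDs) both resolved, a difference in the `userinfo` column rather than in the group columns is what points at the lookup winbind performs for uid/gid construction, not at the number of groups.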