The Samba-Bugzilla – Bug 1030
winbind, fail to get domain groups with a lot of users (more than 400)
Last modified: 2005-08-24 10:18:22 UTC
Note: I have this problem ONLY on 3.0.2rc1 and 3.0.2rc2, it works perfectly on
When I ask for groups with "getent group", the groups that have a lot of users
(I have a "Domain Users" group with 400 users) are not in the list, all the
others are in the list.
With "wbinfo -g" I see the group names.
- the domain is a NT 4 domain
- compiled samba with --with-winbind and --with-acl-support on Solaris 8
I don't know how important this is but I have found this issue with Samba 3.0.0,
3.0.1 and 3.0.2. This is on Solaris 8 with 3973 user accounts and most recent
Sun recommended patch cluster as of 26/2/2004.
thanks Andy. "pubsyssamba @ bbc.co.uk"
I am using Samba 3.0.2a, along with Solaris 9, I applied the latest patch on
I also tried out Mr. John H. Terpstra's notes on Samba & Solaris 9 at
http://samba.org/~jht/Notes/Samba-Install-Solaris9.txt. But it does not help. I
still have the same problem.
This is a domain member server. I tried to join it to Win2K Active Directory or
NT Domain Controller, but the problem is still the same thing. The following
is some output from my system. I've been trying to get this problem solved
for over several months. I tried out every new version of Samba 3, but still
the same thing ;-(
bash-2.05$ ../bin/wbinfo -g | wc -l
bash-2.05$ getent group | wc -l
bash-2.05$ ../bin/wbinfo -u | wc -l
We haven't seen a problem with "getent group", but we do have a problem
where "id -a <user>" does not return all supplementary groups if one of those
has a large number of users. Reading the comments below, this appears it is
The problem is caused by a Solaris limitation. The max size for a group entry
buffer in Solaris 8 is 7296 bytes [limits.h and sysconf(_SC_GETGR_R_SIZE_MAX)].
Function fill_grent in winbindd_nss_linux.c uses the 7296 byte buffer passed in
by Solaris (via _nss_winbind_getgrent_solwrap in the case I looked at). For
groups with large numbers of users, this structure fills up, causing fill_grent
to return the members found thus far with an NSS_STATUS_TRYAGAIN return code.
Solaris does not try again, but stops the group lookup. This also causes all
remaining groups that have yet to be sent to getgrent to be ignored.
I looked into this a bit and found no way to increase this buffer size or
otherwise return all groups (not to say there isn't a way). It is possible to
intercept the NSS_STATUS_TRYAGAIN in the Solaris wrapper and return
NSS_STATUS_SUCCESS instead. The problematic group will then be returned, albeit
with only the members that would fit in the buffer. It would also allow the
follow-on groups to be returned, instead of stopping with the problematic group.
The only other [weak] idea I have is to somehow return the remaining groups in
a subsequent query, similar to entering multiple lines in /etc/group. I don't
see how to reliably do this, though, since Solaris is looping using a group
list it previously obtained via enum_dom_groups.
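
An added sizing check for the buffer limit described in the comment above (not code from this thread or from Samba): it estimates how many members of a group fit in the 7296-byte buffer, the point at which a lookup hits NSS_STATUS_TRYAGAIN or, if that status is masked, returns a short member list. The entry layout is a simplified assumption, and the function names and DOMAIN\userNNNN sample members are constructed for illustration.

```c
/* Added example, not Samba's fill_grent: simplified model where an entry
 * needs (n+1) member pointers + name + passwd + member strings. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define SOLARIS8_GRBUF 7296 /* Solaris 8 limit quoted in the comment above */
#define SAMPLE_MAX 400      /* constructed group size, as in the report */

size_t grent_bytes(const char *name, const char *pw, const char **mem, size_t n)
{
    size_t need = (n + 1) * sizeof(char *) + strlen(name) + 1 + strlen(pw) + 1;
    for (size_t i = 0; i < n; i++)
        need += strlen(mem[i]) + 1;
    return need;
}

/* Leading members that fit in buflen; fewer than n means truncation. */
size_t members_that_fit(const char *name, const char *pw, const char **mem,
                        size_t n, size_t buflen)
{
    size_t k = 0, used = sizeof(char *) + strlen(name) + 1 + strlen(pw) + 1;
    if (used > buflen) return 0;
    for (; k < n; k++) {
        size_t add = sizeof(char *) + strlen(mem[k]) + 1;
        if (add > buflen - used) break;
        used += add;
    }
    return k;
}

/* Constructed sample data: members named DOMAIN\userNNNN. */
const char **sample_members(size_t n)
{
    static char names[SAMPLE_MAX][24];
    static const char *ptrs[SAMPLE_MAX];
    for (size_t i = 0; i < n && i < SAMPLE_MAX; i++) {
        snprintf(names[i], sizeof names[i], "DOMAIN\\user%04u", (unsigned)i);
        ptrs[i] = names[i];
    }
    return ptrs;
}

int main(void)
{
    const char **m = sample_members(SAMPLE_MAX);
    printf("need=%zu fit=%zu local_limit=%ld\n",
           grent_bytes("Domain Users", "x", m, SAMPLE_MAX),
           members_that_fit("Domain Users", "x", m, SAMPLE_MAX, SOLARIS8_GRBUF),
           sysconf(_SC_GETGR_R_SIZE_MAX));
}
```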
I'd retest against 3.0.11. Lots of winbind changes. reopen if you
find the bug still exists. Thanks.
(In reply to comment #4)
> I'd retest against 3.0.11. Lots of winbind changes. reopen if you
> find the bug still exists. Thanks.
This still happens under Solaris 9 (Solaris 5.9 Generic_118558-06) on SPARC,
with Samba 3.0.14a. It seems to be referenced in a few other bugs, related (it
seems) to very large numbers of users in groups on Solaris.
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.