See bug 279 for my idea on a workaround/solution. I understand this is not a bug; it is caused by a limitation in the unix operating system. However, this is not a reason not to try to find a solution for it. As winbind strives to integrate a windows domain with a samba unix member... I think we should tackle the NGROUPS_MAX limit. In the case where I have a samba 3 domain MEMBER of a windows Active Directory. I would be very happy with a facility to set up a groups_mapping.txt file which lists all the groups that I want to "accept" on the unix side. The other groups that a user may have will simply be filtered out. On the domain where I'm testing samba as a domain member I find 119 groups defined; of course a user does not have all these groups, but it is likely that for all kinds of windows-related reasons a user gets assigned > 16 groups (the limit on Solaris 8..!). For the users accessing my share on unix I'm only interested in testing 1 specific group; the share I'm using will set "force group=+sambagroup" so that only windows users that have this specific sambagroup can see and use this share and see each other's documents on this share. If any user has more than 16 groups, currently the whole implementation of winbind needs to be cancelled in the current version; winbind will become unreliable as you never know which groups will be shown in the first 16 'visible' unix groups and which not...! A mapping file should never contain more than NGROUPS_MAX entries. winbind should check NGROUPS_MAX and give a severe warning if any user has more than NGROUPS_MAX groups assigned... something needs to be done on this :--)
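
The warning asked for in the comment above can be approximated from the outside with a small audit script. This is an added example, not part of the bug report and not Samba code; the function names are hypothetical, and it assumes `id -G USER` and `getent group` report the full winbind membership through NSS.

```shell
#!/bin/sh
# Added example: flag users whose group count exceeds NGROUPS_MAX, because
# access through "force group=+sambagroup" is then unreliable for them.
# Numeric GIDs are used since Windows group names may contain spaces.

# count_groups "10 20 30" -> prints the number of GIDs in the list
count_groups() {
    set -- $1
    echo "$#"
}

# has_gid "10 20 30" 20 -> returns 0 if the GID is in the list
has_gid() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# check_membership USER "GIDS" LIMIT REQUIRED_GID -> prints one status line:
#   NOT_MEMBER  user lacks the required group altogether
#   OVER_LIMIT  user has it, but holds more groups than the OS limit,
#               so the required group may fall outside the visible set
#   OK          user has it and is within the limit
check_membership() {
    user=$1 gids=$2 limit=$3 required=$4
    n=$(count_groups "$gids")
    if ! has_gid "$gids" "$required"; then
        echo "NOT_MEMBER $user groups=$n limit=$limit"
    elif [ "$n" -gt "$limit" ]; then
        echo "OVER_LIMIT $user groups=$n limit=$limit"
    else
        echo "OK $user groups=$n limit=$limit"
    fi
}

# Live use: sh check_groups.sh sambagroup USER [USER...]
if [ "$#" -ge 2 ]; then
    limit=$(getconf NGROUPS_MAX)
    required=$(getent group "$1" | cut -d: -f3)
    shift
    for u in "$@"; do
        check_membership "$u" "$(id -G "$u")" "$limit" "$required"
    done
fi
```
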
Check https://bugzilla.samba.org/show_bug.cgi?id=1184 for another possible solution. With that patch, you can apply an ldap filter, or change the ou search path to limit the groups returned.
Sorry. No static mapping files.