Bug 14843 - Domain users belong to 2000 groups winfo -r error
Summary: Domain users belong to 2000 groups winfo -r error
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.11.7
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2021-09-24 08:14 UTC by zhangjingjun
Modified: 2022-01-17 17:31 UTC

Description zhangjingjun 2021-09-24 08:14:50 UTC
/usr/local/samba/bin/wbinfo -r TT\\xwj
failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
Could not get groups for user TT\xwj

This is a must-have problem
User TT\xwj belongs to 2000 user groups

I added some logs to show:
[2021/09/23 22:45:25.860338, 10, pid=207028, effective(0, 0), real(0, 0)] 207028 (dcerpc_binding_handle_raw_call_recv)   enter req:0x5567d8793200 mem_ctx:0x5567d8178930 out_data:0x5567d8178968 out_length:0x5567d8178970 out_flags:0x7ffcd1b9e62c
[2021/09/23 22:45:25.860346, 10, pid=207028, effective(0, 0), real(0, 0)] 207028 (dcerpc_binding_handle_raw_call_recv)   exit req:0x5567d8793200 out_data:0x5567d8178968 out_length:24 out_flags:0 status:NT_STATUS_OK
[2021/09/23 22:45:25.860369, 10, pid=207028, effective(0, 0), real(0, 0)] 207028 (dcerpc_binding_handle_call_done)   exit req:0x5567d8178780
[2021/09/23 22:45:25.860389, 10, pid=207028, effective(0, 0), real(0, 0), class=winbind] 207028 (wb_sids2xids_lookupsids_done)   enter subreq:0x5567d8ed7880
[2021/09/23 22:45:25.860405, 10, pid=207028, effective(0, 0), real(0, 0), class=winbind] 207028 (wb_sids2xids_recv)   enter req:0x5567d8ed7480 xids:0x5567d8ecc060 num_xids:2052
[2021/09/23 22:45:25.860412,  0, pid=207028, effective(0, 0), real(0, 0), class=winbind] 207028 (wb_sids2xids_recv)   exit wb_sids_to_xids failed: NT_STATUS_INVALID_PARAMETER
[2021/09/23 22:45:25.860422,  5, pid=207028, effective(0, 0), real(0, 0), class=winbind] 207028 (winbindd_getgroups_recv)   Could not convert sid S-1-5-21-3900811479-1239833217-1972042563-166918: NT_STATUS_INVALID_PARAMETER

dcerpc_binding_handle_raw_call_recv is OK, but wb_sids2xids_recv gets NT_STATUS_INVALID_PARAMETER.

I found that ndr_pull_lsa_TransNameArray2 reports an error when count > 1000; count is the number of groups, 2052.

Found in Microsoft's documentation:
https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsalookupnames2
https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsalookupnames

lsalookupnames Count
Specifies the number of names in the Names array. This is also the number of entries returned in the Sids array. This value must be less than or equal to 1000.

lsalookupnames2 Count
Specifies the number of names in the Names array. This is also the number of entries returned in the Sids array.

In file librpc/idl/lsa.idl, line 1142:

	typedef struct {
		[range(0,1000)] uint32 count;
		[size_is(count)] lsa_TranslatedName2 *names;
	} lsa_TransNameArray2;

lsa_TransNameArray2's count should not have a range limit
The limit should be lsa_TransNameArray2
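
The range check discussed in the report above, as an added example that is not part of the original bug report and is not Samba's generated NDR code: a simplified model of pulling a count-prefixed array, showing that a `[range(0,1000)]` bound rejects a count of 2052 outright, and that a pull without that bound still has to check the count against the bytes actually received. The status codes, function names and the fixed 16-byte entry size are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical status codes for this sketch (not Samba's ndr_err_code). */
enum pull_status { PULL_OK = 0, PULL_ERR_BUFSIZE, PULL_ERR_RANGE };

#define IDL_MAX_COUNT   1000u  /* mirrors [range(0,1000)] on count */
#define ENTRY_WIRE_SIZE 16u    /* assumed fixed per-entry size, illustration only */

/* Write count as a little-endian uint32 at the start of buf (sample builder). */
void put_count(uint8_t *buf, uint32_t count)
{
    for (int i = 0; i < 4; i++) buf[i] = (uint8_t)(count >> (8 * i));
}

/* Pull the count of a count-prefixed array and validate it twice:
 * against the declared range, then against the bytes actually present. */
enum pull_status pull_array_count(const uint8_t *buf, size_t len,
                                  uint32_t max_count, uint32_t *count)
{
    if (len < 4) return PULL_ERR_BUFSIZE;           /* no room for count */
    *count = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
             (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    if (*count > max_count) return PULL_ERR_RANGE;  /* the check 2052 trips */
    /* 64-bit multiply so a huge count cannot wrap the size computation. */
    if ((uint64_t)*count * ENTRY_WIRE_SIZE > (uint64_t)(len - 4))
        return PULL_ERR_BUFSIZE;
    return PULL_OK;
}

int main(void)
{
    static uint8_t reply[4 + 2052 * ENTRY_WIRE_SIZE]; /* constructed sample */
    uint32_t n = 0;
    put_count(reply, 2052);
    printf("range 1000:        %d\n",
           pull_array_count(reply, sizeof(reply), IDL_MAX_COUNT, &n));
    printf("range lifted:      %d\n",
           pull_array_count(reply, sizeof(reply), UINT32_MAX, &n));
    printf("lifted, truncated: %d\n",
           pull_array_count(reply, 4 + 100 * ENTRY_WIRE_SIZE, UINT32_MAX, &n));
    return 0;
}
```
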
Comment 1 Björn Jacke 2022-01-17 17:31:54 UTC
AFAIK a user cannot expect to be working if it is a member of 2000 groups in Windows; see also: http://support.microsoft.com/kb/328889

STATUS_TOO_MANY_CONTEXT_IDS (0xC000015A) would be the right error code to return in cases like that. We might have to fix that.