Bug 707 - empty large groups in winbindd (ads-mode)
empty large groups in winbindd (ads-mode)
Product: Samba 3.0
Classification: Unclassified
Component: winbind
All other
: P3 normal
: none
Assigned To: Andrew Bartlett
Depends on:
Blocks: 807
  Show dependency treegraph
Reported: 2003-11-02 09:53 UTC by Guenther Deschner
Modified: 2005-11-14 09:28 UTC (History)
2 users (show)

See Also:

client-support for range-retrieval in winbindd_ads (5.43 KB, patch)
2003-11-02 09:54 UTC, Guenther Deschner
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Guenther Deschner 2003-11-02 09:53:58 UTC
lookup_groupmem in winbindd_ads.c does not honour range retrieval of multivalued

for a description of "Incremental Retrieval of Multi-valued Properties" in LDAP
 see the (expired) draft at

thus any group in ads that does have more then 1000 (win2k) or 1500 (win2k3)
members appears to have 0 members if winbindd is used in ads-mode (by e.g.
getgrnam). this behaviour is caused because the ads_pull_strings-function is
just pulling the "member" attribute
from the ldap-result. instead winbindd in ads-mode should repeat ldap-queries
until all members were seen. therefor a new ads_pull_strings_range-function
should get the values from the ldap-result according to the current range. if
you have more values than the builtin limit in a ldap result, the
member-attribute will have the form "member;range=0-999" or
"member;range=0-1499" in the first query. the next query should then be directed
to member;range=1000-* or member;range=1500-*. the last range is indicated by a
trailing '*' in the first-attribute: member;4000-*.


unpatched samba3.0.1pre2cvs:

   getent group "MYDOM\largegroup" gives:

with the patch:

   getent group "MYDOM\largegroup" gives:
   MYDOM\largegroup:x:2023:MYDOM\user001,MYDOM\user002, ...
Comment 1 Guenther Deschner 2003-11-02 09:54:50 UTC
Created attachment 232 [details]
client-support for range-retrieval in winbindd_ads
Comment 2 Guenther Deschner 2003-11-04 21:26:16 UTC
the proposed patch still has an issue with freeing member_range though (noticed
while querying a huge list of hige groups with getgrent).
Comment 3 Gerald (Jerry) Carter 2003-12-12 08:28:05 UTC
reseting target milestone.  3.0.1 has been frozen.  WIll have to 
re-evaluate these.
Comment 5 Volker Lendecke 2004-01-01 13:14:38 UTC
Talking with abartlet proved the fix to be wrong.

Comment 6 Gerald (Jerry) Carter 2004-01-05 07:57:02 UTC
My understanding is that this is fixed now?  If 
so, please close it out.  Thanks.
Comment 7 Volker Lendecke 2004-01-05 10:00:59 UTC
Fixed with abartlet's changes of 01/05/2004

Tested here with a w2k3 domain mutually trusting a w2k domain 
and a group with 3900 users.

Comment 8 Gerald (Jerry) Carter 2005-08-24 10:18:14 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.
Comment 9 Gerald (Jerry) Carter 2005-11-14 09:28:39 UTC
database cleanup