Bug 707 - empty large groups in winbindd (ads-mode)
Summary: empty large groups in winbindd (ads-mode)
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.0
Hardware: All other
: P3 normal
Target Milestone: none
Assignee: Andrew Bartlett
Blocks: 807
Reported: 2003-11-02 09:53 UTC by Guenther Deschner
Modified: 2005-11-14 09:28 UTC (History)



Attachments
client-support for range-retrieval in winbindd_ads (5.43 KB, patch)
2003-11-02 09:54 UTC, Guenther Deschner

Description Guenther Deschner 2003-11-02 09:53:58 UTC
lookup_groupmem in winbindd_ads.c does not honour range retrieval of multivalued
attributes. 

for a description of "Incremental Retrieval of Multi-valued Properties" in LDAP
 see the (expired) draft at
http://www.watersprings.org/pub/id/draft-kashi-incremental-00.txt

thus any group in ads that does have more than 1000 (win2k) or 1500 (win2k3)
members appears to have 0 members if winbindd is used in ads-mode (by e.g.
getgrnam). this behaviour is caused because the ads_pull_strings-function is
just pulling the "member" attribute from the ldap-result. instead winbindd in
ads-mode should repeat ldap-queries until all members were seen. therefore a
new ads_pull_strings_range-function should get the values from the ldap-result
according to the current range. if you have more values than the builtin limit
in a ldap result, the member-attribute will have the form "member;range=0-999"
or "member;range=0-1499" in the first query. the next query should then be
directed to member;range=1000-* or member;range=1500-*. the last range is
indicated by a trailing '*' in the first-attribute: member;4000-*.

testcase:

unpatched samba3.0.1pre2cvs:

   getent group "MYDOM\largegroup" gives:
   MYDOM\largegroup:x:2023:

with the patch:

   getent group "MYDOM\largegroup" gives:
   MYDOM\largegroup:x:2023:MYDOM\user001,MYDOM\user002, ...
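
The retrieval loop the description above calls for, as an added C example that is not the attached patch or Samba's code. `parse_range_attr`, `mock_query` and `count_members` are hypothetical names, and `mock_query` is a constructed stand-in for the directory server that names each chunk the way the report describes.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* 0 = parsed ("member", "member;range=0-1499", "member;range=3000-*"), -1 = bad. */
int parse_range_attr(const char *desc, const char *attr,
                     unsigned long *low, unsigned long *high, int *last)
{
    size_t n = strlen(attr);
    char *end;
    *low = *high = 0; *last = 1;
    if (strncmp(desc, attr, n) != 0) return -1;
    if (desc[n] == '\0') return 0;               /* no range option: all values */
    if (strncmp(desc + n, ";range=", 7) != 0) return -1;
    if (!isdigit((unsigned char)desc[n + 7])) return -1;  /* no sign, no blanks */
    *low = strtoul(desc + n + 7, &end, 10);
    if (*end != '-') return -1;
    if (strcmp(end + 1, "*") == 0) return 0;     /* trailing '*': last range */
    if (!isdigit((unsigned char)end[1])) return -1;
    *high = strtoul(end + 1, &end, 10);
    *last = 0;                                   /* bounded range: more to fetch */
    return (*end == '\0' && *high >= *low) ? 0 : -1;
}

/* Constructed server stand-in (limit > 0): names and sizes the chunk at `start`. */
static unsigned long mock_query(unsigned long start, unsigned long total,
                                unsigned long limit, char *desc, size_t len)
{
    unsigned long left = total - start, n = left > limit ? limit : left;
    if (left > limit) snprintf(desc, len, "member;range=%lu-%lu", start, start + n - 1);
    else if (start > 0) snprintf(desc, len, "member;range=%lu-*", start);
    else snprintf(desc, len, "member");
    return n;
}

/* Repeat the query until the last range is seen; -1 on an inconsistent reply. */
long count_members(unsigned long total, unsigned long limit)
{
    unsigned long start = 0, low, high, got, seen = 0;
    char desc[64];
    int last = 0;
    while (!last) {
        got = mock_query(start, total, limit, desc, sizeof(desc));
        if (parse_range_attr(desc, "member", &low, &high, &last) != 0 ||
            low != start || (!last && got != high - low + 1)) return -1;
        seen += got;
        start = high + 1;                        /* next query: range=start-* */
    }
    return (long)seen;
}
```

A client that reads only the plain `member` attribute stops after the first reply; the loop keeps going until it sees a reply with no range option or with a `*` upper bound, and rejects a chunk that does not start where the previous one ended.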
Comment 1 Guenther Deschner 2003-11-02 09:54:50 UTC
Created attachment 232
client-support for range-retrieval in winbindd_ads
Comment 2 Guenther Deschner 2003-11-04 21:26:16 UTC
the proposed patch still has an issue with freeing member_range though (noticed
while querying a huge list of huge groups with getgrent).
Comment 3 Gerald (Jerry) Carter (dead mail address) 2003-12-12 08:28:05 UTC
resetting target milestone.  3.0.1 has been frozen.  Will have to 
re-evaluate these.
Comment 5 Volker Lendecke 2004-01-01 13:14:38 UTC
Talking with abartlet proved the fix to be wrong.

Volker
Comment 6 Gerald (Jerry) Carter (dead mail address) 2004-01-05 07:57:02 UTC
My understanding is that this is fixed now?  If 
so, please close it out.  Thanks.
Comment 7 Volker Lendecke 2004-01-05 10:00:59 UTC
Fixed with abartlet's changes of 01/05/2004

Tested here with a w2k3 domain mutually trusting a w2k domain 
and a group with 3900 users.

Volker
Comment 8 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:18:14 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.
Comment 9 Gerald (Jerry) Carter (dead mail address) 2005-11-14 09:28:39 UTC
database cleanup