lookup_groupmem in winbindd_ads.c does not honour range retrieval of multivalued attributes. For a description of "Incremental Retrieval of Multi-valued Properties" in LDAP, see the (expired) draft at http://www.watersprings.org/pub/id/draft-kashi-incremental-00.txt

Thus any group in ads that does have more than 1000 (win2k) or 1500 (win2k3) members appears to have 0 members if winbindd is used in ads-mode (by e.g. getgrnam). This behaviour is caused because the ads_pull_strings-function is just pulling the "member" attribute from the ldap-result. Instead, winbindd in ads-mode should repeat ldap-queries until all members were seen. Therefore a new ads_pull_strings_range-function should get the values from the ldap-result according to the current range.

If you have more values than the builtin limit in a ldap result, the member-attribute will have the form "member;range=0-999" or "member;range=0-1499" in the first query. The next query should then be directed to member;range=1000-* or member;range=1500-*. The last range is indicated by a trailing '*' in the first-attribute: member;4000-*.

Testcase:

unpatched samba3.0.1pre2cvs: getent group "MYDOM\largegroup" gives:
MYDOM\largegroup:x:2023:

with the patch: getent group "MYDOM\largegroup" gives:
MYDOM\largegroup:x:2023:MYDOM\user001,MYDOM\user002, ...
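The range continuation described in the report above, as an added example (not the attached patch and not Samba's code): a C helper that reads the attribute name a reply came back with and builds the attribute to request next. The function names, the `pos` parameter and the check that each chunk starts where the previous one ended are assumptions of this example; the reply names in `main` are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

static int parse_num(const char **p, unsigned long *out)
{
    char *end;
    if (!isdigit((unsigned char)**p)) return 0;  /* strtoul would accept sign/space */
    *out = strtoul(*p, &end, 10);
    *p = end;
    return 1;
}

/* returned: attribute name from the reply, e.g. "member;range=0-1499".
 * *pos: index this chunk must start at (0 for the first query).
 * 1 = more remain (next filled, *pos advanced), 0 = complete, -1 = rejected. */
int next_range_attr(const char *base, const char *returned,
                    unsigned long *pos, char *next, size_t next_len)
{
    size_t blen = strlen(base);
    unsigned long lo, hi;
    const char *p;

    if (strncasecmp(returned, base, blen) != 0) return -1;
    p = returned + blen;
    if (*p == '\0') return *pos == 0 ? 0 : -1;   /* no range option: one reply */
    if (strncasecmp(p, ";range=", 7) != 0) return -1;
    p += 7;
    if (!parse_num(&p, &lo) || lo != *pos || *p++ != '-') return -1;
    if (strcmp(p, "*") == 0) return 0;           /* trailing '*': last chunk */
    if (!parse_num(&p, &hi) || *p != '\0' || hi < lo || hi + 1 == 0)
        return -1;
    if ((size_t)snprintf(next, next_len, "%s;range=%lu-*", base, hi + 1) >= next_len)
        return -1;
    *pos = hi + 1;
    return 1;
}

int main(void)
{
    /* Constructed reply names: 3900 members behind a 1500-value limit. */
    const char *r[] = { "member;range=0-1499", "member;range=1500-2999", "member;range=3000-*" };
    char next[64];
    unsigned long pos = 0;
    for (int i = 0; i < 3 && next_range_attr("member", r[i], &pos, next, sizeof next) == 1; i++)
        printf("then request %s\n", next);
    return 0;
}
```

Rejecting a chunk whose start index differs from `*pos` keeps a repeated or out-of-order reply from looping forever or duplicating members in the group list.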
Created attachment 232: client-support for range-retrieval in winbindd_ads
The proposed patch still has an issue with freeing member_range though (noticed while querying a huge list of huge groups with getgrent).
Resetting target milestone. 3.0.1 has been frozen. Will have to re-evaluate these.
Fixed with http://lists.samba.org/archive/samba-cvs/2004-January/046298.html and http://lists.samba.org/archive/samba-cvs/2004-January/046299.html
Talking with abartlet proved the fix to be wrong. Volker
My understanding is that this is fixed now? If so, please close it out. Thanks.
Fixed with abartlet's changes of 01/05/2004. Tested here with a w2k3 domain mutually trusting a w2k domain and a group with 3900 users. Volker
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.
database cleanup