Re: Group "Domain Users"

2002-11-11 Thread Michael Steffens
Tim Potter wrote:

> On Mon, Nov 11, 2002 at 01:40:25PM +0100, Michael Steffens wrote:
>
> The winbind enum users/groups parameter deliberately doesn't stop wbinfo
> from listing the groups so there is at least one way to enumerate users
> and groups.

Yes, but specifically in an environment where domains are very large,
with many trust relationships, and with domain controllers being distributed
all over the world, benefits of this possibility don't outweigh the costs
any more.



> The fact that a client disconnecting doesn't stop winbindd is a bug in
> winbindd but I think it will be hard to fix properly.

With excessively long queries being disabled it isn't that dramatic
for me.

BTW: I love Winbind! :))




Re: Group "Domain Users"

2002-11-11 Thread Tim Potter
On Mon, Nov 11, 2002 at 01:40:25PM +0100, Michael Steffens wrote:

> recently David Shapiro complained about getent group not working
> in large domain groups, in particular "Domain Users":
> 
>  http://lists.samba.org/pipermail/samba-technical/2002-November/040646.html

> Resolved the problem in my local version by modifying winbindd_group.c
> such that domain groups "Domain Users" will never get members filled
> in the result. This is somewhat analogous to the habit not to
> list primary group members in /etc/group in order not to exceed
> maximum group sizes on systems with many local users.

I think this would be a candidate for Yet Another New Parameter.  We
could either have a parameter to explicitly disable the Domain Users
group, or maybe some generic filtering mechanism where you can specify
group names or rids not to resolve.

Looking at it perhaps the second option seems a bit complicated.

> In the attached patches I also disabled enumeration of domain
> users and groups in winbindd_list_users() and winbindd_list_groups()
> depending on parameters "winbind enum users" and "winbind enum groups".
> 
> It's done the same way as in winbindd_setpwent() and winbindd_setgrent().

The winbind enum users/groups parameter deliberately doesn't stop wbinfo
from listing the groups so there is at least one way to enumerate users
and groups.  

The fact that a client disconnecting doesn't stop winbindd is a bug in 
winbindd but I think it will be hard to fix properly.


Tim.



Group "Domain Users"

2002-11-11 Thread Michael Steffens
Hi,

recently David Shapiro complained about getent group not working
in large domain groups, in particular "Domain Users":

 http://lists.samba.org/pipermail/samba-technical/2002-November/040646.html

I was facing the same problem, which I found annoying because it
always blocks winbindd without producing anything, while applications
like "ls" just wanted to determine group names. Which occurs frequently,
because "Domain Users" has been selected as default primary group.

And it will hardly ever succeed, as large domains quickly exceed
buffer sizes provided by applications or libc for getgrgid()
or getgrgid_r().

Resolved the problem in my local version by modifying winbindd_group.c
such that domain groups "Domain Users" will never get members filled
in the result. This is somewhat analogous to the habit not to
list primary group members in /etc/group in order not to exceed
maximum group sizes on systems with many local users.

Not ideal, not elegant, but it happens to produce the desired result :)

In the attached patches I also disabled enumeration of domain
users and groups in winbindd_list_users() and winbindd_list_groups()
depending on parameters "winbind enum users" and "winbind enum groups".

It's done the same way as in winbindd_setpwent() and winbindd_setgrent().

Reason: processing these requests takes extremely long in our environment
(hours to days), while winbindd will block other requests. And it won't
stop when a user of, for example, "wbinfo -u" aborts his request by
killing wbinfo. You would need to kill winbindd and restart it for
domain users to be able to log on again.

Cheers!
Michael





Index: source/nsswitch/winbindd_group.c
===
RCS file: /cvsroot/samba/source/nsswitch/winbindd_group.c,v
retrieving revision 1.3.4.25
diff -u -r1.3.4.25 winbindd_group.c
--- source/nsswitch/winbindd_group.c14 Oct 2002 03:00:14 -  1.3.4.25
+++ source/nsswitch/winbindd_group.c11 Nov 2002 11:40:25 -
@@ -77,6 +77,17 @@
 goto done;
}
 
+   /* Always skip members of "Domain Users" */
+
+   if (group_rid == DOMAIN_GROUP_RID_USERS) {
+   DEBUG(10, ("skip enumerating members of %s\\Domain Users\n", 
+ domain->name));
+   *gr_mem_len = 0;
+   *gr_mem = NULL;
+   result = True;
+   goto done;
+   }
+
/* Lookup group members */
status = domain->methods->lookup_groupmem(domain, mem_ctx, group_rid, 
&num_names, 
  &rid_mem, &names, &name_types);
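
Review bot: The `group_rid == DOMAIN_GROUP_RID_USERS` test is unconditional ("Always skip"), so after this change Domain Users reports an empty member list on every installation, including small domains where the lookup_groupmem() call below it would have completed. Gate the early exit on an smb.conf parameter so the administrator chooses the trade-off, and say in the comment that the group itself still resolves and only its membership is suppressed. The DEBUG level of 10 also makes the skipped lookup hard to spot when someone asks why gr_mem is empty; a lower level would help.
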
@@ -690,6 +701,11 @@
int extra_data_len = 0, i;
 
DEBUG(3, ("[%5d]: list groups\n", state->pid));
+
+   /* Check user has enabled this */
+
+   if (!lp_winbind_enum_groups())
+   return WINBINDD_ERROR;
 
/* Enumerate over trusted domains */
 
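Review bot: The early return added to the list-groups handler sends WINBINDD_ERROR without logging anything, so neither the client nor the log distinguishes "disabled by winbind enum groups" from a real enumeration failure. Add a DEBUG line before the return that names the parameter, for example at the same level 3 as the "list groups" message above it, and reword "Check user has enabled this" to say that it is the smb.conf setting being checked.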

Index: source/nsswitch/winbindd_user.c
===
RCS file: /cvsroot/samba/source/nsswitch/winbindd_user.c,v
retrieving revision 1.3.4.17
diff -u -r1.3.4.17 winbindd_user.c
--- source/nsswitch/winbindd_user.c 14 Oct 2002 03:00:14 -  1.3.4.17
+++ source/nsswitch/winbindd_user.c 11 Nov 2002 11:41:11 -
@@ -556,6 +556,11 @@
 
DEBUG(3, ("[%5d]: list users\n", state->pid));
 
+   /* Check user has enabled this */
+
+   if (!lp_winbind_enum_users())
+   return WINBINDD_ERROR;
+
if (!(mem_ctx = talloc_init_named("winbindd_list_users")))
return WINBINDD_ERROR;
 
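Review bot: With the `lp_winbind_enum_users()` check at the top of the list-users handler, the parameter now also governs explicit list requests such as "wbinfo -u", and nothing in the patch documents that wider scope; update the smb.conf manual entry for winbind enum users in the same change and name the parameter in the comment. Placing the check before talloc_init_named() is right, since the early return then has nothing to free.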



getent group 'Domain Users' hangs

2002-10-23 Thread Marcel Mary
The setup:
  - Samba 2.2.6 with winbind on Solaris 9.
  - PDC on NT 4.0 SP6
  - fresh install in test lab

Solaris host correctly authenticates users.
wbinfo -u returns all users
wbinfo -g returns all groups
getent passwd returns all users
getent group returns all groups except Domain Users!
wbinfo -n 'Domain Users' returns  
wbinfo -G 1 returns 
wbinfo -s  returns Domain Users

getent group 'Domain Users' hangs forever as does an ls -l on
any new file created by a user belonging to that group.

nscd.conf is the default one from the Solaris install.
nscd -i group or even terminating nscd didn't help.

The smb.conf:
[global]
log level = 3
workgroup = MARCO
netbios name = SELDON
admin users = root
encrypt passwords = yes
security = domain
winbind separator = |
winbind enum users = yes
winbind enum groups = yes
winbind uid = 1-2
winbind gid = 1-2
winbind use default domain = yes
password server = *

[public]
comment = Public Stuff
path = /u02/smbdata/public
guest ok = no
write ok = yes


-- 
Marcel