Samba: Winbindd and Solaris - missing groups

I recently ran into this issue working on Samba for a customer. Apparently Solaris 9 has a bug which prevents large groups from being displayed properly. When working with winbind this problem manifests itself in two ways:

  • The typical debugging/verification steps for winbind groups are:

    to verify that winbind is receiving group data:

    wbinfo -g

    and to verify that Solaris NSS can retrieve the group data:

    getent group

    However, when displaying groups with the getent command, the group display will be missing some groups.

  • When performing any Solaris commands that do "reverse" lookups on groups (converting a group number to a group name), the system will simply hang for an indefinite period of time. Some examples of this are:
    ls -l
    (hangs)
    ls -ln
    (works, displaying only group numbers)
    id <user>
    (hangs)
    getfacl <file>
    (hangs)

    Also, most installation procedures recommend that you disable NSCD (/etc/init.d/nscd). I agree with this under ordinary circumstances. However, with the bug present, having NSCD running actually seems to alleviate some of the issues. There are fewer hangs - it appears that the negative caching in NSCD seems to help prevent system hangs, although only group numbers are displayed for problem groups.

The fix for this is, of course, to apply a Solaris patch. Unfortunately for us, it took quite some time to track down this particular issue. The most apparent symptom to us was the hanging during various Solaris commands. However, there seems to be very little documented about this particular symptom. I was only finally able to track down this bug and find the patch by searching for the missing group symptom.

The patch you need is 112874-36 (or higher). Our system had a relatively recent Solaris 9 Recommended Patch Cluster installed, but our version of the patch was only 112874-30. At the time of this writing the current patch version is 112874-45, which is what we installed.

I am writing this in the hopes that perhaps I'll prevent someone else going through the long search process I went through tracking this down. As I mentioned above, there was very little (if any) description of the hanging symptom we described. I finally tracked down the issue with the missing groups and the additional detail that this happens only when the group string exceeds 2047 characters, on the Samba newsgroups. However, the post only mentioned that there was a patch.

So, if you're experiencing this issue, you should apply the patch. If you've got a valid Sun support contract, you can download it here:

112874-45

If you don't have a Sun support contract, you'll need to get it via some other means - it may be in the recommended patch cluster. Please do not ask me to download it for you!

If obtaining (or applying) the patch is really not an option, the only other solution would be to make sure your group sizes on your Windows domain controller don't exceed the limit in Solaris. You could shorten the names of your users or perhaps use nested groups (yes, this is an option in Windows!).
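To see which groups would need shrinking under that workaround, the following added example (not part of the original post) reports every group(4) entry longer than 2047 characters. It assumes the limit applies to the whole name:passwd:gid:members line; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: report group(4) entries longer than the limit from the post.
# Assumption: the 2047-character limit applies to the whole entry line
# (name:passwd:gid:member,member,...), as returned by "getent group".
LIMIT=2047
AWK=${AWK:-awk}   # old Solaris /usr/bin/awk lacks -v; set AWK=nawk there

# Reads group(4) lines on stdin; prints "name gid length member_count"
# for every entry whose length exceeds the limit (default $LIMIT).
oversized_groups() {
    "$AWK" -F: -v limit="${1:-$LIMIT}" '
        NF >= 4 && length($0) > limit {
            count = split($4, members, ",")
            printf "%s %s %d %d\n", $1, $3, length($0), count
        }'
}

# Constructed sample data: one small group and one with 300 members.
sample_groups() {
    "$AWK" 'BEGIN {
        print "staff:x:10001:alice,bob"
        line = "all-employees:x:10002:"
        for (i = 1; i <= 300; i++)
            line = line sprintf("user%04d", i) (i < 300 ? "," : "")
        print line
    }'
}

# Demo on the constructed data. On a real host, feed it group data from a
# system that returns complete entries, e.g.  getent group | oversized_groups
sample_groups | oversized_groups
```

Because the unpatched host drops exactly the entries of interest from getent output, run the check against group data taken from a patched or otherwise unaffected winbind client.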

I hope this helps!