FreeBSD nss, getgroupmembership(3)

Sun May 28 10:32:54 PDT 2006

(Sorry for the lack of an In-Reply-To header, I couldn't find the message ID


I've been playing around with this issue myself as well. I want to support
nested groups through winbind, which is supported through
winbind_getgrouplist, but not through getgrent...

> I have been playing around with nss and libc this weekend to find  
> ways to make nss_ldap work more efficiently by coupling getgrouplist 
> (3) with _nss_ldap_initgroups_dyn.
init_groups_dyn seems to be the function used by linux. It has pretty much the
same interface as getgroupmembership from NetBSD, with just a difference in
memory allocation.

> By coincidence I found that NetBSD has created the infrastructure  
> needed to make this a reallity allready! In NetBSD getgrouplist(3) is  
> now a front-end for getgroupmembership(3).
I just found this one too. I'm not sure how widespread the implementation of
getgroupmembership is, though. I know nss_winbind does not implement it, but
does implement initgroups_dyn. From your post I think nss_ldap does this also.

> Is there any chance for FreeBSD to get an updated import of NSS from  
> NetBSD anytime soon? :-)
Due to the (possibly) limited support of getgroupmembership in nss backends,
it might be better to use initgroups_dyn instead?

Anyway, I've spent some words on this issue on my blog [1], if anyones
interested. I'm planning on trying to make this work on FreeBSD sometime soon.
But, since I only have FreeBSD 6.0 machines to play around with (possibly 6.1
soon), I will probably code up a patch for 6.0. Have there been big changes to
nss since then that might make this a useless idea?




