Old user can't log in

Chuck Swiger cswiger at mac.com
Thu Feb 12 20:37:41 PST 2009


On Feb 12, 2009, at 8:17 PM, Da Rock wrote:
> I've been following this thread with interest: are you saying FreeBSD
> logins cannot handle more than 16 groups? If so, why? Is this mitigated
> by using other authentication methods (ie kerberos, ldap, etc)?

There's a compile-time limit of the relevant kernel data structures as
to how many groups a user can be in, described by "sysctl
kern.ngroups".  It's possible to recompile the kernel with a larger
number, but doing so will break NFS (and possibly other things).  It
doesn't matter whether you use Kerberos, LDAP, etc to set up the
groups; while those things do not have a 16-group limit, the FreeBSD
kernel [1] does.

With reasonable organization, and appropriate use of sudo or setgid
binaries for things like people who use SVN or CVS, there generally
isn't reason or need for a user to be in so many groups.  For the
exceptional cases, switching to using a full ACL system rather than
the traditional Unix permission model is probably going to be a better
solution.

Regards,
-- 
-Chuck

[1]: And almost all other Unixes...
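An added example (not from the thread) for checking which accounts would hit the limit Chuck describes: it reads the live limit from `sysctl kern.ngroups` where that key exists, falls back to a constructed value of 16 elsewhere, and flags accounts whose group count exceeds it. The `user: group group ...` input format and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit accounts against the kernel's group-membership limit.
# Assumption: `sysctl -n kern.ngroups` is readable on FreeBSD; on hosts
# without that key we fall back to a constructed value of 16 so the script
# still runs offline.

# Effective limit: the kernel's value if available, otherwise 16.
group_limit() {
    sysctl -n kern.ngroups 2>/dev/null || echo 16
}

# count_groups USER: number of groups the account belongs to (via id -G).
# Prints 0 for an unknown user because id prints nothing on failure.
count_groups() {
    id -G "$1" 2>/dev/null | wc -w | tr -d ' '
}

# over_limit_from_list LIMIT: read "user: g1 g2 ..." lines on stdin and
# print "user count" for every account whose group count exceeds LIMIT.
# Accounts at exactly LIMIT are not flagged.
over_limit_from_list() {
    limit="$1"
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        user="${line%%:*}"
        members="${line#*:}"
        n=$(printf '%s\n' "$members" | wc -w | tr -d ' ')
        if [ "$n" -gt "$limit" ]; then
            printf '%s %s\n' "$user" "$n"
        fi
    done
}

# audit_local_users: build the "user: groups" list from /etc/passwd and
# report accounts over the host's actual limit.
audit_local_users() {
    cut -d: -f1 /etc/passwd | while IFS= read -r u; do
        printf '%s: %s\n' "$u" "$(id -Gn "$u" 2>/dev/null)"
    done | over_limit_from_list "$(group_limit)"
}
```

Run `audit_local_users` on a FreeBSD host to list the accounts whose logins would be affected; the sample below uses constructed input only.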