Old user can't log in
Da Rock
rock_on_the_web at comcen.com.au
Thu Feb 12 20:52:22 PST 2009
On Thu, 2009-02-12 at 20:37 -0800, Chuck Swiger wrote:
> On Feb 12, 2009, at 8:17 PM, Da Rock wrote:
> > I've been following this thread with interest: are you saying FreeBSD
> > logins cannot handle more than 16 groups? If so, why? Is this mitigated
> > by using other authentication methods (i.e. Kerberos, LDAP, etc.)?
>
> There's a compile-time limit of the relevant kernel data structures as
> to how many groups a user can be in, described by "sysctl
> kern.ngroups". It's possible to recompile the kernel with a larger
> number, but doing so will break NFS (and possibly other things). It
> doesn't matter whether you use Kerberos, LDAP, etc to set up the
> groups; while those things do not have a 16-group limit, the FreeBSD
> kernel [1] does.
>
> With reasonable organization, and appropriate use of sudo or setgid
> binaries for things like people who use SVN or CVS, there generally
> isn't reason or need for a user to be in so many groups. For the
> exceptional cases, switching to using a full ACL system rather than
> the traditional Unix permission model is probably going to be a better
> solution.
Interesting. What would you suggest for full ACL?
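
An added example, not part of the original message: a POSIX sh audit that lists accounts whose group count exceeds a given limit, such as the value reported by `sysctl kern.ngroups`. The function name, the constructed sample accounts, and the choice to count the primary group toward the limit are assumptions, and only local passwd(5)/group(5) format files are read, so groups supplied by LDAP or Kerberos-backed directories are not covered.

```shell
#!/bin/sh
# Usage: over_group_limit LIMIT PASSWD_FILE GROUP_FILE
# Prints "user count" for every user in PASSWD_FILE with more than LIMIT groups.
over_group_limit() {
    awk -F: -v limit="$1" '
        # First file (passwd format): remember each user primary GID (field 4).
        FNR == NR { if ($1 !~ /^#/ && NF >= 4) primary[$1] = $4; next }
        # Second file (group format): name:passwd:gid:member,member,...
        /^#/ || NF < 3 { next }
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "" && !((m[i], $3) in seen)) {
                    seen[m[i], $3] = 1      # de-duplicate repeated GIDs
                    count[m[i]]++
                }
        }
        END {
            for (u in primary) {
                # Assumption: the primary group counts toward the limit.
                if (!((u, primary[u]) in seen)) count[u]++
                if (count[u] > limit) print u, count[u]
            }
        }
    ' "$2" "$3" | sort
}

# Constructed sample data: alice is in 16 project groups plus staff plus her
# primary group (18 total); bob has his primary group and staff (2 total).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'alice:*:1001:1001:Alice:/home/alice:/bin/sh' \
                  'bob:*:1002:1002:Bob:/home/bob:/bin/sh' > "$tmp/passwd"
    printf '%s\n' 'alice:*:1001:' 'bob:*:1002:' > "$tmp/group"
    i=1
    while [ "$i" -le 16 ]; do
        echo "proj$i:*:$((2000 + i)):alice" >> "$tmp/group"
        i=$((i + 1))
    done
    echo 'staff:*:20:alice,bob' >> "$tmp/group"
    over_group_limit "${1:-16}" "$tmp/passwd" "$tmp/group"
    rm -rf "$tmp"
}

demo 16
```

On a live system the same function can be pointed at the real files: `over_group_limit "$(sysctl -n kern.ngroups)" /etc/passwd /etc/group`.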