kern.ngroups question
Reuben A. Popp
rapopp at eastcentral.edu
Thu Jul 19 16:08:40 UTC 2007
On Wednesday 18 July 2007 21:19, Michael Vince wrote:
> Julian Elischer wrote:
> > Reuben A. Popp wrote:
> >> Hello all,
> >>
> >> Can someone explain to me the rationale behind having ngroups_max set
> >> to 16 by default?
> >
> > NFS only supports this much by default (from memory).
> >
> > Samba (in the guise of Jeremy Allison)
> > has asked us to follow Linux's lead and support an arbitrary number of
> > groups
> > but it hasn't happened yet, partly due to the question of "what to do
> > about NFS" and partly just due to ENOTIME.
>
> I think at the very least that there should be some more obvious
> warnings about this potentially serious limitation in either release
> notes of FreeBSD and/or Samba.
>
> I just had to deal with this limitation and it was quite annoying to say
> the least, it appears Samba is somewhat deliberately designed to give
> you a hard time when you run into this limit, because as soon as you add
> a user to more than 16 groups it declares the group file unreadable and
> as a security measure shuts down all shares and authentication which
> wrecks a network which relies on Samba.
>
> Also as far as I know Solaris and Linux have long gone past this limitation.
>
> Mike

Running into a problem nearly identical to Mike's is what caused me to start
researching ngroups in the first place. Granted, in our Samba
implementation, there isn't really anyone who hits the limitation (short of
the admin), but the problem is still a definite show stopper.

I imagine this will become even more of an issue once Samba 4.x is completed
and sees deployment. Maybe this weekend I can write a small blurb for the
handbook.

I guess the next question I have would be about the limit in NFS. I did a
little sleuthing and found out that the actual culprit is not necessarily
NFS, but the underlying RPC calls. If I'm reading this correctly (excuse me
if I'm wrong.. I'm just now getting my feet wet with C/C++), the limit is set
in the auth_unix structure (taken from RFC 1057):

    struct auth_unix {
        unsigned int stamp;
        string machinename<255>;
        unsigned int uid;
        unsigned int gid;
        unsigned int gids<16>;
    };

If the value for gids were to be changed, that obviously would mean that the
RPC implementation would be out of whack with the standard. How then are the
other *nixes getting around this issue?

Thanks again
Reuben A. Popp

Just a note: As I said above, I'm still just now getting my feet wet in any
kind of programming (other than shell scripting). If I make an incorrect
assumption or a pretty stupid mistake, all I ask is to be kind :)

--
Reuben A. Popp
Systems Administrator
Information Technology Department
East Central College
1+ 636 583 5195 x2480
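
The gids<16> bound in the auth_unix structure quoted in the message above, as an added example that is not part of the original post and is not FreeBSD's RPC code: a small C encoder that lays the credential out in XDR wire format and refuses a 17th supplementary group instead of silently truncating the list. The function name encode_auth_unix, the two constants and the sample values in main() are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AUTH_UNIX_MAX_GIDS    16   /* gids<16> in the RFC 1057 struct */
#define AUTH_UNIX_MAX_MACHINE 255  /* machinename<255> */

/* XDR unsigned int: 4 bytes, big-endian. */
static size_t put_u32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
    return 4;
}

/* Encode an auth_unix body into buf. Returns the encoded length, or -1 if
 * the input does not fit the structure (too many gids, name too long) or buf. */
long encode_auth_unix(uint8_t *buf, size_t buflen, uint32_t stamp,
                      const char *machine, uint32_t uid, uint32_t gid,
                      const uint32_t *gids, uint32_t ngids)
{
    size_t namelen = strlen(machine);
    size_t padded = (namelen + 3) & ~(size_t)3;  /* XDR pads strings to 4 bytes */
    size_t need, off = 0;

    if (ngids > AUTH_UNIX_MAX_GIDS || namelen > AUTH_UNIX_MAX_MACHINE)
        return -1;  /* refuse rather than drop group memberships */
    need = 4 + 4 + padded + 4 + 4 + 4 + 4 * (size_t)ngids;
    if (need > buflen)
        return -1;

    off += put_u32(buf + off, stamp);
    off += put_u32(buf + off, (uint32_t)namelen);  /* string length prefix */
    memset(buf + off, 0, padded);
    memcpy(buf + off, machine, namelen);
    off += padded;
    off += put_u32(buf + off, uid);
    off += put_u32(buf + off, gid);
    off += put_u32(buf + off, ngids);              /* array element count */
    for (uint32_t i = 0; i < ngids; i++)
        off += put_u32(buf + off, gids[i]);
    return (long)off;
}

int main(void)
{
    uint8_t buf[400];       /* RFC 1057 opaque_auth body<400> */
    uint32_t g[17] = {0};   /* constructed sample group list */
    printf("16 gids: %ld\n", encode_auth_unix(buf, sizeof buf, 0, "host", 1001, 1001, g, 16));
    printf("17 gids: %ld\n", encode_auth_unix(buf, sizeof buf, 0, "host", 1001, 1001, g, 17));
    return 0;
}
```

Because the group count is bounded by the XDR definition itself, a conforming peer has no way to carry more than 16 supplementary gids in this credential, whatever the local kernel limit is.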