number of groups of NT account causes authentication problems

MCCALL,DON (HP-USA,ex1) don_mccall at hp.com
Wed Mar 5 13:22:42 GMT 2003 

Hi Richard, et al;
Can't speak for Solaris, but HP-UX has a 20 group membership limit
for HP-UX users. From man setgroups: must be no more than NGROUPS_MAX,
as defined in <limits.h>.  Same applies to initgroups.
So Solaris may have some limit as well....
Hope this helps,
Don

> -----Original Message-----
> From: Richard Sharpe [mailto:rsharpe at richardsharpe.com]
> Sent: Tuesday, March 04, 2003 22:08
> To: Gopal Bhat
> Cc: samba; samba-technical
> Subject: Re: number of groups of NT account causes authentication
> problems
> 
> 
> On Tue, 4 Mar 2003, Gopal Bhat wrote:
> 
> > Hi,
> > I did more experiments with this problem and found that 
> 'SMBD' fails to 
> > authenticate when the Number of Groups an NT user belongs 
> grows more 
> > than 14 (i.e. 15 or more).
> > Thanks,
> > Gopal
> 
> I can't have a look until tomorrow, but I wonder, is it possible that 
> Solaris 9 has a restriction that the user cannot be in more that 14 
> groups? I would think not, but will find it difficult to test tonight.
> 
> Besides, I can probably only test on Solaris 8.
> 
> If that is not the problem, then I would have to look at the 
> code that 
> does setgroups and test on our platform.
> 
> > Gopal Bhat wrote:
> > 
> > > I am facing a strange problem related to authentication 
> of NT users 
> > > accessing the SAMBA server.
> > > Here are the details:
> > > Server:  Solaris 9, SUN Ultra 60,  SAMBA 2.2.7a with PAM 
> and WINBIND
> > > Client: Windows XP, NT4.0, 2000
> > >
> > > Symptoms:
> > > Created a share \\server\test (UNIX: /export/SMB/test)  
> with access to 
> > > group 'TestGoup' where 'TestUser' is a member.
> > > 'TestUser' is a member of 14 more groups along with 
> 'TestGroup' (Total 
> > > number of TestUser's group = 15)
> > >
> > > With the above settings 'TestUser' can't access the share 
> > > '\\server\test', and the following message shows up in 
> the Client.log:
> > >
> > > [2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(244)
> > >  Unable to initgroups. Error was Not owner
> > > [2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(247)
> > >  This is probably a problem with the account domain\testuser
> > > [2003/03/04 13:31:52, 0] smbd/service.c:make_connection(599)
> > > client (10.81.105.121) Can't change directory to /export/SMB/test 
> > > (Permission denied)
> > >
> > > If I change the number of groups the user 'TestUser' 
> belongs from 15 
> > > to 8 ('TestGroup'  + 7 other groups), the user can access 
> the share 
> > > '\\server\test' without any problems.
> > >
> > > It looks like there is some limitation on number of NT group 
> > > memberships 'smbd' can handle.  Note: 'wbinfo' returns 
> all the right 
> > > groups of the user without any problems.
> > >
> > > Is there anyone out there who is aware of this problem 
> and knows a 
> > > workaround/solution to this?
> > > I really appreciate any help from the prestigious SAMBA Team.
> > >
> > > Thanks,
> > > Gopal
> > >
> > 
> > 
> 
> -- 
> Regards
> -----
> Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
> sharpe[at]ethereal.com, http://www.richardsharpe.com
>

More information about the samba-technical mailing list