Dynamic groups (was Samba and groups > 16)

Volker Lendecke Volker.Lendecke at SerNet.DE
Mon Mar 7 16:46:48 GMT 2005


On Mon, Mar 07, 2005 at 11:33:13AM -0500, David Collier-Brown wrote:
>  Am I correct in thinking the Samba team was one of the
> proponents of larger number of groups in Linux, as
> implied by http://lwn.net/Articles/50916 ?

Maybe, no idea.

>  Does that perhaps mean that folks with older
> Unixes (Solarii, BSDs, HP/UX, AIX, etc, etc)
> are still banging up against this on large sites
> with AD and large numbers of NT groups?

Yes.

>  If so, should the limited set of groups 
> that Unix allows perhaps be used as a cache of the
> recently-used groups?  For example, if a
> user attempts to open a file belonging to
> group 17, and they only have 0-16 in their group
> list, should samba toss out the least
> recently used group, stick 17 in its
> place and retry the open?

Not possible. For each access denied from the kernel you would have to iterate
through all groups that a user is in to retry, just in case some group
membership would give him permission. The only real way around this is a
user-space implementation of NT ACLs, but then you lose the Unix
interoperability.

With Solaris you're stuck, sorry. That is just not usable in large AD
environments.

Volker
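
The retry cost described in the reply above, as an added example that is not part of the original message and is not Samba code. It is a small Python model that assumes the server only sees "access denied" and does not evaluate permissions itself; `kernel_open`, `open_with_group_retry` and all gids are constructed for illustration.

```python
"""Constructed model of retrying a denied open with rotating group windows."""

NGROUPS_MAX = 16  # supplementary-group limit discussed in the thread


def kernel_open(active_groups, granting_groups):
    """Model of the kernel check: grant only if an active group grants access."""
    if len(active_groups) > NGROUPS_MAX:
        raise ValueError("kernel accepts at most NGROUPS_MAX groups")
    return bool(set(active_groups) & set(granting_groups))


def open_with_group_retry(all_groups, granting_groups):
    """Retry the open with successive windows of the user's groups.

    The caller never learns which group (if any) would grant access, so
    after each denial it has to load the next window and try again.
    Returns (granted, kernel_attempts).
    """
    attempts = 0
    for start in range(0, len(all_groups), NGROUPS_MAX):
        window = all_groups[start:start + NGROUPS_MAX]  # stands in for setgroups()
        attempts += 1
        if kernel_open(window, granting_groups):
            return True, attempts
    return False, attempts


# Constructed sample: one AD user mapped to 200 Unix groups.
USER_GROUPS = list(range(1000, 1200))

if __name__ == "__main__":
    cases = {
        "granted by a group in the first window": {1003},
        "granted by the user's last group": {1199},
        "user really has no access": {5000},
    }
    for label, granting in cases.items():
        granted, attempts = open_with_group_retry(USER_GROUPS, granting)
        print(f"{label}: granted={granted} kernel_attempts={attempts}")
```

In this model every legitimate denial costs the full 13 passes over the group list, which is the cost the reply objects to.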


More information about the samba-technical mailing list