Dynamic groups (was Samba and groups > 16)
Henrik Nordstrom
hno at squid-cache.org
Mon Mar 7 21:37:25 GMT 2005
On Mon, 7 Mar 2005, David Collier-Brown wrote:
> Which means that only Linux can be used for large sites!
Solaris would work equally well if Solaris would add support for large
number of groups. This 16 groups limit is a serious limitation for any
larger directory installation, not only AD. You run into the exact same
problems in any setup where you use groups to control access and you have
more than 16 different levels of access.
I have run into this problem several times when I worked as a UNIX system
administrator at a not too large company (around 1000 employees), and this
site used plain old NIS for both passwords and groups. Even run into it
once on the prior job as system administrator for a small company with
<100 employees and a single server (no directory at all) but quite rigid
access controls.
I don't know winbind very well, but the way out in this problem is somehow
to specify which of all groups in the directory is interesting for the
server to care about, restricting which of all the possible groups the
user may belong to in the directory is translated to UNIX groups. In most
cases there is many groups your server does not care about and these does
not need to be assigned a gid.
> Which is cool for Linuxians, but a bummer for anyone using BSD!
And not restricted to Samba, just a little more apparent here due to the
nature of how Windows administrators tends to sensibly divide user access
into groups.
Regards
Henrik
More information about the samba-technical
mailing list