unpack_nt_owners fails with owner S-1-5-32-544

tridge at samba.org
Wed Oct 25 22:58:38 GMT 2006


David,

 > 	I was speaking about ACLs for groups, which are limited by the
 > 	same silly limit on the number of groups: the acl that should
 > 	let me open the file might refer to my 33rd secondary group
 > 	out of 32.

I may be being a bit slow, but I still don't understand this.

Do you mean that if you have an ACL containing 33 group ACEs, that a
user who is a member of fewer than 32 groups that overlap with that
list of groups in the ACEs will not get correct behaviour when
accessing the file?

I know that if the user is a member of more than 32 groups, the
list of groups they are a member of is truncated. That however has
absolutely nothing to do with any ACL code. It results from the fact
that initgroups()/setgroups() will truncate the list of supplementary
group ids to fit the fixed-size array in the task structure for the
process. That happens completely independently of whether any ACL is
being used at all.

As far as I know, an ACL can have as many group ACEs as you like on
Solaris (certainly more than 32). Just to be sure, I just wrote a
script to test this on Solaris8 with 40 group ACEs on a file and it
worked fine.

Cheers, Tridge
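
The distinction drawn in the message above, as an added example that is not part of the original post and is not Samba or Solaris code: a simplified model in which the only fixed-size array is the process's supplementary group list, while the ACL's group ACE list has no such limit. The limit of 32 is taken from the thread; `struct cred`, `cred_set_groups`, `acl_group_allows` and all group ids are hypothetical names and constructed values.

```c
#include <stddef.h>

#define MODEL_NGROUPS_MAX 32            /* assumed limit, as in the thread */

struct cred {                           /* simplified process credential */
    unsigned groups[MODEL_NGROUPS_MAX]; /* fixed-size supplementary list */
    size_t ngroups;
};

/* Models the truncation: ids past the limit are dropped; returns how many. */
size_t cred_set_groups(struct cred *c, const unsigned *gids, size_t n) {
    size_t keep = n < MODEL_NGROUPS_MAX ? n : MODEL_NGROUPS_MAX;
    for (size_t i = 0; i < keep; i++)
        c->groups[i] = gids[i];
    c->ngroups = keep;
    return n - keep;
}

/* The ACE list has no fixed length; 1 if any group ACE matches the cred. */
int acl_group_allows(const struct cred *c, const unsigned *aces, size_t nace) {
    for (size_t a = 0; a < nace; a++)
        for (size_t g = 0; g < c->ngroups; g++)
            if (aces[a] == c->groups[g])
                return 1;
    return 0;
}

/* Constructed: 40 group ACEs, user in 5 groups, only the 40th ACE matches. */
int case_many_aces(void) {
    unsigned aces[40], user[5] = {10, 11, 12, 13, 1039};
    struct cred c;
    for (unsigned i = 0; i < 40; i++)
        aces[i] = 1000 + i;
    cred_set_groups(&c, user, 5);
    return acl_group_allows(&c, aces, 40);      /* access granted */
}

/* Constructed: one group ACE, user in 33 groups, the ACE names the 33rd. */
int case_truncated_membership(void) {
    unsigned user[33], ace = 2032;
    struct cred c;
    for (unsigned i = 0; i < 33; i++)
        user[i] = 2000 + i;
    return cred_set_groups(&c, user, 33) == 1 && !acl_group_allows(&c, &ace, 1);
}

int main(void) {
    return (case_many_aces() && case_truncated_membership()) ? 0 : 1;
}
```

In the model, access is lost only in the second case, where the membership was dropped before any ACL was consulted.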


More information about the samba-technical mailing list