NGROUPS limit

miguel.sanders at arcelormittal.com miguel.sanders at arcelormittal.com
Fri Dec 5 09:51:31 GMT 2008 

Hmm

And what can I do to overcome this problem in 3.2?
Is reducing the number of AD group memberships the only solution? 


Met vriendelijke groet
Best regards
Bien à vous

Miguel SANDERS
ArcelorMittal Gent

UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent

T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent

-----Oorspronkelijk bericht-----
Van: Volker Lendecke [mailto:Volker.Lendecke at SerNet.DE] 
Verzonden: vrijdag 5 december 2008 9:56
Aan: SANDERS Miguel
CC: samba-technical at lists.samba.org
Onderwerp: Re: NGROUPS limit

On Thu, Dec 04, 2008 at 12:10:07PM +0100, miguel.sanders at arcelormittal.com wrote:
> I am experimenting with the new Samba 3.2.4 (currently we have 3.0.30 
> deployed) on our AIX boxes and I am experiencing some issues with the 
> OS NGROUPS limit.
> Furthermore, my Windows user has more than 128 group memberships 
> (which is the NGROUPS limit for AIX).
> 
> However, in my Samba 3.0.30 environment this is no problem whereas in 
> Samba 3.2.4 this poses a problem:
> The log states
> 
> [2008/12/04 12:00:53,  0] lib/util.c:smb_panic(1663)
>   PANIC (pid 553208): sys_setgroups failed
> 
> Any idea on how this different behaviour can be explained?

If we can't tell the kernel about all the groups a user is member of, it can become a security problem if we continue if your file system happens to have negative ACLs. So we just stop. It *is* a problem in 3.0.30, because spurious access denied errors might happen that should not. It is just not as obvious.

Volker

**** 
This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. 
If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. 
Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. 
This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement.  
****

More information about the samba-technical mailing list