"net groupfilter" ?

[simo]

On Tue, 2008-12-16 at 14:36 +0100, Volker Lendecke wrote:
> 
> Hi!
> 
> Attached find a patch that I'd like to receive some comments
> on. I know this is ugly, but then NGROUPS is just a bug that
> only Linux 2.6 has solved properly yet.

I have been battling with this problem for a year a while ago, but
reaching consensus on a solution was impossible so I gave up.

The problem I see with your patch here is that you have a global set of
groups. This is not going to work in large organizations (at least not
the ones I have been talking to in the past).

This following is just my 2c, I am not saying your patch is not good,
just adding some considerations about your approach. If most still think
that, even if limiting, your approach is better because introduces less
code changes and add little clutter (after all we are just trying to
deal with buggy platforms and the real solution is to fix them or move
to better platforms) then I am in for it.


Ideally you should have a group filter per share, so that admins can
control which groups are interesting for that share.

I know that going down the 'per share' approach is much more code, but
on a busy server, the filter list is going to be pretty limiting if it
is global.

Your approach may work in some situations where all you need is a very
specific subset of groups and you are guaranteed no user is in more than
16 of them, but I am not sure you are going to easily be able to come up
with such a subset in large environments.

Filtering on a share level instead is usually much easier, at least for
shares dedicated to specific groups inside an organizations. For
organization wide shares it may still be an issue but usually these
shares have a very limited listed of users permitted to write and a few
big groups permitted to read. Worst case they can migrate to Linux
there :)

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Senior Software Engineer at Red Hat Inc. <simo at redhat.com>