NGROUPS_MAX : proxy authentication/authorization

Volker Lendecke Volker.Lendecke at SerNet.DE
Mon Dec 14 06:57:40 MST 2009


On Mon, Dec 14, 2009 at 02:39:07PM +0100, SANDERS Miguel wrote:
> I'm currently thinking of a way to bypass the NGROUPS_MAX problem we are
> currently having on AIX.
> Is it somehow possible to let a Linux server handle the
> authentication/authorization part and then forward the request to AIX
> samba server.
> In a way the Linux server would act as a sort of proxy.
> Would it be possible to set up something like that?

The question is then: Who does the authorization checks,
i.e. who will be in charge of actually evaluating the list
of groups a user is a member of. The only right place to do
this is in the kernel, which maintains the filesystem
permissions; everything else will be a hack.

You might also try to find someone who can implement a group
filter in winbind. One way to limit the number of groups
that are shown to AIX is to implement a filter in winbind. 

I have seen users who could have worked around the issue
because they only had a very limited number of groups
actually being assigned file system access rights, but
nobody so far was able to sponsor the corresponding winbind
development, so this is sitting somewhere as a feature
request.

Volker
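
The workaround mentioned in the last paragraph of the reply, sketched as an added example (not part of the original message and not winbind code): keep only the groups that actually hold filesystem access rights and check the result against the group limit. The function name `filter_groups`, the sample GIDs and the limit of 4 are constructed assumptions.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Is gid present in list[0..n)? */
static int contains(const gid_t *list, size_t n, gid_t gid)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == gid)
            return 1;
    return 0;
}

/*
 * Hypothetical filter: copy into out[] only those member GIDs that are in
 * used[] (groups that actually hold filesystem access rights), without
 * duplicates. out[] must have room for n_member entries.
 * Returns the filtered count, or -1 if it still exceeds limit. It never
 * truncates: a dropped group would silently change permission checks.
 */
long filter_groups(const gid_t *member, size_t n_member,
                   const gid_t *used, size_t n_used,
                   gid_t *out, long limit)
{
    size_t kept = 0;
    for (size_t i = 0; i < n_member; i++)
        if (contains(used, n_used, member[i]) && !contains(out, kept, member[i]))
            out[kept++] = member[i];
    if (limit < 0 || kept > (size_t)limit)
        return -1;
    return (long)kept;
}

int main(void)
{
    /* Constructed sample data, not taken from any real system. */
    gid_t member[] = {1000, 1001, 1002, 1003, 1004, 1005, 1003};
    gid_t used[] = {1003, 1001, 2000};
    gid_t out[sizeof member / sizeof member[0]];
    long limit = 4; /* constructed stand-in for the target's NGROUPS_MAX */

    long n = filter_groups(member, 7, used, 3, out, limit);
    printf("local NGROUPS_MAX: %ld\n", sysconf(_SC_NGROUPS_MAX));
    printf("7 membership entries, limit %ld, after filter: %ld\n", limit, n);
    for (long i = 0; i < n; i++)
        printf("  gid %ld\n", (long)out[i]);
    return n < 0;
}
```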