NGROUPS_MAX : proxy authentication/authorization

miguel.sanders at arcelormittal.com
Mon Dec 14 09:41:22 MST 2009


Hi Volker

Thanks for your feedback.
I'll certainly look into this further.
Also, in our environment, the AD groups used for Samba access to shares
are all located in a single dedicated OU.
Could that dedicated OU be a starting point of the group enumeration of
a user (I'm just thinking out loud)?

Cheers

Miguel 

-----Original message-----
From: Volker Lendecke [mailto:Volker.Lendecke at SerNet.DE]
Sent: Monday, 14 December 2009 14:58
To: SANDERS Miguel
CC: samba-technical at samba.org
Subject: Re: NGROUPS_MAX : proxy authentication/authorization

On Mon, Dec 14, 2009 at 02:39:07PM +0100, SANDERS Miguel wrote:
> I'm currently thinking of a way to bypass the NGROUPS_MAX problem we
> are currently having on AIX.
> Is it somehow possible to let a Linux server handle the
> authentication/authorization part and then forward the request to the
> AIX Samba server?
> In a way the Linux server would act as a sort of proxy.
> Would it be possible to set up something like that?

The question is then: Who does the authorization checks, i.e. who will
be in charge of actually evaluating the list of groups a user is a member
of? The only right place to do this is in the kernel, which maintains the
filesystem permissions; everything else will be a hack.

You might also try to find someone who can implement a group filter in
winbind. One way to limit the number of groups that are shown to AIX is
to implement a filter in winbind.

I have seen users who could have worked around the issue because they
only had a very limited number of groups actually being assigned file
system access rights, but nobody so far was able to sponsor the
corresponding winbind development, so this is sitting somewhere as a
feature request.

Volker
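Volker's observation that only a handful of groups actually carry filesystem rights suggests the shape of the winbind filter he describes. The following is an added example in C, not code from either correspondent or from Samba: the allow-list of filesystem-relevant gids, the 300-group sample user and the output buffer size are all constructed, and the filter returns an error instead of silently truncating when even the filtered list would exceed the limit.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed allow-list (assumption for this example): the few AD groups
 * that actually carry filesystem permissions on the AIX file server. */
static const gid_t FS_RELEVANT[] = { 10001, 10002, 10005, 10010 };
#define N_FS_RELEVANT (sizeof FS_RELEVANT / sizeof FS_RELEVANT[0])

static int is_fs_relevant(gid_t gid)
{
    for (size_t i = 0; i < N_FS_RELEVANT; i++)
        if (FS_RELEVANT[i] == gid)
            return 1;
    return 0;
}

/* Copy the filesystem-relevant subset of in[] into out[] (at most max_out).
 * Returns the number kept, or -1 when even the filtered list exceeds
 * max_out: the case where setgroups() would fail with EINVAL. Treat that as
 * a hard error, not silent truncation, which would change authorization. */
long filter_groups(const gid_t *in, size_t n_in, gid_t *out, size_t max_out)
{
    size_t kept = 0;
    for (size_t i = 0; i < n_in; i++) {
        if (!is_fs_relevant(in[i]))
            continue;
        if (kept == max_out)
            return -1;
        out[kept++] = in[i];
    }
    return (long)kept;
}

long platform_ngroups_max(void)
{
    return sysconf(_SC_NGROUPS_MAX); /* the kernel's real limit on this host */
}

int main(void)
{
    /* Constructed sample: a user in 300 AD groups, gids 10000..10299. */
    gid_t all[300], kept[16];
    for (size_t i = 0; i < 300; i++)
        all[i] = (gid_t)(10000 + i);
    long n = filter_groups(all, 300, kept, sizeof kept / sizeof kept[0]);
    printf("NGROUPS_MAX here: %ld; raw groups: 300; kept: %ld\n",
           platform_ngroups_max(), n);
    return n < 0 ? 1 : 0;
}
```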
