WARNING to those running Samba on OpenIndiana or other Illumos based systems with > 16 groups

Ira Cooper ira at samba.org
Tue Apr 23 18:44:37 MDT 2013


"Hey Volker, is this familiar?"  (I've actually used this exact example in
presentations!)

I think this is the 1st or 2nd issue I tried to address.  It turns out
there is a *MUCH* simpler fix.

For "modern enough" Illumos/Solaris systems you can really "fix" this, for
the most part.

Put "set ngroups_max = 1024" in your /etc/system.  (On less modern systems
you may have to use 128...)

If your user is in over 1024 groups... Well.. Then you need a patch to cap
it.  But in my environment, it doesn't happen.

I suspect with a recompile that 1024 can be bumped, though I haven't
researched it.

Note on my 1st systems, I couldn't do this, so I clamped using NGROUPS_MAX
as defined by POSIX.  That stopped the process death, but it didn't deal
with the security issue, that users can't access files in some of the
groups they should be in... (For me, a working system was more important, I
didn't need all the groups.  I moved on.)

Thanks,

-Ira


On Tue, Apr 23, 2013 at 8:31 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> Just a heads-up, because this bug took me absolutely ages to chase down,
> and I want to save others the same pain.
>
> Samba is perhaps the most prominent reason why you might find a user in
> more than 16 groups on a Unix system, and so this bug may at first
> appear to be a 'Samba issue' (that certainly is why it found its way to
> my attention :-)
>
> https://www.illumos.org/issues/3691
>
> In short, unless the group list we supply to setgroups() is sorted, if
> there are more than 16 groups, the Illumos kernel fails to honour some
> of the groups.  Presumably there is a bisection search being done.
>
> The symptom for Samba users is that as a user is added to more groups,
> they lose access to folders they previously had access to.
>
> Attached is a total hack that appears to resolve the issue, but the real
> fix needs to be in glibc or the kernel.
>
> Andrew Bartlett
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
>
>
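As an added example (not code from this thread, from Andrew's attached patch, or from Samba), a small C program that does on the caller's side what the quoted Illumos bug report says the kernel needs: it sorts and de-duplicates the supplementary group list before setgroups(), then reads the list back with getgroups() and counts how many requested gids the kernel dropped, which is the direct check for the symptom Andrew describes. It assumes root privilege for setgroups() and uses a constructed list of 21 gids.

```c
/* Added example: sorted setgroups() plus a getgroups() verification pass. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1          /* exposes setgroups() in <grp.h> on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

static int gid_cmp(const void *a, const void *b) {
    gid_t x = *(const gid_t *)a, y = *(const gid_t *)b;
    return (x > y) - (x < y);
}

/* Sort gids ascending and drop duplicates in place; returns the new count. */
size_t normalize_groups(gid_t *gids, size_t n) {
    if (n == 0) return 0;
    qsort(gids, n, sizeof *gids, gid_cmp);
    size_t out = 1;
    for (size_t i = 1; i < n; i++)
        if (gids[i] != gids[out - 1]) gids[out++] = gids[i];
    return out;
}

/* Count wanted gids that are absent from `have` (0 means every gid was honoured). */
size_t missing_groups(const gid_t *wanted, size_t nw, const gid_t *have, size_t nh) {
    size_t missing = 0;
    for (size_t i = 0; i < nw; i++) {
        size_t j = 0;
        while (j < nh && have[j] != wanted[i]) j++;
        if (j == nh) missing++;
    }
    return missing;
}

/* Apply the normalized list, then re-read it from the kernel. Needs root.
 * Returns the number of dropped gids, or -errno on a syscall failure. */
int apply_and_verify(gid_t *gids, size_t n) {
    n = normalize_groups(gids, n);
    if (setgroups((int)n, gids) != 0) return -errno;   /* int on Illumos, size_t on glibc */
    int nh = getgroups(0, NULL);                       /* ask for the current count */
    if (nh < 0) return -errno;
    gid_t *have = calloc((size_t)nh + 1, sizeof *have);
    if (!have) return -ENOMEM;
    nh = getgroups(nh, have);
    int result = nh < 0 ? -errno : (int)missing_groups(gids, n, have, (size_t)nh);
    free(have);
    return result;
}

int main(void) {
    /* Constructed sample: 21 gids deliberately unsorted, with one duplicate. */
    gid_t gids[] = {3000, 100, 2500, 7, 3000, 1200, 999, 42, 8000, 15, 777,
                    1, 6000, 4004, 2, 9001, 333, 64, 5555, 128, 12};
    int r = apply_and_verify(gids, sizeof gids / sizeof gids[0]);
    if (r < 0) { fprintf(stderr, "setgroups/getgroups: %s\n", strerror(-r)); return 1; }
    printf("%d group(s) not honoured by the kernel\n", r);
    return r != 0;
}
```

Run it as root on the affected system; a non-zero count after a sorted setgroups() means the workaround is not sufficient there and the ngroups_max / patch route is needed.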

