[Samba] Repost: group membership limitations and Linux kernel

Buchan Milne bgmilne at cae.co.za
Mon Aug 18 11:26:19 GMT 2003



> Message: 5
> Date: 15 Aug 2003 08:14:58 -0500
> From: "Azelton Sean (RBNA/CIT1)" <sean.azelton at us.bosch.com>
> Subject: [Samba] Repost: group membership limitations and Linux kernel
> To: samba at lists.samba.org
> Message-ID: <1060953297.1972.1.camel at sbdgecko.sbd.us.bosch.com>
> Content-Type: text/plain
>
> Does anyone have any information with regard to this issue?
>
> Thank you,
>
> Sean
>
> On Wed, 2003-08-13 at 09:17, Azelton Sean (RBNA/CIT1) wrote:
>
>>> Hi all,
>>>
>>> I was hoping someone here would be willing to clear up some confusion
>>> we're having about group membership limits and Linux.
>>>
>>> While trying to use a file server solution in an AD environment using
>>> OpenLDAP / SASL / Samba 2.2.x, we ran into the issue that when trying
>>> to import/re-create group membership, we reach a limit at 32 groups.
>>> It is my understanding that this is a limitation in the number of
>>> groups that a given user can be in because of some hard-coded values
>>> in the Linux kernel.
>>>
>>> I'm wondering, if we abandoned the OpenLDAP idea and went to Samba 3 with
>>> direct AD authentication, would we run into this limitation again (on
>>> Linux)? If so, does this limitation exist on other platforms
>>> (FreeBSD for example) or even on other architectures (Solaris/SPARC)?
>>>
>>> If someone can point me to more information on this issue I'd greatly
>>> appreciate it, as we have the majority of our AD users (10s of
>>> thousands) with 150+ groups per user (we have a global AD forest).
>>> I'm not sure exactly how this limit would manifest itself using Samba
>>> 3 - if at all.

$ grep GROUPS /usr/src/linux/include/linux/limits.h
#define NGROUPS_MAX       32    /* supplemental group IDs are available */

Looks like you will have to try compiling a new kernel for your Linux boxen.

This issue will affect both OpenLDAP and Winbind/AD (and any other
mechanism for enumerating groups for that matter).

Also note that NFS has some limitations on the number of groups that can
be used for permissions over NFS, typically 15 (AFAIK).

Regards,
Buchan

--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
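
Added example (not part of the original post and not Samba code): a C check that compares how many groups the name service (files, LDAP, winbind) reports for a user with the supplementary-group limit of the running kernel, and with the 32 quoted in the post. The function names and the default user "root" are assumptions of this example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes getgrouplist() in glibc's <grp.h> */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Supplementary-group limit of the running kernel (-1 if indeterminate). */
long kernel_group_limit(void) { return sysconf(_SC_NGROUPS_MAX); }

/* Groups the name service reports for a user, primary group included.
 * Returns -1 if memory cannot be allocated. */
int directory_group_count(const char *user, gid_t primary)
{
    gid_t one;
    int n = 1;
    if (getgrouplist(user, primary, &one, &n) != -1)
        return n;                       /* the user has a single group */
    gid_t *all = malloc((size_t)n * sizeof *all); /* n = size required */
    if (all == NULL)
        return -1;
    (void)getgrouplist(user, primary, all, &n);   /* n = final count */
    free(all);
    return n;
}

/* Memberships that do not fit in a credential holding `limit` groups. */
int groups_over_limit(int count, long limit)
{
    return (limit >= 0 && count > limit) ? (int)(count - limit) : 0;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root"; /* assumed default */
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        fprintf(stderr, "unknown user: %s\n", user);
        return 2;
    }
    int count = directory_group_count(user, pw->pw_gid);
    long limit = kernel_group_limit();
    printf("%s: %d groups reported, kernel limit %ld, %d over the limit\n",
           user, count, limit, groups_over_limit(count, limit));
    printf("against NGROUPS_MAX 32: %d over\n", groups_over_limit(count, 32));
    return groups_over_limit(count, limit) ? 1 : 0;
}
```

A non-zero count over the limit means some memberships cannot be carried in the process credential, so access granted only through those groups will not apply.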