[Samba] Re: number of groups of NT account causes authentication problems

John H Terpstra jht at samba.org
Wed Mar 5 02:20:43 GMT 2003 

On Tue, 4 Mar 2003, Gopal Bhat wrote:

> Hi,
> I did more experiments with this problem and found that 'SMBD' fails to
> authenticate when the Number of Groups an NT user belongs grows more
> than 14 (i.e. 15 or more).

In my experience this is VERY much a platform issue and not a Samba
specific issue. Some Unix  platforms allow no more than membership in 8
groups.

- John T.

> Thanks,
> Gopal
>
> Gopal Bhat wrote:
>
> > I am facing a strange problem related to authentication of NT users
> > accessing the SAMBA server.
> > Here are the details:
> > Server:  Solaris 9, SUN Ultra 60,  SAMBA 2.2.7a with PAM and WINBIND
> > Client: Windows XP, NT4.0, 2000
> >
> > Symptoms:
> > Created a share \\server\test (UNIX: /export/SMB/test)  with access to
> > group 'TestGoup' where 'TestUser' is a member.
> > 'TestUser' is a member of 14 more groups along with 'TestGroup' (Total
> > number of TestUser's group = 15)
> >
> > With the above settings 'TestUser' can't access the share
> > '\\server\test', and the following message shows up in the Client.log:
> >
> > [2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(244)
> >  Unable to initgroups. Error was Not owner
> > [2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(247)
> >  This is probably a problem with the account domain\testuser
> > [2003/03/04 13:31:52, 0] smbd/service.c:make_connection(599)
> > client (10.81.105.121) Can't change directory to /export/SMB/test
> > (Permission denied)
> >
> > If I change the number of groups the user 'TestUser' belongs from 15
> > to 8 ('TestGroup'  + 7 other groups), the user can access the share
> > '\\server\test' without any problems.
> >
> > It looks like there is some limitation on number of NT group
> > memberships 'smbd' can handle.  Note: 'wbinfo' returns all the right
> > groups of the user without any problems.
> >
> > Is there anyone out there who is aware of this problem and knows a
> > workaround/solution to this?
> > I really appreciate any help from the prestigious SAMBA Team.
> >
> > Thanks,
> > Gopal
> >
>
>

-- 
John H Terpstra
Email: jht at samba.org

More information about the samba mailing list