[Samba] Re: number of groups of NT account causes authentication
rsharpe at richardsharpe.com
Wed Mar 5 03:07:36 GMT 2003
On Tue, 4 Mar 2003, Gopal Bhat wrote:
> I did more experiments with this problem and found that 'SMBD' fails to
> authenticate when the Number of Groups an NT user belongs grows more
> than 14 (i.e. 15 or more).
I can't have a look until tomorrow, but I wonder, is it possible that
Solaris 9 has a restriction that the user cannot be in more that 14
groups? I would think not, but will find it difficult to test tonight.
Besides, I can probably only test on Solaris 8.
If that is not the problem, then I would have to look at the code that
does setgroups and test on our platform.
> Gopal Bhat wrote:
> > I am facing a strange problem related to authentication of NT users
> > accessing the SAMBA server.
> > Here are the details:
> > Server: Solaris 9, SUN Ultra 60, SAMBA 2.2.7a with PAM and WINBIND
> > Client: Windows XP, NT4.0, 2000
> > Symptoms:
> > Created a share \\server\test (UNIX: /export/SMB/test) with access to
> > group 'TestGoup' where 'TestUser' is a member.
> > 'TestUser' is a member of 14 more groups along with 'TestGroup' (Total
> > number of TestUser's group = 15)
> > With the above settings 'TestUser' can't access the share
> > '\\server\test', and the following message shows up in the Client.log:
> > [2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(244)
> > Unable to initgroups. Error was Not owner
> > [2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(247)
> > This is probably a problem with the account domain\testuser
> > [2003/03/04 13:31:52, 0] smbd/service.c:make_connection(599)
> > client (10.81.105.121) Can't change directory to /export/SMB/test
> > (Permission denied)
> > If I change the number of groups the user 'TestUser' belongs from 15
> > to 8 ('TestGroup' + 7 other groups), the user can access the share
> > '\\server\test' without any problems.
> > It looks like there is some limitation on number of NT group
> > memberships 'smbd' can handle. Note: 'wbinfo' returns all the right
> > groups of the user without any problems.
> > Is there anyone out there who is aware of this problem and knows a
> > workaround/solution to this?
> > I really appreciate any help from the prestigious SAMBA Team.
> > Thanks,
> > Gopal
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org,
More information about the samba