[Samba] number of groups of NT account causes authentication problems

Gopal Bhat gbhat at taos.com
Thu Mar 6 02:25:24 GMT 2003


Finally, I found that this problem is due to limitation of Solaris OS. 
By default, the kernel parameter NGROUPS_MAX ( # getconf NGROUPS_MAX) is 
set to 16 (/usr/include/limits.h), which can be changed to a maximum of 
32 by putting a line:
set ngroups_max=32
in /etc/system file and rebooting the server. If you do this, the server 
complains about some NFS problems:
# dmesg | grep -i ngroups
Mar  5 17:50:25 chevette unix: [ID 953839 kern.warning] WARNING: 
ngroups_max of 32 > 16, NFS AUTH_SYS will not work properly

But again, the cap is raised to 32 from 16.
To increase the parameter 'ngroups_max' beyond 32, one needs to modify 
the files '/usr/include/limits.h, /usr/include/sys/param.h', and rebuild 
the kernel.  But there is no way to compile the new kernel on solaris by 
using this modified files. The 'boot -r' from the boot prom level will 
not recompile the kernel, it just loads the existing kernel using 
'/etc/system' parameters which are limited by the parameters set by 
'/usr/include/sys/param.h' during the original compilation.

-Gopal

Michael G. Noble wrote:

>Solaris has a 15 member limit to groups. Since you are under that 
>limit, it should not be a problem.  I have Samba running on an Ultra
>60 with Solaris8, samba version 2.2.5.  I have users who are members
>of at least 14 groups and not having any problems accessing shared
>folders.
>
>Mike
>
>On Tue, 2003-03-04 at 13:35, Gopal Bhat wrote:
>  
>
>>I am facing a strange problem related to authentication of NT users 
>>accessing the SAMBA server.
>>Here are the details:
>>Server:  Solaris 9, SUN Ultra 60,  SAMBA 2.2.7a with PAM and WINBIND
>>Client: Windows XP, NT4.0, 2000
>>
>>Symptoms:
>>Created a share \\server\test (UNIX: /export/SMB/test)  with access to 
>>group 'TestGoup' where 'TestUser' is a member.
>>'TestUser' is a member of 10 more groups along with 'TestGroup' (Total 
>>number of TestUser's group = 11)
>>
>>With the above settings 'TestUser' can't access the share 
>>'\\server\test', and the following message shows up in the Client.log:
>>
>>[2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(244)
>>  Unable to initgroups. Error was Not owner
>>[2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(247)
>>  This is probably a problem with the account domain\testuser
>>[2003/03/04 13:31:52, 0] smbd/service.c:make_connection(599)
>> client (10.81.105.121) Can't change directory to /export/SMB/test 
>>(Permission denied)
>>
>>If I change the number of groups the user 'TestUser' belongs from 11 to 
>>8 ('TestGroup'  + 7 other groups), the user can access the share 
>>'\\server\test' without any problems.
>>
>>It looks like there is some limitation on number of NT group memberships 
>>'smbd' can handle.  
>>Note: 'wbinfo' returns all the right groups of the user without any 
>>problems.
>>
>>Is there anyone out there who is aware of this problem and knows a 
>>workaround/solution to this?
>>I really appreciate any help from the prestigious SAMBA Team.
>>
>>Thanks,
>>Gopal
>>
>>-- 
>>To unsubscribe from this list go to the following URL and read the
>>instructions:  http://lists.samba.org/mailman/listinfo/samba
>>    
>>
>
>
>  
>




More information about the samba mailing list