[Samba] number of groups of NT account causes authentication
problems
Gopal Bhat
gbhat at taos.com
Thu Mar 6 02:25:24 GMT 2003
Finally, I found that this problem is due to limitation of Solaris OS.
By default, the kernel parameter NGROUPS_MAX ( # getconf NGROUPS_MAX) is
set to 16 (/usr/include/limits.h), which can be changed to a maximum of
32 by putting a line:
set ngroups_max=32
in /etc/system file and rebooting the server. If you do this, the server
complains about some NFS problems:
# dmesg | grep -i ngroups
Mar 5 17:50:25 chevette unix: [ID 953839 kern.warning] WARNING:
ngroups_max of 32 > 16, NFS AUTH_SYS will not work properly
But again, the cap is raised to 32 from 16.
To increase the parameter 'ngroups_max' beyond 32, one needs to modify
the files '/usr/include/limits.h, /usr/include/sys/param.h', and rebuild
the kernel. But there is no way to compile the new kernel on solaris by
using this modified files. The 'boot -r' from the boot prom level will
not recompile the kernel, it just loads the existing kernel using
'/etc/system' parameters which are limited by the parameters set by
'/usr/include/sys/param.h' during the original compilation.
-Gopal
Michael G. Noble wrote:
>Solaris has a 15 member limit to groups. Since you are under that
>limit, it should not be a problem. I have Samba running on an Ultra
>60 with Solaris8, samba version 2.2.5. I have users who are members
>of at least 14 groups and not having any problems accessing shared
>folders.
>
>Mike
>
>On Tue, 2003-03-04 at 13:35, Gopal Bhat wrote:
>
>
>>I am facing a strange problem related to authentication of NT users
>>accessing the SAMBA server.
>>Here are the details:
>>Server: Solaris 9, SUN Ultra 60, SAMBA 2.2.7a with PAM and WINBIND
>>Client: Windows XP, NT4.0, 2000
>>
>>Symptoms:
>>Created a share \\server\test (UNIX: /export/SMB/test) with access to
>>group 'TestGoup' where 'TestUser' is a member.
>>'TestUser' is a member of 10 more groups along with 'TestGroup' (Total
>>number of TestUser's group = 11)
>>
>>With the above settings 'TestUser' can't access the share
>>'\\server\test', and the following message shows up in the Client.log:
>>
>>[2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(244)
>> Unable to initgroups. Error was Not owner
>>[2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(247)
>> This is probably a problem with the account domain\testuser
>>[2003/03/04 13:31:52, 0] smbd/service.c:make_connection(599)
>> client (10.81.105.121) Can't change directory to /export/SMB/test
>>(Permission denied)
>>
>>If I change the number of groups the user 'TestUser' belongs from 11 to
>>8 ('TestGroup' + 7 other groups), the user can access the share
>>'\\server\test' without any problems.
>>
>>It looks like there is some limitation on number of NT group memberships
>>'smbd' can handle.
>>Note: 'wbinfo' returns all the right groups of the user without any
>>problems.
>>
>>Is there anyone out there who is aware of this problem and knows a
>>workaround/solution to this?
>>I really appreciate any help from the prestigious SAMBA Team.
>>
>>Thanks,
>>Gopal
>>
>>--
>>To unsubscribe from this list go to the following URL and read the
>>instructions: http://lists.samba.org/mailman/listinfo/samba
>>
>>
>
>
>
>
More information about the samba
mailing list