[Samba] number of groups of NT account causes authentication problems

Ken Cross kcross at nssolutions.com
Thu Mar 6 02:41:15 GMT 2003


Be careful.  Just rebuilding the kernel with an increased NGROUPS_MAX
probably won't be sufficient.

To accommodate Windows users with lots (40-50) of group memberships, we
had to rebuild NetBSD with NGROUPS_MAX set to 128.

But we also had to rebuild userland, because anything that used
NGROUPS_MAX statically would break.  That meant almost everything in
/sbin /usr/sbin and a lot of /bin and /usr/bin, not to mention libc.

It's a pretty Big Deal.

Ken
________________________________

Ken Cross

Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at nssolutions.com 

> -----Original Message-----
> From: samba-technical-bounces+kcross=nssolutions.com at lists.samba.org
> [mailto:samba-technical-bounces+kcross=nssolutions.com at lists.samba.org]
> On Behalf Of Gopal Bhat
> Sent: Wednesday, March 05, 2003 9:25 PM
> To: Michael G. Noble; don_mccall at hp.com
> Cc: samba; samba-technical
> Subject: Re: [Samba] number of groups of NT account causes authentication problems
> 
> 
> Finally, I found that this problem is due to a limitation of the
> Solaris OS. By default, the kernel parameter NGROUPS_MAX
> (# getconf NGROUPS_MAX) is set to 16 (/usr/include/limits.h), which
> can be changed to a maximum of 32 by putting a line:
> set ngroups_max=32
> in the /etc/system file and rebooting the server. If you do this, the
> server complains about some NFS problems:
> # dmesg | grep -i ngroups
> Mar  5 17:50:25 chevette unix: [ID 953839 kern.warning] WARNING: ngroups_max of 32 > 16, NFS AUTH_SYS will not work properly
> 
> But again, the cap is raised to 32 from 16.
> To increase the parameter 'ngroups_max' beyond 32, one needs to modify
> the files '/usr/include/limits.h, /usr/include/sys/param.h', and
> rebuild the kernel.  But there is no way to compile the new kernel on
> Solaris by using these modified files. The 'boot -r' from the boot prom
> level will not recompile the kernel, it just loads the existing kernel
> using '/etc/system' parameters which are limited by the parameters set
> by '/usr/include/sys/param.h' during the original compilation.
> 
> -Gopal
> 
> Michael G. Noble wrote:
> 
> >Solaris has a 15 member limit to groups. Since you are under that
> >limit, it should not be a problem.  I have Samba running on an Ultra
> >60 with Solaris8, samba version 2.2.5.  I have users who are members
> >of at least 14 groups and not having any problems accessing shared
> >folders.
> >
> >Mike
> >
> >On Tue, 2003-03-04 at 13:35, Gopal Bhat wrote:
> >  
> >
> >>I am facing a strange problem related to authentication of NT users
> >>accessing the SAMBA server.
> >>Here are the details:
> >>Server:  Solaris 9, SUN Ultra 60,  SAMBA 2.2.7a with PAM and WINBIND
> >>Client: Windows XP, NT4.0, 2000
> >>
> >>Symptoms:
> >>Created a share \\server\test (UNIX: /export/SMB/test) with access to
> >>group 'TestGroup' where 'TestUser' is a member.
> >>'TestUser' is a member of 10 more groups along with 'TestGroup'
> >>(Total number of TestUser's groups = 11)
> >>
> >>With the above settings 'TestUser' can't access the share
> >>'\\server\test', and the following message shows up in the Client.log:
> >>
> >>[2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(244)
> >>  Unable to initgroups. Error was Not owner
> >>[2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(247)
> >>  This is probably a problem with the account domain\testuser 
> >>[2003/03/04 13:31:52, 0] smbd/service.c:make_connection(599)
> >> client (10.81.105.121) Can't change directory to /export/SMB/test (Permission denied)
> >>
> >>If I change the number of groups the user 'TestUser' belongs from 11
> >>to 8 ('TestGroup'  + 7 other groups), the user can access the share
> >>'\\server\test' without any problems.
> >>
> >>It looks like there is some limitation on number of NT group
> >>memberships 'smbd' can handle.
> >>Note: 'wbinfo' returns all the right groups of the user without any
> >>problems.
> >>
> >>Is there anyone out there who is aware of this problem and knows a
> >>workaround/solution to this?
> >>I really appreciate any help from the prestigious SAMBA Team.
> >>
> >>Thanks,
> >>Gopal
> >>
> 


