[Samba] number of groups of NT account causes authentication
problems
Ken Cross
kcross at nssolutions.com
Thu Mar 6 02:41:15 GMT 2003
Be careful. Just rebuilding the kernel with an increased NGROUPS_MAX
probably won't be sufficient.
To accommodate Windows users with lots (40-50) of group memberships, we
had to rebuild NetBSD with NGROUPS_MAX set to 128.
But we also had to rebuild userland, because anything that used
NGROUPS_MAX statically would break. That meant almost everything in
/sbin /usr/sbin and a lot of /bin and /usr/bin, not to mention libc.
It's a pretty Big Deal.
Ken
________________________________
Ken Cross
Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at nssolutions.com
> -----Original Message-----
> From:
> samba-technical-bounces+kcross=nssolutions.com at lists.samba.org
>
> [mailto:samba-technical-bounces+kcross=nssolutions.com at lists.s
> amba.org] On Behalf Of Gopal Bhat
> Sent: Wednesday, March 05, 2003 9:25 PM
> To: Michael G. Noble; don_mccall at hp.com
> Cc: samba; samba-technical
> Subject: Re: [Samba] number of groups of NT account causes
> authentication problems
>
>
> Finally, I found that this problem is due to limitation of
> Solaris OS.
> By default, the kernel parameter NGROUPS_MAX ( # getconf
> NGROUPS_MAX) is
> set to 16 (/usr/include/limits.h), which can be changed to a
> maximum of
> 32 by putting a line:
> set ngroups_max=32
> in /etc/system file and rebooting the server. If you do this,
> the server
> complains about some NFS problems:
> # dmesg | grep -i ngroups
> Mar 5 17:50:25 chevette unix: [ID 953839 kern.warning] WARNING:
> ngroups_max of 32 > 16, NFS AUTH_SYS will not work properly
>
> But again, the cap is raised to 32 from 16.
> To increase the parameter 'ngroups_max' beyond 32, one needs
> to modify
> the files '/usr/include/limits.h, /usr/include/sys/param.h',
> and rebuild
> the kernel. But there is no way to compile the new kernel on
> solaris by
> using this modified files. The 'boot -r' from the boot prom
> level will
> not recompile the kernel, it just loads the existing kernel using
> '/etc/system' parameters which are limited by the parameters set by
> '/usr/include/sys/param.h' during the original compilation.
>
> -Gopal
>
> Michael G. Noble wrote:
>
> >Solaris has a 15 member limit to groups. Since you are under that
> >limit, it should not be a problem. I have Samba running on an Ultra
> >60 with Solaris8, samba version 2.2.5. I have users who are members
> >of at least 14 groups and not having any problems accessing shared
> >folders.
> >
> >Mike
> >
> >On Tue, 2003-03-04 at 13:35, Gopal Bhat wrote:
> >
> >
> >>I am facing a strange problem related to authentication of NT users
> >>accessing the SAMBA server.
> >>Here are the details:
> >>Server: Solaris 9, SUN Ultra 60, SAMBA 2.2.7a with PAM and WINBIND
> >>Client: Windows XP, NT4.0, 2000
> >>
> >>Symptoms:
> >>Created a share \\server\test (UNIX: /export/SMB/test)
> with access to
> >>group 'TestGoup' where 'TestUser' is a member.
> >>'TestUser' is a member of 10 more groups along with
> 'TestGroup' (Total
> >>number of TestUser's group = 11)
> >>
> >>With the above settings 'TestUser' can't access the share
> >>'\\server\test', and the following message shows up in the
> Client.log:
> >>
> >>[2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(244)
> >> Unable to initgroups. Error was Not owner
> >>[2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(247)
> >> This is probably a problem with the account domain\testuser
> >>[2003/03/04 13:31:52, 0] smbd/service.c:make_connection(599)
> >> client (10.81.105.121) Can't change directory to /export/SMB/test
> >>(Permission denied)
> >>
> >>If I change the number of groups the user 'TestUser'
> belongs from 11
> >>to
> >>8 ('TestGroup' + 7 other groups), the user can access the share
> >>'\\server\test' without any problems.
> >>
> >>It looks like there is some limitation on number of NT group
> >>memberships
> >>'smbd' can handle.
> >>Note: 'wbinfo' returns all the right groups of the user without any
> >>problems.
> >>
> >>Is there anyone out there who is aware of this problem and knows a
> >>workaround/solution to this?
> >>I really appreciate any help from the prestigious SAMBA Team.
> >>
> >>Thanks,
> >>Gopal
> >>
> >>--
> >>To unsubscribe from this list go to the following URL and read the
> >>instructions: http://lists.samba.org/mailman/listinfo/samba
> >>
> >>
> >
> >
> >
> >
>
More information about the samba
mailing list