[Samba] Samba and ZFS

Marcis Lielturks marcis.lielturks at gmail.com
Thu Aug 5 00:56:24 MDT 2010

On 08/ 4/10 10:35 PM, David Magda wrote:
> On Wed, August 4, 2010 10:33, Gaiseric Vandal wrote:
>> the ngroup_max issue isn't specific to an active directory
>> environment. I found with samba 3.0.x, if you were in more than 16
>> groups, you might not have all the access you thought you should but you
>> could still log on. (samba didn't check the system ngroups_max.) With
>> samba 3.5.x if you are in more groups than "ngroups_max" you won't even
>> be able to log on to windows.
Well, I actually observed that the user was able to log in to Windows.
Problems started when he tried to access a share where permissions were
granted only to the user's groups (except the primary group or the user
itself). It could be Samba's bug/problem or it could be OpenSolaris, or
maybe a mix of both. I will try to investigate this further in my spare time.
>> NFS is the limiting factor for ngroups_max.  If you aren't using nfs you
>> can up ngroups_max.  Or if you are using nfs with kerberos
>> authentication then I think you should also be able to up ngroups_max.
>> If you up ngroups_max and a user has > 16 groups, he would be able to
>> login to windows BUT non-krb nfs would be broken.
> ngroups_max has been expanded in recent versions of OpenSolaris, but this
> has not (yet?) been back-ported to Solaris 10:

Yes, sorry, forgot you're using Solaris 10; the ngroups_max limit was
increased to 1024 sometime near OpenSolaris snv_129, I think.
> http://www.c0t0d0s0.org/archives/6135-At-last-or-NGROUPS-revisited.html
> This change was done to help with the creation of the built-in CIFS server
> in OpenSolaris. The new limit is 1024, which is the same maximum as
> Windows has for groups.
Actually, for the case where I was unlucky with Samba, the built-in CIFS
didn't have problems with group limits, even when ngroups_max was
left at the default "16". I have some suspicion/idea that this might be due
to the EUID/EGID each daemon runs with - Samba is dropping privileges; I
don't know about smb/server, but suspect that it runs privileged all the time.
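
Added example (not part of the original message, and not Samba or Solaris code): a small audit that counts each user's supplementary groups from group-file text and reports who exceeds a given ngroups_max, which is the condition the thread ties to missing share access and broken non-Kerberos NFS. The sample data and the function names are constructed for illustration; on a real host the input is assumed to come from `getent group`, and primary groups from the passwd database are not counted.

```python
import os
from collections import defaultdict

# Constructed sample in group-file format (name:passwd:gid:members).
# alice is listed in 20 groups, bob in 5; the last entries test the parser.
SAMPLE_GROUP = "\n".join(
    [f"proj{i:02d}::{2000 + i}:" + ("alice,bob" if i < 5 else "alice")
     for i in range(20)]
    + ["staff::10:", "# comment", "broken-line"]
)


def supplementary_groups(group_text):
    """Map user -> sorted (gid, name) pairs of groups that list the user."""
    members = defaultdict(set)
    for line in group_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # skip malformed entries instead of miscounting
        name, _, gid, users = fields
        for user in filter(None, (u.strip() for u in users.split(","))):
            members[user].add((int(gid), name))
    return {user: sorted(groups) for user, groups in members.items()}


def users_over_limit(group_text, limit):
    """Return {user: count} for users in more supplementary groups than limit."""
    counts = {u: len(g) for u, g in supplementary_groups(group_text).items()}
    return {u: n for u, n in counts.items() if n > limit}


def system_ngroups_max(default=16):
    """Ask the running OS for NGROUPS_MAX; fall back to 16 if unavailable."""
    try:
        return os.sysconf("SC_NGROUPS_MAX")
    except (ValueError, OSError, AttributeError):
        return default


if __name__ == "__main__":
    # 16 is the default limit discussed in the thread; 1024 the raised one.
    for limit in (16, 1024, system_ngroups_max()):
        print(limit, users_over_limit(SAMPLE_GROUP, limit))
```
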
