[Samba] Problem with number of groups of AD User (token size ?)
joe at pyx.ch
Thu Feb 4 02:07:57 MST 2010
On a CentOS 5.4 system with Samba 3.0.33 (member server of an AD domain in
2003 native mode) I have the problem that certain users can't use the shares
(can't logon), while others can.
I *think* this is related to the fact that those users unable to connect are
member of a huge number of groups (100+).
We know from experience that this is a problem in Windows itsself (need to set
MaxTokenSize as discussed here http://support.microsoft.com/kb/327825) or with
Apache mod_auth_kerb (need to set LimitRequestFieldSize in Apache).
Unfortunately, I was unable to find any clear indication that this might also
be a problem with Samba/Winbind, let alone find a solution for it. And I must
admit that I don't have any log entries that actually point me in this
direction, so it's more of a "feeling" :-/
I just wanted to ask if that (users being member of a huge number of AD groups
and thus there Kerberos ticket getting really big) can be at all a problem
with Samba/Winbind and that I should investigate more thouroughly along this
More information about the samba