[Samba] Problem with number of groups of AD User (token size ?)

Joe Ammann joe at pyx.ch
Thu Feb 4 02:07:57 MST 2010


Hi all

On a CentOS 5.4 system with Samba 3.0.33 (member server of an AD domain in
2003 native mode) I have the problem that certain users can't use the shares
(can't log on), while others can.

I *think* this is related to the fact that those users unable to connect are
members of a huge number of groups (100+).

We know from experience that this is a problem in Windows itself (need to set
MaxTokenSize as discussed here http://support.microsoft.com/kb/327825) or with
Apache mod_auth_kerb (need to set LimitRequestFieldSize in Apache).

Unfortunately, I was unable to find any clear indication that this might also 
be a problem with Samba/Winbind, let alone find a solution for it. And I must 
admit that I don't have any log entries that actually point me in this 
direction, so it's more of a "feeling" :-/

I just wanted to ask if that (users being members of a huge number of AD groups
and thus their Kerberos ticket getting really big) can be at all a problem
with Samba/Winbind and whether I should investigate more thoroughly along this
line?

-- 
	CU, Joe

