[Samba] Problem with number of groups of AD User (token size ?)

Jeremy Allison jra at samba.org
Thu Feb 4 16:02:08 MST 2010


On Thu, Feb 04, 2010 at 10:07:57AM +0100, Joe Ammann wrote:
> Hi all
> 
> On a CentOS 5.4 system with Samba 3.0.33 (member server of an AD domain in 
> 2003 native mode) I have the problem that certain users can't use the shares 
> (can't logon), while others can.
> 
> I *think* this is related to the fact that those users unable to connect are 
> members of a huge number of groups (100+).
> 
> We know from experience that this is a problem in Windows itself (need to set 
> MaxTokenSize as discussed here http://support.microsoft.com/kb/327825) or with 
> Apache mod_auth_kerb (need to set LimitRequestFieldSize in Apache). 
> 
> Unfortunately, I was unable to find any clear indication that this might also 
> be a problem with Samba/Winbind, let alone find a solution for it. And I must 
> admit that I don't have any log entries that actually point me in this 
> direction, so it's more of a "feeling" :-/
> 
> I just wanted to ask if that (users being members of a huge number of AD groups 
> and thus their Kerberos ticket getting really big) can be at all a problem 
> with Samba/Winbind and that I should investigate more thoroughly along this 
> line?

It could be. We depend on the underlying krb5 libraries to
do this right (fallback to TCP to get the ticket if it's too
large for UDP). What error messages do you get in the logs?

Jeremy.

