[Samba] AD Group update lag / cache, firewall related?

A. James Lewis james at fsck.co.uk
Fri Aug 25 16:00:28 UTC 2017


That seems to count out the kernel ... I guess the 128 number could be a coincidence...

Actually I made a mistake below... 

I used "wbinfo -g user", where I should have used "wbinfo -r user"..... 

In fact wbinfo fails to show the group membership I expect... where I said before that it succeeded.

wbinfo shows that the group exists, but not that the user is a member of it....

for i in `wbinfo -r fred`; do getent group $i | grep $i; done | grep problem-group

Other groups are visible using that command.

James



August 25, 2017 4:25 PM, "mathias dufresne via samba" <samba at lists.samba.org> wrote:

> It seems the maximum groups per user was 32 until the 2.6.3 kernel. Then it is not
> clear whether the same limit applies on recent kernels.
> https://askubuntu.com/questions/300049/is-there-a-maximum-number-of-groups
> 
> 2017-08-25 16:58 GMT+02:00 A. James Lewis via samba <samba at lists.samba.org>:
> 
>> August 25, 2017 3:12 PM, "Rowland Penny via samba" <samba at lists.samba.org>
>> wrote:
>> 
>> On Fri, 25 Aug 2017 13:54:21 +0000
>> "A. James Lewis" <james at fsck.co.uk> wrote:
>> 
>> It's not offline.... and groups do usually filter through...
>> sometimes immediately, sometimes never... but usually with a
>> significant delay...
>> 
>> I originally put this down to the ancient version of Samba or Winbind
>> that was shipped with the OS, but it seems I was wrong...
>> 
>> Winbind can see the group, and even the group membership... and the
>> group is passed on to the OS, but not the group membership.
>> 
>> eg:-
>> 
>> wbinfo -g user | grep group <-- successful
>> 
>> getent group group <-- successful
>> 
>> however
>> 
>> groups user | grep group <-- fails
>> 
>> I was wondering if there's a limit on the number of groups, since the
>> new machine using "groups", shows that the user has 128 groups, while
>> a machine that's been around for a while shows 156 groups... and
>> another machine that's local to the AD controller shows 174 groups.
>> 
>> Hmm, try reading this:
>> 
>> https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed
>> 
>> Under 'Samba 4.6.0' --> winbind changes
>> 
>> Does 'groups user' show any groups ?
>> 
>> Yes, however I have 4 servers and they each show a different number of
>> groups, 128, 154, 169 and 174...
>> 
>> # for i in `groups user`; do echo $i; done | wc -l
>> 
>> The Samba 4.6 box shows 128, which makes me think perhaps there is a limit
>> to the number of groups that are processed somewhere... 128 being a
>> suspicious number!..... but that's a pure guess!
>> 
>> Rowland
>> 
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>> 
>> --
>> A. James Lewis (james at fsck.co.uk)
>> "Engineering does not require science. Science helps a lot but people
>> built perfectly good brick walls long before they knew why cement works."
>> 

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
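
The comparison discussed in this thread (GIDs winbind resolves for a user versus the groups the OS actually reports) can be scripted as below. This is an added example, not code from the thread or from the Samba project; the function names are hypothetical, and it assumes `wbinfo -r` prints one GID per line and `id -G` prints the NSS-side GID list.

```shell
#!/bin/sh
# Added example: find GIDs that winbind returns for a user but that never
# reach the OS group list. Function names are hypothetical.

# missing_gids WINBIND_GIDS NSS_GIDS
# Both arguments are whitespace-separated GID lists. Prints every GID that is
# in the first list but not in the second, one per line, sorted numerically.
missing_gids() {
    a=$(printf '%s\n' $1 | sort -n -u)
    b=$(printf '%s\n' $2 | sort -n -u)
    for gid in $a; do
        # -x matches the whole line, so 1000 does not match 10001
        printf '%s\n' "$b" | grep -qx "$gid" || printf '%s\n' "$gid"
    done
}

# count_gids LIST: number of distinct GIDs in a whitespace-separated list.
count_gids() {
    printf '%s\n' $1 | sort -u | grep -c . || true
}

# report USER: live comparison on a domain member (needs wbinfo, id, getent).
report() {
    user=$1
    wb_list=$(wbinfo -r "$user") || return 1
    nss_list=$(id -G "$user") || return 1
    echo "winbind: $(count_gids "$wb_list") groups, NSS: $(count_gids "$nss_list") groups"
    # Kernel limit on supplementary groups per process, for comparison
    echo "NGROUPS_MAX: $(getconf NGROUPS_MAX)"
    for gid in $(missing_gids "$wb_list" "$nss_list"); do
        # getent shows whether the group itself still resolves by GID
        echo "not in OS group list: $gid ($(getent group "$gid" | cut -d: -f1))"
    done
}

# Run the live report only when a user name is given, e.g.: sh groupdiff.sh fred
if [ $# -eq 1 ]; then
    report "$1"
fi
```

A user whose effective group list is shorter than the directory's view can be denied or granted access differently on each server, so running the same comparison on every domain member shows where memberships are being dropped.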


