Date: Tue, 13 Apr 2010 21:34:14 -0500
From: Brooks Davis
To: Knowledge Seeker
Cc: freebsd-hackers@freebsd.org
Subject: Re: RPC and NFS more than 16 groups
Message-ID: <20100414023414.GD81708@lor.one-eyed-alien.net>
List-Id: Technical Discussions relating to FreeBSD

On Tue, Apr 13, 2010 at 11:00:48PM +0000, Knowledge Seeker wrote:
> Hi,
> I need to have my NFS server to authenticate more than 16 groups when there
> is a file access.
>
> I would like to know if I can just redefine my MACROS to accomplish that.
>
> The macro would be: NGRPS, because it is tested against the variable
> ngroups which comes from NGROUPS value.
>
> /* gids compose part of a credential; there may not be more than 16 of them */
> #define NGRPS 16
>
> In:
>
> sys/rpc/authunix_prot.c
> sys/rpc/svc_auth_unix.c
> usr.sbin/rpc.lockd/kern.c
> include/rpc/auth_unix.h
> lib/libc/rpc/PSD.doc/xdr.nts.ms
>
> Is there any critical issue in change the defs and recompile the kernel and
> the world?

It won't work unless you also change the clients and then you will be
sending invalid RPC packets over the wire.  If you can live with that it
may well work.

The real answer is switch to NFSv4 and GSSAPI authentication where the
group checking all takes place on the server where it belongs in the
first place.

-- Brooks
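
An added example, not part of the message above and not FreeBSD's own code: a minimal decoder for the AUTH_SYS (AUTH_UNIX) credential body as RFC 5531 defines it (stamp, machinename<255>, uid, gid, gids<16>), showing how a receiver that follows the specification treats a credential carrying a 17th group. The function names, return codes and the constructed sample credential are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AUTHSYS_MAX_NAME 255 /* string machinename<255> */
#define AUTHSYS_MAX_GIDS 16  /* unsigned int gids<16>, the NGRPS limit */

struct authsys { uint32_t stamp, uid, gid, ngids, gids[AUTHSYS_MAX_GIDS]; };

/* Read one big-endian XDR unsigned int; -1 if the buffer is too short. */
static int get_u32(const uint8_t **p, size_t *left, uint32_t *out) {
    if (*left < 4) return -1;
    *out = (uint32_t)(*p)[0] << 24 | (uint32_t)(*p)[1] << 16 |
           (uint32_t)(*p)[2] << 8 | (uint32_t)(*p)[3];
    *p += 4; *left -= 4;
    return 0;
}

/* Decode a credential body: 0 = valid, -1 = malformed, -2 = over 16 gids. */
int authsys_decode(const uint8_t *p, size_t len, struct authsys *c) {
    uint32_t namelen, padded;
    if (get_u32(&p, &len, &c->stamp) || get_u32(&p, &len, &namelen)) return -1;
    if (namelen > AUTHSYS_MAX_NAME) return -1;
    padded = (namelen + 3) & ~3u;          /* XDR pads strings to 4 bytes */
    if (len < padded) return -1;
    p += padded; len -= padded;            /* machine name is not used here */
    if (get_u32(&p, &len, &c->uid) || get_u32(&p, &len, &c->gid) ||
        get_u32(&p, &len, &c->ngids)) return -1;
    if (c->ngids > AUTHSYS_MAX_GIDS) return -2; /* reject before storing any gid */
    for (uint32_t i = 0; i < c->ngids; i++)
        if (get_u32(&p, &len, &c->gids[i])) return -1;
    return len == 0 ? 0 : -1;
}

/* Build a constructed credential with ngids groups (max 32) and decode it. */
int check_sample(uint32_t ngids) {
    uint8_t buf[20 + 4 * 32] = {0};        /* stamp 0, empty name, uid 0, gid 0 */
    struct authsys c;
    if (ngids > 32) return -1;
    buf[19] = (uint8_t)ngids;              /* low byte of the gids<> count */
    for (uint32_t i = 0; i < ngids; i++)
        buf[20 + 4 * i + 3] = (uint8_t)(i + 1); /* gid i+1, big-endian */
    return authsys_decode(buf, 20 + 4 * (size_t)ngids, &c);
}

int main(void) {
    printf("16 gids -> %d\n17 gids -> %d\n", check_sample(16), check_sample(17));
    return 0;
}
```

The count is checked against the limit before any gid is copied, so an oversized credential is refused rather than written past the fixed-size array.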