From: Knowledge Seeker
To: Brooks Davis
Cc: freebsd-hackers@freebsd.org
Date: Tue, 27 Apr 2010 21:03:36 +0000
Subject: Re: RPC and NFS more than 16 groups

Hi,

I made the changes in 2 FreeBSD 8.0 stable boxes. I've configured one as a
server and the other as the client. But the 16 groups limit persists. Even
when I tried using a GNU/Linux Debian machine as a client with a kernel
patched to work with the number of groups advertised by the server
(kernel-patch-nfs-ngroups), it does not work.

The files and lines changed in FreeBSD src were:

include/rpc/auth_unix.h:#define NGRPS 64
lib/libc/rpc/PSD.doc/xdr.nts.ms:#define NGRPS 64
lib/libc/rpc/PSD.doc/xdr.nts.ms:#define NGRPS 64
sys/rpc/authunix_prot.c:#define NGRPS 64
sys/rpc/svc_auth_unix.c:#define NGRPS 64

I wish to do that as a temporary solution, once we intend to do a complete
migration to OpenAFS soon. But now, it's really important to have this
working. Migrating to NFSv4 first will be too much work, especially on
clients. (Only the server is a FreeBSD machine.)

Thanks in advance.

Regards
-- Knoseeker

On Wed, Apr 14, 2010 at 2:34 AM, Brooks Davis wrote:

> On Tue, Apr 13, 2010 at 11:00:48PM +0000, Knowledge Seeker wrote:
> > Hi,
> > I need to have my NFS server to authenticate more than 16 groups when there
> > is a file access.
> >
> > I would like to know if I can just redefine my MACROS to accomplish that.
> >
> > The macro would be: NGRPS, because it is tested against the variable
> > ngroups which comes from NGROUPS value.
> >
> > /* gids compose part of a credential; there may not be more than 16 of them
> > */
> > #define NGRPS 16
> >
> > In:
> >
> > sys/rpc/authunix_prot.c
> > sys/rpc/svc_auth_unix.c
> > usr.sbin/rpc.lockd/kern.c
> > include/rpc/auth_unix.h
> > lib/libc/rpc/PSD.doc/xdr.nts.ms
> >
> > Is there any critical issue in change the defs and recompile the kernel and
> > the world?
>
> It won't work unless you also change the clients and then you will be
> sending invalid RPC packets over the wire. If you can live with that it
> may well work. The real answer is switch to NFSv4 and GSSAPI
> authentication where the group checking all takes place on the server
> where it belongs in the first place.
>
> -- Brooks
>
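
An added illustration, not code from this thread or from the FreeBSD tree: a spec-conforming check of an AUTH_UNIX (AUTH_SYS) credential body, showing why a credential from a sender rebuilt with NGRPS 64 is invalid on the wire even though it still fits in the 400-byte credential body. The limits are the ones in the ONC RPC specification (RFC 5531); the function names and the sample host, uid and gid values are assumptions made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define WIRE_NGRPS      16   /* gids<16> in the AUTH_UNIX (AUTH_SYS) credential */
#define MAX_MACHINE_LEN 255  /* machinename<255> */
#define MAX_AUTH_BYTES  400  /* opaque_auth body<400> */

static uint32_t be32(const uint8_t *p)       /* XDR integers are big-endian */
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

static size_t put32(uint8_t *b, size_t off, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        b[off + i] = (uint8_t)(v >> (24 - 8 * i));
    return off + 4;
}

/* Returns the gid count (0..16) of a well-formed credential body, else -1.
 * Layout: stamp, machinename (length + padded bytes), uid, gid, gid count, gids. */
int authsys_check(const uint8_t *b, size_t len)
{
    size_t words = len / 4, pos;
    uint32_t namelen, ngids;
    if (len % 4 || len > MAX_AUTH_BYTES || words < 5)
        return -1;
    namelen = be32(b + 4);
    if (namelen > MAX_MACHINE_LEN)
        return -1;
    pos = 2 + (namelen + 3) / 4;              /* word index of uid */
    if (pos + 3 > words)                      /* uid, gid and gid count must fit */
        return -1;
    ngids = be32(b + 4 * (pos + 2));
    if (ngids > WIRE_NGRPS)                   /* e.g. sender rebuilt with NGRPS 64 */
        return -1;
    return pos + 3 + ngids == words ? (int)ngids : -1;  /* exact length, no slack */
}

/* Constructed sample: host "nfs1", uid/gid 1001, n gids; b needs 24 + 4n bytes. */
size_t authsys_sample(uint8_t *b, uint32_t n)
{
    size_t off = put32(b, put32(b, 0, 0), 4);         /* stamp, name length */
    memcpy(b + off, "nfs1", 4);
    off = put32(b, put32(b, off + 4, 1001), 1001);    /* uid, gid */
    off = put32(b, off, n);
    for (uint32_t i = 0; i < n; i++)
        off = put32(b, off, 2000 + i);                /* made-up group ids */
    return off;
}
```

A 64-gid credential here is only 280 bytes, so it is the `gids<16>` bound, not the body size, that an unmodified peer trips on.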