From owner-freebsd-questions@FreeBSD.ORG Thu Dec 8 06:20:26 2005 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4B65316A41F for ; Thu, 8 Dec 2005 06:20:26 +0000 (GMT) (envelope-from no-spam@swiftdsl.com.au) Received: from smtp.ade.swiftdsl.com.au (smtp.ade.swiftdsl.com.au [218.214.228.98]) by mx1.FreeBSD.org (Postfix) with SMTP id AD66143D45 for ; Thu, 8 Dec 2005 06:20:21 +0000 (GMT) (envelope-from no-spam@swiftdsl.com.au) Received: (qmail 32171 invoked from network); 8 Dec 2005 06:20:20 -0000 Received: from unknown (HELO daemon.foo.lan) (218.214.176.70) by smtp.ade.swiftdsl.com.au with SMTP; 8 Dec 2005 06:20:20 -0000 From: Ian Moore To: freebsd-questions@freebsd.org Date: Thu, 8 Dec 2005 16:50:10 +1030 User-Agent: KMail/1.8.3 References: <200512071741.57495.no-spam@swiftdsl.com.au> In-Reply-To: <200512071741.57495.no-spam@swiftdsl.com.au> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart2800964.WdK2pXaoQt"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200512081650.16894.no-spam@swiftdsl.com.au> Cc: "Michael P. Soulier" , Jon Falconer Subject: Re: Changing maximum number of groups in FBSD - is it feasible? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Dec 2005 06:20:26 -0000 --nextPart2800964.WdK2pXaoQt Content-Type: text/plain; charset="cp 850" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Wednesday 07 December 2005 17:41, Ian Moore wrote: > Hi, > > I'm toying with the idea of increasing the maximum number of groups a user > can belong to on one of my servers - we have a rather complex organisation > and we're hitting the 15 group limit for some people. > > There seems to be differing opinions on how to do this and if it's actual= ly > > feasible. One post I found said: > > in src/sys/sys/syslimits.h there is a constant named 'NGROUPS_MAX'. > > change it to however many you need (within reason), rebuild/install wor= ld > > and kernel. > > Another said you have to change all sorts of things in the source, modify= a > kernel parameter, rebuild world and rebuild any port that uses NGROUPS - > which probably means a portupgrade -fa. > > There is talk of a maxgroups() parameter in the kernel, but NOTES makes no > mention of this. > > I wonder too if some apps would need their own configuration altered to > allow them to work with the higher limit. > > So I just wanted to ask if anyone has successfully raised the NGROUPS_MAX > limit, especially when running samba & nfs on the system? > > If not, I'll work around the problem a different way. > > (BTW I'm running 5.4-RELEASE) > > Cheers, > Ian, >=20 > Since you are running FreeBSD 5.x, have you considered using ACLs? See the > handbook section 14.12. >=20 > Have you considered cascading groups? That's the normal workaround on > Enterprise Unix systems like HP-UX and Solaris. >=20 > Instead of putting everyong in "group", do this instead. >=20 > group:*:100:group1,group2 > group1:*:101:user1,user2 > group2:*:102:user3, user4 >=20 > Thus, the users are all transitively in group, and you work around the=20 limit. >=20 > Mike Thanks for the suggestions guys. I had considered ACLs as one possible=20 workaround and I'd said to a mate of mine "gee, it'd be really good if you= =20 could make a group a member of another group", not thinking you actually=20 could do that! That's very handy. Since there doesn't seem to be anyone so far that's saying they have=20 successfully increased the group limit, it looks like I'll be using one of= =20 those workarounds.... Cheers, =2D-=20 Ian gpg key: http://home.swiftdsl.com.au/~imoore/no-spam.asc --nextPart2800964.WdK2pXaoQt Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQBDl9CgPUlnmbKkJ6ARAvDAAJwI3HqLXuQpHxycIIxFPjaBk767igCgpJGe SlLeP/7MbvWerRVuV1PQem4= =UFSa -----END PGP SIGNATURE----- --nextPart2800964.WdK2pXaoQt--