Date: Fri, 13 Feb 2009 14:52:12 +1000 From: Da Rock <rock_on_the_web@comcen.com.au> To: Chuck Swiger <cswiger@mac.com> Cc: freebsd-questions@freebsd.org Subject: Re: Old user can't log in Message-ID: <1234500741.13067.111.camel@laptop1.herveybayaustralia.com.au> In-Reply-To: <470E75B0-C7E9-4F05-A112-62DF01F1EA1D@mac.com> References: <325E4EC8-BD2B-45C1-978C-4922D16D3A94@identry.com> <9391FD2D-59ED-455A-8C87-2854C7EF1E52@mac.com> <ECDF6933-47F6-4D67-AC5C-5E149590D971@identry.com> <1234498626.13067.96.camel@laptop1.herveybayaustralia.com.au> <470E75B0-C7E9-4F05-A112-62DF01F1EA1D@mac.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 2009-02-12 at 20:37 -0800, Chuck Swiger wrote: > On Feb 12, 2009, at 8:17 PM, Da Rock wrote: > > I've been following this thread with interest: are you saying FreeBSD > > logins cannot handle more than 16 groups? If so, why? Is this > > mitigated > > by using other authentication methods (ie kerberos, ldap, etc)? > > There's a compile-time limit of the relevant kernel data structures as > to how many groups a user can be in, described by "sysctl > kern.ngroups". It's possible to recompile the kernel with a larger > number, but doing so will break NFS (and possibly other things). It > doesn't matter whether you use Kerberos, LDAP, etc to set up the > groups; while those things do not have a 16-group limit, the FreeBSD > kernel [1] does. > > With reasonable organization, and appropriate use of sudo or setgid > binaries for things like people who use SVN or CVS, there generally > isn't reason or need for a user to be in so many groups. For the > exceptional cases, switching to using a full ACL system rather than > the traditional Unix permission model is probably going to be a better > solution. Interesting. What would you suggest for full ACL?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1234500741.13067.111.camel>