Date:      Mon, 16 Apr 2018 15:19:53 +0300
From:      Toomas Soome <tsoome@me.com>
To:        Rick Macklem <rmacklem@uoguelph.ca>
Cc:        Julian Elischer <julian@freebsd.org>, freebsd-current <freebsd-current@freebsd.org>
Subject:   Re: anyone running with ngroups increased from 16?
Message-ID:  <458372AF-081B-4508-910A-BCB46EB5D955@me.com>
In-Reply-To: <YQBPR0101MB1042669A07D6EB23958ADD4EDDB00@YQBPR0101MB1042.CANPRD01.PROD.OUTLOOK.COM>
References:  <ee1ec98f-2214-36d5-97e4-00475c697593@freebsd.org> <e5ccdc48-d454-17d8-1c54-e7c13a312400@freebsd.org> <YQBPR0101MB1042669A07D6EB23958ADD4EDDB00@YQBPR0101MB1042.CANPRD01.PROD.OUTLOOK.COM>




> On 16 Apr 2018, at 15:12, Rick Macklem <rmacklem@uoguelph.ca> wrote:
> 
> Julian Elischer wrote:
>> On 16/4/18 6:37 pm, Julian Elischer wrote:
>>> Windows users seem to have an almost unlimited number of groups and
>>> some places seem to use them a LOT.
>>> This gives Posix systems problems with deciding how to handle them
>>> all. Especially when getting
>>> user credentials from winbindd (samba).
>>> 
>>> Does anyone know of any work done to either bypass this limit or to
>>> at least expand it?
>> 
>> I mean with the other applications such as NFS usages etc.
>> I know mountd explodes with > 16..  has anyone done a cleaning pass?
> 16 is the limit "on-the-wire" per RFCs for Sun RPC. You can use
> nfsuserd --manage-gids (see "man nfsuserd")
> on the NFS server so that the daemon uses the group list for the uid in the RPC instead of the list of groups (limited to 16) in the RPC header. Works fine so
> long as the server knows the same group list for a uid as the client(s) do.
> 
> And, yes, this applies to NFSv3 as well as NFSv4.
> 

It is not entirely exact. The number of supplemental groups is the limit of the AUTH_SYS (aka AUTH_UNIX) authentication mechanism used by ONC+ RPC. So anything using/supporting this auth mechanism has this limit too.

Therefore, on paper, there are 2 possible ways to overcome the issue - either use an alternate authentication mechanism (such as AUTH_GSS), or implement a workaround for AUTH_SYS.

rgds,
toomas
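
The 16-group limit discussed in this message, as an added example that is not part of the original e-mail or of FreeBSD's code: a Python encoder/decoder for the AUTH_SYS credential body as laid out in RFC 5531, plus a simplified model of a server that looks up groups by uid instead of using the wire list. The uid/gid values, the host name `client01` and the `server_groups` map are constructed for illustration.

```python
import struct

MAX_GIDS = 16  # RFC 5531 authsys_parms: "unsigned int gids<16>"

def xdr_string(s: bytes) -> bytes:
    """XDR string: 4-byte length, data, zero padding to a multiple of 4."""
    return struct.pack(">I", len(s)) + s + b"\0" * (-len(s) % 4)

def encode_auth_sys(stamp, machine, uid, gid, gids):
    """Encode an AUTH_SYS credential body; more than 16 gids cannot be sent."""
    if len(gids) > MAX_GIDS:
        raise ValueError("AUTH_SYS carries at most 16 supplementary gids")
    return (struct.pack(">I", stamp) + xdr_string(machine)
            + struct.pack(">III", uid, gid, len(gids))
            + struct.pack(">%dI" % len(gids), *gids))

def decode_auth_sys(body):
    """Decode a credential body, rejecting an over-long or inconsistent gid array."""
    stamp, mlen = struct.unpack_from(">II", body, 0)
    if mlen > 255:
        raise ValueError("machinename longer than 255 bytes")
    off = 8 + mlen + (-mlen % 4)
    machine = body[8:8 + mlen]
    uid, gid, n = struct.unpack_from(">III", body, off)
    off += 12
    if n > MAX_GIDS or off + 4 * n != len(body):
        raise ValueError("bad gid count in AUTH_SYS credential")
    gids = list(struct.unpack_from(">%dI" % n, body, off))
    return {"stamp": stamp, "machine": machine, "uid": uid, "gid": gid, "gids": gids}

def effective_gids(cred, server_groups=None):
    """Groups used for the access check.
    server_groups is None: use the gids from the RPC header (at most 16).
    server_groups given (hypothetical uid -> gids map): model of the
    server-side lookup described above; the wire list is ignored."""
    if server_groups is not None and cred["uid"] in server_groups:
        return set(server_groups[cred["uid"]])
    return {cred["gid"], *cred["gids"]}

def demo():
    member_of = list(range(2000, 2020))          # constructed: user in 20 groups
    body = encode_auth_sys(0, b"client01", 1001, 1001, member_of[:MAX_GIDS])
    cred = decode_auth_sys(body)
    file_gid = 2018                              # group that fell off the wire list
    wire = file_gid in effective_gids(cred)
    managed = file_gid in effective_gids(cred, {1001: [1001] + member_of})
    return len(body), wire, managed

if __name__ == "__main__":
    print(demo())
```

The server-side lookup only gives the right answer when the server's group list for the uid matches the client's, which is the condition stated in the quoted reply.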

