From owner-freebsd-current@freebsd.org Mon Apr 16 12:20:22 2018
Subject: Re: anyone running with ngroups increased from 16?
From: Toomas Soome
Date: Mon, 16 Apr 2018 15:19:53 +0300
To: Rick Macklem
Cc: Julian Elischer, freebsd-current
Message-id: <458372AF-081B-4508-910A-BCB46EB5D955@me.com>
List-Id: Discussions about the use of FreeBSD-current

> On 16 Apr 2018, at 15:12, Rick Macklem wrote:
>
> Julian Elischer wrote:
>> On 16/4/18 6:37 pm, Julian Elischer wrote:
>>> Windows users seem to have an almost unlimited number of groups and
>>> some places seem to use them a LOT.
>>> This gives Posix systems problems with deciding how to handle them
>>> all. Especially when getting
>>> user credentials from winbindd (samba).
>>>
>>> Does anyone know of any work done to either bypass this limit or to
>>> at least expand it?
>>
>> I mean with the other applications such as NFS usage etc.
>> I know mountd explodes with > 16.. has anyone done a cleaning pass?
> 16 is the limit "on-the-wire" per RFCs for Sun RPC. You can use
> nfsuserd --manage-gids (see "man nfsuserd")
> on the NFS server so that the daemon uses the group list for the uid in the RPC
> instead of the list of groups (limited to 16) in the RPC header. Works fine so
> long as the server knows the same group list for a uid as the client(s) do.
>
> And, yes, this applies to NFSv3 as well as NFSv4.
>

It is not entirely exact. The number of supplemental groups is the limit of the AUTH_SYS (aka AUTH_UNIX) authentication mechanism used by ONC+ RPC. So anything using/supporting this auth mechanism has this limit too. Therefore, on paper, there are two possible ways to overcome the issue: either use an alternate authentication mechanism (such as AUTH_GSS), or implement a workaround for AUTH_SYS.

rgds,
toomas
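As an added example (not part of this thread, and not FreeBSD or nfsuserd code), the following Python shows concretely where the 16 comes from: an encoder/decoder for the AUTH_SYS credential body as laid out in RFC 5531 (authsys_parms with gids<16>, machinename<255>, and the enclosing opaque_auth body bounded by MAX_AUTH_BYTES = 400), plus a server-side lookup that mirrors the approach described for nfsuserd --manage-gids, i.e. trust only the uid from the wire credential and use the group list the server resolves locally. The group database, uid, gid values and machine name are constructed for illustration.

```python
import struct

# RFC 5531, section 8.2 (AUTH_SYS, historically AUTH_UNIX):
#   struct authsys_parms {
#       unsigned int stamp;
#       string machinename<255>;
#       unsigned int uid;
#       unsigned int gid;
#       unsigned int gids<16>;
#   };
# The opaque_auth body carrying it is itself bounded: const MAX_AUTH_BYTES = 400;
AUTH_SYS_MAX_GIDS = 16
AUTH_SYS_MAX_MACHINENAME = 255
MAX_AUTH_BYTES = 400


def _xdr_u32(v):
    """XDR unsigned int: 4 bytes, big-endian."""
    if not 0 <= v <= 0xFFFFFFFF:
        raise ValueError("value does not fit in an XDR unsigned int")
    return struct.pack(">I", v)


def _xdr_string(data, maxlen):
    """XDR string<maxlen>: length, bytes, zero padding to a 4-byte boundary."""
    if len(data) > maxlen:
        raise ValueError("string longer than its XDR bound")
    return _xdr_u32(len(data)) + data + b"\0" * ((-len(data)) % 4)


def encode_authsys_parms(stamp, machinename, uid, gid, gids, truncate=False):
    """Build the AUTH_SYS credential body.  truncate=False rejects a group list
    longer than 16; truncate=True drops the excess, which is what ends up on the
    wire and why the server never sees more than the first 16 groups."""
    gids = list(gids)
    if len(gids) > AUTH_SYS_MAX_GIDS:
        if not truncate:
            raise ValueError(
                f"AUTH_SYS carries at most {AUTH_SYS_MAX_GIDS} gids, got {len(gids)}")
        gids = gids[:AUTH_SYS_MAX_GIDS]
    body = (_xdr_u32(stamp)
            + _xdr_string(machinename, AUTH_SYS_MAX_MACHINENAME)
            + _xdr_u32(uid) + _xdr_u32(gid)
            + _xdr_u32(len(gids)) + b"".join(_xdr_u32(g) for g in gids))
    assert len(body) <= MAX_AUTH_BYTES  # worst case 4+260+4+4+4+64 = 340
    return body


def decode_authsys_parms(buf):
    """Parse an AUTH_SYS credential body, enforcing the RFC 5531 bounds."""
    if len(buf) > MAX_AUTH_BYTES:
        raise ValueError("credential body exceeds MAX_AUTH_BYTES")
    off = 0

    def u32():
        nonlocal off
        if off + 4 > len(buf):
            raise ValueError("truncated credential")
        (v,) = struct.unpack_from(">I", buf, off)
        off += 4
        return v

    stamp = u32()
    n = u32()
    if n > AUTH_SYS_MAX_MACHINENAME or off + n > len(buf):
        raise ValueError("bad machinename length")
    machinename = buf[off:off + n]
    off += n + (-n) % 4
    uid, gid = u32(), u32()
    count = u32()
    if count > AUTH_SYS_MAX_GIDS:
        raise ValueError("gids count exceeds the XDR bound of 16")
    gids = [u32() for _ in range(count)]
    if off != len(buf):
        raise ValueError("trailing bytes after credential")
    return {"stamp": stamp, "machinename": machinename,
            "uid": uid, "gid": gid, "gids": gids}


# Constructed group database standing in for what the server resolves locally
# (getgrouplist(3), winbindd, ...): uid 1001 is a member of 40 groups.
CONSTRUCTED_GROUP_DB = {1001: list(range(100, 140))}


def effective_groups(cred, group_db=CONSTRUCTED_GROUP_DB):
    """Server-side workaround in the spirit of nfsuserd --manage-gids: keep only
    the uid from the wire credential and use the locally known group list,
    falling back to the (at most 16) wire gids for unknown uids."""
    return list(group_db.get(cred["uid"], cred["gids"]))


if __name__ == "__main__":
    wire = encode_authsys_parms(0, b"client", 1001, 100, range(100, 140), truncate=True)
    cred = decode_authsys_parms(wire)
    print(len(cred["gids"]), "groups on the wire,",
          len(effective_groups(cred)), "after the server-side lookup")
```

The decoder rejects a gids count above 16 rather than reading past the bound, which is the check a server should apply before trusting the array; the lookup in effective_groups only helps, as the thread notes, when the server's idea of a uid's groups matches the client's.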