From owner-freebsd-hackers@FreeBSD.ORG Thu Jul 19 16:08:40 2007
Return-Path:
X-Original-To: freebsd-hackers@freebsd.org
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id F2E3216A401
	for ; Thu, 19 Jul 2007 16:08:39 +0000 (UTC)
	(envelope-from rapopp@eastcentral.edu)
Received: from ecmail.eastcentral.edu (ecmail.eastcentral.edu [198.209.216.1])
	by mx1.freebsd.org (Postfix) with ESMTP id D252913C46B
	for ; Thu, 19 Jul 2007 16:08:39 +0000 (UTC)
	(envelope-from rapopp@eastcentral.edu)
Received: from barbados.eastcentral.edu (unknown [10.15.0.132])
	by ecmail.eastcentral.edu (Postfix) with ESMTP id 1E9F339949;
	Thu, 19 Jul 2007 10:51:13 -0500 (CDT)
From: "Reuben A. Popp"
To: Michael Vince
Date: Thu, 19 Jul 2007 10:54:00 -0500
User-Agent: KMail/1.9.4
References: <200706051149.45787.rapopp@eastcentral.edu>
	<4665B28A.7060608@elischer.org> <469ECA49.8050101@thebeastie.org>
In-Reply-To: <469ECA49.8050101@thebeastie.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200707191054.02109.rapopp@eastcentral.edu>
X-Mailman-Approved-At: Thu, 19 Jul 2007 16:26:01 +0000
Cc: freebsd-hackers@freebsd.org, Julian Elischer
Subject: Re: kern.ngroups question
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: rapopp@eastcentral.edu
List-Id: Technical Discussions relating to FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 19 Jul 2007 16:08:40 -0000

On Wednesday 18 July 2007 21:19, Michael Vince wrote:
> Julian Elischer wrote:
> > Reuben A. Popp wrote:
> >> Hello all,
> >>
> >> Can someone explain to me the rationale behind having ngroups_max set
> >> to 16 by default?
> >
> > NFS only supports this much by default (from memory).
> >
> > Samba (in the guise of Jeremy Allison)
> > has asked us to follow Linux's lead and support an arbitrary number of
> > Groups
> > but it hasn't happened yet, Partly due to the question of "what to do
> > about NFS" and partly just due to ENOTIME.
>
> I think at the very least that there should be some more obvious
> warnings about this potentially serious limitation in either release
> notes of FreeBSD and or Samba.
>
> I just had to deal with this limitation and it was quite annoying to say
> the least, it appears Samba is somewhat deliberately designed to give
> you a hard time when you run into this limit, because as soon as you add
> a user to more than 16 groups it declares the group file unreadable and
> as a security measure shuts down all shares and authentication which
> wrecks a network which relies on Samba.
>
> Also as far as I know Solaris and Linux has long gone past this limitation.
>
> Mike

Running into a problem nearly identical to Mike's is what caused me to start
researching ngroups in the first place. Granted, in our Samba implementation,
there isn't really anyone who hits the limitation (short of the admin), but
the problem is still a definite show stopper. I imagine this will become even
more of an issue once Samba 4.x is completed and sees deployment. Maybe this
weekend I can write a small blurb for the handbook.

I guess the next question I have would be about the limit in NFS. I did a
little sleuthing and found out that the actual culprit is not necessarily NFS,
but the underlying RPC calls. If I'm reading this correctly (excuse me if I'm
wrong... I'm just now getting my feet wet with C/C++), the limit is set in the
auth_unix structure (taken from RFC 1057):

    struct auth_unix {
        unsigned int stamp;
        string machinename<255>;
        unsigned int uid;
        unsigned int gid;
        unsigned int gids<16>;
    };

If the value for gids were to be changed, that obviously would mean that the
RPC implementation would be out of whack with the standard.
How then are the other *nixes getting around this issue?

Thanks again
Reuben A. Popp

Just a note: As I said above, I'm still just now getting my feet wet in any
kind of programming (other than shell scripting). If I make an incorrect
assumption or a pretty stupid mistake, all I ask is to be kind :)

-- 
Reuben A. Popp
Systems Administrator
Information Technology Department
East Central College
1+ 636 583 5195 x2480
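
An added example, not part of the original message or of any FreeBSD or Samba code: a minimal XDR encoder for the RFC 1057 auth_unix credential quoted above, showing that the 16-group ceiling is a property of the wire format and that a sender should refuse a longer list rather than silently truncate it. The names encode_auth_unix and put_u32 are hypothetical; the 400-byte bound is the opaque_auth body<400> limit from the same RFC.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AUTH_UNIX_MAX_NAME 255  /* string machinename<255>       */
#define AUTH_UNIX_MAX_GIDS 16   /* unsigned int gids<16>         */
#define OPAQUE_AUTH_MAX    400  /* RFC 1057: opaque body<400>    */

/* Write one XDR unsigned int (4 bytes, big-endian); returns bytes written. */
static size_t put_u32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
    return 4;
}

/*
 * Encode an auth_unix credential body into out (capacity cap bytes).
 * Returns the encoded length, or -1 if the input cannot be represented
 * on the wire: machine name too long, more than 16 supplementary gids,
 * or an output buffer that is too small.
 */
long encode_auth_unix(uint8_t *out, size_t cap, uint32_t stamp,
                      const char *machine, uint32_t uid, uint32_t gid,
                      const uint32_t *gids, size_t ngids)
{
    size_t namelen = strlen(machine);
    size_t padded = (namelen + 3) & ~(size_t)3;  /* XDR pads to 4 bytes */
    size_t need, off = 0, i;

    if (namelen > AUTH_UNIX_MAX_NAME || ngids > AUTH_UNIX_MAX_GIDS)
        return -1;   /* refuse; dropping groups would change access checks */
    /* stamp + name length + name + uid + gid + gid count + gid array */
    need = 4 + 4 + padded + 4 + 4 + 4 + 4 * ngids;
    if (need > cap || need > OPAQUE_AUTH_MAX)
        return -1;

    off += put_u32(out + off, stamp);
    off += put_u32(out + off, (uint32_t)namelen);
    memset(out + off, 0, padded);                /* zero the pad bytes */
    memcpy(out + off, machine, namelen);
    off += padded;
    off += put_u32(out + off, uid);
    off += put_u32(out + off, gid);
    off += put_u32(out + off, (uint32_t)ngids);
    for (i = 0; i < ngids; i++)
        off += put_u32(out + off, gids[i]);
    return (long)off;
}
```

With the longest legal machine name and all 16 groups the body is 340 bytes, which fits the 400-byte credential limit.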