On 08/ 4/10 10:35 PM, David Magda wrote:
On Wed, August 4, 2010 10:33, Gaiseric Vandal wrote:
The ngroups_max issue isn't specific to an Active Directory
environment. I found with Samba 3.0.x, if you were in more than 16
groups, you might not have all the access you thought you should but you
could still log on. (Samba didn't check the system ngroups_max.) With
Samba 3.5.x, if you are in more groups than "ngroups_max" you won't even
be able to log on to Windows.
Well, I actually observed that the user was able to log in to Windows. Problems started when he tried to access a share where permissions were granted only for the user's groups (except primary or user itself). It could be Samba's bug/problem or it could be OpenSolaris, or maybe a mix of both. I will try to investigate this further in my spare time (https://bugzilla.samba.org/show_bug.cgi?id=7588)
NFS is the limiting factor for ngroups_max. If you aren't using NFS you
can up ngroups_max. Or if you are using NFS with Kerberos
authentication then I think you should also be able to up ngroups_max.
If you up ngroups_max and a user has > 16 groups, he would be able to
log in to Windows BUT non-krb NFS would be broken.
ngroups_max has been expanded in recent versions of OpenSolaris, but this
has not (yet?) been back-ported to Solaris 10:

Yes, sorry, forgot you're using Solaris 10. The ngroups_max limit was increased to 1024 sometime near OpenSolaris snv_129, I think.
http://www.c0t0d0s0.org/archives/6135-At-last-or-NGROUPS-revisited.html

This change was done to help with the creation of the built-in CIFS server
in OpenSolaris. The new limit is 1024, which is the same maximum as
Windows has for groups.
Actually, for the case where I was unlucky with Samba, the built-in CIFS didn't have problems with group limits, even when ngroups_max was left at the default "16". I have some suspicion/idea that this might be due to the EUID/EGID each daemon runs with: Samba is dropping privileges; I don't know about smb/server, but suspect that it runs privileged all the time.
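
An added example, not part of the thread or of Samba's code: a small audit that lists accounts whose group count exceeds ngroups_max (16 by default, per the thread), since those are the users who lose share access or cannot log on. It assumes passwd/group-format input (for instance the output of `getent passwd` and `getent group`) and that the primary GID counts toward the limit; the function names and sample accounts are constructed.

```python
from collections import defaultdict

DEFAULT_NGROUPS_MAX = 16  # default value the thread gives for ngroups_max


def group_sets(passwd_text, group_text):
    """Map each user to the set of GIDs it belongs to (primary GID included)."""
    gids = defaultdict(set)
    for line in passwd_text.splitlines():
        f = line.split(":")
        # Skip comments and NIS "+" compat lines that carry no numeric GID.
        if len(f) >= 4 and f[3].isdigit() and not line.startswith("#"):
            gids[f[0]].add(int(f[3]))
    for line in group_text.splitlines():
        f = line.strip().split(":")
        if len(f) < 4 or not f[2].isdigit():
            continue
        for member in f[3].split(","):
            if member.strip():  # an empty member list yields ['']
                gids[member.strip()].add(int(f[2]))
    return dict(gids)


def over_limit(gids, limit=DEFAULT_NGROUPS_MAX):
    """Return {user: group_count} for every user above the limit."""
    return {u: len(g) for u, g in sorted(gids.items()) if len(g) > limit}


# Constructed sample data: alice ends up in 17 groups, carol in exactly 16.
SAMPLE_PASSWD = (
    "alice:x:1001:100::/home/alice:/bin/sh\n"
    "carol:x:1002:100::/home/carol:/bin/sh\n"
)
SAMPLE_GROUP = "staff::100:\n" + "".join(
    f"grp{i}:x:{200 + i}:alice{',carol' if i < 15 else ''}\n" for i in range(16)
)

if __name__ == "__main__":
    flagged = over_limit(group_sets(SAMPLE_PASSWD, SAMPLE_GROUP))
    for user, count in flagged.items():
        print(f"{user}: {count} groups exceeds ngroups_max={DEFAULT_NGROUPS_MAX}")
```

Passing `limit=1024` checks the same accounts against the raised OpenSolaris limit mentioned above.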
