Date: Thu, 12 Feb 2009 20:37:34 -0800
From: Chuck Swiger <cswiger@mac.com>
To: Da Rock <rock_on_the_web@comcen.com.au>
Cc: freebsd-questions@freebsd.org
Subject: Re: Old user can't log in
Message-ID: <470E75B0-C7E9-4F05-A112-62DF01F1EA1D@mac.com>
In-Reply-To: <1234498626.13067.96.camel@laptop1.herveybayaustralia.com.au>
References: <325E4EC8-BD2B-45C1-978C-4922D16D3A94@identry.com> <9391FD2D-59ED-455A-8C87-2854C7EF1E52@mac.com> <ECDF6933-47F6-4D67-AC5C-5E149590D971@identry.com> <1234498626.13067.96.camel@laptop1.herveybayaustralia.com.au>

On Feb 12, 2009, at 8:17 PM, Da Rock wrote:
> I've been following this thread with interest: are you saying FreeBSD
> logins cannot handle more than 16 groups? If so, why? Is this mitigated
> by using other authentication methods (ie kerberos, ldap, etc)?

There's a compile-time limit of the relevant kernel data structures as to how many groups a user can be in, described by "sysctl kern.ngroups". It's possible to recompile the kernel with a larger number, but doing so will break NFS (and possibly other things).

It doesn't matter whether you use Kerberos, LDAP, etc to set up the groups; while those things do not have a 16-group limit, the FreeBSD kernel [1] does.

With reasonable organization, and appropriate use of sudo or setgid binaries for things like people who use SVN or CVS, there generally isn't reason or need for a user to be in so many groups. For the exceptional cases, switching to using a full ACL system rather than the traditional Unix permission model is probably going to be a better solution.

Regards,
-- 
-Chuck

[1]: And almost all other Unixes...
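
An added example, not part of the original message: a shell function that counts each account's groups from passwd(5) and group(5) format files and lists the accounts above a given limit, such as the value reported by "sysctl kern.ngroups". The function names, the sample accounts and the choice to count the primary group as one entry are assumptions of this example.

```shell
#!/bin/sh
# Added example: report accounts whose group count exceeds a limit.
# Usage: over_group_limit LIMIT PASSWD_FILE GROUP_FILE
# Prints "user count" for each account above LIMIT, sorted by user name.
over_group_limit() {
    awk -F: -v limit="$1" '
        # passwd(5) file: field 1 = user, field 4 = primary gid (counted once).
        FILENAME == ARGV[1] {
            if ($0 ~ /^#/ || NF < 4) next
            seen[$1, $4] = 1
            count[$1] = 1
            next
        }
        # group(5) file: field 3 = gid, field 4 = comma-separated members.
        {
            if ($0 ~ /^#/ || NF < 4) next
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) {
                u = members[i]
                if (u == "" || ((u, $3) in seen)) continue  # skip repeats
                seen[u, $3] = 1
                count[u]++
            }
        }
        END {
            for (u in count)
                if (count[u] > limit) print u, count[u]
        }
    ' "$2" "$3" | sort
}

# Constructed sample data (hypothetical accounts), written into directory $1.
make_sample() {
    cat > "$1/passwd" <<'EOF'
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/sh
EOF
    cat > "$1/group" <<'EOF'
alice:*:1001:alice
bob:*:1002:
svn:*:2001:alice,bob
cvs:*:2002:alice
www:*:2003:alice
EOF
}
```

The function reads only local files, so groups supplied through LDAP or another directory have to be exported in group(5) format before they are counted.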