From owner-freebsd-questions@FreeBSD.ORG Fri Feb 13 04:52:22 2009
Delivered-To: freebsd-questions@freebsd.org
From: Da Rock
To: Chuck Swiger
In-Reply-To: <470E75B0-C7E9-4F05-A112-62DF01F1EA1D@mac.com>
References: <325E4EC8-BD2B-45C1-978C-4922D16D3A94@identry.com> <9391FD2D-59ED-455A-8C87-2854C7EF1E52@mac.com> <1234498626.13067.96.camel@laptop1.herveybayaustralia.com.au> <470E75B0-C7E9-4F05-A112-62DF01F1EA1D@mac.com>
Content-Type: text/plain
Date: Fri, 13 Feb 2009 14:52:12 +1000
Message-Id: <1234500741.13067.111.camel@laptop1.herveybayaustralia.com.au>
Mime-Version: 1.0
X-Mailer: Evolution 2.24.4 FreeBSD GNOME Team Port
Content-Transfer-Encoding: 7bit
Cc: freebsd-questions@freebsd.org
Subject: Re: Old user can't log in
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Fri, 13 Feb 2009 04:52:22 -0000

On Thu, 2009-02-12 at 20:37 -0800, Chuck Swiger wrote:
> On Feb 12, 2009, at 8:17 PM, Da Rock wrote:
> > I've been following this thread with interest: are you saying FreeBSD
> > logins cannot handle more than 16 groups? If so, why? Is this mitigated
> > by using other authentication methods (i.e. kerberos, ldap, etc)?
>
> There's a compile-time limit of the relevant kernel data structures as
> to how many groups a user can be in, described by "sysctl
> kern.ngroups". It's possible to recompile the kernel with a larger
> number, but doing so will break NFS (and possibly other things). It
> doesn't matter whether you use Kerberos, LDAP, etc to set up the
> groups; while those things do not have a 16-group limit, the FreeBSD
> kernel [1] does.
>
> With reasonable organization, and appropriate use of sudo or setgid
> binaries for things like people who use SVN or CVS, there generally
> isn't reason or need for a user to be in so many groups. For the
> exceptional cases, switching to using a full ACL system rather than
> the traditional Unix permission model is probably going to be a better
> solution.

Interesting. What would you suggest for full ACL?
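An added example, not from Chuck's reply or any FreeBSD tool, to make the two limits in his answer concrete: a POSIX shell audit of a user's supplementary-group count against the kernel limit (read from "sysctl -n kern.ngroups" on FreeBSD, with a fallback to "getconf NGROUPS_MAX" so the script also runs on other systems) and against the NFS AUTH_SYS credential, whose wire format carries at most 16 supplementary gids (RFC 5531). That second, protocol-level cap is why raising the kernel limit alone does not make NFS honour the extra groups. The function names, the 0/1/2 return convention and the sample gid lists are my own; the script assumes the first gid printed by "id -G" is the primary/effective group and the rest are supplementary.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit a user's
# supplementary-group count against the kernel limit and against the
# NFS AUTH_SYS credential, which carries at most 16 supplementary gids.

AUTH_SYS_MAX_GIDS=16   # gids<16> in the AUTH_SYS credential, RFC 5531

# kernel_ngroups: the kernel's supplementary-group limit.
# FreeBSD exposes it as kern.ngroups; elsewhere fall back to the POSIX
# NGROUPS_MAX value, and finally to the historical default of 16.
kernel_ngroups() {
    sysctl -n kern.ngroups 2>/dev/null \
        || getconf NGROUPS_MAX 2>/dev/null \
        || echo 16
}

# check_group_count LIMIT GID...
# GID... are the supplementary gids only (primary group excluded).
# Prints a one-line verdict and returns:
#   0  fits both the kernel limit and AUTH_SYS
#   1  exceeds the kernel limit (login/setgroups will fail or truncate)
#   2  fits the kernel but exceeds the 16-gid AUTH_SYS credential, so
#      an NFS server using AUTH_SYS never sees the extra groups
check_group_count() {
    limit=$1; shift
    n=$#
    if [ "$n" -gt "$limit" ]; then
        echo "over-kernel: $n supplementary groups, kernel allows $limit"
        return 1
    elif [ "$n" -gt "$AUTH_SYS_MAX_GIDS" ]; then
        echo "over-nfs: $n supplementary groups, AUTH_SYS carries only $AUTH_SYS_MAX_GIDS"
        return 2
    fi
    echo "ok: $n supplementary groups"
    return 0
}

# nfs_visible_groups GID...
# Prints the gids that fit into an AUTH_SYS credential (the first 16);
# anything after that is silently dropped on the wire.
nfs_visible_groups() {
    out=""; i=0
    for g in "$@"; do
        i=$((i + 1))
        if [ "$i" -gt "$AUTH_SYS_MAX_GIDS" ]; then
            break
        fi
        out="${out:+$out }$g"
    done
    printf '%s\n' "$out"
}

# audit_user USER
# Reads the user's gids with "id -G" (assumption: primary/effective gid
# first, supplementary gids after it), drops the primary, and runs both
# checks. Returns the verdict code from check_group_count.
audit_user() {
    user=$1
    limit=$(kernel_ngroups)
    # shellcheck disable=SC2046  # word-splitting of the gid list is intended
    set -- $(id -G "$user")
    shift   # drop the primary/effective gid
    echo "user=$user kernel_limit=$limit"
    echo "nfs-visible supplementary gids: $(nfs_visible_groups "$@")"
    check_group_count "$limit" "$@"
}

# Stand-alone usage: sh ngroups_audit.sh [user]   (defaults to the caller)
audit_user "${1:-$(id -un)}" || :
```

Run it as "sh ngroups_audit.sh alice"; a return code of 1 means the account is over the kernel limit that Chuck describes, and 2 means the kernel accepts the groups but an AUTH_SYS NFS export will still only see the first 16, which is the breakage he warns about when the limit is raised by recompiling.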