Date: Thu, 8 Dec 2005 16:50:10 +1030
From: Ian Moore <no-spam@swiftdsl.com.au>
To: freebsd-questions@freebsd.org
Cc: "Michael P. Soulier" <msoulier@digitaltorque.ca>, Jon Falconer <jfalconer@puc.edu>
Subject: Re: Changing maximum number of groups in FBSD - is it feasible?
Message-ID: <200512081650.16894.no-spam@swiftdsl.com.au>
In-Reply-To: <200512071741.57495.no-spam@swiftdsl.com.au>
References: <200512071741.57495.no-spam@swiftdsl.com.au>

On Wednesday 07 December 2005 17:41, Ian Moore wrote:
> Hi,
>
> I'm toying with the idea of increasing the maximum number of groups a user
> can belong to on one of my servers - we have a rather complex organisation
> and we're hitting the 15 group limit for some people.
>
> There seems to be differing opinions on how to do this and if it's actually
> feasible. One post I found said:
> > in src/sys/sys/syslimits.h there is a constant named 'NGROUPS_MAX'.
> > change it to however many you need (within reason), rebuild/install world
> > and kernel.
>
> Another said you have to change all sorts of things in the source, modify a
> kernel parameter, rebuild world and rebuild any port that uses NGROUPS -
> which probably means a portupgrade -fa.
>
> There is talk of a maxgroups() parameter in the kernel, but NOTES makes no
> mention of this.
>
> I wonder too if some apps would need their own configuration altered to
> allow them to work with the higher limit.
>
> So I just wanted to ask if anyone has successfully raised the NGROUPS_MAX
> limit, especially when running samba & nfs on the system?
>
> If not, I'll work around the problem a different way.
>
> (BTW I'm running 5.4-RELEASE)
>
> Cheers,
> Ian,
>
> Since you are running FreeBSD 5.x, have you considered using ACLs? See the
> handbook section 14.12.
>
> Have you considered cascading groups? That's the normal workaround on
> Enterprise Unix systems like HP-UX and Solaris.
>
> Instead of putting everyone in "group", do this instead.
>
> group:*:100:group1,group2
> group1:*:101:user1,user2
> group2:*:102:user3,user4
>
> Thus, the users are all transitively in group, and you work around the
> limit.
>
> Mike

Thanks for the suggestions guys. I had considered ACLs as one possible
workaround and I'd said to a mate of mine "gee, it'd be really good if you
could make a group a member of another group", not thinking you actually
could do that! That's very handy.

Since there doesn't seem to be anyone so far that's saying they have
successfully increased the group limit, it looks like I'll be using one of
those workarounds....

Cheers,
-- 
Ian
gpg key: http://home.swiftdsl.com.au/~imoore/no-spam.asc
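
An audit for the situation discussed in this thread, added here as an example and not code from any poster or from FreeBSD: it reads group(5)-format text, counts the memberships listed for each user against the 15-group limit mentioned above, and lists member entries that name another group (the cascading layout Mike describes) so they can be checked against how the system actually resolves access. The function names and the sample data are assumptions made for illustration; primary groups from the password file are not counted.

```python
from collections import defaultdict

GROUP_LIMIT = 15  # per-user limit quoted in the thread

# Constructed sample in group(5) format: name:passwd:gid:member,member
SAMPLE_GROUP = """\
# constructed sample data, not from a real system
staff:*:100:eng,ops
eng:*:101:alice,bob
ops:*:102:carol,alice
"""


def parse_group(text):
    """Return {group name: [member names]} from group(5)-format text."""
    groups = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        name, _passwd, _gid, members = fields
        # Tolerate stray spaces and empty entries in the member list.
        groups[name] = [m.strip() for m in members.split(",") if m.strip()]
    return groups


def direct_counts(groups):
    """Count, per member name, the groups that list it directly."""
    counts = defaultdict(int)
    for members in groups.values():
        for member in set(members):  # ignore duplicates within one group
            counts[member] += 1
    return dict(counts)


def over_limit(groups, limit=GROUP_LIMIT):
    """Names listed in more than `limit` groups, sorted."""
    return sorted(n for n, c in direct_counts(groups).items() if c > limit)


def nested_entries(groups):
    """(group, member) pairs where the member is itself a group name.

    A user with a same-named personal group will also show up here,
    so treat the result as a list to review, not a verdict.
    """
    return sorted((g, m) for g, ms in groups.items() for m in ms if m in groups)


if __name__ == "__main__":
    parsed = parse_group(SAMPLE_GROUP)
    print("over limit:", over_limit(parsed))
    print("group-in-group entries:", nested_entries(parsed))
```

Run against a copy of the real group file, the second list shows every place where access depends on one group being listed as a member of another, which is worth confirming with `id username` on the host before relying on it.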