Date:      Mon, 16 Apr 2018 15:19:53 +0300
From:      Toomas Soome <tsoome@me.com>
To:        Rick Macklem <rmacklem@uoguelph.ca>
Cc:        Julian Elischer <julian@freebsd.org>, freebsd-current <freebsd-current@freebsd.org>
Subject:   Re: anyone running with ngroups increased from 16?
Message-ID:  <458372AF-081B-4508-910A-BCB46EB5D955@me.com>
In-Reply-To: <YQBPR0101MB1042669A07D6EB23958ADD4EDDB00@YQBPR0101MB1042.CANPRD01.PROD.OUTLOOK.COM>
References:  <ee1ec98f-2214-36d5-97e4-00475c697593@freebsd.org> <e5ccdc48-d454-17d8-1c54-e7c13a312400@freebsd.org> <YQBPR0101MB1042669A07D6EB23958ADD4EDDB00@YQBPR0101MB1042.CANPRD01.PROD.OUTLOOK.COM>


> On 16 Apr 2018, at 15:12, Rick Macklem <rmacklem@uoguelph.ca> wrote:
>
> Julian Elischer wrote:
>> On 16/4/18 6:37 pm, Julian Elischer wrote:
>>> Windows users seem to have an almost unlimited number of groups and
>>> some places seem to use them a LOT.
>>> This gives Posix systems problems with deciding how to handle them
>>> all. Especially when getting
>>> user credentials from winbindd (samba).
>>>
>>> Does anyone know of any work done to either bypass this limit or to
>>> at least expand it?
>>
>> I mean with the other applications such as NFS usages etc.
>> I know mountd explodes with > 16..  has anyone done a cleaning pass?
> 16 is the limit "on-the-wire" per RFCs for Sun RPC. You can use
> nfsuserd --manage-gids (see "man nfsuserd")
> on the NFS server so that the daemon uses the group list for the uid in the
> RPC instead of the list of groups (limited to 16) in the RPC header. Works fine so
> long as the server knows the same group list for a uid as the client(s) do.
>
> And, yes, this applies to NFSv3 as well as NFSv4.
>

It is not entirely exact. The number of supplemental groups is the limit of the AUTH_SYS (aka AUTH_UNIX) authentication mechanism used by ONC+ RPC. So anything using/supporting this auth mechanism has this limit too.

Therefore, on paper, there are 2 possible ways to overcome the issue: either use an alternate authentication mechanism (such as AUTH_GSS), or implement a workaround for AUTH_SYS.

rgds,
toomas
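
Added example (not part of the original message, and not FreeBSD code): C code for the AUTH_SYS credential body as laid out in RFC 5531 (authsys_parms, with gids<16>), showing where the 16-group limit discussed above sits on the wire. The names authsys_cred, authsys_encode and authsys_decode are hypothetical, and the encoder assumes an empty machinename.

```c
/* Added illustration; names are hypothetical, layout per RFC 5531 authsys_parms. */
#include <stddef.h>
#include <stdint.h>
#define AUTHSYS_MAX_GIDS 16   /* gids<16>: the on-the-wire group limit */
#define AUTHSYS_MAX_NAME 255  /* machinename<255> */

struct authsys_cred { uint32_t stamp, uid, gid, ngids, gids[AUTHSYS_MAX_GIDS]; };

static void put32(uint8_t **p, uint32_t v)   /* XDR: big-endian 32-bit word */
{
    for (int s = 24; s >= 0; s -= 8) *(*p)++ = (uint8_t)(v >> s);
}

static int get32(const uint8_t **p, const uint8_t *end, uint32_t *v)
{
    if (end - *p < 4) return -1;             /* truncated message */
    *v = 0;
    for (int i = 0; i < 4; i++) *v = *v << 8 | *(*p)++;
    return 0;
}

/* Client side: encode with an empty machinename. Returns bytes written, or 0
 * when the group list cannot be represented on the wire (more than 16). */
size_t authsys_encode(uint8_t *buf, size_t cap, uint32_t uid, uint32_t gid,
                      const uint32_t *gids, uint32_t ngids)
{
    uint8_t *p = buf;
    if (ngids > AUTHSYS_MAX_GIDS || cap < 20 + 4 * (size_t)ngids) return 0;
    put32(&p, 0); put32(&p, 0);              /* stamp, machinename length */
    put32(&p, uid); put32(&p, gid); put32(&p, ngids);
    for (uint32_t i = 0; i < ngids; i++) put32(&p, gids[i]);
    return (size_t)(p - buf);
}

/* Server side: 0 on success, -1 if truncated, over a limit, or trailing bytes. */
int authsys_decode(const uint8_t *buf, size_t len, struct authsys_cred *c)
{
    const uint8_t *p = buf, *end = buf + len;
    uint32_t namelen, padded;
    if (get32(&p, end, &c->stamp) || get32(&p, end, &namelen)) return -1;
    if (namelen > AUTHSYS_MAX_NAME) return -1;
    padded = (namelen + 3) & ~3u;            /* XDR pads opaque data to 4 bytes */
    if ((size_t)(end - p) < padded) return -1;
    p += padded;                             /* machinename is skipped */
    if (get32(&p, end, &c->uid) || get32(&p, end, &c->gid) ||
        get32(&p, end, &c->ngids) || c->ngids > AUTHSYS_MAX_GIDS) return -1;
    for (uint32_t i = 0; i < c->ngids; i++)  /* count was bounded above */
        if (get32(&p, end, &c->gids[i])) return -1;
    return p == end ? 0 : -1;
}
```

A server run with nfsuserd --manage-gids, as described in the quoted reply, would use only the uid from such a credential and take the group list from its own lookup instead of gids[].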