Re: [Samba] number of groups of NT account causes authentication problems

Finally, I found that this problem is due to a limitation of the Solaris OS. By default, the kernel parameter NGROUPS_MAX (# getconf NGROUPS_MAX) is set to 16 (/usr/include/limits.h), which can be changed to a maximum of 32 by putting the line

    set ngroups_max=32

in the /etc/system file and rebooting the server. If you do this, the server complains about some NFS problems:

    # dmesg | grep -i ngroups
    Mar 5 17:50:25 chevette unix: [ID 953839 kern.warning] WARNING: ngroups_max of 32 16, NFS AUTH_SYS will not work properly

But again, the cap is raised to 32 from 16.

To increase the parameter 'ngroups_max' beyond 32, one needs to modify the files '/usr/include/limits.h, /usr/include/sys/param.h', and rebuild the kernel. But there is no way to compile the new kernel on Solaris by using these modified files. The 'boot -r' from the boot PROM level will not recompile the kernel; it just loads the existing kernel using '/etc/system' parameters, which are limited by the parameters set by '/usr/include/sys/param.h' during the original compilation.

-Gopal

Michael G. Noble wrote:

Solaris has a 15 member limit to groups. Since you are under that limit, it should not be a problem. I have Samba running on an Ultra 60 with Solaris8, samba version 2.2.5. I have users who are members of at least 14 groups and not having any problems accessing shared folders.

Mike

On Tue, 2003-03-04 at 13:35, Gopal Bhat wrote:

I am facing a strange problem related to authentication of NT users accessing the SAMBA server. Here are the details:

Server: Solaris 9, SUN Ultra 60, SAMBA 2.2.7a with PAM and WINBIND
Client: Windows XP, NT4.0, 2000

Symptoms: Created a share \\server\test (UNIX: /export/SMB/test) with access to group 'TestGroup' where 'TestUser' is a member. 'TestUser' is a member of 10 more groups along with 'TestGroup' (Total number of TestUser's group = 11).

With the above settings 'TestUser' can't access the share '\\server\test', and the following message shows up in the Client.log:

    [2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(244)
      Unable to initgroups. Error was Not owner
    [2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(247)
      This is probably a problem with the account domain\testuser
    [2003/03/04 13:31:52, 0] smbd/service.c:make_connection(599)
      client (10.81.105.121) Can't change directory to /export/SMB/test (Permission denied)

If I change the number of groups the user 'TestUser' belongs from 11 to 8 ('TestGroup' + 7 other groups), the user can access the share '\\server\test' without any problems. It looks like there is some limitation on number of NT group memberships 'smbd' can handle.

Note: 'wbinfo' returns all the right groups of the user without any problems.

Is there anyone out there who is aware of this problem and knows a workaround/solution to this? I really appreciate any help from the prestigious SAMBA Team.

Thanks,
Gopal

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
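
An added example, not part of the original thread: a shell function that reads /etc/group-format lines (as printed by 'getent group') and lists the accounts whose membership count exceeds a given limit, such as the value of 'getconf NGROUPS_MAX' or the 16 named in the dmesg warning above. The names over_group_limit and sample_groups and the sample data are constructed for illustration; only memberships listed in the group database are counted, so the exact count at which a given server fails should be confirmed locally.

```shell
#!/bin/sh
# Added example: list accounts whose group-membership count exceeds a limit.
# Input: /etc/group-format lines (name:passwd:gid:member1,member2,...), e.g.
# from `getent group`. Only listed memberships are counted; groups that the
# name service does not enumerate are invisible to this check.

# over_group_limit LIMIT [FILE...]  -> prints "user count", one per line
over_group_limit() {
    limit=$1
    shift
    awk -F: -v limit="$limit" '
        $4 != "" {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) {
                u = members[i]
                gsub(/^[ \t]+|[ \t]+$/, "", u)       # trim stray whitespace
                if (u != "" && !((u, $1) in seen)) { # count each group once
                    seen[u, $1] = 1
                    count[u]++
                }
            }
        }
        END { for (u in count) if (count[u] > limit) print u, count[u] }
    ' "$@" | LC_ALL=C sort
}

# Constructed sample data (hypothetical names): DOMAIN\TestUser is listed in
# 17 groups, DOMAIN\TestUser1 in 15, root in 1.
sample_groups() {
    i=1
    while [ "$i" -le 17 ]; do
        if [ "$i" -le 15 ]; then
            printf '%s\n' "DOMAIN\\grp$i:x:$((10000 + i)):DOMAIN\\TestUser,DOMAIN\\TestUser1"
        else
            printf '%s\n' "DOMAIN\\grp$i:x:$((10000 + i)):DOMAIN\\TestUser"
        fi
        i=$((i + 1))
    done
    printf '%s\n' 'other:x:1:root'
}

# Report against the 16 from the dmesg warning and against the local limit.
kernel_limit=$(getconf NGROUPS_MAX 2>/dev/null || echo 16)
echo "Listed in more than 16 groups:"
sample_groups | over_group_limit 16
echo "Listed in more than the local NGROUPS_MAX ($kernel_limit):"
sample_groups | over_group_limit "$kernel_limit"
```

On a live server the input would be 'getent group | over_group_limit 16'; as the later message in this listing shows, 'getent group' may return only part of a large NT domain, in which case the counts are lower bounds.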
Re: [Samba] number of groups of NT account causes authentication problems

Is there any way to increase this limit of 15? Using /etc/system or any other configuration file/parameter? I will post this question on SUN BigAdmin also; if I am able to find an answer, it will be great.

Thanks!

Michael G. Noble wrote:

Solaris has a 15 member limit to groups. Since you are under that limit, it should not be a problem. I have Samba running on an Ultra 60 with Solaris8, samba version 2.2.5. I have users who are members of at least 14 groups and not having any problems accessing shared folders.

Mike

On Tue, 2003-03-04 at 13:35, Gopal Bhat wrote:

I am facing a strange problem related to authentication of NT users accessing the SAMBA server. Here are the details:

Server: Solaris 9, SUN Ultra 60, SAMBA 2.2.7a with PAM and WINBIND
Client: Windows XP, NT4.0, 2000

Symptoms: Created a share \\server\test (UNIX: /export/SMB/test) with access to group 'TestGroup' where 'TestUser' is a member. 'TestUser' is a member of 10 more groups along with 'TestGroup' (Total number of TestUser's group = 11).

With the above settings 'TestUser' can't access the share '\\server\test', and the following message shows up in the Client.log:

    [2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(244)
      Unable to initgroups. Error was Not owner
    [2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(247)
      This is probably a problem with the account domain\testuser
    [2003/03/04 13:31:52, 0] smbd/service.c:make_connection(599)
      client (10.81.105.121) Can't change directory to /export/SMB/test (Permission denied)

If I change the number of groups the user 'TestUser' belongs from 11 to 8 ('TestGroup' + 7 other groups), the user can access the share '\\server\test' without any problems. It looks like there is some limitation on number of NT group memberships 'smbd' can handle.

Note: 'wbinfo' returns all the right groups of the user without any problems.

Is there anyone out there who is aware of this problem and knows a workaround/solution to this? I really appreciate any help from the prestigious SAMBA Team.

Thanks,
Gopal
[Samba] Re: number of groups of NT account causes authentication problems

Hi,

I did more experiments with this problem and found that 'SMBD' fails to authenticate when the Number of Groups an NT user belongs grows more than 14 (i.e. 15 or more).

Thanks,
Gopal

Gopal Bhat wrote:

I am facing a strange problem related to authentication of NT users accessing the SAMBA server. Here are the details:

Server: Solaris 9, SUN Ultra 60, SAMBA 2.2.7a with PAM and WINBIND
Client: Windows XP, NT4.0, 2000

Symptoms: Created a share \\server\test (UNIX: /export/SMB/test) with access to group 'TestGroup' where 'TestUser' is a member. 'TestUser' is a member of 14 more groups along with 'TestGroup' (Total number of TestUser's group = 15).

With the above settings 'TestUser' can't access the share '\\server\test', and the following message shows up in the Client.log:

    [2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(244)
      Unable to initgroups. Error was Not owner
    [2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(247)
      This is probably a problem with the account domain\testuser
    [2003/03/04 13:31:52, 0] smbd/service.c:make_connection(599)
      client (10.81.105.121) Can't change directory to /export/SMB/test (Permission denied)

If I change the number of groups the user 'TestUser' belongs from 15 to 8 ('TestGroup' + 7 other groups), the user can access the share '\\server\test' without any problems. It looks like there is some limitation on number of NT group memberships 'smbd' can handle.

Note: 'wbinfo' returns all the right groups of the user without any problems.

Is there anyone out there who is aware of this problem and knows a workaround/solution to this? I really appreciate any help from the prestigious SAMBA Team.

Thanks,
Gopal
unsubscribe

unsubscribe

Juergen Hasch wrote:

Hi,

I installed heimdal-0.5.1 on my Linux box. When compiling Samba HEAD with gcc 3.2 I get lots of warning messages like these:

    In file included from include/includes.h:421,
                     from smbd/notify.c:22:
    /usr/include/heimdal/gssapi.h:625: warning: declaration of `open' shadows a global declaration
    /usr/include/fcntl.h:70: warning: shadowed declaration is here

Anybody else seen this?

...Juergen
[Samba] getent group returns only few groups on solaris

Hi All,

I was able to get 'winbind' configured on my Solaris-9 system and authenticate Windows domain users, but I have three problems:

Server OS: Solaris 9, MU2
Samba version: 2.2.7 (also tried 2.2.8prel, but same problem)
Tried 'winbind enum users/groups' both true and false
Client OS: Windows XP, WinNT4.0

nsswitch.conf entries:

    passwd: files winbind
    group: files winbind

nscd is turned off on the Solaris System.

Number of Users in NT domain: 2
Number of Groups in NT domain: 7000

1) 'getent passwd' works great, and returns all the users from local files and windows domain as well, but 'getent group' returns all the groups in the /etc/group file and only few groups from the WinNT Domain. Is there a way to make 'getent group' return all the groups in WinNT Domain?

2) I can share a directory from the Solaris 9 system with WinNT/WinXP clients without any problem. But, whenever I make changes to ACLs using Windows File Property - Security editor (on Win XP), I can not do 'ls -l' on the same directory by logging into Solaris system (as root or the owner of the file). Also, 'getfacl filename' fails on the same directory, whereas I can see the changed File ACLs from my Windows XP system without any problem.

3) I don't know whether the following problem is related to one of the above two, but here is the third problem: I created a SAMBA share \\server\TestShare (On UNIX it is /export/SMB/TestShare) with owner as 'DOMAIN\TestUser'.

    root# ls -ld TestShare
    drwxrws---+ 3 DOMAIN\TestUser other 512 Feb 27 10:33 TestShare

I modified the ACLs on this share by logging in as user 'DOMAIN\TestUser' from my WinXP client to allow the members of group 'DOMAIN\TestGroup' to read and list this share. When I log in as a different user 'DOMAIN\TestUser1' (Member of DOMAIN\TestGroup) to my WinXP (or NT) and try to access this share I get the error Access Denied or Network Name Not Found. Also, the client log on the server shows the following:

    [2003/02/27 13:13:40, 0] smbd/sec_ctx.c:initialise_groups(244)
      Unable to initgroups. Error was Not owner
    [2003/02/27 13:13:40, 0] smbd/sec_ctx.c:initialise_groups(247)
      This is probably a problem with the account domain\testuser1
    [2003/02/27 13:13:40, 0] smbd/service.c:make_connection(599)
      kka6trvy-a (10.81.105.121) Can't change directory to /export/SMB

Any tips towards solving these problems will be greatly appreciated. Can anyone post Sparc/Solaris compiled binary of libnss_winbind.so and pam_winbind.so?

Thanks,
Gopal