I assume the question is in regards to current Nevada builds, versus
something older such as pre s10u4. In current Nevada builds, results
returned from groups lookups can be up to 512K bytes in length.
Internally the system can theoretically handle buffers up to 2^64 bytes,
but we currently set a physical limit at 512k to prevent DoS and
other issues.
That limit for groups translates to the length of a group data buffer
as you would see it in:
    struct group *getgrnam_r(const char *name, struct group *grp,
                             char *buffer, int bufsize);
where bufsize needs to be <= 512*1024.
To remain generic (POSIX), one should always use:
    sysconf(_SC_GETGR_R_SIZE_MAX) [which currently returns 512*1024]
as the guide to determine the maximum size buffer for a groups request.
The number of names varies based on the length of the individual group
names in the repository.
Doug.
HUGE | Rob Terhaar wrote:
>>> On Mon, Sep 29, 2008 at 04:30:17PM -0400, HUGE | Rob Terhaar wrote:
>>> Hello all,
>>>
>>> Apologies if this has been discussed already, but we're having problems
>>> doing ldap lookups via ldap client to a group in AD with a lot of members.
>>> We're seeing the following error message in the logs:
>>>
>>> Sep 29 16:11:37 nynas1 idmap[320]: [ID 869372 daemon.warning]
>>> ns_lookup_byname: getgrnam_r(huge-group) failed (Result too large).
>>> Sep 29 16:11:37 nynas1 smbd[492]: [ID 118120 daemon.error] smb_token_create:
>>> idmap failed
>>>
>>> Is there a way to push this limit up, or increase the cache size?
>
>> On 9/29/08 5:22 PM, "Nicolas Williams" <[EMAIL PROTECTED]> wrote:
>> Another question for Doug :) Doug?
>>
>> Doug,
>>
>> idmapd is using getgrnam_r() here as part of name-based ID mapping.
>> It's looking up the GID of a Unix group that's actually an AD group
>> being accessed via nss_ldap w/ schema mapping to the AD SFU schema.
>>
>> Evidently the number of members in that group is... too large for
>> nss_ldap. Is there a workaround?
>>
>> Nico
>> --
>
> Hi All,
> Does anyone out there know what the limit is for members in an LDAP group
> with Solaris nss_ldap? Is there even a limit? Are we running into another
> problem? (like AD does not allow queries with x number of responses) We
> have not been able to figure out how to increase the soft limit/cache.
>
>
>