The values are hardwired and cannot be changed, even if nscd is disabled.
Part of the wiring is currently in libc as well as nscd.

Until we fix the issue with smf/nscd configuration, there is no way to
circumvent the limits.

It was specifically put in place to avoid DoS attacks on naming services.
The maximum limit at this time is 512K bytes.

Doug.

HUGE | Rob Terhaar wrote:
>> Nicolas Williams wrote:
>>> On Mon, Sep 29, 2008 at 04:30:17PM -0400, HUGE | Rob Terhaar wrote:
>>>> Hello all,
>>>>
>>>> Apologies if this has been discussed already, but we're having problems
>>>> doing ldap lookups via ldap client to a group in AD with a lot of members.
>>>> We're seeing the following error message in the logs:
>>>>
>>>> Sep 29 16:11:37 nynas1 idmap[320]: [ID 869372 daemon.warning] ns_lookup_byname: getgrnam_r(huge-group) failed (Result too large).
>>>> Sep 29 16:11:37 nynas1 smbd[492]: [ID 118120 daemon.error] smb_token_create: idmap failed
>>>>
>>>> Is there a way to push this limit up, or increase the cache size?
>>> Another question for Doug :)  Doug?
>>>
>>> Doug,
>>>
>>> idmapd is using getgrnam_r() here as part of name-based ID mapping.
>>> It's looking up the GID of a Unix group that's actually an AD group
>>> being accessed via nss_ldap w/ schema mapping to the AD SFU schema.
>>>
>>> Evidently the number of members in that group is... too large for
>>> nss_ldap.  Is there a workaround?
>>>
>>> Nico
>>> --
>> On 9/30/08 4:48 PM, "Doug Leavitt" <[EMAIL PROTECTED]> wrote:
>> We currently set an upper bound of 512k max for a buffer.
>> Internally the system can handle more, but we physically cap it to
>> prevent other problems like DoS.  The decision to cap it
>> was the result of security reviews.
>>
>> At the moment that cap is fixed, but considerably larger than the
>> pre-sparks physical limit of 8k.
>>
>> The plan is to eventually add a SMF configuration value to nscd
>> so admins can change the hard coded value to a value that can be
>> updated upon reboot [due to POSIX restrictions].  This will take some
>> additional development in nscd and possibly SMF, that is still TBD.
>>
>> Doug.
> 
> So our problem is related to the cache size being set too small in NSCD? Can
> this be adjusted in /etc/nscd.conf via "suggested-size cachename value" or
> "suggested-size cachename value"?
> 
> Or is it advisable to just disable NSCD?
_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
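
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not the Solaris libc/nscd code: a caller-side wrapper that retries POSIX getgrnam_r() with a doubling buffer but stops at a fixed ceiling, so an oversized group yields ERANGE ("Result too large") instead of unbounded memory growth. The names lookup_gid_capped, fake_grnam and NSS_BUF_CAP, the 8192-byte starting size and the GID 4242 are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define NSS_BUF_CAP (512 * 1024) /* the 512K ceiling quoted in the thread */

/* Same shape as POSIX getgrnam_r(), so a constructed stand-in can replace it. */
typedef int (*grnam_fn)(const char *, struct group *, char *, size_t, struct group **);

/* Look up a group, doubling the buffer on ERANGE but never past `cap`.
 * Returns 0 (found), ENOENT (no such group), ERANGE (entry does not fit
 * under the cap, the "Result too large" case), or another errno value. */
int lookup_gid_capped(grnam_fn fn, const char *name, size_t start, size_t cap,
                      gid_t *gid, size_t *used)
{
    if (start == 0 || start > cap) return EINVAL;
    for (size_t len = start;;) {
        struct group grp, *res = NULL;
        char *buf = malloc(len);
        if (buf == NULL) return ENOMEM;
        int rc = fn(name, &grp, buf, len, &res);
        if (rc == 0 && res != NULL) { *gid = res->gr_gid; *used = len; }
        free(buf);
        if (rc == 0) return res != NULL ? 0 : ENOENT;
        if (rc != ERANGE) return rc;
        if (len == cap) return ERANGE; /* bounded: refuse to grow further */
        len = (len > cap / 2) ? cap : len * 2;
    }
}

/* Constructed stand-in: one group whose entry needs `fake_need` bytes. */
static size_t fake_need;
int fake_grnam(const char *name, struct group *grp, char *buf, size_t len,
               struct group **res)
{
    (void)name; (void)buf;
    if (len < fake_need) { *res = NULL; return ERANGE; }
    grp->gr_gid = 4242; *res = grp; /* constructed GID */
    return 0;
}

int main(void)
{
    gid_t gid = 0; size_t used = 0;
    int rc = lookup_gid_capped(getgrnam_r, "huge-group", 8192, NSS_BUF_CAP, &gid, &used);
    printf("huge-group: %s (gid %ld, %zu-byte buffer)\n", strerror(rc), (long)gid, used);
    return rc != 0;
}
```

The cap makes the failure deterministic for the caller: a group whose entry exceeds the ceiling has to be handled as an error path, not retried with a larger buffer.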