On Wednesday 07 December 2005 17:41, Ian Moore wrote: > Hi, > > I'm toying with the idea of increasing the maximum number of groups a user > can belong to on one of my servers - we have a rather complex organisation > and we're hitting the 15 group limit for some people. > > There seems to be differing opinions on how to do this and if it's actually > > feasible. One post I found said: > > in src/sys/sys/syslimits.h there is a constant named 'NGROUPS_MAX'. > > change it to however many you need (within reason), rebuild/install world > > and kernel. > > Another said you have to change all sorts of things in the source, modify a > kernel parameter, rebuild world and rebuild any port that uses NGROUPS - > which probably means a portupgrade -fa. > > There is talk of a maxgroups() parameter in the kernel, but NOTES makes no > mention of this. > > I wonder too if some apps would need their own configuration altered to > allow them to work with the higher limit. > > So I just wanted to ask if anyone has successfully raised the NGROUPS_MAX > limit, especially when running samba & nfs on the system? > > If not, I'll work around the problem a different way. > > (BTW I'm running 5.4-RELEASE) > > Cheers, > Ian, > > Since you are running FreeBSD 5.x, have you considered using ACLs? See the > handbook section 14.12. > > Have you considered cascading groups? That's the normal workaround on > Enterprise Unix systems like HP-UX and Solaris. > > Instead of putting everyong in "group", do this instead. > > group:*:100:group1,group2 > group1:*:101:user1,user2 > group2:*:102:user3, user4 > > Thus, the users are all transitively in group, and you work around the limit. > > Mike
Thanks for the suggestions guys. I had considered ACLs as one possible workaround and I'd said to a mate of mine "gee, it'd be really good if you could make a group a member of another group", not thinking you actually could do that! That's very handy. Since there doesn't seem to be anyone so far that's saying they have successfully increased the group limit, it looks like I'll be using one of those workarounds.... Cheers, -- Ian gpg key: http://home.swiftdsl.com.au/~imoore/no-spam.asc
pgpdlQUdmJnl0.pgp
Description: PGP signature
