On Feb 12, 2009, at 8:17 PM, Da Rock wrote:
I've been following this thread with interest: are you saying FreeBSD
logins cannot handle more than 16 groups? If so, why? Is this mitigated
by using other authentication methods (ie kerberos, ldap, etc)?

There's a compile-time limit of the relevant kernel data structures as to how many groups a user can be in, described by "sysctl kern.ngroups". It's possible to recompile the kernel with a larger number, but doing so will break NFS (and possibly other things). It doesn't matter whether you use Kerberos, LDAP, etc to set up the groups; while those things do not have a 16-group limit, the FreeBSD kernel [1] does.

With reasonable organization, and appropriate use of sudo or setgid binaries for things like people who use SVN or CVS, there generally isn't reason or need for a user to be in so many groups. For the exceptional cases, switching to using a full ACL system rather than the traditional Unix permission model is probably going to be a better solution.


[1]: And almost all other Unixes...

freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Reply via email to