Hi,

I think it's UNIX history, I guess the 16 users limit of NFS is probably because it is coded in 4 bits somewhere, but this is just a guess, I haven't looked at the source.

My tests were done on Solaris, where the limit can be raised to 32, but still not enough, as some users are members of 80-100 groups. I haven't investigated more, no time for now. Just waiting for someone else to scratch their own itch :-)

Charles

On Sun, 08 Aug 2004 00:19:36 -0400
Jim Ross <[EMAIL PROTECTED]> wrote:

> Hey Charles, do you have any ideas where the 32 group limit comes
> from?
> I thought I had this pegged to NGROUPS_MAX being 32, but I seem to
> run into the same issue on Fedora Core too, where NGROUPS_MAX is over
> 64k. I'm at a loss on it, but have plenty of users in more than 32
> groups. I haven't seen anyone in the list mention it but you did, so
> I thought you might have an idea on this.
>
> Thanks,
> Jim Ross
>
> Charles Bueche wrote:
>
> > Hi,
> >
> > you max out the 32 group limit of your UNIX (02-33), and the group
> > you want is over 33. Check how many Windows groups you are in.
> >
> > Charles
> >
> > On Wed, 4 Aug 2004 07:46:22 -0500
> > "Ziller, James" <[EMAIL PROTECTED]> wrote:
> >
> >>After some more screwing around with leaving and rejoining the ADS
> >>domain I was finally able to access a share with "valid users =" set
> >>to a domain group I was a member of. The _only_ change I made after
> >>this was to add yet another group to the valid users on the share
> >>and restart samba...after that I could no longer access the share.
> >>I removed the additional group, restarted samba and could still not
> >>access the share. I then tried adding my domain username to "valid
> >>users=" and it worked fine. So I'm back in the same boat again,
> >>users work, groups don't. Has anyone seen this problem before? Or
> >>does anyone have advice for tracking down the root of this problem.
> >>I've had this problem with samba 3.0.4 and samba 3.0.5, recently
> >>upgraded kerberos from 1.2.7 to 1.3.3 but see no difference. Running
> >>winbindd in debug doesn't seem to indicate any problem.
> >>Here's the output of winbindd anyway, with debug level 3 after a
> >>failed login attempt from windows:
> >>
> >>[ 2627]: getgrnam QG+TEST
> >>rpc: name_to_sid name=TEST
> >>name_to_sid [rpc] TEST for domain QG
> >>ads: dn_lookup
> >>ads: dn_lookup
> >>ads: dn_lookup
> >>ads: dn_lookup
> >>ads: dn_lookup
> >>ads lookup_groupmem for sid=S-1-5-21-842925246-1647877149-1417001333-57015
> >>[ 2627]: getgrnam QG+TEST
> >>[ 2627]: getgrnam QG+TEST
> >>[ 2629]: request interface version
> >>[ 2629]: request location of privileged pipe
> >>[ 2629]: domain_info [QG.COM]
> >>[ 2629]: getpwnam qg+jzillera
> >>rpc: name_to_sid name=jzillera
> >>name_to_sid [rpc] jzillera for domain QG
> >>ads: query_user
> >>ads query_user gave JZILLERA
> >>[ 2629]: getgroups QG+jzillera
> >>sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-29979 for domain QG
> >>sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-53735 for domain QG
> >>sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-29156 for domain QG
> >>sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-55130 for domain QG
> >>sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-20629 for domain QG
> >>[ 2629]: gid to sid 10002
> >>[ 2629]: gid to sid 10003
> >>[ 2629]: gid to sid 10004
> >>[ 2629]: gid to sid 10005
> >>[ 2629]: gid to sid 10006
> >>[ 2629]: gid to sid 10007
> >>[ 2629]: gid to sid 10008
> >>[ 2629]: gid to sid 10009
> >>[ 2629]: gid to sid 10010
> >>[ 2629]: gid to sid 10011
> >>[ 2629]: gid to sid 10012
> >>[ 2629]: gid to sid 10013
> >>[ 2629]: gid to sid 10014
> >>[ 2629]: gid to sid 10015
> >>[ 2629]: gid to sid 10016
> >>[ 2629]: gid to sid 10017
> >>[ 2629]: gid to sid 10018
> >>[ 2629]: gid to sid 10019
> >>[ 2629]: gid to sid 10020
> >>[ 2629]: gid to sid 10021
> >>[ 2629]: gid to sid 10022
> >>[ 2629]: gid to sid 10023
> >>[ 2629]: gid to sid 10024
> >>[ 2629]: gid to sid 10025
> >>[ 2629]: gid to sid 10026
> >>[ 2629]: gid to sid 10027
> >>[ 2629]: gid to sid 10028
> >>[ 2629]: gid to sid 10029
> >>[ 2629]: gid to sid 10030
> >>[ 2629]: gid to sid 10031
> >>[ 2629]: gid to sid 10032
> >>[ 2629]: gid to sid 10033
> >>[ 2629]: getpwnam QG+jzillera
> >>[ 2629]: getgrnam QG+TEST
> >>
> >>That's it.
> >>
> >>Again, the output of 'getent group' shows my user as being a member
> >>of QG+TEST:
> >>
> >>QG+TEST:x:10000:QG+JZILLERA
> >>
> >> If you would like any more info please ask....thanks!
> >>
> >> -James
> >>
> >>> -----Original Message-----
> >>>From: Ziller, James
> >>>Sent: Monday, August 02, 2004 4:08 PM
> >>>To: '[EMAIL PROTECTED]'
> >>>Subject: Problems w/ winbind and AD group membership
> >>>
> >>>Hello friends,
> >>>
> >>>I am using samba to join a linux box to an active directory domain
> >>>to use as a file server. I would like to be able to control access
> >>>to shares based on AD domain groups. However, even though winbind
> >>>seems to be seeing the groups fine, samba is not granting access to
> >>>users who are members of the group. I am able to successfully join
> >>>the system to the domain and granting access to shares based on
> >>>Windows usernames works fine.
> >>>
> >>>getent group returns:
> >>>QG+TEST:x:10029:QG+JZILLERA,QG+HPCHEUNGA,QG+FOLIVERA,QG+DDAWSONA,QG+PLYNCHA
> >>>
> >>>However an id lookup of my windows username doesn't list me as a
> >>>group member of QG+TEST.(shouldn't it?)
> >>>
> >>>[EMAIL PROTECTED] root]# id qg+jzillera
> >>>uid=10002(QG+JZILLERA) gid=10000(QG+Domain Users) groups=10000(QG+Domain Users)
> >>>
> >>>System Details:
> >>>Redhat 9
> >>>samba-3.0.5-2
> >>>krb5-libs-1.2.7-10
> >>>krb5-devel-1.2.7-10
> >>>krb5-workstation-1.2.7-10
> >>>pam_krb5-1.60-1
> >>>
> >>>[EMAIL PROTECTED] root]# wbinfo -t
> >>>checking the trust secret via RPC calls succeeded
> >>>
> >>>[EMAIL PROTECTED] root]# testparm
> >>>Load smb config files from /etc/samba/smb.conf
> >>>Processing section "[test]"
> >>>Loaded services file OK.
> >>>Server role: ROLE_DOMAIN_MEMBER
> >>>Press enter to see a dump of your service definitions
> >>>
> >>># Global parameters
> >>>[global]
> >>>    workgroup = QG
> >>>    realm = QG.COM
> >>>    server string = Samba Server
> >>>    security = ADS
> >>>    obey pam restrictions = Yes
> >>>    password server = wadc2
> >>>    log file = /var/log/samba/log.%m
> >>>    max log size = 50
> >>>    load printers = No
> >>>    printcap name = /etc/printcap
> >>>    local master = No
> >>>    domain master = No
> >>>    dns proxy = No
> >>>    wins support = Yes
> >>>    idmap uid = 10000-30000
> >>>    idmap gid = 10000-30000
> >>>    winbind separator = + (tried with # and \ as well)
> >>>    winbind use default domain = Yes (tried with No)
> >>>
> >>>[test]
> >>>    comment = testing
> >>>    path = /mnt/qdsfsl01/resources/testing
> >>>    valid users = @QG+TEST
> >>>    write list = @QG+TEST
> >>>
> >>>Winbind logs show nothing that indicates any error, even when run
> >>>with debug level 3. I've been beating myself over the head with
> >>>this problem for months...any help or suggestions would be greatly
> >>>appreciated.
> >>>
> >>>Thanks!
> >>>
> >>>James Ziller
> >>>Systems Administrator
> >>>
> >>>Quad/Graphics - Q/DS
> >>>West Allis, Wisconsin
> >>>[EMAIL PROTECTED]
> >>>
> >>
> >>--
> >>To unsubscribe from this list go to the following URL and read the
> >>instructions: http://lists.samba.org/mailman/listinfo/samba

--
Charles Bueche <[EMAIL PROTECTED]>
sand, snow, wave, wind and net -surfer

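An added example, not part of the original messages and not Samba code: a Python check over winbindd debug output in the format quoted above, counting the `gid to sid` lookups that follow each `getgroups` request and flagging a user whose list stops at the 32-entry limit discussed in the thread without containing the wanted group. The sample log, the gid 10040 and all function names are constructed for illustration; treating the `gid to sid` run as the user's group list follows the reading given in the thread.

```python
import re

REQ = re.compile(r"^\[\s*(\d+)\]:\s+(.+)$")   # "[ 2629]: getgroups QG+jzillera"

def parse_getgroups(log_text):
    """Return [(pid, user, [gids])] for every getgroups request in the log."""
    requests, open_req = [], {}               # open_req: pid -> gid list being filled
    for raw in log_text.splitlines():
        m = REQ.match(re.sub(r"^[>\s]+", "", raw))   # drop mail quote markers
        if not m:
            continue                          # rpc:/ads: detail lines carry no pid
        pid, cmd = m.group(1), m.group(2).strip()
        if cmd.startswith("getgroups "):
            gids = []
            open_req[pid] = gids
            requests.append((pid, cmd.split(None, 1)[1], gids))
        elif cmd.startswith("gid to sid ") and pid in open_req:
            open_req[pid].append(int(cmd.rsplit(None, 1)[1]))
        else:
            open_req.pop(pid, None)           # any other request ends the gid run
    return requests

def check_truncation(log_text, wanted_gid, limit=32):
    """Flag requests whose gid list reached the limit and lacks wanted_gid."""
    findings = []
    for pid, user, gids in parse_getgroups(log_text):
        at_cap = len(gids) >= limit
        findings.append({
            "user": user, "groups_seen": len(gids), "at_cap": at_cap,
            "wanted_present": wanted_gid in gids,
            "suspect_truncation": at_cap and wanted_gid not in gids,
        })
    return findings

def sample_log(n_groups, first_gid=10002):
    """Constructed log in the thread's format (not real winbindd output)."""
    lines = ["[ 2629]: getpwnam qg+jzillera",
             "[ 2629]: getgroups QG+jzillera",
             "sid_to_name [rpc] S-1-5-21-0-0-0-1000 for domain QG"]  # constructed SID
    lines += ["[ 2629]: gid to sid %d" % g
              for g in range(first_gid, first_gid + n_groups)]
    lines += ["[ 2629]: getpwnam QG+jzillera", "[ 2629]: getgrnam QG+TEST"]
    return "\n".join(lines)

if __name__ == "__main__":
    for n in (5, 32):                         # 10040 is a hypothetical wanted gid
        print(n, check_truncation(sample_log(n), wanted_gid=10040))
```
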