Re: anyone running with ngroups increased from 16?

2018-04-16 Thread Rick Macklem
Brooks Davis wrote:
>On Mon, Apr 16, 2018 at 06:37:53PM +0800, Julian Elischer wrote:
>> Windows users seem to have an almost unlimited number of groups and
>> some places seem to use them a LOT.
>> This gives Posix systems problems with deciding how to handle them
>> all. Especially when getting
>> user credentials from winbindd (samba).
>>
>> Does anyone know of any work done to either bypass this limit or to at
>> least expand it?
>
>I fixed this in 2009 for everything but NFS AUTH_SYS.  NGROUPS_MAX is
>1023.  IIRC the usual hack employed in storage systems is to ignore the
>groups provided by AUTH_SYS and get them from winbindd.  I don't know of
>a public implementation of that.
If winbindd gets the information from LDAP, then you can get the same effect
from "nfsuserd -manage-gids" for AUTH_SYS (or as Toomas Soome noted, the gssd
does the same thing for Kerberized mounts).

Both of these utilities use getgrouplist() on the NFS server to acquire the list
of groups for the user. As such, anything configured for the library call, such
as LDAP, will provide the list of groups.

rick
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"


Re: anyone running with ngroups increased from 16?

2018-04-16 Thread Brooks Davis
On Mon, Apr 16, 2018 at 06:37:53PM +0800, Julian Elischer wrote:
> Windows users seem to have an almost unlimited number of groups and 
> some places seem to use them a LOT.
> This gives Posix systems problems with deciding how to handle them 
> all. Especially when getting
> user credentials from winbindd (samba).
> 
> Does anyone know of any work done to either bypass this limit or to at 
> least expand it?

I fixed this in 2009 for everything but NFS AUTH_SYS.  NGROUPS_MAX is
1023.  IIRC the usual hack employed in storage systems is to ignore the
groups provided by AUTH_SYS and get them from winbindd.  I don't know of
a public implementation of that.

-- Brooks




Re: anyone running with ngroups increased from 16?

2018-04-16 Thread Toomas Soome


> On 16 Apr 2018, at 15:12, Rick Macklem wrote:
> 
> Julian Elischer wrote:
>> On 16/4/18 6:37 pm, Julian Elischer wrote:
>>> Windows users seem to have an almost unlimited number of groups and
>>> some places seem to use them a LOT.
>>> This gives Posix systems problems with deciding how to handle them
>>> all. Especially when getting
>>> user credentials from winbindd (samba).
>>> 
>>> Does anyone know of any work done to either bypass this limit or to
>>> at least expand it?
>> 
>> I mean with the other applications such NFS usages etc.
>> I know mountd explodes with > 16..  has anyone done a cleaning pass?
> 16 is the limit "on-the-wire" per RFCs for Sun RPC. You can use
> nfsuserd --manage-gids (see "man nfsuserd")
> on the NFS server so that the daemon uses the group list for the uid in the
> RPC instead of the list of groups (limited to 16) in the RPC header. Works
> fine so long as the server knows the same group list for a uid as the
> client(s) do.
> 
> And, yes, this applies to NFSv3 as well as NFSv4.
> 

It is not entirely exact. The number of supplemental groups is the limit of
AUTH_SYS (aka AUTH_UNIX) authentication mechanism used by ONC+ RPC. So anything
using/supporting this auth mechanism has this limit too.

Therefore, on paper, there are 2 possible ways to overcome the issue - either
use an alternate authentication mechanism (such as AUTH_GSS), or implement
a workaround for AUTH_SYS.

rgds,
toomas


Re: anyone running with ngroups increased from 16?

2018-04-16 Thread Rick Macklem
Julian Elischer wrote:
>On 16/4/18 6:37 pm, Julian Elischer wrote:
>> Windows users seem to have an almost unlimited number of groups and
>> some places seem to use them a LOT.
>> This gives Posix systems problems with deciding how to handle them
>> all. Especially when getting
>> user credentials from winbindd (samba).
>>
>> Does anyone know of any work done to either bypass this limit or to
>> at least expand it?
>
>I mean with the other applications such NFS usages etc.
>I know mountd explodes with > 16..  has anyone done a cleaning pass?
16 is the limit "on-the-wire" per RFCs for Sun RPC. You can use
nfsuserd --manage-gids (see "man nfsuserd")
on the NFS server so that the daemon uses the group list for the uid in the RPC 
instead of the list of groups (limited to 16) in the RPC header. Works fine so
long as the server knows the same group list for a uid as the client(s) do.

And, yes, this applies to NFSv3 as well as NFSv4.

rick
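
The on-the-wire limit and the server-side override described in Rick Macklem's two messages, as an added example that is not part of the thread and is not FreeBSD's nfsuserd or kernel code: a parser for the AUTH_SYS credential body (the `authsys_parms` layout from RFC 5531) and a helper that prefers a group list resolved on the server over the one in the RPC header. The names `authsys_parse`, `effective_gids` and `SAMPLE_CRED` are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AUTHSYS_MAX_GIDS 16   /* gids<16>: the on-the-wire limit */
#define AUTHSYS_MAX_NAME 255  /* machinename<255> */
struct authsys_cred { uint32_t uid, gid, ngids, gids[AUTHSYS_MAX_GIDS]; };

/* Read one big-endian XDR word; -1 if the buffer is exhausted. */
static int get_u32(const uint8_t **p, const uint8_t *end, uint32_t *v) {
    if (end - *p < 4) return -1;
    *v = (uint32_t)(*p)[0] << 24 | (uint32_t)(*p)[1] << 16 |
         (uint32_t)(*p)[2] << 8 | (uint32_t)(*p)[3];
    *p += 4;
    return 0;
}

/* Parse an AUTH_SYS credential body; -1 on malformed or over-limit input. */
int authsys_parse(const uint8_t *buf, size_t len, struct authsys_cred *c) {
    const uint8_t *p = buf, *end = buf + len;
    uint32_t stamp, namelen;
    if (get_u32(&p, end, &stamp) || get_u32(&p, end, &namelen)) return -1;
    if (namelen > AUTHSYS_MAX_NAME) return -1;
    namelen = (namelen + 3) & ~3u;             /* XDR pads strings to 4 bytes */
    if ((size_t)(end - p) < namelen) return -1;
    p += namelen;
    if (get_u32(&p, end, &c->uid) || get_u32(&p, end, &c->gid) ||
        get_u32(&p, end, &c->ngids)) return -1;
    if (c->ngids > AUTHSYS_MAX_GIDS) return -1; /* a 17th group cannot be sent */
    for (uint32_t i = 0; i < c->ngids; i++)
        if (get_u32(&p, end, &c->gids[i])) return -1;
    return p == end ? 0 : -1;
}

/* Pick the list used for access checks. server_gids is what the server looked
 * up for c->uid (e.g. via getgrouplist()); when non-NULL the wire list is ignored. */
int effective_gids(const struct authsys_cred *c, const uint32_t *server_gids,
                   uint32_t n_server, uint32_t *out, uint32_t max) {
    const uint32_t *src = server_gids ? server_gids : c->gids;
    uint32_t n = server_gids ? n_server : c->ngids;
    if (n > max) return -1;
    memcpy(out, src, n * sizeof(*out));
    return (int)n;
}

/* Constructed sample: stamp 0, machinename "c1", uid 1001, gid 1001, gids {2000, 2001}. */
const uint8_t SAMPLE_CRED[] = {
    0,0,0,0,  0,0,0,2,  'c','1',0,0,  0,0,3,0xe9,  0,0,3,0xe9,
    0,0,0,2,  0,0,7,0xd0,  0,0,7,0xd1 };
```

Because the override trusts the uid in the header and resolves groups locally, access decisions then follow the server's directory view rather than whatever list the client sent.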


Re: anyone running with ngroups increased from 16?

2018-04-16 Thread Julian Elischer

On 16/4/18 6:37 pm, Julian Elischer wrote:
> Windows users seem to have an almost unlimited number of groups and
> some places seem to use them a LOT.
> This gives Posix systems problems with deciding how to handle them
> all. Especially when getting
> user credentials from winbindd (samba).
>
> Does anyone know of any work done to either bypass this limit or to
> at least expand it?


I mean with the other applications such NFS usages etc.
I know mountd explodes with > 16..  has anyone done a cleaning pass?



Thanks

Julian



anyone running with ngroups increased from 16?

2018-04-16 Thread Julian Elischer
Windows users seem to have an almost unlimited number of groups and
some places seem to use them a LOT.
This gives Posix systems problems with deciding how to handle them
all. Especially when getting
user credentials from winbindd (samba).

Does anyone know of any work done to either bypass this limit or to at 
least expand it?


Thanks

Julian
