Re: Old user can't log in
On Thursday 12 February 2009 19:17:05 Da Rock wrote:
> I've been following this thread with interest: are you saying FreeBSD logins cannot handle more than 16 groups? If so, why?

Because the kernel needs to keep this info. At the time of conception, 16 shorts (16*4=64) per login and maxusers of 10 is only 640 bytes kernel memory. When working with 32MB physical memory per machine those 640 bytes sound a lot more invasive.

The variable is defined in sys/sys/syslimits.h, in case you need to tune your kernel. In any case, work is being done to make this a sysctl runtime tuneable:
http://lists.freebsd.org/pipermail/freebsd-hackers/2009-February/027738.html

-- 
Mel

Problem with today's modular software: they start with the modules and never get to the software part.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Old user can't log in
On Feb 13, 2009, at 1:21 AM, Da Rock wrote:
> On Thu, 2009-02-12 at 21:52 -0800, Chuck Swiger wrote:
>> On Feb 12, 2009, at 8:52 PM, Da Rock wrote:
>>>> With reasonable organization, and appropriate use of sudo or setgid binaries for things like people who use SVN or CVS, there generally isn't reason or need for a user to be in so many groups. For the exceptional cases, switching to using a full ACL system rather than the traditional Unix permission model is probably going to be a better solution.
>>>
>>> Interesting. What would you suggest for full ACL?
>>
>> Well, it depends on what you're doing in terms of user requirements and systems (ie, are the FreeBSD boxes fileservers, clients, or both?), but the stuff which comes with FreeBSD is documented in acl(3), getfacl, setfacl, etc. Other choices might involve something like the Andrew File System / Transarc DFS stuff, or Windows Active Directory and Samba/CIFS on the FreeBSD boxes.
>>
>> Regards,
>
> So you're talking in terms of the FS only? I thought you said the kernel wasn't capable? I'll have to look into this more thoroughly, I'm intrigued to say the least. Not to say I'll ever probably use it, but it does present a limitation.

I only ran up against the problem because I added this user to a bunch of other users' groups, so that she could edit those users' files. Easily refactored into something more sensible.

-- 
John
Re: Old user can't log in
On Feb 12, 2009, at 10:21 PM, Da Rock wrote:
> So you're talking in terms of the FS only?

Nope. A filesystem might have ACL capability available in its specification, but without kernel and userland support, that capability isn't accessible or meaningful.

> I thought you said the kernel wasn't capable?

Yes, I said that the kernel has a compile-time limit as to how many groups are supported per user.

> I'll have to look into this more thoroughly, I'm intrigued to say the least. Not to say I'll ever probably use it, but it does present a limitation.

Sure.

-- 
-Chuck
Re: Old user can't log in
On Fri, Feb 13, 2009 at 5:17 AM, Da Rock <rock_on_the_...@comcen.com.au> wrote:
> On Thu, 2009-02-12 at 21:48 -0500, John Almberg wrote:
>
> I've been following this thread with interest: are you saying FreeBSD logins cannot handle more than 16 groups? If so, why? Is this mitigated by using other authentication methods (ie kerberos, ldap, etc)?

In fact the real limit is 14 groups, which is a long standing bug in the libc+kernel. So beware :)

Regards,
Timur
Re: Old user can't log in
On Feb 12, 2009, at 3:14 PM, John Almberg wrote:
> Just ran into a strange problem... I have a long-standing user account on my FreeBSD box that no longer works. She can't ssh into the box, and I can't even su to her account.
>
> $ su jessica
> Password:
> su: setusercontext: Invalid argument

Does group 1022 exist in /etc/groups?

Is the user a member of more than 16 groups?

-- 
-Chuck
Re: Old user can't log in
On Feb 12, 2009, at 7:19 PM, Chuck Swiger wrote:
> On Feb 12, 2009, at 3:14 PM, John Almberg wrote:
>> Just ran into a strange problem... I have a long-standing user account on my FreeBSD box that no longer works. She can't ssh into the box, and I can't even su to her account.
>>
>> $ su jessica
>> Password:
>> su: setusercontext: Invalid argument
>
> Does group 1022 exist in /etc/groups?

Yes

> Is the user a member of more than 16 groups?

Actually, 15 plus its own group, so yes, I guess exactly 16. I can guess what you're going to say next. Frack...

Okay, I guess I can reorganize groups to eliminate this problem. Thanks for the hint (as they say, a hint to the wise is sufficient...)

-- 
John
Re: Old user can't log in
On Thu, 2009-02-12 at 21:48 -0500, John Almberg wrote:
> On Feb 12, 2009, at 7:19 PM, Chuck Swiger wrote:
>> On Feb 12, 2009, at 3:14 PM, John Almberg wrote:
>>> Just ran into a strange problem... I have a long-standing user account on my FreeBSD box that no longer works. She can't ssh into the box, and I can't even su to her account.
>>>
>>> $ su jessica
>>> Password:
>>> su: setusercontext: Invalid argument
>>
>> Does group 1022 exist in /etc/groups?
>
> Yes
>
>> Is the user a member of more than 16 groups?
>
> Actually, 15 plus its own group, so yes, I guess exactly 16. I can guess what you're going to say next. Frack...
>
> Okay, I guess I can reorganize groups to eliminate this problem. Thanks for the hint (as they say, a hint to the wise is sufficient...)
>
> -- 
> John

I've been following this thread with interest: are you saying FreeBSD logins cannot handle more than 16 groups? If so, why? Is this mitigated by using other authentication methods (ie kerberos, ldap, etc)?
Re: Old user can't log in
On Feb 12, 2009, at 8:17 PM, Da Rock wrote:
> I've been following this thread with interest: are you saying FreeBSD logins cannot handle more than 16 groups? If so, why? Is this mitigated by using other authentication methods (ie kerberos, ldap, etc)?

There's a compile-time limit of the relevant kernel data structures as to how many groups a user can be in, described by sysctl kern.ngroups. It's possible to recompile the kernel with a larger number, but doing so will break NFS (and possibly other things). It doesn't matter whether you use Kerberos, LDAP, etc to set up the groups; while those things do not have a 16-group limit, the FreeBSD kernel [1] does.

With reasonable organization, and appropriate use of sudo or setgid binaries for things like people who use SVN or CVS, there generally isn't reason or need for a user to be in so many groups. For the exceptional cases, switching to using a full ACL system rather than the traditional Unix permission model is probably going to be a better solution.

Regards,
-- 
-Chuck

[1]: And almost all other Unixes...
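The thread above shows the group limit surfacing only as a failed login; an added example, not from the thread or from FreeBSD's own tools, is a small POSIX sh/awk audit that counts each account's primary plus distinct supplementary groups from passwd(5)/group(5)-format files and flags accounts that reach a given limit. The function names and the sample data (jessica with primary gid 1022 and 15 other groups) are constructed for this example; on a live host pass /etc/passwd, /etc/group and the value of sysctl -n kern.ngroups.

```shell
#!/bin/sh
# Added example, not from the thread: audit passwd/group files for accounts
# whose group count (primary + supplementary) reaches the kernel group limit.
# On a live FreeBSD host: audit_groups /etc/passwd /etc/group "$(sysctl -n kern.ngroups)"
# All sample data below is constructed for demonstration.

# Number of group file entries that list USER in the members field.
count_supp_groups() {            # $1 user, $2 group file
    awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) c++ }
        END { print c + 0 }' "$2"
}

# Print "user total" for every account whose primary gid plus distinct
# supplementary gids reach LIMIT. A user listed in the members of their own
# primary group is counted only once.
audit_groups() {                 # $1 passwd file, $2 group file, $3 limit
    awk -F: -v limit="$3" '
        FNR == NR { primary[$1] = $3; next }        # pass 1: passwd -> primary gid
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) {
              u = m[i]
              if (!(u in primary) || $3 == primary[u]) continue
              if (!((u, $3) in seen)) { seen[u, $3] = 1; supp[u]++ }
          } }
        END { for (u in primary) {
                  total = supp[u] + 1
                  if (total >= limit) printf "%s %d\n", u, total } }' "$1" "$2" | sort
}

# Constructed sample modelled on the thread: jessica has primary gid 1022 and
# was added to 15 other users' groups (bob's plus user1..user14).
make_samples() {                 # $1 directory to write passwd and group into
    printf 'jessica:*:1022:1022::/home/jessica:/bin/sh\nbob:*:1001:1001::/home/bob:/bin/sh\n' > "$1/passwd"
    {
        printf 'jessica:*:1022:\nbob:*:1001:bob,jessica\n'
        i=1
        while [ "$i" -le 14 ]; do
            printf 'user%d:*:%d:user%d,jessica\n' "$i" $((2000 + i)) "$i"
            i=$((i + 1))
        done
    } > "$1/group"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_samples "$d"
    audit_groups "$d/passwd" "$d/group" 16    # prints: jessica 16
    rm -r "$d"
fi
```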
Re: Old user can't log in
On Thu, 2009-02-12 at 20:37 -0800, Chuck Swiger wrote:
> On Feb 12, 2009, at 8:17 PM, Da Rock wrote:
>> I've been following this thread with interest: are you saying FreeBSD logins cannot handle more than 16 groups? If so, why? Is this mitigated by using other authentication methods (ie kerberos, ldap, etc)?
>
> There's a compile-time limit of the relevant kernel data structures as to how many groups a user can be in, described by sysctl kern.ngroups. It's possible to recompile the kernel with a larger number, but doing so will break NFS (and possibly other things). It doesn't matter whether you use Kerberos, LDAP, etc to set up the groups; while those things do not have a 16-group limit, the FreeBSD kernel [1] does.
>
> With reasonable organization, and appropriate use of sudo or setgid binaries for things like people who use SVN or CVS, there generally isn't reason or need for a user to be in so many groups. For the exceptional cases, switching to using a full ACL system rather than the traditional Unix permission model is probably going to be a better solution.

Interesting. What would you suggest for full ACL?
Re: Old user can't log in
On Feb 12, 2009, at 8:52 PM, Da Rock wrote:
>> With reasonable organization, and appropriate use of sudo or setgid binaries for things like people who use SVN or CVS, there generally isn't reason or need for a user to be in so many groups. For the exceptional cases, switching to using a full ACL system rather than the traditional Unix permission model is probably going to be a better solution.
>
> Interesting. What would you suggest for full ACL?

Well, it depends on what you're doing in terms of user requirements and systems (ie, are the FreeBSD boxes fileservers, clients, or both?), but the stuff which comes with FreeBSD is documented in acl(3), getfacl, setfacl, etc. Other choices might involve something like the Andrew File System / Transarc DFS stuff, or Windows Active Directory and Samba/CIFS on the FreeBSD boxes.

Regards,
-- 
-Chuck
Re: Old user can't log in
On Thu, 2009-02-12 at 21:52 -0800, Chuck Swiger wrote:
> On Feb 12, 2009, at 8:52 PM, Da Rock wrote:
>>> With reasonable organization, and appropriate use of sudo or setgid binaries for things like people who use SVN or CVS, there generally isn't reason or need for a user to be in so many groups. For the exceptional cases, switching to using a full ACL system rather than the traditional Unix permission model is probably going to be a better solution.
>>
>> Interesting. What would you suggest for full ACL?
>
> Well, it depends on what you're doing in terms of user requirements and systems (ie, are the FreeBSD boxes fileservers, clients, or both?), but the stuff which comes with FreeBSD is documented in acl(3), getfacl, setfacl, etc. Other choices might involve something like the Andrew File System / Transarc DFS stuff, or Windows Active Directory and Samba/CIFS on the FreeBSD boxes.
>
> Regards,

So you're talking in terms of the FS only? I thought you said the kernel wasn't capable? I'll have to look into this more thoroughly, I'm intrigued to say the least. Not to say I'll ever probably use it, but it does present a limitation.