On Tue, 13 Oct 2009 casper....@sun.com wrote:

> So why not the built-in CIFS support in OpenSolaris?  Probably has a
> similar issue, but still.

I wouldn't think it has this same issue; presumably it won't support more
than the kernel limit of 32 groups, but I can't imagine that in the case
when a user is in more than 32 active directory groups it would simply
discard all group membership :(. I haven't tested it, but I would guess it
would behave like the underlying operating system and simply truncate the
group list at 32, with the user losing any additional privileges granted by
the rest of the groups.

I definitely have my eye on transitioning to OpenSolaris, hopefully
sometime in mid to late next year. Unfortunately, OpenSolaris wasn't quite
enterprise ready when we went into production with this system, and while I
think by now it's pretty close if not there, it's going to take some time
to put together a prototype, sell management on it, and migrate production
services.

> That's not nice and that should be fixed even when the OS doesn't support
> more than 32 bits.  How many groups do you want?

All of them :). I think currently the most groups any single user is in is
about 100. 64 would probably cover everyone except a handful of users.
Linux currently supports a maximum of 65536 groups per user; while I won't
make the mistake of saying no one would ever need more than that ;), I
don't think we would exceed that any time soon.

> I'm actually working on fixing this in OpenSolaris and we may even
> backport this to S10.

Really? Cool. Any timeline on getting it into a development build? What's
the current maximum number of groups you're working towards? Better group
support would be another bullet point for transitioning to OpenSolaris.

Regarding Solaris 10, my understanding was that the current 32 group limit
could only be changed by modifying internal kernel structures that would
break backwards compatibility, which wouldn't happen because Solaris
guarantees backwards binary compatibility. I could most definitely be
mistaken though.

> What's the bug number?

There is no bug number :(, as they refuse to classify it as a bug -- they
keep insisting it is an RFE, and pointing towards the existing RFE #'s for
increasing the number of groups supported by Solaris.

The service request is #71547904, although now that I think about it they
haven't been keeping the ticket updated. I'll send you a copy of the thread
I've had with the support engineers directly.

Here's the patch I submitted. It adds three lines, one of which is blank
8-/. I'm just really confused why they'd rather spend months arguing it
isn't a bug rather than just spending five minutes applying this simple
patch <sigh>. I'd just run the version I compiled locally, but it's fairly
clear that the source code provided is not the same as the source code used
to generate the production binary, so I'd really prefer an official fix.


r...@niblet /usr/sfw/src/samba/source/auth # diff -u auth_util.c.orig auth_util.c
--- auth_util.c.orig    Fri Sep 11 16:18:46 2009
+++ auth_util.c Fri Sep 11 16:25:56 2009
@@ -1042,6 +1042,7 @@
        TALLOC_CTX *mem_ctx;
        NTSTATUS status;
        size_t i;
+       int ngroups_max = groups_max();


        mem_ctx = talloc_new(NULL);
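
Review bot: In the declarations at the top of this hunk, the return value of groups_max() is stored in ngroups_max with no check that it is positive and no comment saying why a limit is being applied. If it ever came back as 0 or negative, the equality test added in the second hunk would never match and the group list would not be capped at all. Suggest validating the value once here (either fall back to a fixed default or skip the cap explicitly) and adding a one-line comment that the list is being capped to what the OS will accept.
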
@@ -1099,6 +1100,8 @@
                }
                add_gid_to_array_unique(server_info, gid,
&server_info->groups,
                                        &server_info->n_groups);
+
+               if (server_info->n_groups == ngroups_max) break;
        }

        debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok);
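
Review bot: The added test "if (server_info->n_groups == ngroups_max) break;" uses == where >= would be safer: if n_groups is already above the limit when the check is first reached, equality never fires and the loop keeps adding gids. The break also truncates the list silently, so a user who loses memberships past the limit leaves nothing in the logs to explain the resulting access change; a DEBUG line at the break that reports the limit would make that diagnosable. Smaller points: put the break on its own line inside braces, and if n_groups is a size_t, comparing it with the int ngroups_max is a signed/unsigned comparison that is worth avoiding by declaring both with the same type.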



-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  hen...@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
