Discussion:
anyone running with ngroups increased from 16?
(too old to reply)
Julian Elischer
2018-04-16 10:37:53 UTC
Permalink
Windows users seem to have an almost unlimited number of groups and
soem places seem to use them a LOT.
This gives Posix systems problems with deciding how to handle them
all. Especially when getting
user credentials from winbindd (samba).

Does anyone know of any work done to either bypass this limit or to at
least expand it?

Thanks

Julian
Julian Elischer
2018-04-16 11:26:05 UTC
Permalink
On 16/4/18 6:37 pm, Julian Elischer wrote:
> Windows users seem to have an almost unlimited number of groups and
> soem places seem to use them a LOT.
> This gives Posix systems problems with deciding how to handle them
> all. Especially when getting
> user credentials from winbindd (samba).
>
> Does anyone know of any work done to either bypass this limit or to
> at least expand it?

I mean with the other applications such NFS usages etc.
I know mountd explodes with > 16..  has anyone done a cleaning pass?

>
> Thanks
>
> Julian
>
> _______________________________________________
> freebsd-***@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to
> "freebsd-current-***@freebsd.org"
>
Rick Macklem
2018-04-16 12:12:53 UTC
Permalink
Julian Elischer wrote:
>On 16/4/18 6:37 pm, Julian Elischer wrote:
>> Windows users seem to have an almost unlimited number of groups and
>> soem places seem to use them a LOT.
>> This gives Posix systems problems with deciding how to handle them
>> all. Especially when getting
>> user credentials from winbindd (samba).
>>
>> Does anyone know of any work done to either bypass this limit or to
>> at least expand it?
>
>I mean with the other applications such NFS usages etc.
>I know mountd explodes with > 16.. has anyone done a cleaning pass?
16 is the limit "on-the-wire" per RFCs for Sun RPC. You can use
nfsuserd --manage-gids (see "man nfsuserd")
on the NFS server so that the daemon uses the group list for the uid in the RPC instead of the list of groups (limited to 16) in the RPC header. Works fine so
long as the server knows the same group list for a uid as the client(s) do.

And, yes, this applies to NFSv3 as well as NFSv4.

rick
Toomas Soome
2018-04-16 12:19:53 UTC
Permalink
> On 16 Apr 2018, at 15:12, Rick Macklem <***@uoguelph.ca> wrote:
>
> Julian Elischer wrote:
>> On 16/4/18 6:37 pm, Julian Elischer wrote:
>>> Windows users seem to have an almost unlimited number of groups and
>>> soem places seem to use them a LOT.
>>> This gives Posix systems problems with deciding how to handle them
>>> all. Especially when getting
>>> user credentials from winbindd (samba).
>>>
>>> Does anyone know of any work done to either bypass this limit or to
>>> at least expand it?
>>
>> I mean with the other applications such NFS usages etc.
>> I know mountd explodes with > 16.. has anyone done a cleaning pass?
> 16 is the limit "on-the-wire" per RFCs for Sun RPC. You can use
> nfsuserd --manage-gids (see "man nfsuserd")
> on the NFS server so that the daemon uses the group list for the uid in the RPC instead of the list of groups (limited to 16) in the RPC header. Works fine so
> long as the server knows the same group list for a uid as the client(s) do.
>
> And, yes, this applies to NFSv3 as well as NFSv4.
>

it is not entirely exact. The number of supplemental groups is the limit of AUTH_SYS (aka AUTH_UNIX) authentication mechanism used by ONC+ RPC. So anything using/supporting this auth mechanism, has this limit too.

Therefore, on paper, there is 2 possible ways to overcome the issue - either use alternate authentication mechanism (such as AUTH_GSS), or implement workaround for AUTH_SYS.

rgds,
toomas
Brooks Davis
2018-04-16 15:49:03 UTC
Permalink
On Mon, Apr 16, 2018 at 06:37:53PM +0800, Julian Elischer wrote:
> Windows users seem to have an almost unlimited number of groups and
> soem places seem to use them a LOT.
> This gives Posix systems problems with deciding how to handle them
> all. Especially when getting
> user credentials from winbindd (samba).
>
> Does anyone know of any work done to either bypass this limit or to at
> least expand it?

I fixed this in 2009 for everything but NFS AUTH_SYS. NGROUPS_MAX is
1023. IIRC the usual hack employed in storage systems is to ignore the
groups provided by AUTH_SYS and get them from winbindd. I don't know of
a public implementation of that.

-- Brooks
Rick Macklem
2018-04-17 00:11:51 UTC
Permalink
Brooks Davis wrote:
>On Mon, Apr 16, 2018 at 06:37:53PM +0800, Julian Elischer wrote:
>> Windows users seem to have an almost unlimited number of groups and=20
>> soem places seem to use them a LOT.
>> This gives Posix systems problems with deciding how to handle them=20
>> all. Especially when getting
>> user credentials from winbindd (samba).
>>=20
>> Does anyone know of any work done to either bypass this limit or to at=20
>> least expand it?
>
>I fixed this in 2009 for everything but NFS AUTH_SYS. NGROUPS_MAX is
>1023. IIRC the usual hack employed in storage systems is to ignore the
>groups provided by AUTH_SYS and get them from winbindd. I don't know of
>a public implementation of that.
If winbindd gets the information from LDAP, then you can get the same effect
from "nfsuserd -manage-gids" for AUTH_SYS (or as Toomas Soome noted, the gssd
does the same thing for Kerberized mounts).

Both of these utilities use getgrouplist() on the NFS server to acquire the list
of groups for the user. As such, anything configured for the library call, such
as LDAP, will provide the list of groups.

rick
Loading...