From: Mārcis Lielturks on
Thanks, machine won't provide NFS or ssh login services, so fiddling with max
groups should do no harm!

I googled a bit and found that samba should be recompiled to take advantage
of new NGROUPS_MAX. "./configure" logs also suggested that NGROUPS_MAX is
evaluated only at compile time.

Can anybody share experience on compiling samba on OpenSolaris? What's the
most painless way? I'm considering to use latest 3.5.5 but maybe I should
use same version Sun (Oracle) is using - 3.0.37? I have to set up Samba on 2
servers, which already replicate storage, so ID mapping must be consistent
between both Samba servers. Servers have to provide shares also to trusted
domains, but 3.0.37 doesn't have idmap_hash and seems that idmap_rid is not
supported to provide mappings for more than one domain, so anything newer
than 3.0.37 sounds like the right choice.

On 14 July 2010 19:46, Gaiseric Vandal <gaiseric.vandal(a)gmail.com> wrote:

> Here is the catch (at least for some people.)
>
> This can break NFS stuff. On my PDC I made a similar change. Home
> directories are not on the PDC. This fixed the problem of people getting
> login failures when logging into windows if they had more than 16 groups.
> But if a user tries to ssh into the PDC, and he is in more than 16 groups,
> his login will fail because the home directory can not be mounted. But if
> your samba server is not functioning as an nfs client then it shouldn't be
> an issue.
>
>
> My PDC is samba 3.4.x. The BDC's are 3.0.x. Samba 3.0.x domain
> controllers didn't check if your Windows groups exceeded the system group
> max. You could login- you might not have all the access to directories
> you thought you should since your effective group list was still getting
> truncated.
>
> With Samba 3.4.x, samba checks to see how many groups you are in, and if that
> exceeds the ngroups_max it aborts your login. I don't know why. It isn't
> like it is fixing a security hole. It just gets people mad at me.
>
> On 07/14/2010 07:39 AM, Marcis Lielturks wrote:
>
>> Hi!
>>
>> Running OpenSolaris snv_134 with Samba 3.0.37. Samba is successfully
>> joined to AD domain. AD user "user1" is member in 17 AD groups including
>> "group1", but he cannot access Samba share which has read permissions for
>> "group1". If user account is modified and "group1" becomes user's primary
>> group, then he can access shares. If user is member of only 16 groups, then
>> permissions work as expected regardless of user's primary group.
>>
>> Operating system's "ngroups_max" is set to 1024. I tested with local user
>> and was able to add user to 1024 local groups.
>>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>



--
ML
From: Mārcis Lielturks on
On 15 July 2010 00:28, Jeremy Allison <jra(a)samba.org> wrote:

> On Thu, Jul 15, 2010 at 12:26:05AM +0300, Mārcis Lielturks wrote:
> > Thanks, machine won't provide NFS or ssh login services, so fiddling with
> > max groups should do no harm!
> >
> > I googled a bit and found that samba should be recompiled to take
> > advantage of new NGROUPS_MAX. "./configure" logs also suggested that
> > NGROUPS_MAX is evaluated only at compile time.
>
> Yep. Recompilation should do the trick once the kernel understands
> large numbers of groups.
>
> > Can anybody share experience on compiling samba on OpenSolaris? What's
> > the most painless way? I'm considering to use latest 3.5.5 but maybe I
> > should use same version Sun (Oracle) is using - 3.0.37? I have to set up
> > Samba on 2 servers, which already replicate storage, so ID mapping must
> > be consistent between both Samba servers. Servers have to provide shares
> > also to trusted domains, but 3.0.37 doesn't have idmap_hash and seems
> > that idmap_rid is not supported to provide mappings for more than one
> > domain, so anything newer than 3.0.37 sounds like the right choice.
>
> The only reason they use 3.0.x is they're still unable to cope
> with the GPLv3 in (Open?)Solaris. Which is ironic as Oracle
> Linux has been shipping GPLv3 Samba for a while. But it's a big
> company, you can't expect one part to know what another part is
> up to :-).
>

Yeah, I read about that, but still, I was thinking that as they ship 3.0.37,
it should also be easier to compile because OS has all that's necessary for
3.0.37. Newer Samba versions may have some dependencies (new libs or newer
version of libs), that might be harder to satisfy. I have never compiled
samba so far and all I know at the moment (from documentation) is that AD
support requires krb5 and openldap development libraries and files.

>
> Jeremy.
>



--
ML
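
The group-limit behaviour discussed in this thread, as an added example that is not part of any poster's message and is not Samba source code: it prints the NGROUPS_MAX baked into a binary at compile time next to the running system's limit, and models what silently truncating a 17-group list at 16 (versus refusing it) does to a group-based access check. The function names `apply_group_cap` and `has_group`, the gid values and the ordering of the groups are constructed for illustration.

```c
/* Added model, not Samba source: the two over-limit behaviours described above. */
#include <limits.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef NGROUPS_MAX
#define NGROUPS_MAX 16   /* assumption: fallback if <limits.h> omits it */
#endif

/* Copy at most cap gids from in[] to out[]. strict == 0 truncates silently
 * (3.0.x as described in the thread); strict != 0 refuses the whole list
 * (3.4.x as described). Returns the number of gids kept, or -1 if refused. */
long apply_group_cap(const gid_t *in, size_t n, gid_t *out, size_t cap, int strict)
{
    if (n > cap) {
        if (strict)
            return -1;
        n = cap;
    }
    for (size_t i = 0; i < n; i++)
        out[i] = in[i];
    return (long)n;
}

/* Access check: the primary gid or any kept supplementary gid matches. */
int has_group(gid_t primary, const gid_t *supp, long count, gid_t wanted)
{
    if (primary == wanted)
        return 1;
    for (long i = 0; i < count; i++)
        if (supp[i] == wanted)
            return 1;
    return 0;
}

int main(void)
{
    /* Limit compiled into this binary versus what the running kernel allows. */
    printf("compile-time NGROUPS_MAX=%ld runtime _SC_NGROUPS_MAX=%ld\n",
           (long)NGROUPS_MAX, sysconf(_SC_NGROUPS_MAX));
    gid_t groups[17], kept[17];      /* constructed sample: 17 memberships */
    for (int i = 0; i < 17; i++)
        groups[i] = 1000 + i;        /* constructed: "group1" is gid 1016 */
    long n = apply_group_cap(groups, 17, kept, 16, 0);
    printf("kept %ld groups, access via gid 1016: %d\n",
           n, has_group(500, kept, n, 1016));
    return 0;
}
```

A binary whose compile-time value is lower than the runtime one is the case where raising the OS limit alone changes nothing until the program is rebuilt.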