The Samba-Bugzilla – Bug 1191
a workaround when windows PDC has #groups> NGROUPS_MAX on unix
Last modified: 2005-09-29 08:21:25 UTC
See bug 279, my idea on a workaround/solution; I understand this is not a
bug; it is caused by a limitation in the unix operating system; however, this
is not a reason not to try to find a solution for it.
As winbind strives to integrate a windows domain with a samba unix member...
I think we should tackle the NGROUPS_MAX limit.
In the case where I have a samba 3 domain MEMBER of a windows Active Directory.
I would be very happy with a facility to setup a groups_mapping.txt file which
lists all the groups that I want to "accept" on the unix side. The other
groups that a user may have will simply be filtered out.
On the domain where I'm testing samba as a domain member I find 119 groups
defined; of course a user does not have all these groups but it is likely that
for all kinds of windows-related reasons a user gets assigned > 16 groups (the
limit on Solaris 8..!).
For the users accessing my share on unix I'm only interested to test 1
specific group; the share I'm using will set "force group=+sambagroup" so that
only windows users that have this specific sambagroup can see and use this
share and see each other's documents on this share.
If any user has more than 16 groups currently the whole implementation of
winbind needs to be cancelled in the current version; winbind will become
unreliable as you never know which groups will be shown in the first
16 'visible' unix groups and which not...!
A mapping file should never contain more than NGROUPS_MAX entries.
winbind should check NGROUPS_MAX and give a severe warning if any user has
more than NGROUPS_MAX groups assigned...
something needs to be done on this :--)
Check https://bugzilla.samba.org/show_bug.cgi?id=1184 for another possible
solution. With that patch, you can apply an ldap filter, or change the ou search
path to limit the groups returned.
Sorry. No static mapping files.
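
The check requested in the report (warn when a user has more than NGROUPS_MAX groups, and see whether the group used for "force group" is still visible) can be run as an audit outside winbind. This is an added example, not part of the bug thread and not Samba code; the function names and the sample memberships are constructed, and it assumes, as the report describes, that only the first NGROUPS_MAX groups stay visible.

```python
import os


def ngroups_max(default=16):
    """Return the OS supplementary-group limit.

    Falls back to `default` (16, the Solaris 8 value quoted in the report)
    when the limit cannot be read on this platform.
    """
    try:
        value = os.sysconf("SC_NGROUPS_MAX")
    except (ValueError, OSError, AttributeError):
        return default
    return value if value > 0 else default


def audit(memberships, required_group, limit):
    """Flag users whose resolved group list exceeds `limit`.

    memberships: dict of user -> ordered list of group names.
    Assumption (from the report): only the first `limit` groups are visible.
    Returns a list of (user, total_groups, required_group_still_visible).
    """
    findings = []
    for user, groups in sorted(memberships.items()):
        unique = list(dict.fromkeys(groups))  # drop duplicates, keep order
        if len(unique) <= limit:
            continue  # within the limit, nothing is cut off
        visible = unique[:limit]
        findings.append((user, len(unique), required_group in visible))
    return findings


# Constructed sample data: group order is what decides the outcome.
SAMPLE = {
    "alice": ["sambagroup"] + [f"grp{i}" for i in range(5)],    # 6 groups
    "bob": [f"grp{i}" for i in range(20)] + ["sambagroup"],     # 21, wanted group last
    "carol": ["sambagroup"] + [f"grp{i}" for i in range(20)],   # 21, wanted group first
}

if __name__ == "__main__":
    limit = ngroups_max()
    print(f"NGROUPS_MAX on this host: {limit}")
    for user, total, ok in audit(SAMPLE, "sambagroup", limit):
        state = "still visible" if ok else "CUT OFF"
        print(f"WARNING {user}: {total} groups > {limit}; sambagroup {state}")
```

On a domain member the memberships would come from the resolved group list of each user rather than from the constructed dictionary.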