Bug 1191 - a workaround when windows PDC has #groups> NGROUPS_MAX on unix
Summary: a workaround when windows PDC has #groups> NGROUPS_MAX on unix
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.2a
Hardware: All Solaris
Importance: P3 enhancement
Target Milestone: none
Assignee: Samba Bugzilla Account
Reported: 2004-03-16 02:09 UTC by Leon
Modified: 2005-09-29 08:21 UTC
Description Leon 2004-03-16 02:09:00 UTC
See bug 279; my idea on a workaround/solution. I understand this is not a
bug; it is caused by a limitation in the unix operating system; however, this
is not a reason not to try to find a solution for it.

As winbind strives to integrate a Windows domain with a Samba unix member...
I think we should tackle the NGROUPS_MAX limit.

In the case where I have a samba 3 domain MEMBER of a windows Active Directory.

I would be very happy with a facility to set up a groups_mapping.txt file which
lists all the groups that I want to "accept" on the unix side. The other 
groups that a user may have will simply be filtered out.

On the domain where I'm testing samba as a domain member I find 119 groups
defined; of course a user does not have all these groups but it is likely that
for all kinds of Windows-related reasons a user gets assigned > 16 groups (the
limit on Solaris 8..!).

For the users accessing my share on unix I'm only interested to test 1 
specific group; the share I'm using will set "force group=+sambagroup" so that 
only windows users that have this specific sambagroup can see and use this 
share and see each other's documents on this share.

If any user has more than 16 groups currently the whole implementation of 
winbind needs to be cancelled in the current version; winbind will become 
unreliable as you never know which groups will be shown in the first 
16 'visible' unix groups and which not...!

A mapping file should never contain more than NGROUPS_MAX entries.

winbind should check NGROUPS_MAX and give a severe warning if any user has
more than NGROUPS_MAX groups assigned...

something needs to be done on this :--)
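
The check and filter proposed in the description above, sketched as an added example; it is not part of the bug report and is not Samba or winbind code. The names `check_groups` and `struct group_check` and the sample gids are assumptions, and the allow-list array stands in for the proposed groups_mapping.txt.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of checking one user's group list against the supplementary-group limit. */
struct group_check {
    size_t kept;      /* gids written to out[] */
    size_t dropped;   /* gids not on the allow-list */
    int    overflow;  /* unfiltered list exceeds the limit: warn the admin */
    int    truncated; /* allow-listed gids alone still exceed the limit */
};

/* Hypothetical helper: keep only allow-listed gids, in input order, never more than limit. */
struct group_check check_groups(const gid_t *in, size_t n_in,
                                const gid_t *allow, size_t n_allow,
                                gid_t *out, size_t limit)
{
    struct group_check r = {0, 0, n_in > limit, 0};
    for (size_t i = 0; i < n_in; i++) {
        int ok = 0;
        for (size_t j = 0; j < n_allow && !ok; j++)
            ok = (in[i] == allow[j]);
        if (!ok)
            r.dropped++;
        else if (r.kept < limit)
            out[r.kept++] = in[i];
        else
            r.truncated = 1;   /* access decisions would depend on list order */
    }
    return r;
}

int main(void)
{
    /* Constructed sample: 18 domain gids for one user, two of which matter locally. */
    gid_t user[18], allow[] = {10003, 10017}, out[18];
    long max = sysconf(_SC_NGROUPS_MAX);   /* 16 on the reporter's Solaris 8; larger on Linux */
    size_t limit = max > 0 ? (size_t)max : 16;
    for (size_t i = 0; i < 18; i++)
        user[i] = (gid_t)(10000 + i);
    struct group_check r = check_groups(user, 18, allow, 2, out, limit);
    if (r.overflow)
        fprintf(stderr, "WARNING: user has 18 groups, NGROUPS_MAX is %zu\n", limit);
    printf("kept %zu, dropped %zu, truncated %d\n", r.kept, r.dropped, r.truncated);
    return 0;
}
```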
Comment 1 John Klinger 2004-03-24 14:49:29 UTC
Check https://bugzilla.samba.org/show_bug.cgi?id=1184 for another possible
solution. With that patch, you can apply an ldap filter, or change the ou search
path to limit the groups returned.
Comment 2 Gerald (Jerry) Carter (dead mail address) 2005-09-29 08:21:25 UTC
Sorry.  No static mapping files.