Bug 4150 - Samba (LDAP) doesn't allow login for a user if he exists in many groups
Status: RESOLVED INVALID
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.23c
Hardware: x86 FreeBSD
Importance: P3 normal
Target Milestone: none
Assigned To: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2006-10-04 07:18 UTC by Gennady G. Marchenko
Modified: 2006-10-04 08:41 UTC (History)

Attachments
debug 5 from win machine tries to login with testing user (70.78 KB, text/plain)
2006-10-04 07:22 UTC, Gennady G. Marchenko
LDAP searching log in this moment (24.29 KB, text/plain)
2006-10-04 07:24 UTC, Gennady G. Marchenko

Description Gennady G. Marchenko 2006-10-04 07:18:16 UTC
Base info:

I create a new user in domain "testing" with smbldap-tools. Successfully.
Now I try to log in to domain itvgroup.cxm from one of the domain machines with user testing. Successfully.
Now I add user testing to many groups. Now I try to log in - and can't do it. :(
If I delete him from one or two groups - everything starts working fine.
I add the user to another group (not used in the first case) - login error again.

I think it happens because the search result is too big or something like this.

Two logs in attachment:

debug.log - debug info of ldap accesses
g-marchenko.smb - log of the samba client who tries to log in with the test user (without success)
Comment 1 Gennady G. Marchenko 2006-10-04 07:22:51 UTC
Created attachment 2172 [details]
debug 5 from win machine tries to login with testing user
Comment 2 Gennady G. Marchenko 2006-10-04 07:24:57 UTC
Created attachment 2173 [details]
LDAP searching log in this moment
Comment 3 Volker Lendecke 2006-10-04 08:13:44 UTC
How many groups do you have exactly where it stops working? And, you are aware that many Unixes (dunno about FreeBSD) have a hard limit of 16 or 32 groups per user?

And, to diagnose this we would need the debug level 10 log of the DC.

Volker
Comment 4 Gennady G. Marchenko 2006-10-04 08:40:27 UTC
Oh! Thanks a lot!

It's over 16 groups, and it seems that it's hardcoded in FreeBSD :(
But if I run id testing it returns the user ok, with all of his groups.
Why, if it's hardcoded....

Now I try to make a log at errlvl 10

Comment 5 Volker Lendecke 2006-10-04 08:41:54 UTC
debug level 10 does not help anymore, if the FreeBSD limit is 16 then you're stuck.

Closing the bug as invalid, this is a system restriction, not a Samba one.

Volker
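
A check for the per-user group limit discussed in this thread, as an added example that is not part of the original bug report or of Samba's code: it counts a user's supplementary groups by walking the system group database and compares the count with the limit the operating system reports through sysconf(_SC_NGROUPS_MAX). The function names are hypothetical, and leaving the primary group out of the count is an assumption.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Return 1 if `user` appears in the member list of group entry `g`. */
static int is_member(const struct group *g, const char *user)
{
    for (char **m = g->gr_mem; m != NULL && *m != NULL; m++)
        if (strcmp(*m, user) == 0)
            return 1;
    return 0;
}

/* Count supplementary groups of `user` by walking the group database
 * through NSS, so LDAP-backed groups are seen too. Returns -1 if the
 * user is unknown. The primary group is not counted (assumption:
 * whether it counts toward the limit differs between systems). */
static long count_supplementary(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    gid_t primary = pw->pw_gid;   /* copy: pw may be overwritten below */
    long n = 0;
    struct group *g;
    setgrent();
    while ((g = getgrent()) != NULL)
        if (g->gr_gid != primary && is_member(g, user))
            n++;
    endgrent();
    return n;
}

/* Per-process supplementary group limit reported by the running system. */
static long group_limit(void) { return sysconf(_SC_NGROUPS_MAX); }

/* Return 1 if `count` memberships do not fit within `limit`. */
static int over_limit(long count, long limit) { return count > limit; }

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "testing"; /* name from the report */
    long n = count_supplementary(user), max = group_limit();
    if (n < 0) { fprintf(stderr, "unknown user %s\n", user); return 2; }
    printf("%s: %ld supplementary groups, limit %ld\n", user, n, max);
    return over_limit(n, max);
}
```

Run on the domain controller, it exits with status 1 when the named user has more supplementary groups than the system limit.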