set_unix_security_ctx is causing crashes on Solaris 10, because it tries to pass in too many groups, causing a crash.
Created attachment 5587 [details]
Proposed patch to fix the issue.
Sorry, we will not apply this patch. This is a Solaris problem that Oracle is about to fix in a future release. You might contact Oracle about this problem to get a preliminary patch.
I just built 3.6 on Nexenta (basically OpenSolaris b134), and the issue is not fixed. That is what 2010.3 will be based on roughly. Do you have the bug number for this issue?
Otherwise, my patch does obey the standards, as I understand them. I only clamp to the number of groups that the system says we are allowed.
Re-assigning to Jeremy. I have already rejected this patch and Jeremy right now in very close cooperation with you anyway. Maybe he wants to comment on this patch and has a different view on me refusing to apply this patch.
This is a broken patch IMHO. It simply drops the groups that are over the system limit. I don't think we can do that. Solaris must fix the limited group list. This isn't something we can fix in Samba. The problem is if we simply truncate there is no way a user will know what groups they are in or not, depending on the sort order of the list of groups returned from nsswitch, thus getting random access denied errors that we get blamed for.
BTW, I still think this patch is wrong, but I was not heard. Rejecting it a second time won't help, I'm not going to play REJECT/REOPEN pingpong.
Just for the reason why I've re-assigned it to Jeremy.
Also, with ZFS and negative ACLs you run into security problems by just dropping group memberships.
have to re-open to correctly close as WONTFIX
Closing again as WONTFIX. Lets see how long we can play this game :-)
The real work around (at least on OpenSolaris, I'll see if I can test it on Solaris at some point also...)
set ngroups_max = 64
It may be worth documenting somewhere appropriate. Leave the resolution alone. The work around I have now is correct.
is the bug with the needed data from Oracle, in case anyone wants to know if their version of OpenSolaris or Solaris has this fixed, or to talk to Oracle about patches.