Hi
I am new to the list. I have been trying to get a definitive statement from NetApp about the maximum number of groups a user can belong to if we rely on the /etc/group and /etc/passwd files on the filer.
The setup we have tested has CIFS clients (Windows2000) with the filer part of a workgroup. We rely on unix group permissions for access to data directories. We are not using any NFS, NIS, LDAP or NT domain - all local authentication etc.
I have done some testing and it appears the limit is 32 (not a surprising number) but have not been able to get this confirmed.
Has anyone tried/done this before?
We are migrating from samba servers running on FreeBSD with modified kernels which allow users to be in thousands of groups (don't laugh; I don't want to go into the reasons) because this facilitates our company's working practices.
Thanks
Francois
Is it possible the limit is not the number of groups, but actually the literal size of the line in the groups file? I have vague memories of running into some limits of that sort in the distant past in the unix world. That each line in the groups file could not be larger than X characters.
The only documentation that I have found (which is 4 years old) points to 32 as a maximum. I'm going to keep digging and see if this has changed.
http://now.netapp.com/Knowledgebase/solutionarea.asp?id=ntapcs6330
Hth
Vic
-----Original Message-----
From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Sphar, Mike
Sent: Thursday, March 01, 2007 1:56 PM
To: toasters@mathworks.com
Subject: RE: Maximum number of groups per user
Is it possible the limit is not the number of groups, but actually the literal size of the line in the groups file? I have vague memories of running into some limits of that sort in the distant past in the unix world. That each line in the groups file could not be larger than X characters.
-- Michael W. Sphar - IS&T - Lead Systems Administrator SMBU Engineering Support Services, BMC Software
-----Original Message-----
From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Francois Joubert
Sent: Thursday, March 01, 2007 9:49 AM
To: toasters@mathworks.com
Subject: Maximum number of groups per user
Hi
I am new to the list. I have been trying to get a definitive statement from NetApp about the maximum number of groups a user can belong to if we rely on the /etc/group and /etc/passwd files on the filer.
The setup we have tested has CIFS clients (Windows2000) with the filer part of a workgroup. We rely on unix group permissions for access to data directories. We are not using any NFS, NIS, LDAP or NT domain - all local authentication etc.
I have done some testing and it appears the limit is 32 (not a surprising number) but have not been able to get this confirmed.
Has anyone tried/done this before?
We are migrating from samba servers running on FreeBSD with modified kernels which allow users to be in thousands of groups (don't laugh; I don't want to go into the reasons) because this facilitates our company's working practices.
Thanks
Francois
Sphar, Mike wrote:
Is it possible the limit is not the number of groups, but actually the literal size of the line in the groups file? I have vague memories of running into some limits of that sort in the distant past in the unix world. That each line in the groups file could not be larger than X characters.
Yes. Our group file is structured in such a way as to avoid this limit, i.e. each line is less than X characters (I can't remember the character limit right now).
On Thu, Mar 01, 2007 at 05:49:25PM +0000, Francois Joubert wrote:
I have done some testing and it appears the limit is 32 (not a surprising number) but have not been able to get this confirmed.
32 is the limit.
N.B. The limit for classic NFS operations is 16.
Right, saw this, I thought the point was NetApp documentation.
-----Original Message-----
From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Michael van Elst
Sent: Thursday, March 01, 2007 2:48 PM
To: Francois Joubert
Cc: toasters@mathworks.com
Subject: Re: Maximum number of groups per user
On Thu, Mar 01, 2007 at 05:49:25PM +0000, Francois Joubert wrote:
I have done some testing and it appears the limit is 32 (not a surprising number) but have not been able to get this confirmed.
32 is the limit.
N.B. The limit for classic NFS operations is 16.
I'm 99% sure the limit for ONTAP is 32.
-- Adam Fox adamfox@netapp.com
-----Original Message-----
From: owner-dl-toasters@jhereg.corp.netapp.com [mailto:owner-dl-toasters@jhereg.corp.netapp.com] On Behalf Of Francois Joubert
Sent: Thursday, March 01, 2007 12:49 PM
To: toasters@mathworks.com
Subject: Maximum number of groups per user
Hi
I am new to the list. I have been trying to get a definitive statement from NetApp about the maximum number of groups a user can belong to if we rely on the /etc/group and /etc/passwd files on the filer.
The setup we have tested has CIFS clients (Windows2000) with the filer part of a workgroup. We rely on unix group permissions for access to data directories. We are not using any NFS, NIS, LDAP or NT domain - all local authentication etc.
I have done some testing and it appears the limit is 32 (not a surprising number) but have not been able to get this confirmed.
Has anyone tried/done this before?
We are migrating from samba servers running on FreeBSD with modified kernels which allow users to be in thousands of groups (don't laugh; I don't want to go into the reasons) because this facilitates our company's working practices.
Thanks
Francois
ONTAP (WAFL really) supports a maximum of 32 supplemental group ids in a credential, plus the one primary group id.
NFS over AUTH_SYS (aka weak authentication, sec=sys on the exportfs command line) is limited to 16 supplemental groups.
NFS over Kerberos authentication (sec=krb5) is limited by WAFL to 32 supplemental group ids.
I am 100% sure.
My blog has more details.
http://nfsworld.blogspot.com/2005/03/whats-deal-on-16-group-id-limitation.ht...
-mre I work for NetApp but post with a non-NetApp email address to keep my spa life separate from my work life.
--- "Fox, Adam" Adam.Fox@netapp.com wrote:
I'm 99% sure the limit for ONTAP is 32.
-- Adam Fox adamfox@netapp.com
-----Original Message-----
From: owner-dl-toasters@jhereg.corp.netapp.com [mailto:owner-dl-toasters@jhereg.corp.netapp.com] On Behalf Of Francois Joubert
Sent: Thursday, March 01, 2007 12:49 PM
To: toasters@mathworks.com
Subject: Maximum number of groups per user
Hi
I am new to the list. I have been trying to get a definitive statement from NetApp about the maximum number of groups a user can belong to if we rely on the /etc/group and /etc/passwd files on the filer.
The setup we have tested has CIFS clients (Windows2000) with the filer part of a workgroup. We rely on unix group permissions for access to data directories. We are not using any NFS, NIS, LDAP or NT domain - all local authentication etc.
I have done some testing and it appears the limit is 32 (not a surprising number) but have not been able to get this confirmed.
Has anyone tried/done this before?
We are migrating from samba servers running on FreeBSD with modified kernels which allow users to be in thousands of groups (don't laugh; I don't want to go into the reasons) because this facilitates our company's working practices.
Thanks
Francois
Thank you to all who responded. I am going with 32 as the limit. It means we have to re-organise our company filing plan. I am told I can get around this by using ACLs and moving to LDAP but this was not meant to be part of the solution.
For interest's sake, this is the summary of my current users' group memberships (1 group per job number):
# following is a group list showing for each job
# the users which have read/write access to that job
# there are 5430 groups: j0001 to j5430
# there are 661 users: u0001 to u0661

# ** JOBS
# 5430 jobs, average 5.78 users per job
# jobs with 1-9 users: 4723
# jobs with 10-99 users: 698
# jobs with 100-999 users: 9
# jobs with 1000-9999 users: 0
# jobs with 10000-99999 users: 0
#
# ** USERS
# 661 users, average 47.45 jobs per user
# users with 1-9 jobs: 242
# users with 10-99 jobs: 351
# users with 100-999 jobs: 64
# users with 1000-9999 jobs: 0004
# users with 10000-99999 jobs: 0
We currently run this group setup on FreeBSD servers (with modified kernel) with samba for CIFS access and it works very well - too much work to change :(
Regards Francois
Mike Eisler wrote:
ONTAP (WAFL really) supports a maximum of 32 supplemental group ids in a credential, plus the one primary group id.
NFS over AUTH_SYS (aka weak authentication, sec=sys on the exportfs command line) is limited to 16 supplemental groups.
NFS over Kerberos authentication (sec=krb5) is limited by WAFL to 32 supplemental group ids.
I am 100% sure.
My blog has more details.
Just to clarify, if you are using UNIX style authentication for CIFS clients then there is a limit of 32 groups per username.
I've seen this information in a NetApp knowledge base article, sorry I don't have the reference handy.
If you are using NFS to access the filer then the limit is determined by the client OS. The limit is 32 for most UNIX versions (e.g. Linux), but 16 for some such as MacOS X. This limit includes the primary group.
Additionally, NIS imposes a limit of 1024 characters in a record (line). This is a limitation of NIS, not the UNIX group system per se. The work-around is to have multiple groups with the same GID but slightly different names.
HTH, Jeremy
-- Jeremy Webber Senior Systems Engineer Animal Logic Pty Ltd Phone: +61 2 9383 4837 Fax: +61 2 9383 4801 Switch: +61 2 9383 4800
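
An added example, not code from any poster in this thread: a pre-migration audit of passwd/group-format files against the limits quoted above (32 supplemental gids for ONTAP/WAFL, 16 for NFS AUTH_SYS, 1024 characters per NIS record). The function names and sample data are constructed; it assumes that limits apply to distinct gids and that membership in one's own primary group uses no supplemental slot.

```python
from collections import defaultdict

# Limits as stated in this thread (supplemental group ids per credential).
LIMITS = {"ontap_wafl": 32, "nfs_auth_sys": 16}
NIS_MAX_LINE = 1024  # characters per NIS record, per the thread

def parse_passwd(text):
    """Map user name -> primary gid from passwd(5)-format text."""
    primary = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 4 or not fields[3].isdigit():
            continue
        primary[fields[0]] = int(fields[3])
    return primary

def audit(passwd_text, group_text):
    """Return (supplemental gids per user, over-limit users, over-long group names)."""
    primary = parse_passwd(passwd_text)
    supplemental = defaultdict(set)
    long_lines = []
    for line in group_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 4 or not fields[2].isdigit():
            continue
        if len(line) > NIS_MAX_LINE:
            long_lines.append(fields[0])
        gid = int(fields[2])
        for user in filter(None, (m.strip() for m in fields[3].split(","))):
            # Assumption: distinct gids are what count, so same-gid alias
            # groups and the user's primary gid take no extra slot.
            if primary.get(user) != gid:
                supplemental[user].add(gid)
    over = {name: sorted(u for u, g in supplemental.items() if len(g) > limit)
            for name, limit in LIMITS.items()}
    return supplemental, over, long_lines

def constructed_sample():
    """Constructed input: u0001 in 40 job groups, u0002 in 20, u0003 in 5."""
    counts = {"u0001": 40, "u0002": 20, "u0003": 5}
    passwd = "\n".join(f"{u}:x:{1001 + i}:100::/home/{u}:/bin/sh"
                       for i, u in enumerate(counts))
    group = "\n".join(
        f"j{j:04d}:*:{5000 + j}:" + ",".join(u for u, top in counts.items() if j <= top)
        for j in range(1, 41))
    # Same-gid alias (the NIS work-around from the thread) and the primary group.
    group += "\nj0001b:*:5001:u0003\nusers:*:100:u0001,u0002,u0003"
    return passwd, group

if __name__ == "__main__":
    _, over, long_lines = audit(*constructed_sample())
    print(over, long_lines)
```
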