KB-1771: Unable to read/write to an NFS/Samba share when user is a member of more than 16 groups

Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April,16 at 11:12 AM

Applies to: All versions of Centrify DirectControl on all platforms

Problem:

A Centrify user who is a member of more than 16 groups is unable to write to an NFS/NAS/Samba share. In Samba level 10 debug logs, the following message may be seen:
  •  [2011/10/20 17:53:03.290707,  0] lib/util.c:1468(smb_panic) PANIC (pid 6543): sys_setgroups failed
Is there any reason for this?


Cause:
  • NFS (version 3) is sensitive to the number of groups a user belongs to. Further investigation indicates it is only able to recognize the first 16 groups.
  • So if a user is a member of more than 16 AD groups, which in turn are mapped to Unix groups within a Zone, access will be denied from group number 17 onwards.
  • The user will not have any read/write/execute permissions on, say, a NAS share that requires the 17th group membership.

Workaround:

Reduce the number of groups or use the adsetgroups command (see man pages on usage) to change the group ordering. 
 
For Samba, there are a couple of options:
  1. Reduce the zone enabled group count per AD user to below 16 
  2. In the [global] section of smb.conf set the following
    • ignore syssetgroups error = Yes
    • (This means the groups will not be applied. If the user is expecting group membership enforcement then this will be a problem, but Samba will work.)
  3. Use an O/S platform such as a modern day Linux (2.6 kernel) where 65535 groups are supported.
Note:
  • This is a temporary solution. For local users, the groups are returned based on the order in which the groups are defined in the /etc/group file.
  • For example, if Group01 - Group16 are defined in incremental order in /etc/group, running the groups command will display the groups in the same order. Mixing up the order in the file will be reflected in the command output accordingly. For AD users, it depends on the ordering, which is alphabetic.

Resolution: 

This is a non-Centrify issue, as it will happen on systems with or without Centrify installed.
At the time of writing, reducing the number of groups, or using NFS V4 (which has been reported to not have this limitation) is the only known solution.
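
To decide which groups to trim or reorder, it helps to see which of a user's groups fall past the limit described above. The script below is an added example, not Centrify tooling; the function names and sample GIDs are constructed, and the limit of 16 is the one stated in this article.

```shell
#!/bin/sh
# Added example: find which of a user's GIDs fall past the 16-group limit
# this article describes. GIDs are used because AD group names may contain
# spaces, which makes `id -Gn` output ambiguous.

NFS_GROUP_LIMIT=16   # limit stated in this article

# gid_position "<gid list>" <gid>: print 1-based position, 0 if absent.
gid_position() {
    pos=0; i=0
    for g in $1; do
        i=$((i + 1))
        if [ "$g" = "$2" ]; then pos=$i; break; fi
    done
    echo "$pos"
}

# classify_access "<gid list>" <required gid>
# Prints ok, beyond-limit or not-member.
classify_access() {
    p=$(gid_position "$1" "$2")
    if [ "$p" -eq 0 ]; then echo "not-member"
    elif [ "$p" -gt "$NFS_GROUP_LIMIT" ]; then echo "beyond-limit"
    else echo "ok"
    fi
}

# gids_beyond_limit "<gid list>": print the GIDs at position 17 and later.
gids_beyond_limit() {
    i=0; out=""
    for g in $1; do
        i=$((i + 1))
        if [ "$i" -gt "$NFS_GROUP_LIMIT" ]; then out="${out:+$out }$g"; fi
    done
    echo "$out"
}

# check_user <user> <required gid>: live check. Assumes the order printed
# by `id -G` is the order in which the groups are applied.
check_user() {
    list=$(id -G "$1") || return 2
    echo "$1: $(classify_access "$list" "$2"); past limit: $(gids_beyond_limit "$list")"
}

# Constructed sample: 18 GIDs in the form `id -G` prints them.
SAMPLE="5000 5001 5002 5003 5004 5005 5006 5007 5008 5009 5010 5011 5012 5013 5014 5015 5016 5017"
classify_access "$SAMPLE" 5016   # the 17th entry
```

On a live system, `check_user <user> <gid of the share's group>` applies the same classification to the output of `id -G`.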
