Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-1827: Samba server stop responding when AD user belongs to more than 16 AD groups

Auditing and Monitoring Service ,   Authentication Service ,   Mac & PC Management Service ,  

12 April,16 at 11:02 AM

Applies to: Centrify-Enabled Samba Version 3.3.9-4.3.1 on Solaris 10

Problem:
Trying to access a samba share with an AD user that belongs to more than 16 AD groups will get the following error:

Receiving SMB: Server stopped responding
tree connect failed: Call returned zero bytes (EOF)

And log.smbd will throw the following message:

[2009/08/04 15:06:28, 0] lib/util.c:smb_panic(1673)
    PANIC (pid 22067): sys_setgroups failed

Cause:
Solaris has a limit to the number of groups that can be passed into the setgroups(). In order to avoid truncating the group, Samba.org hard coded to check the number of groups that user belongs to and drop the connection if number of groups exceed the max value.

 

When a user logs on to a samba server, it fails to set the user's groups if groups exceeds 16(NGROUP_MAX) limit.  Usually on Linux platforms, NGROUP_MAX in linux supports at most 65535 groups(32 groups before linux-2.6.4), it should be enough for most cases. However for Solaris, this has a much more possibility to cause a panic, Solaris only supports at most 16 groups.


Resolution:
Set "ignore syssetgroups error = yes" to ignore the number of groups checking.
 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6041: How to show current license type in use by adclient articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-3925: How to add Centrify parameter to a group policy articleKB-1771: Unable to read/write to a NFS/Samba share when user is more than 16 groups articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-6050: How to configure a group for automatic Kerberos Credentials for infinite renewal?