Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-1827: Samba server stop responding when AD user belongs to more than 16 AD groups

Centrify DirectAudit ,   Centrify DirectControl ,   Centrify Identity Service, Mac Edition ,  

12 April,16 at 11:02 AM

Applies to: Centrify-Enabled Samba Version 3.3.9-4.3.1 on Solaris 10

Problem:
Trying to access a samba share with an AD user that belongs to more than 16 AD groups will get the following error:


Receiving SMB: Server stopped responding
tree connect failed: Call returned zero bytes (EOF)


And log.smbd will throw the following message:

[2009/08/04 15:06:28, 0] lib/util.c:smb_panic(1673)
    PANIC (pid 22067): sys_setgroups failed


Cause:
Solaris has a limit to the number of groups that can be passed into the setgroups(). In order to avoid truncating the group, Samba.org hard coded to check the number of groups that user belongs to and drop the connection if number of groups exceed the max value.

 

When a user logs on to a samba server, it fails to set the user's groups if groups exceeds 16(NGROUP_MAX) limit.  Usually on Linux platforms, NGROUP_MAX in linux supports at most 65535 groups(32 groups before linux-2.6.4), it should be enough for most cases. However for Solaris, this has a much more possibility to cause a panic, Solaris only supports at most 16 groups.


Resolution:
Set "
ignore syssetgroups error = yes" to ignore the number of groups checking.

 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.