Re: Increasing NGROUPS_MAX


  • Subject: Re: Increasing NGROUPS_MAX
  • From: Terry Lambert <email@hidden>
  • Date: Wed, 23 Sep 2009 03:08:36 -0700

On Sep 23, 2009, at 2:29 AM, Kristan Klett <email@hidden> wrote:
> I'm using dovecot as imap mailserver on my Desktop Mac Mini. Since my upgrade to SL I cannot login to imap mailserver because my account is defined to more than 16 groups since having upgraded to SL (not the Server Edition). I can find 19 groups where at least 14 are groups introduced for sharepoint connectivity.
>
> dovecot fails with the system routine setgroups() Error EINVAL.
> How can I increase the system variable NGROUPS_MAX in order to support 32 groups with the system call systemgroups()?
>
> I'd like to increase this without recompiling the Kernel ;-)

You can't do that, and you should not be trying.

Directory services supports an arbitrary number of group memberships, including groups of groups, and it does so by virtue of the question of enumeration of the groups list for a given user (mostly) never coming up.

Instead, all kernel authorization operations around the Tiger timeframe were modified to ask the question "can actor A perform operation B on object C?". At the same time a new field, cr_gmuid was added to the BSD credential, and then the question that gets asked is "is kauth_cred_t a member of group X?" to make group membership based authorization decisions. The first line of inquiry is test_gid vs. cr_groups[0..cr_ngroups], and then if the answer is "no" and cr_gmuid is set, it calls out to user space to ask "is cr_gmuid a member of group X?", which directory services then answers.

None of this should keep you out of your IMAP server, since your IMAP server could care less who you really are, so long as your mail client presents a valid account name and SASL password and you get an appropriate euid and egid for file permissions enforcement.

However, instead of just being what it's good at and IMAPing away, it looks like your server is calling setgroups() in order to try and be an authentication gatekeeper process and establish real local credentials, instead of the minimum credential that would work. If it's going to do that, it should be a good citizen and use the PAM modules to authenticate against directory services, instead of trying to fake up a credential on its own. If on the other hand it's something like sshd or telnetd, it should be internally running /bin/login to do its session management. For one thing, it will have an incredibly tough time of it unless it calls initgroups instead of setgroups. Even then, it's still going to have a tough time of it because there is a very specific order of operations required to opt a newly created credential into external group membership resolution by directory services, parts of which require that both the client and server are bound into the same security association. This is necessary so that the vended group list is identical in both places so directory services gives the same answer to the "is cr_gmuid a member of group X?" question.

-- Terry
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
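The two-stage membership check Terry describes (scan the 16-entry cr_groups list first, then ask directory services about cr_gmuid) and the setgroups() EINVAL that started the thread, as an added user-space model that is not XNU code and not part of this list message. Field names follow the message; the 16-entry limit, the resolver callback and the uid/gid values are constructed for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define KAUTH_NGROUPS_MAX 16            /* assumed: the 16-slot in-credential list */
#define KAUTH_UID_NONE    ((uint32_t)-1) /* assumed sentinel for "no gmuid set" */

/* Toy model of the BSD credential fields named in the thread, not the real struct. */
struct cred_model {
    uint32_t cr_ngroups;
    uint32_t cr_groups[KAUTH_NGROUPS_MAX];
    uint32_t cr_gmuid;   /* uid that directory services is asked about, if set */
};

/* Stand-in for the user-space directory services "is uid in gid?" call-out. */
typedef bool (*gm_resolver_fn)(uint32_t uid, uint32_t gid);

/* Model of setgroups(): a list longer than the credential array fails with EINVAL. */
int model_setgroups(struct cred_model *cr, const uint32_t *gids, size_t n) {
    if (n > KAUTH_NGROUPS_MAX) return EINVAL;
    for (size_t i = 0; i < n; i++) cr->cr_groups[i] = gids[i];
    cr->cr_ngroups = (uint32_t)n;
    return 0;
}

/* "Is this credential a member of gid?" in the order Terry describes: 1 yes, 0 no. */
int model_is_member(const struct cred_model *cr, uint32_t gid, gm_resolver_fn resolve) {
    for (uint32_t i = 0; i < cr->cr_ngroups; i++)
        if (cr->cr_groups[i] == gid) return 1;               /* hit in cr_groups[] */
    if (cr->cr_gmuid != KAUTH_UID_NONE && resolve != NULL)
        return resolve(cr->cr_gmuid, gid) ? 1 : 0;           /* ask directory services */
    return 0;
}

/* Constructed resolver: uid 501 belongs to the 19 gids 1000..1018. */
bool sample_resolver(uint32_t uid, uint32_t gid) {
    return uid == 501 && gid >= 1000 && gid <= 1018;
}

/* Replays the thread's 19-group scenario; each passing step sets one bit (all pass = 31). */
int run_scenario(void) {
    struct cred_model cr = { .cr_ngroups = 0, .cr_gmuid = KAUTH_UID_NONE };
    uint32_t gids[19];
    for (uint32_t i = 0; i < 19; i++) gids[i] = 1000 + i;
    int r = 0;
    if (model_setgroups(&cr, gids, 19) == EINVAL) r |= 1;           /* what dovecot hit */
    if (model_setgroups(&cr, gids, 16) == 0) r |= 2;                /* list truncated to 16 */
    if (model_is_member(&cr, 1018, sample_resolver) == 0) r |= 4;   /* 19th gid unreachable */
    cr.cr_gmuid = 501;                                               /* opt in to resolution */
    if (model_is_member(&cr, 1018, sample_resolver) == 1) r |= 8;   /* now answered externally */
    if (model_is_member(&cr, 2000, sample_resolver) == 0) r |= 16;  /* non-member still denied */
    return r;
}
```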


  • Follow-Ups:
    • Re: Increasing NGROUPS_MAX
      • From: Kristan Klett <email@hidden>
  • References:
    • Increasing NGROUPS_MAX (From: Kristan Klett <email@hidden>)
