Poll - too many groups for solaris?
jonwood
Hello all,
We just ran into problems with this recently and I wondered how everyone else is handling it. The problem is the 16 group limitation on solaris. We have a production box running TS 552 and solaris 7. There are ~800 users & ~800 groups (one group per branch/website). Well, there are quite a few users that belong to 50+ groups (aka branches) and some users that have access to ALL 800 groups. This all works fine.
However, now we're building a TS 6.5, solaris 9 box. And it now appears that if one user belongs to more than 16 groups, the user cannot access the groups not in the first 16 (as reported by 'groups username').
I am very interested to know how others are managing users belonging to many groups on solaris.
Thank you.
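The audit the question above implies, as an added example that is not part of the original thread: a POSIX shell function that reads a group(4)-format file and lists every account named in more than 16 groups. The function names and the sample data are assumptions made for illustration, and the primary group from /etc/passwd is not counted.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Reports accounts listed as members of more than LIMIT groups in a
# group(4)-format file: name:passwd:gid:member,member,...
# The primary group from /etc/passwd is not counted.

over_group_limit() {
    # $1 = group file, $2 = limit (default 16, the figure from the thread)
    awk -F: -v limit="${2:-16}" '
        NF >= 4 && substr($1, 1, 1) != "#" {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) {
                u = members[i]
                gsub(/[ \t]/, "", u)       # tolerate stray whitespace
                # count each (user, group) pair once, even if listed twice
                if (u != "" && !seen[u, $1]++) count[u]++
            }
        }
        END {
            for (u in count)
                if (count[u] > limit) printf "%s %d\n", u, count[u]
        }
    ' "$1" | sort
}

make_sample_groups() {
    # Constructed sample data: editor1 is in 17 branch groups, editor2 in 2.
    i=1
    while [ "$i" -le 17 ]; do
        members="editor1"
        if [ "$i" -le 2 ]; then members="editor1,editor2"; fi
        printf 'branch%02d::%d:%s\n' "$i" "$((1000 + i))" "$members"
        i=$((i + 1))
    done
}

# Demo on the constructed sample; on a real host pass /etc/group instead.
sample=$(mktemp)
make_sample_groups > "$sample"
over_group_limit "$sample" 16
rm -f "$sample"
```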
Comments
nipper
That is a well-known limit. TS 6.5 has new functionality to manage the number of groups used within TeamSite. Check the admin manual.
BTW, IIRC, the limit is not in Solaris, but in NFS and should not have worked correctly in Solaris 2.7.
Andy
mike_jaixen
Our LDAP repository on Solaris 8 bombed out at around 100 groups, so we've been forced to create fewer, larger groups and share groups across larger areas of the company.
jonwood
nipper - Why 800+ groups worked with NFS on our solaris 7 box, the world may never know. But it worked, and it worked well, so it was unchanged. ...something about a gift horse, you know?
mike - I can relate to "bombed out", but why did you not go with tsgroups instead?
others - Are we the only ones with a "magic" solaris 7 box that handled 800+ groups? Also, I'd like to hear how tsgroups work for those who went that route.
skip11
Hi,
tsgroups allows you to pull the entries for users out of /etc/group and put them into a black box where the group on the branch is then set to iwglobal. Some shortcomings I have experienced (just niggles, but not serious enough to turn from use of the tool when we go to 6.5) is that any modification on a unix implementation must be done as root or with sudo. The iwgroup commandline tool allows for all scenarios to add, delete, modify, and a nice feature to do all that with a switch to read in an xml based file. You can also output to an xml file. So if you have all your users' primary GID the same (for unix set in /etc/passwd) the /etc/group file will be effectively entirely bypassed and the flaw in Berkeley NFS is not a bother any more.
Regards,
R.Barger
Credit Suisse Group
Zurich, Switzerland
Adam Stoller
FYI - if you see anything here that would impact you - contact support and have your organization's name added to the bug/feature request:
Bug #59728 - iwgroup listgroups output issues
Given: sudo iwgroup listgroups -a
Warnings about invalid OS users are sent to STDOUT rather than STDERR
The output begins with the string [on STDOUT] "Listing all groups"
Both of these are problems because it makes it significantly less convenient to use the output from this command as the input to another command via pipes (standard UNIX CLT usage)
The output does not show the gid [number] associated with each group
This (a) should be optional, controlled by an additional command line flag, and (b) matters when trying to correlate information between OS groups and TS groups.
Bug #59107 - iwgroup deletemember cannot be used to fix invalid userid errors
Our initial load of the group information into the system via iwgroup contained a userid, which is no longer valid, as a member of several groups. When the server starts up / when we run the iwgroup command - we see messages such as:
Warning:Invalid OS user hstewart in osdfs
However, if I try to remove this user from the group using:
sudo iwgroup deletemember -u hsteward osdfs
I get the following error (followed by the usage information - which tends to obscure the error since it scrolls it off the screen!):
-u <user> has to be a valid OS user
Consequently - I am forced to HAND-EDIT the iwhome/conf/tsgroups.xml file to remove the offending entry -- this should not be required as it introduces the possibility of messing up the contents of the file to make it syntactically incorrect which may break other things.
FR #57864 - TS6.5 iwgroup - need ability to run as non-root
While I can understand the reason to limit access to the creation and modification aspects of this command to root -- we have need to be able to access the querying capabilities of this command as non-root and this does not seem possible.
A significant portion of our workflow operation centers on determining what groups a user is a member of - and this is usually done by externaltask code which is run as the logged-in user.
In 5.5.2, we used the OS groups and were able to *read* /etc/group as any user to perform this kind of querying operation.
In 6.5, we would like to use the new iwgroup functionality, but we will *not* be able to do so if we cannot access operations like 'listgroups' and 'listmembers' as non-root users.
Bug #58412 - TS6.5 iwgroup - unable to read symlink
We have three similar but different environments (DEV, TEST, PROD) as such we will have similar but different group entries for each environment. We are planning to use TeamSite groups to manage this.
I create three files (groups.DEV, group.TEST, groups.PROD) all of which are XML files following the DTD as specified for iwgroup addmembers command.
As part of our maintenance/release process I have the three variant files versioned in TeamSite and use OpenDeploy to transfer them to the local disk (into IWHOME/etc/ in this case)
My plan was to create a symlink in that directory to point to the specific variant that the server represents so that I don't have to figure that out on the fly in order to do a file copy or some such as part of the deployment -- so I do essentially:
ln -s $IWHOME/etc/groups.PROD $IWHOME/etc/groups.xml
As myself (not root) I can do:
head $IWHOME/etc/groups.xml
and see the contents of the file.
I then run:
sudo iwgroup addmembers -if $IWHOME/etc/groups.xml
and iwgroup errors out saying that it was "Unable to open file ...../groups.xml"
--fish
Senior Consultant, Quotient Inc.
http://www.quotient-inc.com