Listing a user with the Unix id command shows incomplete group membership for an AD user: the primary group is shown, but not all secondary groups. sudo -l -U <user> does not show data. The user cannot access a Samba share even though membership in the group should allow it.
This is due to a third-party OS limitation.
This can cause issues when controlling access through secondary groups (for example, with Samba).
For example, when the user below runs id -a, some of his secondary groups are not included.
bash-3.00# id -a user1
uid=1011(user1) gid=999(pg) groups=1001(grp1), 1002(grp2), 1003(grp3), 1004(grp4), 1005(grp5), 1006(grp6), 1007(grp7), 1008(grp8), 1009(grp9), 1010(grp10), 1011(grp11), 1012(grp12), 1013(grp13), 1014(grp14), 1015(grp15), 1016(grp16), 1017(grp17), 1018(grp18), 1019(grp19), 1020(grp20)
bash-3.00# su user1
bash-3.00$ id -a
uid=1011(user1) gid=999(pg) groups=999(pg), 1001(grp1), 1002(grp2), 1003(grp3), 1004(grp4), 1005(grp5), 1006(grp6), 1007(grp7), 1008(grp8), 1009(grp9), 1010(grp10), 1011(grp11), 1012(grp12), 1013(grp13), 1014(grp14), 1015(grp15)
You can retrieve the maximum number of secondary groups by running:
bash-3.00# getconf NGROUPS_MAX
16
This is an operating system limitation; please contact the OS vendor for more information on increasing this limit.
OS : NGROUPS_MAX default
AIX 5.2 : 64
AIX 5.3 / 6.1 : 128
HP-UX : 20
Linux : 65536 (Kernel 2.6 upwards)
MacOSX : 16
SunOS : 16
Tru64 : 32
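The check below is an added example, not part of the original article or the vendor's tooling: given an id -a line and an NGROUPS_MAX value, it lists the groups that would not fit. It assumes, as in the sample output above, that the session keeps the primary group plus the first secondary groups in listed order; dropped_groups and check_user are hypothetical names.

```sh
#!/bin/sh
# Added example: list the groups that do not fit within NGROUPS_MAX.
# Assumption: the session keeps the primary group plus the first secondary
# groups in listed order, as in the sample output in this article.

# dropped_groups "<id -a output line>" <limit>
# Prints one dropped group per line; prints nothing when everything fits.
dropped_groups() {
    printf '%s\n' "$1" | awk -v limit="$2" '
    {
        # Primary group from the gid= field, e.g. gid=999(pg) -> 999(pg)
        if (!match($0, /gid=[0-9]+\([^)]*\)/)) next
        primary = substr($0, RSTART + 4, RLENGTH - 4)
        # Keep only the comma-separated list after groups=
        if (!sub(/^.*groups=/, "")) next
        n = split($0, g, /, */)
        kept = 1                          # the primary group uses one slot
        for (i = 1; i <= n; i++) {
            if (g[i] == primary) continue # already counted above
            if (kept < limit) kept++
            else print g[i]
        }
    }'
}

# check_user <name>: run the check against the limit of the live system.
check_user() {
    line=$(id -a "$1") || return 1
    limit=$(getconf NGROUPS_MAX) || return 1
    dropped=$(dropped_groups "$line" "$limit")
    [ -z "$dropped" ] && return 0
    printf '%s exceeds NGROUPS_MAX=%s; not applied at login:\n%s\n' \
        "$1" "$limit" "$dropped"
    return 2
}

# Sample line copied from the id -a output in this article (20 secondary groups).
SAMPLE='uid=1011(user1) gid=999(pg) groups=1001(grp1), 1002(grp2), 1003(grp3), 1004(grp4), 1005(grp5), 1006(grp6), 1007(grp7), 1008(grp8), 1009(grp9), 1010(grp10), 1011(grp11), 1012(grp12), 1013(grp13), 1014(grp14), 1015(grp15), 1016(grp16), 1017(grp17), 1018(grp18), 1019(grp19), 1020(grp20)'
dropped_groups "$SAMPLE" 16
```

Running check_user with a user name applies the same check using the host's own getconf NGROUPS_MAX value and returns 2 when groups would be dropped.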