Wandering Thoughts archives

2014-05-29

The state of limits on how many groups you can be in (especially for NFS)

It is an article of vague Unix folklore that your users can only be in so many groups before they may start having weird problems or things just fail outright. Depending on who you ask and what conditions you're operating under, this limit might be 16 groups, 32 groups, or a lot more. There are actually two limits: the local system limit and a limit imposed by many NFS configurations.

On modern Unixes that you'll want to use, the local limit is generally high. Based on reading manpages and include headers, on current Linux machines it's 64K groups and on current FreeBSD it's 1023 groups. OpenBSD appears to be quite old fashioned with a 16-group restriction. Current Illumos source defaults to a 16-group limit but this can be tuned in /etc/system with 'set ngroups_max=...' if I'm reading the source code correctly.

(See also this resource for other systems and older releases.)

But all of this local optimism is moot in the face of a long standing NFS restriction. Commonly used parts of the NFS protocol are restricted to using 16 groups at most. This limit dates from the original NFS and has not been raised in NFS v3 or, in a sense, even in NFS v4. More specifically, this limitation is part of the default 'plain Unix permissions' authentication, called AUTH_SYS, that is normally used in NFS v3 and may still be used in NFS v4. In theory you can switch NFS v3 to use something else, but in practice Mike Eisler notes that NLM locking may still cause you problems (that article is good background in general and discusses potential workarounds).

If you have Linux NFS servers there is a potential workaround where you can make the server ignore the list of groups that the clients send and look up group information locally. There is still a size limit but it's much larger. See Kyle Anderson's Solving the NFS 16-Group Limit Problem for the details. I haven't tested this, partly because our NFS servers don't run Linux so I can't use it.

So, in short, we're going to keep bumping into the 16-group limit every so often for some people here and there is no good workaround for us.

(Every so often I set out to investigate something and wind up finding out that there is no good news and things are exactly as my vague memory of folklore thought they were. Today is one of those cases.)

unix/GroupLimitState written at 01:31:04
