[prev in list] [next in list] [prev in thread] [next in thread]
List: pam-list
Subject: RE: pam list size limit?
From: "Wendy Palm" <wendy () cray ! com>
Date: 2009-02-04 23:56:52
Message-ID: 925346A443D4E340BEB20248BAFCDBDF097E8873 () CFEVS1-IP ! americas ! cray ! com
[Download RAW message or body]
--===============1725636134==
Content-class: urn:content-classes:message
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C98724.40CB7FBA"
This is a multi-part message in MIME format.
Getent shows the correct group entries, so I think PAM is still the
problem.
I was able to reproduce the whole problem on local SLES9sp2 and
SLES10sp1 systems
I created 4000 users named user1000-user4999 (uid1000-4999)
Users have a primary group of some other group, and the secondary group
of "allowed"
Set up PAM as the following (obviously extremely basic):
/etc/security/access.conf
# allow root from anywhere
+:root:ALL
# the only non-root users allowed are in the group "allowed"
+:allowed:ALL
# disallow all other logins
-:ALL:ALL
/etc/pam.d/sshd
account required pam_access.so
On the SLES9sp2 system, I was able to put all 4000 users into the
"allowed" group, and
all 4000 users were able log in with no problem.
I repeated the experiment on the SLES10sp1 system, and ran into a
problem at user1962.
Not only does user1962 have problems, but ALL the users in the group
fail.
add users user1000-user1961 to "allowed" in /etc/group, see user1961 can
log in (from the /var/log/messages file)
Feb 4 17:35:54 src@blox sshd 26 [auth.info] sshd[21697]: Accepted
keyboard-interactive/pam for user1961 from 172.30.31.44 port 23054 ssh2
add user1962 to group "allowed" & try to ssh user1962, then try to ssh
user1961 (which just got in a minute before)
Feb 4 17:36:11 src@blox sshd 53 [authpriv.err] sshd[21791]:
pam_access(sshd:account): access denied for user `user1962\' from
`iss-eth100.us.cray.com\'
Feb 4 17:36:11 src@blox sshd 23 [auth.err] sshd[21789]: error: PAM:
Permission denied for user1962 from iss-eth100.us.cray.com
Feb 4 17:36:27 src@blox sshd 53 [authpriv.err] sshd[21816]:
pam_access(sshd:account): access denied for user `user1961\' from
`iss-eth100.us.cray.com\'
Feb 4 17:36:27 src@blox sshd 23 [auth.err] sshd[21814]: error: PAM:
Permission denied for user1961 from iss-eth100.us.cray.com
"grep allowed /etc/group" shows the whole line, including
user1000-user1962
wendy@blox:~> grep allowed /etc/group | wc -c
8682
"getent group allowed" shows the whole group entry, including
user1000-user1962
wendy@blox:~> getent group allowed | wc -c
8682
I can't find anything else having problems in the system.
I wondered if this might be related to some kind of side-effect of ksh
changing over from pdksh to ksh, but I can't figure out how.
It seems more like the build Novell did added some kind of limit that
I can't find here.
From: pam-list-bounces@redhat.com [mailto:pam-list-bounces@redhat.com]
On Behalf Of Jon Miller
Sent: Wednesday, January 28, 2009 7:38 PM
To: Pluggable Authentication Modules
Subject: Re: pam list size limit?
The 'getent' command is independent of any other operations occurring on
your machine, so it is quite harmless to test. For example, logging into
your machine and running "getent group root" should simply show you the
'root' group entry. Now substitute 'root' for your group name and see
how many members you see.
You can have 'awk' count them for you. In the case of the 'root' group,
I can issue the command "getent group root | awk -F, '{ print NF }'".
See if the count is what you are expecting. If you are not getting the
expected +2500 entries then you know it is not a PAM issue.
-- Jon Miller
2009/1/28 Wendy Palm <wendy@cray.com>
I can't test the getent command right now. we have a workaround in
place that I'd have to disengage to test it out.
I'm at SP1. Pam version in SP1 is 0.99.6.3-28.8 and didn't change in
sp2 - are there any specific packages you might recommend updating to
sp2? It's not feasible for me to wholesale change the whole system to
sp2, so targeting packages for experimentation would be easier.
From: pam-list-bounces@redhat.com [mailto:pam-list-bounces@redhat.com]
On Behalf Of Jon Miller
Sent: Wednesday, January 28, 2009 6:06 PM
To: Pluggable Authentication Modules
Subject: Re: pam list size limit?
Are you sure the issue is with pam_access? How many entries do you get
when you run "getent group <grpname>" ?
Finally, what level SP are you at on your SLES10 machine? If you're not
at SP2, you could try updating to that. I've found SP2 to have solved a
lot of issues.
-- Jon Miller
2009/1/28 Wendy Palm <wendy@cray.com>
We have a site that uses pam to regulate user logins, and has a unix
group in excess of 2500 user entries which is specified in the
access.conf file.
They were running SLES9 (pam-0.77-221.4) and had no problems. However,
updating to SLES10 (pam-0.99.6.3-28.8), they are now having problems
with the group list truncating at about 1100 user entries.
Was some default limit changed? I checked the archives, but didn't see
anything blatent announcing this. I checked the ChangeLog in the source
code and found an entry that is suspicious (2005-12-21 Tomas Mraz
simplifying evaluate_ingroup), but again, nothing blatent.
What is the limit? How can I change it (preferably without
recompiling)? Is this at all possible?
Thanks,
Wendy
---------------------------------
Wendy Palm
Security Software Engineer
wendy at cray dot com
_______________________________________________
Pam-list mailing list
Pam-list@redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
_______________________________________________
Pam-list mailing list
Pam-list@redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
[Attachment #3 (text/html)]
<html xmlns:v="urn:schemas-microsoft-com:vml" \
xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns:x="urn:schemas-microsoft-com:office:excel" \
xmlns:p="urn:schemas-microsoft-com:office:powerpoint" \
xmlns:a="urn:schemas-microsoft-com:office:access" \
xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" \
xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" \
xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" \
xmlns:b="urn:schemas-microsoft-com:office:publisher" \
xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" \
xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" \
xmlns:odc="urn:schemas-microsoft-com:office:odc" \
xmlns:oa="urn:schemas-microsoft-com:office:activation" \
xmlns:html="http://www.w3.org/TR/REC-html40" \
xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:D="DAV:" \
xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" \
xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" \
xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" \
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" \
xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" \
xmlns:udc="http://schemas.microsoft.com/data/udc" \
xmlns:xsd="http://www.w3.org/2001/XMLSchema" \
xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" \
xmlns:ec="http://www.w3.org/2001/04/xmlenc#" \
xmlns:sp="http://schemas.microsoft.com/sharepoint/" \
xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" \
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" \
xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" \
xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" \
xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" \
xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" \
xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" \
xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" \
xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" \
xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" \
xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" \
xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" \
xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" \
xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" \
xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" \
xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" \
xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" \
xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="" \
xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Arial","sans-serif";
color:#1F497D;
font-weight:normal;
font-style:normal;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>Getent shows the correct group entries, so I think PAM is still
the problem.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>I was able to reproduce the whole problem on local SLES9sp2 and
SLES10sp1 systems<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>I created 4000 users named user1000-user4999 \
(uid1000-4999)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>Users have a primary group of some other group, and the
secondary group of "allowed"<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>Set up PAM as the following (obviously extremely \
basic):<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>/etc/security/access.conf <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'># allow root from anywhere<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>+:root:ALL<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'># the only non-root users allowed are in the group
"allowed"<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>+:allowed:ALL<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'># disallow all other logins<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>-:ALL:ALL<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>/etc/pam.d/sshd<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>account
required pam_access.so<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>On the SLES9sp2 system, I was able to put all 4000 users into
the "allowed" group, and<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>all 4000 users were able log in with no problem.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>I repeated the experiment on the SLES10sp1 system, and ran into
a problem at user1962.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>Not only does user1962 have problems, but ALL the users in the
group fail. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>add users user1000-user1961 to "allowed" in
/etc/group, see user1961 can log in (from the /var/log/messages \
file)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>Feb 4 17:35:54 src@blox sshd 26 [auth.info] sshd[21697]:
Accepted keyboard-interactive/pam for user1961 from 172.30.31.44 port 23054
ssh2<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>add user1962 to group "allowed" & try to ssh
user1962, then try to ssh user1961 (which just got in a minute \
before)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>Feb 4 17:36:11 src@blox sshd 53 [authpriv.err]
sshd[21791]: pam_access(sshd:account): access denied for user `user1962\' from
`iss-eth100.us.cray.com\'<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>Feb 4 17:36:11 src@blox sshd 23 [auth.err] sshd[21789]:
error: PAM: Permission denied for user1962 from \
iss-eth100.us.cray.com<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>Feb 4 17:36:27 src@blox sshd 53 [authpriv.err]
sshd[21816]: pam_access(sshd:account): access denied for user `user1961\' from
`iss-eth100.us.cray.com\'<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>Feb 4 17:36:27 src@blox sshd 23 [auth.err] sshd[21814]:
error: PAM: Permission denied for user1961 from \
iss-eth100.us.cray.com<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>"grep allowed /etc/group" shows the whole line,
including user1000-user1962<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>wendy@blox:~> grep allowed /etc/group | wc -c<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>8682<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>"getent group allowed" shows the whole group entry,
including user1000-user1962<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>wendy@blox:~> getent group allowed | wc -c<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>8682<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>I can't find anything else having problems in the \
system.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>I wondered if this might be related to some kind of side-effect
of ksh changing over from pdksh to ksh, but I can't figure out \
how.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'> It seems more like the build Novell did added some kind
of limit that I can't find here.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span \
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span \
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> \
pam-list-bounces@redhat.com [mailto:pam-list-bounces@redhat.com] <b>On Behalf Of \
</b>Jon Miller<br> <b>Sent:</b> Wednesday, January 28, 2009 7:38 PM<br>
<b>To:</b> Pluggable Authentication Modules<br>
<b>Subject:</b> Re: pam list size limit?<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>The 'getent' command is
independent of any other operations occurring on your machine, so it is quite
harmless to test. For example, logging into your machine and running
"getent group root" should simply show you the 'root' group entry.
Now substitute 'root' for your group name and see how many members you see. <br>
<br>
You can have 'awk' count them for you. In the case of the 'root' group, I can
issue the command "getent group root | awk -F, '{ print NF }'". See
if the count is what you are expecting. If you are not getting the expected
+2500 entries then you know it is not a PAM issue.<br>
<br>
-- Jon Miller<o:p></o:p></p>
<div>
<p class=MsoNormal>2009/1/28 Wendy Palm <<a \
href="mailto:wendy@cray.com">wendy@cray.com</a>><o:p></o:p></p>
<div>
<div>
<p><span style='font-size:10.0pt;color:#1F497D'>I can't test the getent command
right now. we have a workaround in place that I'd have to disengage to
test it out.</span><o:p></o:p></p>
<p><span style='font-size:10.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:10.0pt;color:#1F497D'>I'm at SP1. Pam version
in SP1 is 0.99.6.3-28.8 and didn't change in sp2 – are there any specific
packages you might recommend updating to sp2? It's not feasible for me to
wholesale change the whole system to sp2, so targeting packages for
experimentation would be easier.</span><o:p></o:p></p>
<p><span style='font-size:10.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div style='border:none;border-left:solid windowtext 1.5pt;padding:0in 0in 0in 4.0pt;
border-color:-moz-use-text-color -moz-use-text-color -moz-use-text-color blue'>
<div>
<div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;
border-color:-moz-use-text-color -moz-use-text-color'>
<p><b><span style='font-size:10.0pt'>From:</span></b><span style='font-size:
10.0pt'> <a href="mailto:pam-list-bounces@redhat.com" \
target="_blank">pam-list-bounces@redhat.com</a> [mailto:<a \
href="mailto:pam-list-bounces@redhat.com" \
target="_blank">pam-list-bounces@redhat.com</a>] <b>On Behalf Of </b>Jon Miller<br>
<b>Sent:</b> Wednesday, January 28, 2009 6:06 PM<br>
<b>To:</b> Pluggable Authentication Modules<br>
<b>Subject:</b> Re: pam list size limit?</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p> <o:p></o:p></p>
<p style='margin-bottom:12.0pt'>Are you sure the issue is with pam_access? How
many entries do you get when you run "getent group <grpname>" ?<br>
Finally, what level SP are you at on your SLES10 machine? If you're not at SP2,
you could try updating to that. I've found SP2 to have solved a lot of issues. <br>
<br>
-- Jon Miller<o:p></o:p></p>
<div>
<p>2009/1/28 Wendy Palm <<a href="mailto:wendy@cray.com" \
target="_blank">wendy@cray.com</a>><o:p></o:p></p>
<div>
<div>
<p><span style='font-size:10.0pt'>We have a site that uses pam to regulate user
logins, and has a unix group in excess of 2500 user entries which is specified
in the access.conf file.</span><o:p></o:p></p>
<p><span style='font-size:10.0pt'> </span><o:p></o:p></p>
<p><span style='font-size:10.0pt'>They were running SLES9 (pam-0.77-221.4) and
had no problems. However, updating to SLES10 (pam-0.99.6.3-28.8), they are
now having problems with the group list truncating at about 1100 user \
entries.</span><o:p></o:p></p>
<p><span style='font-size:10.0pt'> </span><o:p></o:p></p>
<p><span style='font-size:10.0pt'>Was some default limit changed? I
checked the archives, but didn't see anything blatent announcing this. I
checked the ChangeLog in the source code and found an entry that is suspicious
(2005-12-21 Tomas Mraz simplifying evaluate_ingroup), but again, nothing
blatent.</span><o:p></o:p></p>
<p><span style='font-size:10.0pt'> </span><o:p></o:p></p>
<p><span style='font-size:10.0pt'>What is the limit? How can I change it
(preferably without recompiling)? Is this at all \
possible?</span><o:p></o:p></p>
<p><span style='font-size:10.0pt'> </span><o:p></o:p></p>
<p><span style='font-size:10.0pt'>Thanks,</span><o:p></o:p></p>
<p><span style='font-size:10.0pt'>Wendy</span><o:p></o:p></p>
<p><span style='font-size:10.0pt'> </span><o:p></o:p></p>
<p><span style='font-size:10.0pt'> </span><o:p></o:p></p>
<p> <o:p></o:p></p>
<p>---------------------------------<o:p></o:p></p>
<p>Wendy Palm<o:p></o:p></p>
<p>Security Software Engineer<o:p></o:p></p>
<p>wendy at cray dot com<o:p></o:p></p>
<p> <o:p></o:p></p>
</div>
</div>
<p><br>
_______________________________________________<br>
Pam-list mailing list<br>
<a href="mailto:Pam-list@redhat.com" target="_blank">Pam-list@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/pam-list" \
target="_blank">https://www.redhat.com/mailman/listinfo/pam-list</a><o:p></o:p></p>
</div>
<p> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<p class=MsoNormal><br>
_______________________________________________<br>
Pam-list mailing list<br>
<a href="mailto:Pam-list@redhat.com">Pam-list@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/pam-list" \
target="_blank">https://www.redhat.com/mailman/listinfo/pam-list</a><o:p></o:p></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</body>
</html>
_______________________________________________
Pam-list mailing list
Pam-list@redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
--===============1725636134==--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic