YannickBergeron

What is the limit on the maximum number of groups a user can be a member of

‏2011-01-13T16:49:37Z
I'm currently reading
http://publib.boulder.ibm.com/infocenter/clresctr/vxrx/topic/com.ibm.cluster.gpfs.doc/gpfs_faqs/gpfsclustersfaq.pdf

One of the FAQs is
"What is the limit on the maximum number of groups a user can be a member of when accessing a GPFS file system?"

The short answer for AIX is 128.
However, I'm wondering if it's still the case.
AIX 6.1 TL6 and AIX 7.1 now support 2048 groups per user.
Is GPFS 3.4 still limited to 128?
If so, any ETA of when this could be modified to target a higher value, like 2048?
  • bhartner

    Re: What is the limit on the maximum number of groups a user can be a member of

    ‏2011-01-25T03:15:13Z  in response to YannickBergeron
    Limit is still 128 with no ETA of increasing.
  • Tucks

    Re: What is the limit on the maximum number of groups a user can be a member of

    ‏2012-07-06T11:11:20Z  in response to YannickBergeron
    Another related issue that you might not be aware of is that the number of groups that can be correctly enumerated by LDAP is 16 or 32, depending on your UNIX flavour/age.

    You can be a member of > 16/32 groups, but if you try to write into a directory which is owned by the 17th/33rd+ group in your group list, where you are not an owner, then you will not have permission to do so.
    • SystemAdmin

      Re: What is the limit on the maximum number of groups a user can be a member of

      ‏2012-07-06T14:43:49Z  in response to Tucks
      The 16-group limit is part of the NFS protocol, not necessarily a limit when accessing local filesystems or for any other uses of group membership (and I'm not aware of LDAP query limits on the number of groups).

      See: http://nfsworld.blogspot.com/2005/03/whats-deal-on-16-group-id-limitation.html

      I assume that GPFS uses NFS-like mechanisms, particularly since clients report NFS related errors in response to some GPFS events.

      The most practical work-around to the group membership limit is to use file Access Control Lists to apply permissions, rather than groups. In our environment, we continue to maintain traditional groups in the NIS directory service, as they are easy to query (yp-commands, getent, etc.) and widely used. However, we read the group data and use that to generate commands to set ACLs. Thus, adding or removing users continues to use the standard (or local) tools, and the group permissions are defined in one place (NIS), and those permissions are applied to directories whenever the group is updated.
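
The workaround described in the reply above, sketched as an added example; it is not code from the thread or from the poster's environment. It assumes group data in `getent group` format and the Linux `setfacl` tool (substitute your platform's ACL command); the group-to-directory mapping and all names and paths are hypothetical. Members are expanded to per-user ACL entries so access does not depend on the group list, and users who left a group are revoked.

```python
import re
import shlex

# Constructed sample in `getent group` format: name:passwd:gid:member,member
GROUP_DB = """\
proj_alpha:*:5001:alice,bob,carol
proj_beta:*:5002:bob
empty_grp:*:5003:
"""

# Hypothetical mapping: group -> (directory, permissions); not from the thread.
GROUP_DIRS = {"proj_alpha": ("/gpfs/projects/alpha", "rwx"),
              "proj_beta": ("/gpfs/projects/beta data", "r-x")}

NAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]*$", re.I)

def parse_groups(text):
    """Return {group: sorted members}, rejecting names unsafe for an ACL spec."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed group line: {line!r}")
        name, _, _, members = fields
        users = sorted({m for m in members.split(",") if m})
        bad = [u for u in [name, *users] if not NAME_RE.match(u)]
        if bad:
            raise ValueError(f"unsafe name(s) {bad} in {line!r}")
        groups[name] = users
    return groups

def acl_commands(groups, group_dirs, current=None):
    """Emit setfacl commands so each directory's named-user entries match the
    group's members; `current` maps directory -> users already in its ACL."""
    current = current or {}
    cmds = []
    for group, (path, perms) in sorted(group_dirs.items()):
        want = set(groups.get(group, []))
        have = set(current.get(path, []))
        for user in sorted(want):
            cmds.append(f"setfacl -m u:{user}:{perms} {shlex.quote(path)}")
        for user in sorted(have - want):  # removed from the group: revoke
            cmds.append(f"setfacl -x u:{user} {shlex.quote(path)}")
    return cmds

if __name__ == "__main__":
    stale = {"/gpfs/projects/alpha": ["alice", "dave"]}  # constructed: dave left
    print("\n".join(acl_commands(parse_groups(GROUP_DB), GROUP_DIRS, stale)))
```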