pam list size limit?

Jon Miller jonebird at gmail.com
Thu Jan 29 01:37:51 UTC 2009


The 'getent' command is independent of any other operations occurring on
your machine, so it is quite harmless to test. For example, logging into
your machine and running "getent group root" should simply show you the
'root' group entry. Now substitute 'root' for your group name and see how
many members you see.

You can have 'awk' count them for you. In the case of the 'root' group, I
can issue the command "getent group root | awk -F, '{ print NF }'". See if
the count is what you are expecting. If you are not getting the expected
+2500 entries then you know it is not a PAM issue.

-- Jon Miller

2009/1/28 Wendy Palm <wendy at cray.com>

> I can't test the getent command right now. We have a workaround in place
> that I'd have to disengage to test it out.
>
>
>
> I'm at SP1.  Pam version in SP1 is 0.99.6.3-28.8 and didn't change in sp2 –
> are there any specific packages you might recommend updating to sp2?  It's
> not feasible for me to wholesale change the whole system to sp2, so
> targeting packages for experimentation would be easier.
>
>
>
> *From:* pam-list-bounces at redhat.com [mailto:pam-list-bounces at redhat.com] *On
> Behalf Of *Jon Miller
> *Sent:* Wednesday, January 28, 2009 6:06 PM
> *To:* Pluggable Authentication Modules
> *Subject:* Re: pam list size limit?
>
>
>
> Are you sure the issue is with pam_access? How many entries do you get when
> you run "getent group <grpname>" ?
> Finally, what level SP are you at on your SLES10 machine? If you're not at
> SP2, you could try updating to that. I've found SP2 to have solved a lot of
> issues.
>
> -- Jon Miller
>
> 2009/1/28 Wendy Palm <wendy at cray.com>
>
> We have a site that uses pam to regulate user logins, and has a unix group
> in excess of 2500 user entries which is specified in the access.conf file.
>
>
>
> They were running SLES9 (pam-0.77-221.4) and had no problems.  However,
> updating to SLES10 (pam-0.99.6.3-28.8), they are now having problems with
> the group list truncating at about 1100 user entries.
>
>
>
> Was some default limit changed?  I checked the archives, but didn't see
> anything blatant announcing this.  I checked the ChangeLog in the source
> code and found an entry that is suspicious (2005-12-21  Tomas Mraz
> simplifying evaluate_ingroup), but again, nothing blatant.
>
>
>
> What is the limit?  How can I change it (preferably without recompiling)?
> Is this at all possible?
>
>
>
> Thanks,
>
> Wendy
>
> ---------------------------------
>
> Wendy Palm
>
> Security Software Engineer
>
> wendy at cray dot com
>
>
>
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
>
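
Added example, not part of the original thread: a shell sketch of the getent check suggested at the top of this message, which also reports 0 for a group with an empty member list. The function names, the group name "bigsite" and the generated member names are constructed for illustration.

```shell
#!/bin/sh
# Count the members NSS returns for a group and compare with the number
# expected, to separate an NSS lookup problem from a PAM one.

# count_members LINE
# LINE is one "name:passwd:gid:member,member,..." entry as printed by
# "getent group". Prints the number of members (0 for an empty list,
# which a plain "awk -F, '{ print NF }'" would report as 1).
count_members() {
    printf '%s\n' "$1" | awk -F: '
        NF < 4 || $4 == "" { print 0; next }
        { print split($4, m, ",") }'
}

# diagnose EXPECTED LINE
# Prints "nss-short" when the entry holds fewer members than EXPECTED
# (the list is already cut before PAM sees it), otherwise "nss-ok"
# (the lookup is complete, so look at the PAM side next).
diagnose() {
    got=$(count_members "$2")
    if [ "$got" -lt "$1" ]; then
        echo "nss-short"
    else
        echo "nss-ok"
    fi
}

# Constructed sample entry with N members, for trying the functions offline.
sample_entry() {
    awk -v n="$1" 'BEGIN {
        printf "bigsite:x:5000:"
        for (i = 1; i <= n; i++) printf "%s%s", (i == 1 ? "" : ","), "u" i
        printf "\n" }'
}

# Live use: sh script.sh GROUP EXPECTED
if [ "$#" -eq 2 ]; then
    line=$(getent group "$1") || { echo "no such group: $1" >&2; exit 2; }
    echo "$1: $(count_members "$line") members, $(diagnose "$2" "$line")"
fi
```
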