On Mon, Mar 07, 2005 at 11:33:13AM -0500, David Collier-Brown wrote:
> Am I correct in thinking the Samba team was one of the
> proponents of larger number of groups in Linux, as
> implied by http://lwn.net/Articles/50916 ?


Maybe, no idea.

> Does that perhaps mean that folks with older
> Unixes (Solarii, BSDs, HP/UX, AIX, etc, etc)
> are still banging up against this on large sites
> with AD and large numbers of NT groups?


Yes.

> If so, should the limited set of groups
> that Unix allows perhaps be used as a cache of the
> recently-used groups? For example, if a
> user attempts to open a file belonging to
> group 17, and they only have 0-16 in their group
> list, should samba toss out the least
> recently used group, stick 17 in its
> place and retry the open?


Not possible. For each access denied from the kernel you would have to iterate
through all groups that a user is in to retry, just in case some group
membership would give him permission. The only real way around this is a
user-space implementation of NT ACLs, but then you lose the Unix
interoperability.

With Solaris you're stuck, sorry. That is just not usable in large AD
environments.

Volker
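
A small model of the retry cost described in the reply above, added here as an illustration and not taken from Samba or from the thread. `SLOT_LIMIT`, the gid values and the ACL lists are constructed, and the kernel check is reduced to a group-only match that does not report which group would have helped.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define SLOT_LIMIT 16 /* constructed stand-in for the platform's group limit */

/* Model of the kernel check: only the currently loaded groups are consulted,
 * and a denial does not say which group would have helped. */
static bool kernel_allows(const int *loaded, size_t n_loaded,
                          const int *acl, size_t n_acl) {
    for (size_t i = 0; i < n_loaded; i++)
        for (size_t j = 0; j < n_acl; j++)
            if (loaded[i] == acl[j])
                return true;
    return false;
}

/* Retry scheme: after each denial, load the next SLOT_LIMIT groups and try
 * again. Returns the number of attempts; *granted reports the final result. */
size_t attempts_with_retry(const int *groups, size_t total,
                           const int *acl, size_t n_acl, bool *granted) {
    size_t attempts = 0;
    *granted = false;
    for (size_t off = 0; off < total && !*granted; off += SLOT_LIMIT) {
        size_t n = total - off < SLOT_LIMIT ? total - off : SLOT_LIMIT;
        attempts++; /* one group-list reload plus one retried open */
        *granted = kernel_allows(groups + off, n, acl, n_acl);
    }
    return attempts;
}

int main(void) {
    int groups[100]; /* constructed user with gids 1000..1099 */
    for (int i = 0; i < 100; i++)
        groups[i] = 1000 + i;
    int acl_hit[] = {5000, 1040};  /* the user's 41st group grants access */
    int acl_miss[] = {5000, 5001}; /* the user is in none of these */
    bool ok;
    size_t a = attempts_with_retry(groups, 100, acl_hit, 2, &ok);
    printf("hit:  %zu attempts, granted=%d\n", a, ok);
    a = attempts_with_retry(groups, 100, acl_miss, 2, &ok);
    printf("miss: %zu attempts, granted=%d\n", a, ok);
    return 0;
}
```

In this model a legitimate denial is the expensive case: every window has to be tried before the refusal can be trusted.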