Re: pam list size limit?

Jon Miller <jonebird@xxxxxxxxx> · Wed, 28 Jan 2009 20:37:51 -0500

The 'getent' command is independent of any other operations occurring on your machine, so it is quite harmless to test. For example, logging into your machine and running "getent group root" should simply show you the 'root' group entry. Now substitute 'root' for your group name and see how many members you see. 

You can have 'awk' count them for you. In the case of the 'root' group, I can issue the command "getent group root | awk -F, '{ print NF }'". See if the count is what you are expecting. If you are not getting the expected +2500 entries then you know it is not a PAM issue.

-- Jon Miller

2009/1/28 Wendy Palm <wendy@xxxxxxxx>

I can't test the getent command right now.  we have a workaround
in place that I'd have to disengage to test it out.

I'm at SP1.  Pam version in SP1 is 0.99.6.3-28.8 and didn't
change in sp2 – are there any specific packages you might recommend updating to
sp2?  It's not feasible for me to wholesale change the whole system to sp2, so targeting
packages for experimentation would be easier.

From: pam-list-bounces@xxxxxxxxxx
[mailto:pam-list-bounces@xxxxxxxxxx] On Behalf Of Jon Miller

Sent: Wednesday, January 28, 2009 6:06 PM

To: Pluggable Authentication Modules

Subject: Re: pam list size limit?

Are you sure the issue is with
pam_access? How many entries do you get when you run "getent group
<grpname>" ?

Finally, what level SP are you at on your SLES10 machine? If you're not at SP2,
you could try updating to that. I've found SP2 to have solved a lot of issues. 

-- Jon Miller

2009/1/28 Wendy Palm <wendy@xxxxxxxx>

We have a site that uses pam to regulate user
logins, and has a unix group in excess of 2500 user entries which is specified
in the access.conf file.

They were running SLES9 (pam-0.77-221.4) and
had no problems.  However, updating to SLES10 (pam-0.99.6.3-28.8), they
are now having problems with the group list truncating at about 1100 user
entries.

Was some default limit changed?  I
checked the archives, but didn't see anything blatent announcing this.  I
checked the ChangeLog in the source code and found an entry that is suspicious
(2005-12-21  Tomas Mraz simplifying evaluate_ingroup), but again, nothing
blatent.

What is the limit?  How can I change it
(preferably without recompiling)?  Is this at all possible?

Thanks,

Wendy

---------------------------------

Wendy Palm

Security Software Engineer

wendy at cray dot com

_______________________________________________

Pam-list mailing list

Pam-list@xxxxxxxxxx

https://www.redhat.com/mailman/listinfo/pam-list

_______________________________________________

Pam-list mailing list

Pam-list@xxxxxxxxxx

https://www.redhat.com/mailman/listinfo/pam-list

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list