Group Membership Expansion: Guidelines for Deployment

enhancement does not change system behavior in any way. It is necessary to increase the
ngroups_max tunable above its default value of 20 to change the system behavior.

Updating system utilities

A number of system utilities are sensitive to the maximum number of groups per user, and so must be
updated before they will recognize that a user or process is a member of more than 20 groups.
Because these utilities are not part of the core, they are not installed along with PHKL_38095. Table
1 shows the utilities that must be updated if they are to be used in an expanded groups environment:

Table 1. Utilities requiring update before use with expanded groups

Utility    Minimum required version    Included in Update 3?
sendmail   C.8.13.3.2                  YES
FTP        C.2.6.1.4.0                 YES
ONC+       B.11.31.04                  YES
LDAP-UX    B.04.20                     NO; available via Web release (Software Depot) by December 2008

The utilities RCS and SCCS have not yet been updated to work with group membership expansion.
They will not work properly for users belonging to more than 20 groups until such time as patches are
created by HP.

Updating applications

Most applications are not sensitive to the maximum number of groups per user, but some specialized
applications may track the group membership of users and processes. If such applications assume that
the maximum number of groups is fixed at 20, they may not perform properly in an expanded groups
environment: they may terminate unexpectedly, or fail to recognize that a user has any supplementary
groups at all. The appendix contains details that will help application developers write programs
that work with an expanded number of groups.
HP has not validated that all third-party applications work properly with more than 20 groups. For
that reason, the kctune command displays a warning message when ngroups_max is tuned to a
value greater than 20.
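
The fixed-limit assumption described under "Updating applications" can be shown next to a version that sizes its buffer at run time. This is an added example, not code from HP or from the appendix; the function names are hypothetical and it uses only the POSIX getgroups() and sysconf() calls.

```c
/* Added example: hypothetical helper names; POSIX getgroups()/sysconf() only. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define LEGACY_MAX_GROUPS 20   /* the old fixed limit a legacy program assumes */

/* Legacy pattern: returns -1 (errno EINVAL) once the process has more than
 * 20 groups; a caller that ignores the error sees "no groups at all". */
int legacy_group_count(void) {
    gid_t list[LEGACY_MAX_GROUPS];
    return getgroups(LEGACY_MAX_GROUPS, list);
}

/* Query the limit at run time instead of compiling in a constant. */
long runtime_group_limit(void) { return sysconf(_SC_NGROUPS_MAX); }

/* Ask for the count first, then allocate; retry if the set grew in between.
 * Returns the count and stores a heap-allocated list in *out, or -1 on error. */
int load_groups(gid_t **out) {
    *out = NULL;
    for (;;) {
        int n = getgroups(0, NULL);              /* size 0: count only */
        if (n < 0) return -1;
        gid_t *list = calloc((size_t)n + 1, sizeof *list);
        if (!list) return -1;
        int got = n ? getgroups(n, list) : 0;
        int err = errno;                         /* save before free() */
        if (got >= 0) { *out = list; return got; }
        free(list);
        if (err != EINVAL) return -1;            /* EINVAL: list grew, retry */
    }
}

/* Membership test over the whole list, however long it is. */
int in_group(const gid_t *list, int n, gid_t gid) {
    for (int i = 0; i < n; i++)
        if (list[i] == gid) return 1;
    return 0;
}

int main(void) {
    gid_t *groups;
    int n = load_groups(&groups);
    printf("limit=%ld dynamic=%d legacy=%d\n", runtime_group_limit(), n, legacy_group_count());
    free(groups);
    return n < 0;
}
```

An access-control check built on the legacy pattern must treat the -1 return as an error rather than as an empty group list.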

Known limitations

The ONC RPC over-the-wire protocol used by all ONC RPC applications, including NFS, limits the
number of supplementary group IDs recognized across NFS filesystems to 16.
Network Information Service (NIS) builds a database that contains information about user group
membership, called netid. NIS will include only the first 20 supplementary user groups in this
database. NIS is usually used in conjunction with ONC RPC, where only the first 16 groups are
significant, so this is of little practical consequence.