zfs discuss - Mar 2011 - zfs-nfs-sun 7000 series

Hello,
I have a Sun 7000 series NAS device, I am trying to back it up via NFS mount on
a Solaris 10 server running Networker 7.6.1.  It works but it is extremely slow,
I have tested other mounts and they work much faster.  The only difference (that
I can see) between the two mounts are the underlying file system zfs vs ufs. 
Any thoughts to speed up the backup of the Sun 7000 nfs mount?
Thanks you.


Mike MacNeil
Global IT Infrastructure

[cid:image001.gif at 01CBDF3D.6192F090]

4281 Harvester Rd.
Burlington, ON l7l 5m4
Canada

Phone: 905 632 2999 ext.2920
Fax: 905 632 2055
Email: mike.macneil at gennum.com
www.gennum.com


________________________________
This communication contains confidential information intended only for the
addressee(s). If you have received this communication in error, please notify us
immediately and delete this communication from your mail box.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://mail.opensolaris.org/pipermail/zfs-discuss/attachments/20110310/6219ea8d/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.gif
Type: image/gif
Size: 1258 bytes
Desc: image001.gif
URL:
<http://mail.opensolaris.org/pipermail/zfs-discuss/attachments/20110310/6219ea8d/attachment-0001.gif>

Hi,

Is it possible to run both CIFS and NFS on one file system over ZFS?


Thanks.

Fred
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://mail.opensolaris.org/pipermail/zfs-discuss/attachments/20110312/295648e7/attachment.html>

On Sat, Mar 12, 2011 at 7:42 PM, Fred Liu <Fred_Liu at issi.com> wrote:
>   Hi,
>
>
>
> Is it possible to run both CIFS and NFS on one file system over ZFS?
>
>
>
>
>
> Thanks.
>
>
>
> Fred
>

Yes, but managing permissions in that scenario is generally a nightmare.  If
you''re using NFSv4 with AD integration, it''s a bit more
manageable, but it''s
still definitely a work in progress.


--Tim
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://mail.opensolaris.org/pipermail/zfs-discuss/attachments/20110312/270863a1/attachment.html>

Tim,

Thanks.

Is there a mapping mechanism like what DataOnTap does to map the permission/acl
between NIS/LDAP and AD?

Thanks.

Fred

From: Tim Cook [mailto:tim at cook.ms]
Sent: ???, ?? 13, 2011 9:53
To: Fred Liu
Cc: zfs-discuss at opensolaris.org
Subject: Re: [zfs-discuss] dual protocal on one file system?


On Sat, Mar 12, 2011 at 7:42 PM, Fred Liu <Fred_Liu at
issi.com<mailto:Fred_Liu at issi.com>> wrote:
Hi,

Is it possible to run both CIFS and NFS on one file system over ZFS?


Thanks.

Fred


Yes, but managing permissions in that scenario is generally a nightmare.  If
you''re using NFSv4 with AD integration, it''s a bit more
manageable, but it''s still definitely a work in progress.


--Tim
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://mail.opensolaris.org/pipermail/zfs-discuss/attachments/20110312/7e02e31a/attachment.html>

2011/3/12 Fred Liu <Fred_Liu at issi.com>
>  Tim,
>
>
>
> Thanks.
>
>
>
> Is there a mapping mechanism like what DataOnTap does to map the
> permission/acl between NIS/LDAP and AD?
>
>
>
> Thanks.
>
>
>
> Fred
>
>
>
> *From:* Tim Cook [mailto:tim at cook.ms]
> *Sent:* ???, ?? 13, 2011 9:53
> *To:* Fred Liu
> *Cc:* zfs-discuss at opensolaris.org
> *Subject:* Re: [zfs-discuss] dual protocal on one file system?
>
>
>
>
>
> On Sat, Mar 12, 2011 at 7:42 PM, Fred Liu <Fred_Liu at issi.com>
wrote:
>
> Hi,
>
>
>
> Is it possible to run both CIFS and NFS on one file system over ZFS?
>
>
>
>
>
> Thanks.
>
>
>
> Fred
>
>
>
>
>
> Yes, but managing permissions in that scenario is generally a nightmare.
>  If you''re using NFSv4 with AD integration, it''s a bit
more manageable, but
> it''s still definitely a work in progress.
>
>
>
>
>
> --Tim
>

Yes.
http://www.unix.com/man-page/OpenSolaris/1m/idmap/

--Tim
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://mail.opensolaris.org/pipermail/zfs-discuss/attachments/20110312/9695e5f3/attachment.html>

> From: zfs-discuss-bounces at opensolaris.org [mailto:zfs-discuss-
> bounces at opensolaris.org] On Behalf Of Mike MacNeil
> 
> I have a Sun 7000 series NAS device, I am trying to back it up via NFS
mount
> on a Solaris 10 server running Networker 7.6.1.? It works but it is
extremely
> slow, I have tested other mounts and they work much faster.? The only
> difference (that I can see) between the two mounts are the underlying file
> system zfs vs ufs.? Any thoughts to speed up the backup of the Sun 7000
nfs
> mount?
If possible, backup via zfs send | zfs receive instead.  It''s about a
million times faster than anything else in the world.

If you have to backup over nfs, be sure to explicitly exclude the .zfs
directory.  

Aside from that, I''m not aware of any reason nfs (read-only operations)
would be slow on zfs instead of ufs.  I have plenty of zfs-backed nfs
services that run and perform well.  Perhaps there''s a strange
incompatibility between the networker nfs client, and the nfs server?

You might do some packet sniffing just to see what operations are taking a
long time.

> From: zfs-discuss-bounces at opensolaris.org [mailto:zfs-discuss-
> 
> Is it possible to run both CIFS and NFS on one file system over ZFS?
Yes.  I do.

> From: zfs-discuss-bounces at opensolaris.org [mailto:zfs-discuss-
> bounces at opensolaris.org] On Behalf Of Fred Liu
> 
> Is there a mapping mechanism like what DataOnTap does to map the
> permission/acl between NIS/LDAP and AD?
There are a lot of solutions available.  But if you don''t already have
a
solution in hand, you can certainly waste a lot of time figuring it all out.
Here''s what I do:

Solaris server used Kerberos to authenticate against AD.
I use NIS (could use LDAP) to maintain a consistent mapping of UID/GID/other
posix information.  This could be either linux/solaris/or windows AD server.
Set up time sync so you''re always in-sync with AD time.
You can enable nfs by setting the sharenfs property on the filesystem, or by
editing dfstab (and running the share command)
You could use the built-in cifs server, but I prefer samba.  
Join the AD domain with samba (net join)... Use DOMAIN or ADS.

On Mar 12, 2011, at 20:59, Tim Cook wrote:
> 2011/3/12 Fred Liu <Fred_Liu at issi.com>
> 
>> Tim,
>> 
>> Thanks.
>> 
>> Is there a mapping mechanism like what DataOnTap does to map the
>> permission/acl between NIS/LDAP and AD?
> 
> Yes.
> http://www.unix.com/man-page/OpenSolaris/1m/idmap/
This appears to be only for OpenSolaris/Solaris 11, and not Solaris 10. Or am I
missing something?

Some good information on the (Open)Solaris CIFS server, and AD integration, is
available at:

http://blogs.sun.com/timthomas/entry/a_quick_look_solaris_cifs
http://blogs.sun.com/nico/entry/dealing_with_windows_sids_in
http://blogs.sun.com/wdp/entry/windows_interoperability

(Hopefully blogs.sun.com will be archived some place when sun.com is
"decommissioned" on June 1.)

On Mar 13, 2011, at 11:15 AM, David Magda wrote:
> 
> On Mar 12, 2011, at 20:59, Tim Cook wrote:
> 
>> 2011/3/12 Fred Liu <Fred_Liu at issi.com>
>> 
>>> Tim,
>>> 
>>> Thanks.
>>> 
>>> Is there a mapping mechanism like what DataOnTap does to map the
>>> permission/acl between NIS/LDAP and AD?
>> 
>> Yes.
>> http://www.unix.com/man-page/OpenSolaris/1m/idmap/
> 
> This appears to be only for OpenSolaris/Solaris 11, and not Solaris 10. Or
am I missing something?
Correct. The in-kernel CIFS service is not ported to Solaris 10.  For a Solaris
10
solution, you need to use Samba.
> Some good information on the (Open)Solaris CIFS server, and AD integration,
is available at:
> 
> http://blogs.sun.com/timthomas/entry/a_quick_look_solaris_cifs
> http://blogs.sun.com/nico/entry/dealing_with_windows_sids_in
> http://blogs.sun.com/wdp/entry/windows_interoperability
> 
> (Hopefully blogs.sun.com will be archived some place when sun.com is
"decommissioned" on June 1.)
Hopefully...
 -- richard

> From: zfs-discuss-bounces at opensolaris.org [mailto:zfs-discuss-
> bounces at opensolaris.org] On Behalf Of Richard Elling
> 
> >> Yes.
> >> http://www.unix.com/man-page/OpenSolaris/1m/idmap/
> >
> > This appears to be only for OpenSolaris/Solaris 11, and not Solaris
10.
Or am
> I missing something?
> 
> Correct. The in-kernel CIFS service is not ported to Solaris 10.  For a
Solaris 10
> solution, you need to use Samba.
Just for clarity:
The in-kernel CIFS service is indeed available in solaris 10.  But idmap is
not.  I think Richard is saying if you want to have a consistent directory
mapping across multiple machines (which is usually necessary if you''re
sharing both cifs and nfs) then in solaris 10 you need to use samba. 
It''s
not that in-kernel cifs isn''t available, it''s that idmap
isn''t available.

On 14/03/11 11:13 PM, Edward Ned Harvey wrote:
>> From: zfs-discuss-bounces at opensolaris.org [mailto:zfs-discuss-
>> bounces at opensolaris.org] On Behalf Of Richard Elling
>>
>>>> Yes.
>>>> http://www.unix.com/man-page/OpenSolaris/1m/idmap/
>>>
>>> This appears to be only for OpenSolaris/Solaris 11, and not Solaris
10.
> Or am
>> I missing something?
>>
>> Correct. The in-kernel CIFS service is not ported to Solaris 10.  For a
> Solaris 10
>> solution, you need to use Samba.
>
> Just for clarity:
> The in-kernel CIFS service is indeed available in solaris 10.
Are you really, really sure about that? Please point the RFE number
which tracks the inclusion in a Solaris 10 Update.

I''d also like to know where you''re getting your information
from
on this topic.


James C. McPherson
--
Oracle
http://www.jmcp.homeunix.com/blog

> From: James C. McPherson [mailto:jmcp at opensolaris.org]
> Sent: Monday, March 14, 2011 9:20 AM
> 
> > Just for clarity:
> > The in-kernel CIFS service is indeed available in solaris 10.
> 
> Are you really, really sure about that? Please point the RFE number
> which tracks the inclusion in a Solaris 10 Update.
> 
> I''d also like to know where you''re getting your
information from
> on this topic.
Really really sure?  No, because I don''t use it.  I wouldn''t
stake my life on the man page being error-free.  But I do know this:

I have a solaris 10u8 box I''m logged into right now.  man zfs shows
that sharesmb is available as an option.  I suppose I could be wrong, if either
the man page is wrong, or if I''m incorrectly assuming the zfs sharesmb
property uses the in-kernel cifs daemon.

On 14/03/11 11:26 PM, Edward Ned Harvey wrote:
>> From: James C. McPherson [mailto:jmcp at opensolaris.org]
>> Sent: Monday, March 14, 2011 9:20 AM
>>
>>> Just for clarity:
>>> The in-kernel CIFS service is indeed available in solaris 10.
>>
>> Are you really, really sure about that? Please point the RFE number
>> which tracks the inclusion in a Solaris 10 Update.
>>
>> I''d also like to know where you''re getting your
information from
>> on this topic.
>
> Really really sure?  No, because I don''t use it.  I
wouldn''t stake my
> life on the man page being error-free.  But I do know this:
>
> I have a solaris 10u8 box I''m logged into right now.  man zfs
shows
> that sharesmb is available as an option.  I suppose I could be wrong,
> if either the man page is wrong, or if I''m incorrectly assuming
the zfs
> sharesmb property uses the in-kernel cifs daemon.
That''s a big leap to make.

On my Solaris 11 system I see this:


$ svcs \*smb\*
STATE          STIME    FMRI
online         Mar_11   svc:/network/smb/client:default
online         Mar_11   svc:/network/shares/group:smb
online         Mar_11   svc:/network/smb/server:default


I seriously doubt you''ll see anything similar on your
S10U8 system.


http://download.oracle.com/docs/cd/E19253-01/816-5166/6mbb1kqo8/index.html
quote::
# nbmand....
This SMB related property is not fully functional in the Oracle Solaris 10 
release because the Oracle Solaris SMB server is not supported in the 
Oracle Solaris 10 release.

...

# sharesmb....

Note that the Oracle Solaris SMB service is not supported in the Oracle 
Solaris 10 release.
...
::endquote


James C. McPherson
--
Oracle
http://www.jmcp.homeunix.com/blog

On Mon, Mar 14, 2011 at 9:26 AM, Edward Ned Harvey
<opensolarisisdeadlongliveopensolaris at nedharvey.com> wrote:
> I have a solaris 10u8 box I''m logged into right now. ?man zfs
shows that sharesmb is
> available as an option. ?I suppose I could be wrong, if either the man page
is wrong,
> or if I''m incorrectly assuming the zfs sharesmb property uses the
in-kernel cifs daemon.
    I made the same (incorrect) assumption months ago.

    The data structure is there in ZFS to support the CIFS server, but
the kernel support is NOT in Solaris 10. There is an excellent blog
entry (which I do not have a link to at the moment) which explains
why. Essentially it comes down to the CIFS server being a kernel layer
module and the Solaris 10 kernel not having enough understanding of
CIFS (AD) security. That functionality was added to the kernel with
Solaris 11 (and is a big enough change that it will not be back ported
into the Solaris 10 kernel).

-- 
{--------1---------2---------3---------4---------5---------6---------7---------}
Paul Kraus
-> Senior Systems Architect, Garnet River ( http://www.garnetriver.com/ )
-> Sound Coordinator, Schenectady Light Opera Company (
http://www.sloctheater.org/ )
-> Technical Advisor, RPI Players

> From: Paul Kraus [mailto:paul at kraus-haus.org]
> 
> > I have a solaris 10u8 box I''m logged into right now. ?man zfs
shows that
> sharesmb is
> > available as an option. ?I suppose I could be wrong, if either the man
page is
> wrong,
> > or if I''m incorrectly assuming the zfs sharesmb property uses
the
in-kernel
> cifs daemon.
> 
>     I made the same (incorrect) assumption months ago.
> 
>     The data structure is there in ZFS to support the CIFS server, but
> the kernel support is NOT in Solaris 10. There is an excellent blog
> entry (which I do not have a link to at the moment) which explains
> why. Essentially it comes down to the CIFS server being a kernel layer
> module and the Solaris 10 kernel not having enough understanding of
> CIFS (AD) security. That functionality was added to the kernel with
> Solaris 11 (and is a big enough change that it will not be back ported
> into the Solaris 10 kernel).
So if you were to enable the sharesmb property on a zfs filesystem in sol10,
you just get an error or something?

I don''t want to test it on my live system, nor do I want to go to the
effort
of building a VM just to test this...  Nor would I use it, even if it did
work.   ;-)   But I''m curious.

On Mon, Mar 14, 2011 at 9:26 PM, Edward Ned Harvey
<opensolarisisdeadlongliveopensolaris at nedharvey.com> wrote:
> So if you were to enable the sharesmb property on a zfs filesystem in
sol10,
> you just get an error or something?
    Nope. The command succeeds and the flag gets set on the dataset.
Since there is no kernel process to read the flag and act on it,
nothing happens (at least, that is my experience).
> I don''t want to test it on my live system, nor do I want to go to
the effort
> of building a VM just to test this... ?Nor would I use it, even if it did
> work. ? ;-) ? But I''m curious.
    Oh, I *wanted* it to work, and can''t wait for S11 to actually be
able to use it in production (the shop I work in does not use
OpenSolaris or Solaris Express in production).

-- 
{--------1---------2---------3---------4---------5---------6---------7---------}
Paul Kraus
-> Senior Systems Architect, Garnet River ( http://www.garnetriver.com/ )
-> Sound Coordinator, Schenectady Light Opera Company (
http://www.sloctheater.org/ )
-> Technical Advisor, RPI Players

> From: Paul Kraus [mailto:paul at kraus-haus.org]
> 
> > So if you were to enable the sharesmb property on a zfs filesystem in
sol10,
> > you just get an error or something?
> 
>     Nope. The command succeeds and the flag gets set on the dataset.
> Since there is no kernel process to read the flag and act on it,
> nothing happens (at least, that is my experience).
hehehehe.   Silent fail.   The best type of fail.    ;-)

BTW, what is the advantage of the kernel cifs server as opposed to samba?
It seems, years ago, somebody must have been standing around and saying
"There is a glaring deficiency in samba, and we need to solve it."  

I can see a few glaring deficiencies in the other direction too - but
I''d
like to know the differences more clearly.

On Tue, Mar 15, 2011 at 11:00 PM, Edward Ned Harvey
<opensolarisisdeadlongliveopensolaris at nedharvey.com> wrote:
> BTW, what is the advantage of the kernel cifs server as opposed to samba?
> It seems, years ago, somebody must have been standing around and saying
> "There is a glaring deficiency in samba, and we need to solve
it."
    Complete integration with AD/NTFS from the client perspective. In
other words, the Sun CIFS server really does look like a genuine NTFS
volume shared via CIFS in terms of ACLs. Snapshots even show up as
"previous versions" in explorer.

    I have never seen SAMBA provide more than just authentication
integration with AD.

    The in kernel CIFS server is also supposed to be much faster,
although I have not tested that yet.

-- 
{--------1---------2---------3---------4---------5---------6---------7---------}
Paul Kraus
-> Senior Systems Architect, Garnet River ( http://www.garnetriver.com/ )
-> Sound Coordinator, Schenectady Light Opera Company (
http://www.sloctheater.org/ )
-> Technical Advisor, RPI Players

On Mar 16, 2011, at 8:13 AM, Paul Kraus <paul at kraus-haus.org> wrote:
> On Tue, Mar 15, 2011 at 11:00 PM, Edward Ned Harvey
> <opensolarisisdeadlongliveopensolaris at nedharvey.com> wrote:
> 
>> BTW, what is the advantage of the kernel cifs server as opposed to
samba?
>> It seems, years ago, somebody must have been standing around and saying
>> "There is a glaring deficiency in samba, and we need to solve
it."
> 
>    Complete integration with AD/NTFS from the client perspective. In
> other words, the Sun CIFS server really does look like a genuine NTFS
> volume shared via CIFS in terms of ACLs. Snapshots even show up as
> "previous versions" in explorer.
> 
>    I have never seen SAMBA provide more than just authentication
> integration with AD.
> 
>    The in kernel CIFS server is also supposed to be much faster,
> although I have not tested that yet.
Samba has all those features as well. It has native support for different
platform ACLs (Linux/Solaris/BSD) and supports mapping POSIX perms with platform
ACLs to present a quasi NT ACL that reflects the native permissions of the host.

Samba even has modules for mapping NT RIDs to Nix UIDs/GIDs as well as a module
that supports "Previous Versions" using the hosts native snapshot
method.

The one glaring deficiency Samba has though, in Sun''s eyes not mine, is
that it runs in user space, though I believe that''s just the cover song
for "It wasn''t invented here".

-Ross

On Wed, Mar 16, 2011 at 9:48 AM, Ross Walker <rswwalker at gmail.com>
wrote:
> Samba has all those features as well. It has native support for different
platform ACLs
> (Linux/Solaris/BSD) and supports mapping POSIX perms with platform ACLs to
present
> a quasi NT ACL that reflects the native permissions of the host.
    Can you point to documentation that describes how to get SAMBA to
present ZFS ACLs as native NTFS ACLs ?

    Including properly handling AD groups and allowing for full
management of the ACLs from the client side.
> Samba even has modules for mapping NT RIDs to Nix UIDs/GIDs as well as a
module that
> supports "Previous Versions" using the hosts native snapshot
method.
    But... if SAMBA has native AD authentication, and the underlying
OS can authenticate against AD, why do we need to have native Unix
accounts for the SAMBA users ?
> The one glaring deficiency Samba has though, in Sun''s eyes not
mine, is that it runs in
> user space, though I believe that''s just the cover song for
"It wasn''t invented here".
    Given the performance difference I have seen between in kernel and
user space NFS server processes, I expect the in kernel CIFS service
to be substantially faster than a user space service. Our current
performance limitation is at the SAMBA layer.

    For me this is not academic, as we have a large file server (20 TB
and over 400 million files) that needs to be presented to the end
users as one share (for some reasonably good business reasons). By
policy we need a solution that we can get support on, so assembling a
solution out various open source modules is not acceptable. We also
need to keep the configuration as simple as possible for future
manageability.

    We are currently using Solaris 10 with SAMBA and have some
usability issues as follows.

1. need to manage Solaris as well as AD users/groups
2. Unix / Solaris limitation of 16 / 32 group membership
3. ACL management (must be done on the Solaris side) and visibility
4. performance (especially with many small files)

    We can solve some of the above with SAMBA, but we are hoping that
the Sun CIFS server in Solaris 11 resolves all of these issues. We
start testing with Solaris 11 Express shortly.

-- 
{--------1---------2---------3---------4---------5---------6---------7---------}
Paul Kraus
-> Senior Systems Architect, Garnet River ( http://www.garnetriver.com/ )
-> Sound Coordinator, Schenectady Light Opera Company (
http://www.sloctheater.org/ )
-> Technical Advisor, RPI Players

> From: Paul Kraus [mailto:paul at kraus-haus.org]
> 
> > Samba even has modules for mapping NT RIDs to Nix UIDs/GIDs as well as
a
> module that
> > supports "Previous Versions" using the hosts native snapshot
method.
> 
>     But... if SAMBA has native AD authentication, and the underlying
> OS can authenticate against AD, why do we need to have native Unix
> accounts for the SAMBA users ?
You say "native" unix accounts, but that doesn''t have a clear
meaning - All
the account info can be stored locally or remotely in a directory service,
or even locally in a caching directory service ... And multiple services can
be combined together, as long as all the relevant pieces of information come
from *some* where.  And as long as any unavailable pieces of information are
not necessary to satisfy any of the system''s intended purposes.  For
example, I have one system which authenticates via Kerberos to AD, and uses
a NIS service, without any password, home directory, or shell information,
just to synchronize the username/UID/GID on a system which is a fileserver
and not intended for user logon.

If you run CIFS and you don''t run NFS, then you don''t need
anything beyond
the AD server.  The CIFS server can locally generate all the posix details
as necessary, and all the separate unix/linux systems on the network can all
do the same - And none of the UID''s will match between systems - and
that''s
ok because no system will care about the UID of any user account on any
other system.

If you have a CIFS and NFS server, then you need some way of unifying all
the POSIX information - username to UID, GID, home dir, and shell.  Etc. 

By default, AD doesn''t have any such information in it - Yes you can
add
UNIX services to AD, or extend the schema in various ways, and then
distribute that information via LDAP or NIS or some other directory
services, but the point remains, if you''re authenticating via Kerberos,
you
still need an additional directory service to make the POSIX information
consistent across all the unix/linux NFS machines.  AFAIK, posix information
is not something that Kerberos can be used for.

>     We are currently using Solaris 10 with SAMBA and have some
> usability issues as follows.
> 
> 1. need to manage Solaris as well as AD users/groups
I have a similar setup.  Solaris 10 and Samba uses AD Kerberos for
authentication, but also uses NIS for POSIX.
At one site, the NIS server is the Windows AD server.
At another (independent) site, the NIS server is a linux machine.
Both the windows & linux NIS servers have some pros/cons versus each other.

This need does not disappear when you use a kernel cifs server.  

> 2. Unix / Solaris limitation of 16 / 32 group membership
> 3. ACL management (must be done on the Solaris side) and visibility
> 4. performance (especially with many small files)
> 
>     We can solve some of the above with SAMBA, but we are hoping that
> the Sun CIFS server in Solaris 11 resolves all of these issues. We
> start testing with Solaris 11 Express shortly.
I don''t think you''re going to eliminate #2.
#3 and #4, perhaps the kernel cifs server might be better than samba.  Or
vice-versa.  ;-)  I don''t know.

On Thu, March 17, 2011 09:53, Edward Ned Harvey wrote:
>> From: Paul Kraus [mailto:paul at kraus-haus.org]
[...]
>> 2. Unix / Solaris limitation of 16 / 32 group membership
>> 3. ACL management (must be done on the Solaris side) and visibility
>> 4. performance (especially with many small files)
>>
>>     We can solve some of the above with SAMBA, but we are hoping that
>> the Sun CIFS server in Solaris 11 resolves all of these issues. We
>> start testing with Solaris 11 Express shortly.
>
> I don''t think you''re going to eliminate #2.
> #3 and #4, perhaps the kernel cifs server might be better than samba.  Or
> vice-versa.  ;-)  I don''t know.
#2 is fixed in OpenSolaris as of snv_129:

    http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4088757

The new limit is 1024--the same maximum number of groups as Windows
supports. Unlikely that it will be back ported to Solaris 10 though (it
changes a bunch of structures which could break compatibility). Details in
 PSARC 2009/542, work done by Casper Dik.

On 3/17/2011 8:11 AM, David Magda wrote:
>>> From: Paul Kraus [mailto:paul at kraus-haus.org]
> [...]
>>> 2. Unix / Solaris limitation of 16 / 32 group membership
>
> #2 is fixed in OpenSolaris as of snv_129:
>
>      http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4088757
>
> The new limit is 1024--the same maximum number of groups as Windows
> supports. Unlikely that it will be back ported to Solaris 10 though (it
> changes a bunch of structures which could break compatibility). Details in
>   PSARC 2009/542, work done by Casper Dik.
My employer, $bank, has been promised that fix in Sol 10. Promises are 
not patches, however ;-)

-- 
Carson

> From: David Magda [mailto:dmagda at ee.ryerson.ca]
> 
> >> 2. Unix / Solaris limitation of 16 / 32 group membership
> >>
> > I don''t think you''re going to eliminate #2.
>
> #2 is fixed in OpenSolaris as of snv_129:
> 
> The new limit is 1024--the same maximum number of groups as Windows
> supports. Unlikely that it will be back ported to Solaris 10 though (it
If you''re doing NFS, just be careful that all the NFS clients support
the
same.  If you have any solaris 10 clients, or pre-129 osol, or any linux
which doesn''t support it ... Then there are problems.

Which is why I said I don''t think you''re going to eliminate
#2.

On Fri, March 18, 2011 08:28, Edward Ned Harvey wrote:
> From: David Magda [mailto:dmagda at ee.ryerson.ca]
>> #2 is fixed in OpenSolaris as of snv_129:
>>
>> The new limit is 1024--the same maximum number of groups as Windows
>> supports. Unlikely that it will be back ported to Solaris 10 though (it
>
> If you''re doing NFS, just be careful that all the NFS clients
support the
> same.  If you have any solaris 10 clients, or pre-129 osol, or any linux
> which doesn''t support it ... Then there are problems.
>
> Which is why I said I don''t think you''re going to
eliminate #2.
This is mentioned in the PSARC:
> As part of this case, we''re change the "AUTH_SYS"
semantics for RPC;
> rather than failing for users in more than 16 groups, we''d prefer
to
> copy the semantics of others: just drop the additional groups and
> perform the operation with a reduced set of groups.
    http://arc.opensolaris.org/caselog/PSARC/2009/542/20091008_casper.dik

It also gives this URL which has the limits for various Unix systems:

    http://www.j3e.de/ngroups.html

Legacy is legacy, but a lot of systems are now raising the limit, so it be
''fixed'' in a decade or so. :)