The maximum number of groups a user can belong to on UNIX or Linux is 16.
The 16 group limitation is not controlled by ClearCase, rather by the architecture from which the RFC (Request for Comments) for RPC (Remote Procedure Call) Standards Track emanates.
The original RFC for RPC was RFC#1050 published in 1988 which had a limitation of 10 additional GID's:
9.2 UNIX Authentication
The caller of a remote procedure may wish to identify himself as he
is identified on a UNIX(tm) system. The value of the credential's
discriminant of an RPC call message is "AUTH_UNIX". The bytes of the
credential's opaque body encode the following structure:
struct auth_unix {
unsigned int stamp;
string machinename<255>;
unsigned int uid;
unsigned int gid;
unsigned int gids<10>;
};
This was updated and superseded by RFC#1831, published in 1995 which increased the number of additional GID's to 16.
APPENDIX A: SYSTEM AUTHENTICATION
The client may wish to identify itself, for example, as it is
identified on a UNIX(tm) system. The flavor of the client credential
is "AUTH_SYS". The opaque data constituting the credential encodes
the following structure:
struct authsys_parms {
unsigned int stamp;
string machinename<255>;
unsigned int uid;
unsigned int gid;
unsigned int gids<16>;
};
APAR PK10876 has been submitted to address this behavior.
Answer
This defect, APAR PK10876, has been resolved through use of a workaround in ClearCase 7.0.
WORKAROUND:
You will be required to use a wrapper utility to process any ClearCase commands when a user is a member of more than 16 groups.
DOCUMENTATION:
setgroup-swap
Allows users who are a member of more than 16 groups to use ClearCase commands.
Applicability
Product
Command type
ClearCase executable
Platform
UNIX and Linux
Synopsis
Use ClearCase functionality when user membership exceeds 16 groups.
Description
Due to the RPC limitation imposed by UNIX and Linux, users who are members of more than 16 groups cannot properly process RPC calls for ClearCase use. To work around this issue, you can use the setgroup-swap utility (found in the /opt/rational/clearcase/etc/utils directory) to work in conjunction with the CLEARCASE_GROUPS variable to define an ordered list of groups for ClearCase to package and process RPC calls in accordance with RFC#1831 guidelines and restrictions.
Restrictions
Identities
You must have one of the following identities:
* root (UNIX and Linux)
Note: This identity is required to chmod the setgroup-swap utility to apply the setuid permission. After that, no special identities are required.
Options and arguments
By default setgroup-swap does not have any options.
The only arguments that are required is the ClearCase command you wish to run.
Instructions
1. Ensure ClearCase 7.0 is installed
2. Ensure the setgroup-swap executable is owned by root and the setuid bit is set to root.
3. Ensure the setgroup-swap executable is in the path for the shell.
Note: Use the appropriate shell syntax for your environment to set the PATH variable.
4. Set the CLEARCASE_GROUPS variable to define which of the 16 groups you want to use with ClearCase.
Note: Use the appropriate shell syntax for your environment and set the CLEARCASE_GROUPS variable as a colon-separated list.
5. Run the setgroup-swap before the ClearCase command.
Example
% cleartool -ver
ClearCase version 7.0.0 (Fri May 05 12:38:05 EDT 2006)
7.0.0.0-RATL-RCC-IFIX01 (Thu Jun 29 23:33:44 EDT 2006)
@(#) MVFS version 7.0.0.0-IFIX01 (Tue May 16 00:02:04 2006)
cleartool 7.0.0.0 (Fri Apr 21 00:16:51 EDT 2006)
db_server 7.0.0.0 (Fri Apr 21 00:15:07 EDT 2006)
VOB database schema version: 54
% pwd
/opt/rational/clearcase/sun5/etc/utils
% ls -al setgroup-swap
-r-xr-xr-x 1 root other 7676 Dec 2 2005 setgroup-swap
% chmod 4555 setgroup-swap
% ls -al setgroup-swap
-r-sr-xr-x 1 root other 7676 Dec 2 2005 setgroup-swap
% PATH=$PATH:/opt/rational/clearcase/
export PATH
% CLEARCASE_GROUPS="group1:group2:group3:group4:group5:group6:^
group7:group8:group9:group10:group11:group12:group13:^
group14:group15:group16";
export CLEARCASE_GROUPS
% setgroup-swap
usage: ./setgroup-swap
CLEARCASE_GROUPS EV to reorganize groups)
% setgroup-swap cleartool mkview -tag testview -host testhost^
-gpath /net/homes/testuser/testview.vws -hpath^
/net/homes/testuser/testview.vws ^
/net/homes/testuser/testview.vws
No comments:
Post a Comment