IBM Support

About maximum groups on UNIX and Linux for use with ClearCase

Question & Answer


Question

Are there limits to the number of groups a user can be a member of when using IBM Rational ClearCase on UNIX and Linux?

Cause

The maximum number of groups a user can belong to on UNIX or Linux is 16.

The 16 group limitation is not controlled by ClearCase, rather by the architecture from which the RFC (Request for Comments) for RPC (Remote Procedure Call) Standards Track originates.

The original RFC for RPC was RFC#1050 published in 1988 which had a limitation of 10 additional GID's:

9.2 UNIX Authentication

The caller of a remote procedure may wish to identify himself as he
is identified on a UNIX(tm) system. The value of the credential's
discriminant of an RPC call message is "AUTH_UNIX". The bytes of the
credential's opaque body encode the following structure:

struct auth_unix {
unsigned int stamp;
string machinename<255>;
unsigned int uid;
unsigned int gid;
unsigned int gids<10>;
};

This was updated and superseded by RFC#1831, published in 1995, which increased the number of additional GID's to 16.

APPENDIX A: SYSTEM AUTHENTICATION

The client may wish to identify itself, for example, as it is
identified on a UNIX(tm) system. The flavor of the client credential
is "AUTH_SYS". The opaque data constituting the credential encodes
the following structure:

struct authsys_parms {
unsigned int stamp;
string machinename<255>;
unsigned int uid;
unsigned int gid;
unsigned int gids<16>;
};

Since ClearCase uses RPCs within the code to communicate between processes, we are limited to only 16 groups for authentication. The AUTH_SYS authentication for RPC limits NFS v4 and below that utilize RPC AUTH_SYS for authentication to 16 groups as well.

APAR PK10876 has been submitted to address this behavior.

Answer


Note: The information in this technote applies to full ClearCase and not the ClearCase Web clients: The Web clients have a built-in user interface to manipulate the Primary User and Secondary Groups on the standalone and plugin versions of ClearCase Remote Client (CCRC).

This defect, APAR PK10876 has been resolved through use of a workaround in ClearCase 7.0.



WORKAROUND:

You will be required to use a wrapper utility to process any ClearCase commands when a user is a member of more than 16 groups.



DOCUMENTATION:

setgroup-swap

Allows users who are a member of more than 16 groups to use ClearCase commands.

Applicability

Product
Command type
ClearCaseexecutable
Platform
UNIX and Linux

Synopsis


Use ClearCase functionality when user membership exceeds 16 groups.


Description
Due to the RPC limitation imposed by UNIX and Linux, users who are members of more than 16 groups cannot properly process RPC calls for ClearCase use. To work around this issue, you can use the setgroup-swap utility (found in the /opt/rational/clearcase/etc/utils directory) to work in conjunction with the CLEARCASE_GROUPS variable to define an ordered list of groups for ClearCase to package and process RPC calls in accordance with RFC#1831 guidelines and restrictions.


Restrictions

    Identities

    You must have one of the following identities:

    • root (UNIX and Linux)
    Note: This identity is required to chmod the setgroup-swap utility to apply the setuid permission. After that, no special identities are required.

    Solaris-specific configuration

    Only Solaris 10 is supported with this tool. Solaris 10 patch 144500 (SPARC) or 144501 (x86), revision 7 or later, are required to support more than 16 groups. After installing this patch, set the ngroups_max variable in /etc/system to a value large enough to include all your users' groups. For example, if all your users are in 32 or fewer groups, set the value to 32:


      set ngroups_max = 32

    Once this value is set, reboot the system. After rebooting, log in as a user with more than 16 groups. Run the "/usr/bin/id -a" command to confirm that all the groups are active. Then proceed to the steps below.

Options and arguments

By default setgroup-swap does not have any options.
The only arguments that are required are the ClearCase command and arguments you wish to run.

Instructions

  1. Ensure the applicable version of ClearCase is installed.
  2. Ensure the setgroup-swap executable is owned by root and the setuid bit is set to root.
  3. Ensure the setgroup-swap executable is in the path for the shell.

    Note: Use the appropriate shell syntax for your environment to set the PATH variable.
  4. Set the CLEARCASE_GROUPS variable to define which of the 16 groups you want to use with ClearCase.

    Note: Use the appropriate shell syntax for your environment and set the CLEARCASE_GROUPS variable as a colon-separated list.
  5. Run the setgroup-swap before the ClearCase command.


Example

% cleartool -ver
ClearCase version 7.0.0 (Fri May 05 12:38:05 EDT 2006)
7.0.0.0-RATL-RCC-IFIX01 (Thu Jun 29 23:33:44 EDT 2006)
@(#) MVFS version 7.0.0.0-IFIX01 (Tue May 16 00:02:04 2006)
cleartool                         7.0.0.0 (Fri Apr 21 00:16:51 EDT 2006)
db_server                         7.0.0.0 (Fri Apr 21 00:15:07 EDT 2006)
VOB database schema version: 54

% pwd
/opt/rational/clearcase/<os>/etc/utils

% ls -al setgroup-swap
-r-xr-xr-x   1 root     other    7676 Dec  2  2005 setgroup-swap

% chmod 4555 setgroup-swap

% ls -al setgroup-swap
-r-sr-xr-x   1 root     other    7676 Dec  2  2005 setgroup-swap


% PATH=$PATH:/opt/rational/clearcase/<os>/etc/utils; export PATH

% CLEARCASE_GROUPS="group1:group2:group3:group4:group5:group6:\
group7:group8:group9:group10:group11:group12:group13:\
group14:group15:group16";\
export CLEARCASE_GROUPS



% setgroup-swap
usage: ./setgroup-swap <program-to-run> (set\
CLEARCASE_GROUPS EV to reorganize groups)


% setgroup-swap cleartool mkview -tag testview -host testhost \
-gpath /net/homes/testuser/testview.vws -hpath \
/net/homes/testuser/testview.vws \
/net/homes/testuser/testview.vws


Alternatively, found "problem" created group name in the view error and run "newgrp <problemgroup>" name. without above steps.

[{"Product":{"code":"SSSH27","label":"Rational ClearCase"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Operating System Configurations","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"}],"Version":"8.0;8.0.1;8.0.1.1;8.0.1.2;8.0.1.3;8.0.1.4;8.0.1.5;8.0.1.6","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
16 June 2018

UID

swg21207807