nss.split.group.membership

This configuration parameter specifies whether to split up or truncate large groups when you use the getent group UNIX command to retrieve group information.

In operating environments that do not support large groups, commands that return group information could fail or return incomplete results when a group has a membership list exceeds the maximum size allowed. Typically, the maximum size allowed for groups is 1024 bytes, which is roughly equivalent to 125 users. If your environment contains large groups that exceed the 1024-byte limit, you can set this parameter to true to have those groups automatically split into multiple groups when they reach the maximum size.

When this parameter is set to true and you issue the getent group command without specifying a group name, large groups are split into sublists, and all sublists are returned. When this parameter is set to false, large groups are truncated, and only the truncated results of the group list (typically the first 1024 bytes) are returned.

Note:   This policy has no effect in Mac OS X environments.

Note:   This configuration parameter takes effect only when you do not specify a group name on the getent group command line. Because of the way in which group information is queried in NSS, group lists are always truncated (and not split) when you specify a group name on the getent group command line (for example, getent group group_name).

In most cases, you set this configuration parameter using group policy. You can, however, set it manually in the configuration file if you are not using group policy or want to temporarily override group policy.

The default value is true for Solaris, HPUX, and IRIX, but false for all other operating environments. For example:

nss.split.group.membership: true