NetApp Knowledge Base

AUTH_SYS Extended Groups changes for NFS authentication for ONTAP 9

Category:
ontap-9
Specialty:
nfs
Applies to

ONTAP 9

Description

  • AUTH_SYS (also called AUTH_UNIX) provides a UID, a GID, and a list of up to 16 supplemental GIDs to an NFS server.
    • By default, these IDs are not validated; ONTAP trusts them exactly as the client sent them.
  • To let NFS users belong to more than 16 groups, enable Extended Groups support on the NFS server (`vserver nfs modify -auth-sys-extended-groups enabled`, with `-extended-groups-limit` setting the maximum number of groups). This replaces the client-supplied group list with one built by validating the ID against an appropriate name service.
  • The validation does the following:
    • Obtains the UID from the NFS call
    • Preserves the GID from the call for SetGID compatibility
    • Queries the name services, such as LDAP, NIS, or the SVM's local files, for the UID and its group memberships (which sources are consulted, and in what order, is determined by the ns-switch configuration)
  • Group memberships that exist only locally on the NFS client (for example, in its /etc/group) and not in a name service are invisible to ONTAP, so it cannot grant access based on them unless the user and group are also defined in a name service the SVM consults, such as the SVM's local UNIX users and groups.
  • If the query returns no result for the UID, a credential for that user cannot be built.
    • With no credential in ONTAP's cache, access is denied.
  • If the effective group count is capped below 1024 even though the extended groups limit is set to 1024, check the LDAP client schema (`vserver services name-service ldap client schema show -instance`) for the setting described as:
    • "Maximum groups supported when RFC 2307bis enabled"
  • This setting defaults to 256, which stops the SVM from looking up a user's groups in LDAP beyond that number; raise it to match the extended groups limit.
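The following Python model, added here as an illustration and not ONTAP's own code, ties the points above together: it encodes and decodes an AUTH_UNIX credential as defined in RFC 5531 (showing the hard limit of 16 supplemental GIDs on the wire), then builds the server-side credential both in the default trusting mode and in extended-groups mode, where the group list is rebuilt from a constructed name-service table, an unknown UID yields no credential (denied), and the lookup is capped by a `schema_max_groups` value standing in for the LDAP schema's "Maximum groups supported when RFC 2307bis enabled" setting. The `NAME_SERVICE` table, the UIDs, the host name and the default limits used are assumptions for the example.

```python
"""AUTH_SYS (AUTH_UNIX) credential handling as described above: the client
ships a UID, a GID and at most 16 supplemental GIDs; with extended groups
enabled the server keeps the UID (and the GID, for SetGID) and rebuilds the
group list from a name service, denying access when the UID is unknown there.
Illustrative model only, not ONTAP code."""
import struct

MAX_AUTH_SYS_GIDS = 16  # RFC 5531 section 9.2: unsigned int gids<16>


def _xdr_string(s: bytes) -> bytes:
    """XDR variable-length string: u32 length, bytes, zero padding to 4."""
    return struct.pack(">I", len(s)) + s + b"\x00" * ((-len(s)) % 4)


def encode_auth_unix(stamp, machinename, uid, gid, gids):
    """XDR-encode the body of an AUTH_UNIX opaque_auth (what the client sends)."""
    if len(gids) > MAX_AUTH_SYS_GIDS:
        raise ValueError(f"AUTH_SYS carries at most {MAX_AUTH_SYS_GIDS} supplemental GIDs")
    body = struct.pack(">I", stamp) + _xdr_string(machinename.encode())
    body += struct.pack(">II", uid, gid)
    body += struct.pack(">I", len(gids)) + b"".join(struct.pack(">I", g) for g in gids)
    return body


def decode_auth_unix(body):
    """Parse an AUTH_UNIX body back into its fields (what the server sees)."""
    stamp, n = struct.unpack_from(">II", body, 0)
    off = 8
    machinename = body[off:off + n].decode()
    off += n + ((-n) % 4)
    uid, gid, count = struct.unpack_from(">III", body, off)
    off += 12
    if count > MAX_AUTH_SYS_GIDS:
        raise ValueError("malformed AUTH_UNIX credential: more than 16 gids")
    gids = list(struct.unpack_from(f">{count}I", body, off))
    return {"stamp": stamp, "machinename": machinename,
            "uid": uid, "gid": gid, "gids": gids}


# Constructed name-service data standing in for LDAP/NIS/SVM local files
# (what ns-switch would resolve to). Client-local groups are not in here.
NAME_SERVICE = {
    1001: {"name": "alice", "gids": list(range(100, 400))},  # 300 groups
    1002: {"name": "bob", "gids": [100]},
}


def lookup_groups(uid, name_service, schema_max_groups=256):
    """Query the name service for a UID's group memberships.
    schema_max_groups models the LDAP client schema's "Maximum groups
    supported when RFC 2307bis enabled" (default 256): the lookup never
    returns more groups than that, whatever the NFS server's limit is."""
    entry = name_service.get(uid)
    if entry is None:
        return None
    return entry["gids"][:schema_max_groups]


def build_credential(body, name_service, extended_groups=False,
                     extended_groups_limit=1024, schema_max_groups=256):
    """Return the credential the server acts on, or None for 'access denied'."""
    call = decode_auth_unix(body)
    if not extended_groups:
        # Default behaviour: the IDs in the call are trusted as sent.
        return {"uid": call["uid"], "gid": call["gid"],
                "gids": call["gids"], "source": "client"}
    groups = lookup_groups(call["uid"], name_service, schema_max_groups)
    if groups is None:
        return None  # no credential can be built -> access denied
    return {"uid": call["uid"], "gid": call["gid"],  # GID preserved for SetGID
            "gids": groups[:extended_groups_limit], "source": "name-service"}


if __name__ == "__main__":
    alice = encode_auth_unix(1, "nfsclient1", 1001, 100, list(range(100, 116)))
    print(len(build_credential(alice, NAME_SERVICE)["gids"]))            # 16, from client
    print(len(build_credential(alice, NAME_SERVICE, True)["gids"]))      # 256, schema cap
    print(len(build_credential(alice, NAME_SERVICE, True,
                               schema_max_groups=1024)["gids"]))         # 300
    denied = encode_auth_unix(2, "nfsclient1", 5000, 5000, [5000])
    print(build_credential(denied, NAME_SERVICE, True))                  # None
```

The two failure modes on the page fall out directly: a UID absent from `NAME_SERVICE` (a user that exists only on the client) gets `None`, and a user with 300 LDAP groups is cut to 256 until `schema_max_groups` is raised alongside `extended_groups_limit`. Note also that the client-side `ValueError` on more than 16 GIDs is exactly why extended groups must be rebuilt server-side rather than carried in the call.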