NetApp Knowledge Base

AUTH_SYS Extended Groups changes for NFS authentication for ONTAP 9

Views:
4,481
Visibility:
Public
Votes:
3
Category:
ontap-9
Specialty:
nfs
Applies to

ONTAP 9

Description

  • AUTH_SYS (also called AUTH_UNIX) sends a UID, a primary GID, and a list of up to 16 supplemental GIDs with every NFS request.
    • By default, ONTAP does not validate these IDs; they are taken exactly as the client asserts them. Nothing cryptographic backs them, so anyone with root on a client can present any UID or GID. Kerberos (krb5, krb5i, krb5p) is the only AUTH flavor that authenticates the identity.
  • To allow NFS users to belong to more than 16 groups, enable Extended Groups on the NFS server: vserver nfs modify -vserver <svm> -auth-sys-extended-groups enabled -extended-groups-limit <n> (default 32, maximum 1024). This adds ID validation against the appropriate Name Service.
  • With Extended Groups enabled, the validation does the following:
    • Takes the UID from the NFS call (the UID itself is still client-asserted; only the group list is replaced).
    • Preserves the GID from the call rather than substituting the name-service primary group, so setgid directories keep working.
    • Queries the name services (LDAP, NIS, or the SVM's local files) for the user that owns the UID and for that user's group memberships. Which sources are consulted, and in what order, is determined by the SVM's ns-switch configuration for the passwd and group databases (vserver services name-service ns-switch show).
    • Uses the group list returned by the name service in place of the GIDs sent by the client.
  • Group memberships that exist only on the NFS client (for example in its local /etc/group) and not in the name service are not honored; ONTAP only grants access on them if the user and group are also defined locally on the SVM (vserver services name-service unix-user / unix-group).
  • If the query returns nothing for the UID, ONTAP cannot build a credential for that user.
    • With no credential in ONTAP's cache, access is denied.
  • If group lookups stop well below 1024 even though -extended-groups-limit is set to 1024, check the LDAP client schema (vserver services name-service ldap client schema show -vserver <svm> -schema <schema>) for this field:
    • "Maximum groups supported when RFC 2307bis enabled"
  • This schema setting defaults to 256 and caps how many groups the Vserver retrieves from LDAP, regardless of the NFS server's limit. The built-in schemas are read-only, so copy one (vserver services name-service ldap client schema copy) and raise the value on the copy before pointing the LDAP client at it.
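The following Python is an added example, not NetApp or ONTAP code. It models the two credential paths described above: the default path, where the RPC AUTH_SYS credential (UID, GID and at most 16 supplemental GIDs, as XDR-encoded per RFC 5531) is trusted as sent, and the Extended Groups path, where the UID from the call is looked up in the name services in ns-switch order, the GID from the call is preserved, and the group list comes from the name service, capped by the extended-groups limit and by the LDAP schema's 256-group default. The user/group tables, the user names and the helper names are constructed for illustration and are not a real directory.

```python
"""Model of AUTH_SYS credential handling with and without extended groups.
Added example: not NetApp code. Name-service data below is constructed."""
import struct
from dataclasses import dataclass

MAX_AUTH_SYS_GIDS = 16   # RFC 5531 authsys_parms carries gids<16>: at most 16 supplemental gids
RFC2307BIS_GROUP_MAX = 256  # LDAP schema default "Maximum groups supported when RFC 2307bis enabled"


@dataclass
class AuthSysCred:
    stamp: int
    machinename: str
    uid: int
    gid: int
    gids: list


def encode_auth_sys(cred: AuthSysCred) -> bytes:
    """XDR-encode an authsys_parms body the way an NFS client sends it."""
    if len(cred.gids) > MAX_AUTH_SYS_GIDS:
        raise ValueError("AUTH_SYS allows at most 16 supplemental gids")
    name = cred.machinename.encode()
    pad = (-len(name)) % 4                       # XDR opaque/string data is padded to 4 bytes
    out = struct.pack(">II", cred.stamp, len(name)) + name + b"\x00" * pad
    out += struct.pack(">III", cred.uid, cred.gid, len(cred.gids))
    return out + b"".join(struct.pack(">I", g) for g in cred.gids)


def decode_auth_sys(buf: bytes) -> AuthSysCred:
    """Parse authsys_parms, refusing a gid count above the protocol maximum
    instead of trusting the client-supplied length field."""
    stamp, nlen = struct.unpack_from(">II", buf, 0)
    off = 8
    name = buf[off:off + nlen].decode()
    off += nlen + (-nlen) % 4
    uid, gid, ngids = struct.unpack_from(">III", buf, off)
    off += 12
    if ngids > MAX_AUTH_SYS_GIDS:
        raise ValueError(f"gids<16> violated: client sent {ngids} gids")
    gids = list(struct.unpack_from(f">{ngids}I", buf, off)) if ngids else []
    return AuthSysCred(stamp, name, uid, gid, gids)


# Constructed sample name-service data (hypothetical, not a real SVM or directory).
# "files": local SVM unix-user / unix-group entries. "ldap": a directory in which
# bob belongs to 600 groups, more than AUTH_SYS can carry and more than the schema default.
FILES_USERS = {1001: "alice"}
FILES_GROUPS = {"alice": [1001, 2001]}
LDAP_USERS = {1002: "bob"}
LDAP_GROUPS = {"bob": [1002] + list(range(3000, 3599))}
SOURCES = {"files": (FILES_USERS, FILES_GROUPS), "ldap": (LDAP_USERS, LDAP_GROUPS)}


def build_credential(cred: AuthSysCred, extended_groups: bool, ns_switch=("files", "ldap"),
                     extended_groups_limit: int = 32, ldap_group_max: int = RFC2307BIS_GROUP_MAX):
    """Return the (uid, gid, groups) the server would act on, or None when no
    credential can be built (which the article says results in access denied)."""
    if not extended_groups:
        # Default behaviour: every ID is taken as asserted by the client, unvalidated.
        return cred.uid, cred.gid, list(cred.gids)
    for source in ns_switch:                     # passwd/group lookup in ns-switch order
        users, groups = SOURCES[source]
        name = users.get(cred.uid)               # UID still comes from the call
        if name is None:
            continue
        members = groups.get(name, [])
        if source == "ldap":
            members = members[:ldap_group_max]   # schema cap: 256 by default, even at limit 1024
        members = members[:extended_groups_limit]
        return cred.uid, cred.gid, members       # GID from the call is preserved for setgid
    return None                                  # unknown UID: no credential, access denied


if __name__ == "__main__":
    bob = AuthSysCred(7, "client1", 1002, 1002, [9999] + list(range(3000, 3015)))
    wire = encode_auth_sys(bob)
    print("trusted as sent:", build_credential(decode_auth_sys(wire), False))
    print("extended, limit 1024, schema default:", len(build_credential(bob, True, extended_groups_limit=1024)[2]), "groups")
    print("extended, limit 1024, schema raised:", len(build_credential(bob, True, extended_groups_limit=1024, ldap_group_max=1024)[2]), "groups")
    print("unknown uid:", build_credential(AuthSysCred(7, "client1", 4242, 4242, []), True))
```

Group 9999, which exists only in the client's credential, disappears as soon as extended groups are on: that is the "group association local to the NFS client" case above. Raising `-extended-groups-limit` alone still yields 256 groups until the schema's RFC 2307bis maximum is raised as well.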
