NetApp Knowledgebase

How does AUTH_SYS Extended Groups change NFS authentication?

Applies to

  • ONTAP 9
  • Data ONTAP 8
  • Data ONTAP operating in 7-mode
  • NFS

Answer

  • AUTH_SYS provides a UID, a GID, and a list of up to 16 supplemental groups to an NFS server. By default, these IDs are not validated and are trusted as legitimate. To allow NFS users to belong to more than 16 groups, enabling support for Extended Groups introduces ID validation via an appropriate name service.
  • The validation does the following:
    • Obtains the UID from the NFS call
    • Preserves the GID for SetGID compatibility
    • Queries name services, such as LDAP or NIS, for the UID and its group membership
  • If the query produces no results, a credential for that user cannot be built.
    • With no credential in ONTAP's cache, access is denied.
  • If the user has group associations that are local to the NFS client and not in name services, ONTAP cannot grant access based on them.
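
The following added example (a simplified model, not NetApp or ONTAP code) encodes an AUTH_SYS credential body in the RFC 5531 `authsys_parms` XDR layout and builds a server-side credential both ways described above. The function names, the dictionary standing in for an LDAP/NIS lookup, and all UID/GID values are assumptions constructed for illustration.

```python
import struct

MAX_AUTH_SYS_GIDS = 16  # AUTH_SYS limit on supplemental groups in one call

def pack_auth_sys(stamp, machine, uid, gid, gids):
    """XDR-encode an AUTH_SYS credential body (authsys_parms)."""
    if len(gids) > MAX_AUTH_SYS_GIDS:
        raise ValueError("AUTH_SYS carries at most 16 supplemental groups")
    name = machine.encode()
    pad = (-len(name)) % 4                    # XDR strings are padded to 4 bytes
    return (struct.pack(">II", stamp, len(name)) + name + b"\0" * pad
            + struct.pack(">III", uid, gid, len(gids))
            + struct.pack(">%dI" % len(gids), *gids))

def parse_auth_sys(body):
    """Decode authsys_parms into (uid, gid, supplemental gids)."""
    _stamp, nlen = struct.unpack_from(">II", body, 0)
    off = 8 + nlen + (-nlen) % 4              # skip stamp, length, padded name
    uid, gid, count = struct.unpack_from(">III", body, off)
    if count > MAX_AUTH_SYS_GIDS:
        raise ValueError("malformed credential: more than 16 groups")
    gids = struct.unpack_from(">%dI" % count, body, off + 12)
    return uid, gid, list(gids)

def build_credential(body, name_service, extended_groups):
    """Return (uid, gid, groups), or None when no credential can be built."""
    uid, gid, wire_gids = parse_auth_sys(body)
    if not extended_groups:
        return uid, gid, set(wire_gids)       # default: client-supplied IDs trusted
    groups = name_service.get(uid)            # stands in for an LDAP/NIS query by UID
    if groups is None:
        return None                           # no result: no credential, access denied
    return uid, gid, set(groups)              # gid kept from the call, wire gids ignored

# Constructed name-service data: uid -> group memberships (20 groups, over the wire limit)
NAME_SERVICE = {1001: list(range(5000, 5020))}

if __name__ == "__main__":
    # gid 7777 exists only on the client, not in the name service
    call = pack_auth_sys(0, "client1", 1001, 100, [5000, 7777])
    print("default :", build_credential(call, NAME_SERVICE, False))
    print("extended:", build_credential(call, NAME_SERVICE, True))
    unknown = pack_auth_sys(0, "client1", 2002, 100, [5000])
    print("unknown :", build_credential(unknown, NAME_SERVICE, True))
```
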