After enabling the NFS option auth-sys-extended-groups, NFS access from the client is denied with the error:

secd.authsys.lookup.failed:error: Unable to retrieve credentials for UNIX user with UID (x) on Vserver (SVM) for client with IP address (y).

The corresponding NFS call and reply:

816053 NFS 124 16 V3 ACCESS Call (Reply In 816054), FH: 0x552b00cd, [Check: RD LU MD XT DL]
816054 NFS 24 16 V3 ACCESS Reply (Call In 816053) RPC Auth Error: (client must begin new session)
To allow NFS users to belong to more than 16 groups, the option that enables support for Extended Groups introduces ID validation via an appropriate name service. If the user has group associations that are local to the NFS client and not in name services, ONTAP cannot grant access based on them unless the user and group are appropriately defined locally on the SVM. The default for this setting is approximately 256, and can stop the Vserver from looking up all the groups in LDAP.
AUTH_SYS extended groups is enabled and correctly configured. A Unix user with more groups than the configured limit of extended groups fails to access data. Alternatively, a Windows user maps to a Unix user with more than the configured limit of extended groups and fails to access data. On macOS, the error observed is "There was a problem connecting to the server". Access works for other users belonging to fewer groups. A packet trace shows STATUS_UNSUCCESSFUL on the tree connect for CIFS access.
While Data ONTAP operating in 7-Mode internally supports a default of 32 groups in Unix credentials, there is a well-known limitation on the number of groups that can be present in an RPC request that uses the AUTH_SYS authentication flavour. The specification limits the maximum number of groups that can be present in this header to 16. Because of that, an NFS client that uses AUTH_SYS authentication will truncate the list of groups sent in each request to 16.
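
The 16-group truncation described above, as an added example (not NetApp code and not part of the original article): it encodes and parses an AUTH_SYS credential body using the authsys_parms layout from RFC 5531 and reports which group memberships never reach the server. The UID, GIDs and machine name are constructed sample values.

```python
import struct

AUTH_SYS_MAX_GIDS = 16  # RFC 5531 authsys_parms: "unsigned int gids<16>"

def _xdr_string(data: bytes) -> bytes:
    """XDR string: 4-byte length, the bytes, zero padding to a 4-byte boundary."""
    return struct.pack(">I", len(data)) + data + b"\x00" * (-len(data) % 4)

def encode_authsys(stamp, machine, uid, gid, gids):
    """Build the credential body as a client does: gids past the 16th are dropped."""
    sent = list(gids)[:AUTH_SYS_MAX_GIDS]
    head = struct.pack(">I", stamp) + _xdr_string(machine.encode())
    return head + struct.pack(f">III{len(sent)}I", uid, gid, len(sent), *sent)

def decode_authsys(body: bytes) -> dict:
    """Parse a credential body; refuse a gid count above the protocol limit."""
    stamp, name_len = struct.unpack_from(">II", body, 0)
    machine = body[8:8 + name_len].decode()
    off = 8 + name_len + (-name_len % 4)
    uid, gid, count = struct.unpack_from(">III", body, off)
    if count > AUTH_SYS_MAX_GIDS:
        raise ValueError(f"gid count {count} exceeds AUTH_SYS limit of 16")
    if len(body) != off + 12 + 4 * count:
        raise ValueError("credential length does not match gid count")
    gids = list(struct.unpack_from(f">{count}I", body, off + 12))
    return {"stamp": stamp, "machine": machine, "uid": uid, "gid": gid, "gids": gids}

def dropped_groups(real_gids, body):
    """Memberships the user holds that this credential never carries to the server."""
    on_wire = set(decode_authsys(body)["gids"])
    return [g for g in real_gids if g not in on_wire]

# Constructed sample: UID 1001 with 20 supplementary groups (2000..2019).
SAMPLE_GIDS = list(range(2000, 2020))
SAMPLE_BODY = encode_authsys(0, "nfsclient", 1001, 100, SAMPLE_GIDS)

if __name__ == "__main__":
    cred = decode_authsys(SAMPLE_BODY)
    print("gids on the wire:", len(cred["gids"]))
    print("not sent:", dropped_groups(SAMPLE_GIDS, SAMPLE_BODY))
```

A server that authorizes only from the wire credential never sees the dropped memberships, so access granted through the 17th and later groups fails even though the user's directory entry is correct.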