NetApp Knowledge Base

AUTH_SYS Extended Groups changes for NFS authentication for ONTAP 9

Category: ontap-9
Specialty: nas

Applies to

  • ONTAP 9
  • UNIX
  • NFS

Description

  • A client using AUTH_SYS sends the NFS server a UID, a primary GID, and a list of up to 16 supplemental group IDs (the gids<16> array of the RFC 5531 AUTH_SYS credential)
    • By default, ONTAP does not validate these IDs; they are trusted exactly as the client presents them, so the client decides which groups it claims to belong to
  • To allow NFS users to belong to more than 16 groups, the Extended Groups option (vserver nfs modify -auth-sys-extended-groups enabled, with -extended-groups-limit setting the maximum, up to 1024) replaces the client-supplied group list with ID validation against the appropriate name service
  • The validation does the following:
    • Obtain the UID from the NFS call
    • Preserve the GID sent in the call, so that setgid semantics keep working
    • Query the name services (LDAP, NIS, or the SVM's local UNIX users and groups, in the order given by the ns-switch configuration) for that UID and for the groups it belongs to
  • If a user's group membership exists only locally on the NFS client (for example in the client's /etc/group) and not in the name services, ONTAP cannot grant access based on those groups unless the user and group are also appropriately defined locally on the SVM

WARNING

  • If the name-service query for the UID returns no result, no credential can be built for that user, and with no credential in ONTAP's cache the request is denied, even if the IDs the client supplied would have matched
  • If fewer groups than expected are resolved after the extended-groups limit has been set to 1024, check that the LDAP client schema setting "Maximum groups supported when RFC 2307bis" is enabled and set high enough
    • The default for that schema setting is approximately 256, which can stop the Vserver from looking up all of a user's groups in LDAP regardless of the extended-groups limit
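As an added illustration of the credential-building steps in the Description and the denial and group-limit cases in the WARNING above (example code written for this article, not ONTAP's implementation), the following Python encodes an AUTH_SYS credential as an NFS client puts it on the wire and contrasts trusting it as-is with validating it against a name service. The XDR layout follows RFC 5531; the NameService class, the UIDs, the group numbers, and the truncate-at-limit behaviour are constructed assumptions for the example. On a real SVM the switch is vserver nfs modify -auth-sys-extended-groups enabled together with -extended-groups-limit.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# RFC 5531 AUTH_SYS credential body:
#   unsigned int stamp; string machinename<255>; unsigned int uid;
#   unsigned int gid; unsigned int gids<16>;
MAX_AUTH_SYS_GIDS = 16


def encode_auth_sys(stamp: int, machinename: str, uid: int, gid: int, gids: List[int]) -> bytes:
    """XDR-encode an AUTH_SYS credential the way an NFS client sends it."""
    if len(gids) > MAX_AUTH_SYS_GIDS:
        raise ValueError("AUTH_SYS can carry at most 16 supplemental groups")
    name = machinename.encode()
    pad = (-len(name)) % 4                        # XDR strings are padded to 4 bytes
    out = struct.pack(">I", stamp)
    out += struct.pack(">I", len(name)) + name + b"\0" * pad
    out += struct.pack(">II", uid, gid)
    out += struct.pack(">I", len(gids)) + b"".join(struct.pack(">I", g) for g in gids)
    return out


def decode_auth_sys(buf: bytes):
    """Decode the XDR body; returns (stamp, machinename, uid, gid, gids)."""
    off = 0
    stamp, = struct.unpack_from(">I", buf, off); off += 4
    n, = struct.unpack_from(">I", buf, off); off += 4
    name = buf[off:off + n].decode(); off += n + (-n) % 4
    uid, gid = struct.unpack_from(">II", buf, off); off += 8
    count, = struct.unpack_from(">I", buf, off); off += 4
    if count > MAX_AUTH_SYS_GIDS:
        raise ValueError("malformed AUTH_SYS credential: more than 16 gids")
    gids = [struct.unpack_from(">I", buf, off + 4 * i)[0] for i in range(count)]
    return stamp, name, uid, gid, gids


class NameService:
    """Constructed stand-in for the SVM's ns-switch sources (LDAP, NIS, local files)."""

    def __init__(self, passwd, groups):
        self.passwd = passwd    # uid -> username
        self.groups = groups    # username -> gids the directory says the user belongs to

    def getpwuid(self, uid: int) -> Optional[str]:
        return self.passwd.get(uid)

    def getgrouplist(self, username: str) -> List[int]:
        return list(self.groups.get(username, []))


@dataclass
class Credential:
    uid: int
    gid: int
    groups: List[int]


def build_credential(cred_bytes: bytes, ns: NameService, extended_groups: bool,
                     limit: int = 32) -> Optional[Credential]:
    """Model of the two behaviours this article describes.

    extended_groups=False: client-supplied IDs are trusted as-is.
    extended_groups=True:  the UID comes from the call, the call's GID is kept
    (setgid compatibility), the group list comes from the name service, and a
    failed lookup yields no credential, so access is denied."""
    _, _, uid, gid, gids = decode_auth_sys(cred_bytes)
    if not extended_groups:
        return Credential(uid, gid, gids)
    username = ns.getpwuid(uid)
    if username is None:
        return None                                # no credential can be built
    # Assumed: groups beyond the extended-groups limit are simply not part of the credential
    groups = ns.getgrouplist(username)[:limit]
    return Credential(uid, gid, groups)


def can_access(cred: Optional[Credential], required_gid: int) -> bool:
    """Group-based access check for an object whose group is required_gid."""
    if cred is None:
        return False
    return cred.gid == required_gid or required_gid in cred.groups


# Constructed directory: alice (uid 1001) is in 41 groups, more than AUTH_SYS can carry.
NS = NameService(passwd={1001: "alice"},
                 groups={"alice": [1001] + list(range(2000, 2040))})

# Constructed credentials: one forged to claim gid 3000, which the directory does not
# grant alice, and one for uid 5555, which no name service knows.
FORGED = encode_auth_sys(0, "client1", 1001, 1001, [1001, 3000])
UNKNOWN = encode_auth_sys(0, "client1", 5555, 5555, [])

if __name__ == "__main__":
    print("default, forged gid 3000      ->", can_access(build_credential(FORGED, NS, False), 3000))
    print("extended, forged gid 3000     ->", can_access(build_credential(FORGED, NS, True), 3000))
    print("extended, group 2039, limit 1024 ->",
          can_access(build_credential(FORGED, NS, True, limit=1024), 2039))
    print("extended, group 2039, limit 32   ->",
          can_access(build_credential(FORGED, NS, True, limit=32), 2039))
    print("extended, unknown uid         ->", build_credential(UNKNOWN, NS, True))
```

The forged credential shows why the default is a trust decision rather than authentication: any host that can reach the export can claim any UID and GIDs. With extended groups on, the same packet only yields the groups the directory grants the UID, the 41st group becomes reachable even though it never fit in the 16-slot array, a limit of 32 silently drops it (the analogue of the 256-group LDAP schema cap in the WARNING), and an unknown UID produces no credential at all.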

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.