Skip to main content
NetApp Knowledge Base

What is the Nblade Credential Cache?

Views:
6,392
Visibility:
Public
Votes:
10
Category:
ontap-9
Specialty:
NAS
Last Updated:

 

Applies to

ONTAP 9

Answer

What is the nblade credential cache?
  • NFS clients may need to generate a credential based on their UID to access resources in ONTAP when:
    • Accessing NTFS security style volumes
    • Using Extended Groups function for SYS/Unix authentication
      • allows NFS client to bypass the 16 group RPC limit
    • Being 'squashed' to the anonymous user
      • due to root squash or when using AUTH_NONE
  • This credential is stored in the nblade credential cache.
How is an nblade credential cache entry populated?
  • An nblade cache entry is populated when an NFS operation that requires a credential cache entry is executed against ONTAP and a cache entry for the requesting UID does not already exist.
    • To populate the entry, the nblade makes an RPC request for the primary group ID, auxiliary group IDs, and NT credentials (if applicable) to userspace.
    • The two userspace processes responsible for answering these RPC requests are the Security daemon (SECD) and the Management Gateway daemon (MGWD).
    • The time-to-live (TTL) set for the populated entry in the nblade credential cache is 24-hours.
  • SECD is mostly responsible for facilitating credential lookup requests from nblade.
    • Prior to 9.3, SECD would service these requests from its own caches which had 24-hour TTLs.
    • SECD is a unique process per node, this meant that before the nblade request could be serviced, the SECD process local to that node would need to populate its cache if an entry did not already exist.
    • After 9.3, Global Nameservice Caching functionality has been added to ONTAP.
      • The nblade will still make RPC calls out to userspace, however, SECD/MGWD will leverage a replicated cache to populate the response.
      • If one node populates the shared cache, another node can use that information without needing to do its own lookup.
      • This cache is replicated across all nodes and persists through reboot, reducing name-service strain after ONTAP startup.
When is the nblade credential cache refreshed?
  • The default time-to-live (TTL) for an entry in this cache is 24 hours in versions of ONTAP up to 9.9.  Starting with ONTAP 9.10.1 the default value is set to 1 hour.
    • Changes made to group membership for a user will not be reflected until this TTL has expired
    • The cache is reactive and does not occur until a client operation hits the cached, expired entry
How to view an nblade credential cache entry?
  • The nblade credential cache entry can be viewed in diagnostic mode.

WARNING

The solution requires Diagnostic-level recovery. The use of Diagnostic commands and recovery steps are potentially disruptive and should only be used when directed by NetApp personnel.

ONTAP 9.4 and later ::*> vserver nfs credentials show -node Node01 -vserver SVM01 -unix-user-name User01
ONTAP 9.3 and prior ::*> nblade credentials show -node Node01 -vserver SVM01 -unix-user-name User01

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.