What is the nblade credential cache?
- NFS clients may need to generate a credential based on their UID to access resources in ONTAP when:
- Accessing NTFS security style volumes
- Using Extended Groups function for SYS/Unix authentication
- allows NFS client to bypass the 16 group RPC limit
- Being 'squashed' to the anonymous user
- due to root squash or when using AUTH_NONE
- This credential is stored in the nblade credential cache.
How is an nblade credential cache entry populated?
- An nblade cache entry is populated when an NFS operation that requires a credential cache entry is executed against ONTAP and a cache entry for the requesting UID does not already exist.
- To populate the entry, the nblade makes an RPC request for the primary group ID, auxiliary group IDs, and NT credentials (if applicable) to userspace.
- The two userspace processes responsible for answering these RPC requests are the Security daemon (SECD) and the Management Gateway daemon (MGWD).
- The time-to-live (TTL) set for the populated entry in the nblade credential cache is 24-hours.
- SECD is mostly responsible for facilitating credential lookup requests from nblade.
- Prior to 9.3, SECD would service these requests from its own caches which had 24-hour TTLs.
- SECD is a unique process per node, this meant that before the nblade request could be serviced, the SECD process local to that node would need to populate its cache if an entry did not already exist.
- After 9.3, Global Nameservice Caching functionality has been added to ONTAP.
- The nblade will still make RPC calls out to userspace, however, SECD/MGWD will leverage a replicated cache to populate the response.
- If one node populates the shared cache, another node can use that information without needing to do its own lookup.
- This cache is replicated across all nodes and persists through reboot, reducing name-service strain after ONTAP startup.
When is the nblade credential cache refreshed?
- The default time-to-live (TTL) for an entry in this cache is 24 hours in versions of ONTAP up to 9.9. Starting with ONTAP 9.10.1 the default value is set to 1 hour.
- Changes made to group membership for a user will not be reflected until this TTL has expired
- The cache is reactive and does not occur until a client operation hits the cached, expired entry
How to view an nblade credential cache entry?
- The nblade credential cache entry can be viewed in diagnostic mode.
The solution requires Diagnostic-level recovery. The use of Diagnostic commands and recovery steps are potentially disruptive and should only be used when directed by NetApp personnel.
|ONTAP 9.4 and later||
|ONTAP 9.3 and prior||
- How to flush NFS credential and name-service caches to update group membership
- name-services best practices in 9.2 and prior: TR-4379
- name-services best practices in 9.3 and later: TR-4668
- The new information is not reflected after changed the username or group membership on AD side
- How the NFS credential cache works