Guys,
As of 5.3.7R1, the local /etc/netgroup file is cached. We had a big bottleneck that was eliminated in this release. When you have a netgroup file that's almost 750K and the filer had to parse it for each mount, CPU hit 100% in no time.
This doesn't help caching the NIS netgroups, but it's a start. Still can't export rw or root to netgroups. :(
The NIS netgroup map is actually very nice, because there is a "netgroup.byhost" map that the filer consults. This map is keyed by hostname (actually "hostname.*"). The data in the entry is all the netgroups that the host belongs to. Try it sometime if you use NIS netgroups.
ypmatch foo.com.* netgroup.byhost
So when NFS client "foo.com" tries to mount, the filer does a NIS lookup in netgroup.byhost for "foo.com.*" and gets back a list of netgroups that the host is a member of. If any of these netgroups is listed in the access= list, then the mount is allowed. If the NIS lookup fails, then the filer immediately knows that the host is not a member of any netgroup. Only one NIS lookup is required.
If you did it the other way around, you would have to look up each netgroup listed in the access= list and search for the host. Furthermore, a netgroup can contain a netgroup, so the search is recursive.
Steve Losen scl@virginia.edu phone: 434-924-0640
University of Virginia ITC Unix Support
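
The reverse lookup described in the reply above, as an added example that is not part of the original thread or of the filer's code: it builds a "host.*"-keyed map from a constructed netgroup file, expanding nested netgroups once at build time, so the mount check is a single lookup that denies on a miss. The group names, hosts and function names are assumptions, and triples with an empty host field (wildcards) are skipped for simplicity.

```python
import re
# Constructed sample in /etc/netgroup syntax: a group name followed by
# (host,user,domain) triples and/or the names of nested netgroups.
SAMPLE_NETGROUP = """\
labhosts   (foo.com,,) (bar.com,,)
adminhosts (adm.com,,)
trusted    labhosts adminhosts
loop_a     loop_b (baz.com,,)
loop_b     loop_a
"""
TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

def parse_netgroup(text):
    """Return {group: (set_of_hosts, set_of_nested_group_names)}."""
    groups = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        body = parts[1] if len(parts) > 1 else ""
        hosts = {m.group(1).strip() for m in TRIPLE.finditer(body) if m.group(1).strip()}
        groups[parts[0]] = (hosts, set(TRIPLE.sub(" ", body).split()))
    return groups

def expand(groups, name, seen=None):
    """All hosts in a group, following nested groups; 'seen' stops cycles."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    hosts, nested = groups[name]
    result = set(hosts)
    for child in nested:
        result |= expand(groups, child, seen)
    return result

def build_byhost(groups):
    """Reverse map: 'host.*' -> every netgroup that contains the host."""
    byhost = {}
    for name in groups:
        for host in expand(groups, name):
            byhost.setdefault(host + ".*", set()).add(name)
    return byhost

def mount_allowed(byhost, client, access_list):
    """One lookup; a miss means the host is in no netgroup, so deny."""
    return bool(byhost.get(client + ".*", set()) & set(access_list))
BYHOST = build_byhost(parse_netgroup(SAMPLE_NETGROUP))
```
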