1. We're not using this, but I went through *everything* about how it works not long ago.
2. There is one very big caveat if you want to start using it. It works just like the mountd --manage-gid feature in Linux NFS services, with one very important exception.
So WARNING: if you in any corner/nook/cranny of your NFS based environment depend on newgrp, i.e. changing the effective GID (primary group) of a process/shell or whatever to make things work, do not use this ONTAP feature.
It doesn't "merge" things together like happens in Linux when using --manage-gid, where the "primary" GID sent by the NFS client in the packets that come to the server is heeded and the rest is replaced by what's in NIS group. Instead it simply replaces everything (total ignore w.r.t. what was sent in the NFS command), all the GIDs, with what's in NIS group for that particular UID.
In our Enterprise SW/HW development environment this would wreak havoc so fast, my head would spin. So we have to live with the NFS protocol limitation of max 16 gids, as good as we can. It's not that easy, the environment is big... really big. So the amount of bad-will from end users this has caused over the last 15 years you can imagine.
/M
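The difference /M describes (Linux --manage-gid keeps the effective GID from the packet and fills in the rest from the name service; the ONTAP option discards the whole AUTH_SYS credential) can be modelled in a few lines. This is an added illustration, not code from the thread, ONTAP or Linux nfs-utils; the name-service table, UIDs and GIDs are constructed, and the functions are simplified models of the two behaviours, used to show why a `newgrp` is lost under the replace-everything variant.

```python
"""Model of how a server fills in a caller's group list from an AUTH_SYS
credential when the user belongs to more groups than the 16-GID wire limit.
Constructed example; the lookup table and GIDs are made up for illustration."""
from dataclasses import dataclass

AUTH_SYS_MAX_GIDS = 16  # RPC AUTH_SYS (AUTH_UNIX) carries at most 16 supplementary GIDs

@dataclass
class AuthSysCred:
    uid: int
    gid: int          # effective (primary) GID as set by the shell or by newgrp
    gids: list        # supplementary GIDs, truncated to 16 by the client

# Constructed name-service view (what NIS/AD/LDAP would answer), keyed by uid.
NAME_SERVICE = {
    1001: {"primary": 100, "groups": list(range(100, 118))},  # member of 18 groups
}

def client_credential(uid, effective_gid, all_gids):
    """What an NFS client puts on the wire: effective GID plus at most 16 others."""
    supp = [g for g in all_gids if g != effective_gid][:AUTH_SYS_MAX_GIDS]
    return AuthSysCred(uid, effective_gid, supp)

def linux_manage_gids(cred, ns=NAME_SERVICE):
    """mountd --manage-gid style: keep the GID from the packet, replace the rest."""
    entry = ns.get(cred.uid)
    if entry is None:            # unknown uid: fall back to what the client sent
        return cred.gid, cred.gids
    return cred.gid, [g for g in entry["groups"] if g != cred.gid]

def ontap_extended_groups(cred, ns=NAME_SERVICE):
    """Replace-everything behaviour as described in the thread: the packet's
    GIDs, primary included, are ignored in favour of the name-service entry."""
    entry = ns.get(cred.uid)
    if entry is None:
        return cred.gid, cred.gids
    primary = entry["primary"]
    return primary, [g for g in entry["groups"] if g != primary]

def newgrp_survives(resolver, uid=1001, new_gid=117):
    """Does an effective GID chosen with `newgrp` reach the server's view?"""
    all_gids = NAME_SERVICE[uid]["groups"]
    cred = client_credential(uid, new_gid, all_gids)
    effective, _ = resolver(cred)
    return effective == new_gid

if __name__ == "__main__":
    print("manage-gid keeps newgrp:", newgrp_survives(linux_manage_gids))        # True
    print("replace-all keeps newgrp:", newgrp_survives(ontap_extended_groups))   # False
```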
Randy Rue wrote:
Is anyone using this feature to allow access to NFS for users who are members of more than 16 groups? What setup was required?
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Rue, Randy
Sent: Wednesday, April 02, 2014 6:51 AM
To: toasters@teaparty.net
Subject: RE: nfs.authsys.extended_groups_ns.enable?
Hello Again All,
Phase 2 of this puzzle is making this new setting work.
I’ve mounted a test volume on the 8.2 simulator to our HPC cluster and am su’d to an account that is a member of 17 groups. “id” shows me all seventeen groups. “ls -l” shows me directories that the user’s individual group owns, and directories owned by groups he’s a member of, and all with the appropriate permissions. But he’s unable to cd into any of them, or to write anything to the pwd (which is owned by a group he’s a member of).
I used cifs setup to add the filer to our AD, and the fact that “id” gets all his groups suggests his AD account is resolving correctly on the client. Did I miss a step in setting up the filer?
Hope to hear from you,
Randy in Seattle
Trying to work around the 16 group limitation of NFS v3 on our 8.1 vfiler and finding references to a “hidden” option “nfs.authsys.extended_groups_ns.enable” that will effectively disable group lookups via auth_sys/RPC and instead look to the filer’s AD authentication for a user’s group memberships. This is similar in spirit to Isilon’s “mapuid” feature and “regular” NFS’s --manage-gid switch.
But I’ve tried in regular mode, priv set advanced and priv set diag, and I always get “No such option nfs.authsys.extended_groups_ns.enable” if I try to view or change the option.
Am I missing some step to make this hidden double-secret-probationary option available?
Randy