How come you can't use netgroups except with the access directive?
Because it is inefficient to do otherwise.
The access= directive only needs to be checked when an NFS client mounts a volume. The root= directive needs to be checked for each NFS transaction.
In fact, you can change the root= directive right out from under an NFS client. A client can go from having root access to not having it without a remount. Also note that once an NFS client has a mount, you cannot take that mount away by simply removing the client from a netgroup because the netgroup is never checked again. You also have to umount on the NFS client.
Checking a netgroup can be time-consuming because a netgroup may consist of nested netgroups, etc. You can speed things up with a NIS server, but you really don't want your NFS server doing a NIS lookup for each NFS transaction.
Basically, the root= list is limited to a rather short list of hostnames, which can be converted to a short list of IP addresses, so that the NFS server can quickly check root= access for each NFS transaction.
If you need to give root access to a large number of NFS clients, look into the anon=0 attribute, which gives root access to all NFS clients.
I believe that Solaris NFS servers now accept netgroups in all attributes. To make this efficient, they cache netgroup information to avoid looking it up repeatedly.
Steve Losen scl@virginia.edu phone: 434-924-0640
University of Virginia ITC Unix Support
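
The revocation behaviour described in the message above, as an added toy model that is not part of the original post and is not any NFS server's code or configuration syntax. The class, the hostnames, the netgroup contents and the 192.0.2.x addresses are constructed, and mapping a non-root= client's uid 0 to an anonymous user is the usual NFS behaviour assumed here.

```python
class ExportModel:
    """Toy model of one export; not a real NFS server or its config syntax."""
    def __init__(self, netgroups, access, root_hosts, dns):
        self.netgroups = netgroups  # group -> members; "@name" nests a group
        self.access = access        # netgroup named in access=
        self.dns = dns              # hostname -> IP (constructed sample data)
        self.mounted = set()        # IPs of clients that hold a mount
        self.lookups = 0            # netgroup expansions performed so far
        self.set_root(root_hosts)

    def set_root(self, hosts):
        self.root_ips = {self.dns[h] for h in hosts}  # short list, resolved once

    def _members(self, group, seen):
        # Recursive expansion of nested netgroups: the expensive lookup.
        if group in seen:
            return set()
        seen.add(group)
        self.lookups += 1
        hosts = set()
        for m in self.netgroups.get(group, []):
            hosts |= self._members(m[1:], seen) if m.startswith("@") else {m}
        return hosts

    def mount(self, host):
        # access= is evaluated here and nowhere else.
        ok = host in self._members(self.access, set())
        if ok:
            self.mounted.add(self.dns[host])
        return ok

    def request(self, ip, uid):
        # Per-transaction path: set membership only, no netgroup lookup.
        if ip not in self.mounted:
            return "denied"
        if uid == 0:
            return "root" if ip in self.root_ips else "anon"
        return "user"

def demo():
    m = ExportModel({"clients": ["@lab"], "lab": ["hosta", "hostb"]}, "clients",
                    ["hosta"], {"hosta": "192.0.2.1", "hostb": "192.0.2.2"})
    out = [m.mount("hosta"), m.request("192.0.2.1", 0)]
    m.set_root([])                          # root= edited under the client
    out.append(m.request("192.0.2.1", 0))   # root lost without a remount
    m.netgroups["lab"].remove("hosta")      # removed from the netgroup
    out.append(m.request("192.0.2.1", 1000))  # existing mount still served
    out.append(m.mount("hosta"))            # only a new mount is refused
    return out + [m.lookups]
```

The lookup counter only moves during the two mount attempts, so the per-request path never pays for netgroup expansion, and the client dropped from the netgroup keeps being served until it unmounts.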