We are considering getting a NetApp Filer to become the major fileserver in our established cluster of Solaris 2.6 machines, with a user population of some 15,000 administered using NIS with shadow passwords for authentication.
We understand that filer can do NIS, and that it can use its own shadow password file, but can it use a Solaris/NIS/shadow combination? Network Appliance haven't yet been able to give us a definitive answer, nor a reference site we could contact.
On Mon, 10 May 1999, David Lee wrote:
We understand that filer can do NIS, and that it can use its own shadow password file, but can it use a Solaris/NIS/shadow combination? Network Appliance haven't yet been able to give us a definitive answer, nor a reference site we could contact.
Hmm. I guess I'm missing just what you are trying to do. We use netapps with Solaris 2.6 boxes, though just using a netgroup file for access. That will probably change to NIS if I ever get a round tuit. Are you trying to use an NIS shadow password file on the netapp itself? If so, to what end?
Jim Davis wrote:
On Mon, 10 May 1999, David Lee wrote:
We understand that filer can do NIS, and that it can use its own shadow password file, but can it use a Solaris/NIS/shadow combination? Network Appliance haven't yet been able to give us a definitive answer, nor a reference site we could contact.
Hmm. I guess I'm missing just what you are trying to do. We use netapps with Solaris 2.6 boxes, though just using a netgroup file for access. That will probably change to NIS if I ever get a round tuit.
You should probably test your NIS environment against the Netapp pretty thoroughly before you use NetApp NIS in production.
We had serious problems that I believe were all NIS related. Problems that all went away as soon as we disabled NIS and copied all our maps locally to the filers. During these NIS problems the filer would stop serving new NFS mounts and stop serving CIFS period. A reboot would (sometimes) result in a hung CIFS condition which required a halt -d. Sometimes a reboot wouldn't clear the problem(!?). In that case the cifsconfig file had to be moved aside, then reboot, then put it back, then reboot again - kind of a pain.
We found that the filer had serious problems whenever the ypserver went down - and it did not switch over to another ypserver correctly. If a network outage caused the ypserver that the filer was bound to to disappear for more than 5-10 minutes, the filer would never fully recover until rebooted. (Late in the game I found that turning the nis.enable option off and then back on again appeared to clear the problem - but I never fully tested this before I gave up on NIS.)
Also, we use netgroups extensively. We have a large netgroup file with many nested netgroups. I found that when the filer uses netgroups for authentication it uses "ypcat" to look at the netgroup file. If there is a nested netgroup it does another "ypcat" - on down the line. If you have netgroups that are nested 4 or 5 layers deep the filer ypcat's the entire file 4 or 5 times. Not good - on a loaded network the authentication time goes way up. Once we moved our netgroup file to local storage our mount time decreased significantly.
The impression I got from the escalation team is that a lot of code needs to be re-written in order to fix these problems. Also, I got the impression that it was only a problem when your NIS environment was fairly large (we have ~14000 passwords, ~15000 hosts, ~700 netgroups).
BTW, our problems were with DOT 5.1.2 (5.1.2P2 is the most stable OS we ran - but it still had problems); 5.2.1 was worse. I ran 5.2.1 for a total of 11 hours before reverting - the NIS problems were much worse. 5.1.2P2 with NIS off and files copied locally runs like a fine oiled machine.
As always, your results may vary - but it'll be a long time before I bother attempting to use NetApp NIS again. I have the files all copied locally and can't see any reason to go back.....
Graham
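Added example, not part of the original thread and not NetApp code: a Python sketch of resolving nested netgroups from a locally copied map that is read once, with a counter showing how many whole-map reads a resolver that rescans for every nested group (the behaviour described in the message above) would need. The netgroup names and hosts are constructed, and the function names `parse_netgroup` and `expand` are hypothetical.

```python
import re

# Constructed sample in /etc/netgroup syntax (not data from the thread).
SAMPLE = """\
# name        members: (host,user,domain) triples or nested netgroup names
all-clients   eng-clients ops-clients
eng-clients   eng-build (ws1,,) (ws2,,)
eng-build     eng-farm (build1,,)
eng-farm      (farm1,,) (farm2,,) \\
              (farm3,,)
ops-clients   (ops1,,) eng-farm
loop-a        loop-b (la,,)
loop-b        loop-a
"""

TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

def parse_netgroup(text):
    """Single pass over the map: {name: (hosts, nested_group_names)}."""
    groups = {}
    for line in re.sub(r"\\\n", " ", text).splitlines():  # join continuations
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
        # An empty host field is a wildcard in netgroup syntax; skipped here.
        hosts = {h.strip() for h, _, _ in TRIPLE.findall(rest) if h.strip()}
        nested = TRIPLE.sub(" ", rest).split()
        groups[parts[0]] = (hosts, nested)
    return groups

def expand(groups, name, scans=None, seen=None):
    """Hosts in `name`, following nested groups; each group is visited once."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return set()  # already expanded (or a cycle), or an unknown group
    seen.add(name)
    if scans is not None:
        scans.append(name)  # a rescan-per-group resolver reads the whole map here
    hosts, nested = groups[name]
    result = set(hosts)
    for child in nested:
        result |= expand(groups, child, scans, seen)
    return result
```

With the sample map, expanding `all-clients` touches five groups, so a rescan-per-group resolver would read the full map five times where the parsed local copy is read once.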
David Lee wrote:
We understand that filer can do NIS, and that it can use its own shadow password file, but can it use a Solaris/NIS/shadow combination? Network Appliance haven't yet been able to give us a definitive answer, nor a reference site we could contact.
The filer cannot get a shadow password file from NIS. The only maps it supports are:
hosts.byname
hosts.byaddr
passwd.byname
passwd.byuid
passwd.adjunct
group.byname
group.bygid
netgroup.byhost
However, if you are in a Unix only environment, then this doesn't matter. The filer does not allow login, so the password portion is not used. The only thing the filer uses the password file for is to do username->UID mapping, so you only really need to worry about having a password at all if you have an /etc/quotas file with usernames in it.
If you are using Unix password authentication with CIFS, however, you have to copy the shadow file onto the filer itself. (Note that this does not apply if you have domain authentication.)