Hi folks,
We tend to use unix style security on shares that are accessed via both NFS and CIFS. Being a university we have a large number of users and groups, and some folks belong to numerous groups. (We use group permissions for shared projects and some folks are members of many unix groups.)
We use NFS v3 exclusively and the auxiliary group list is passed by the NFS client in each NFS packet, and it is limited to 16 groups. This is rather inconvenient for some NFS users. Does anyone know if this is a hard NFS v3 limit?
For CIFS we authenticate via a Windows domain and the CIFS credentials are mapped to Unix credentials for unix style security. We noticed with "cifs shares -s username" that folks were being limited to 32 unix groups. I have discovered that you can do this:
options nfs.max_num_aux_groups 256
(the only legal values are 32 and 256, we have DOT 8.0.1 7-Mode.)
and now our CIFS users who belong to over 32 unix groups are getting all their groups. No help for NFS v3 but this will make several of our CIFS users happy.
Steve Losen scl@virginia.edu phone: 434-924-0640
University of Virginia ITC Unix Support
Steve Losen wrote:
> We use NFS v3 exclusively and the auxiliary group list is passed by the NFS client in each NFS packet, and it is limited to 16 groups. This is rather inconvenient for some NFS users. Does anyone know if this is a hard NFS v3 limit?
It's not really that hard to my knowledge, but it depends on what you mean by that term. It's not primarily a server-side (NetApp) problem really (ONTAP supports handling at least 32 groups and that goes a long way to handle any environment). It's a client issue and you need to know and make sure that the NFS clients the users are on are doing what you think they are w.r.t. the number of UNIX groups.
Linux, presumably?
It says below that you have many users who are members of >32 UNIX groups...(!) That's an unfortunate situation w.r.t. NFS clients I think and suspect. Sorry.
> For CIFS we authenticate via a Windows domain and the CIFS credentials are mapped to Unix credentials for unix style security. We noticed with "cifs shares -s username" that folks were being limited to 32 unix groups. I have discovered that you can do this:
> options nfs.max_num_aux_groups 256
> (the only legal values are 32 and 256, we have DOT 8.0.1 7-Mode.)
> and now our CIFS users who belong to over 32 unix groups are getting all their groups. No help for NFS v3 but this will make several of our CIFS users happy.
> Steve Losen scl@virginia.edu phone: 434-924-0640
> University of Virginia ITC Unix Support
This isn't specific to NFS, but, as has been previously stated 'auth_sys'. The following page has some interesting information:
https://xkyle.com/solving-the-nfs-16-group-limit-problem/
Including the "hidden option" for enabling the "nfs.max_num_aux_groups" option.
I noted one solution that was proposed for Linux on the client-side:
http://www.frankvm.com/nfs-ngroups/
But as I have not used it, I cannot testify to its effectiveness. The theory looks sound, though. Good luck...
-=Tom Nail
On Fri, 8 Feb 2013 16:34:33 +0100 Michael Bergman michael.bergman@ericsson.com wrote:
> Steve Losen wrote:
> > We use NFS v3 exclusively and the auxiliary group list is passed by the NFS client in each NFS packet, and it is limited to 16 groups. This is rather inconvenient for some NFS users. Does anyone know if this is a hard NFS v3 limit?
> It's not really that hard to my knowledge, but it depends on what you mean by that term. It's not primarily a server-side (NetApp) problem really (ONTAP supports handling at least 32 groups and that goes a long way to handle any environment). It's a client issue and you need to know and make sure that the NFS clients the users are on are doing what you think they are w.r.t. the number of UNIX groups.
> Linux, presumably?
> It says below that you have many users who are members of >32 UNIX groups...(!) That's an unfortunate situation w.r.t. NFS clients I think and suspect. Sorry.
> > For CIFS we authenticate via a Windows domain and the CIFS credentials are mapped to Unix credentials for unix style security. We noticed with "cifs shares -s username" that folks were being limited to 32 unix groups. I have discovered that you can do this:
> > options nfs.max_num_aux_groups 256
> > (the only legal values are 32 and 256, we have DOT 8.0.1 7-Mode.)
> > and now our CIFS users who belong to over 32 unix groups are getting all their groups. No help for NFS v3 but this will make several of our CIFS users happy.
> > Steve Losen scl@virginia.edu phone: 434-924-0640
> > University of Virginia ITC Unix Support
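
Added illustration, not part of the thread and not NetApp or NFS client code: the 16-group ceiling discussed above comes from the AUTH_SYS credential format in RFC 5531, whose auxiliary group array is declared `gids<16>`. The Python below encodes and decodes that credential body and audits /etc/group-format text for users over a given limit; the function names and the sample group data are constructed for this example.

```python
import struct

AUTH_SYS_MAX_GIDS = 16   # RFC 5531 authsys_parms: unsigned int gids<16>
AUTH_SYS_MAX_NAME = 255  # RFC 5531 authsys_parms: string machinename<255>

def pack_authsys(stamp, machinename, uid, gid, gids):
    """XDR-encode an AUTH_SYS credential body; refuse what the format cannot carry."""
    name = machinename.encode()
    if len(name) > AUTH_SYS_MAX_NAME:
        raise ValueError("machinename longer than 255 bytes")
    if len(gids) > AUTH_SYS_MAX_GIDS:
        raise ValueError(f"{len(gids)} gids exceed the AUTH_SYS limit of 16")
    pad = (-len(name)) % 4                      # XDR pads opaque data to 4 bytes
    body = struct.pack(">II", stamp, len(name)) + name + b"\0" * pad
    body += struct.pack(">III", uid, gid, len(gids))   # primary gid is separate
    return body + struct.pack(f">{len(gids)}I", *gids)

def unpack_authsys(body):
    """Decode a credential body, rejecting a group count above the protocol limit."""
    stamp, nlen = struct.unpack_from(">II", body, 0)
    if nlen > AUTH_SYS_MAX_NAME:
        raise ValueError("machinename longer than 255 bytes")
    name = body[8:8 + nlen].decode()
    off = 8 + nlen + (-nlen) % 4
    uid, gid, count = struct.unpack_from(">III", body, off)
    if count > AUTH_SYS_MAX_GIDS:
        raise ValueError("gid count exceeds the AUTH_SYS limit of 16")
    gids = list(struct.unpack_from(f">{count}I", body, off + 12))
    return {"stamp": stamp, "machinename": name, "uid": uid, "gid": gid, "gids": gids}

def users_over_limit(group_text, limit=AUTH_SYS_MAX_GIDS):
    """Map user -> number of groups listing them, for users above `limit`."""
    counts = {}
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or line.lstrip().startswith("#"):
            continue
        for user in filter(None, (u.strip() for u in fields[3].split(","))):
            counts[user] = counts.get(user, 0) + 1
    return {user: n for user, n in counts.items() if n > limit}

# Constructed sample: alice is in 20 project groups, bob in 3.
SAMPLE_GROUPS = "\n".join(
    f"proj{i}:x:{5000 + i}:alice" + (",bob" if i < 3 else "") for i in range(20))

if __name__ == "__main__":
    print("over 16 (NFS AUTH_SYS):", users_over_limit(SAMPLE_GROUPS))
    print("over 32 (default CIFS mapping):", users_over_limit(SAMPLE_GROUPS, limit=32))
```

The audit counts only memberships listed in the group file's member field, so a user's primary group from the passwd database is not included, matching how AUTH_SYS carries the primary gid in its own field.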