By default, ONTAP performs an additional verification when evaluating client access for a netgroup. The additional check ensures that the client's domain matches the domain configuration of the storage virtual machine (SVM). If the domains do not match, ONTAP denies client access.
Without this check, if the netgroup file lists only a short name for a host and that short name exists in multiple domains, a client from a different domain could obtain access.
To prevent this, ONTAP compares the domain that was returned from DNS for the host against the list of DNS domain names configured for the SVM. If it matches, access is allowed. If it does not match, access is denied.
This verification is enabled by default. You can manage it by modifying the -netgroup-dns-domain-search parameter, which is available at the advanced privilege level.
If you want domain verification for netgroups to be... | Enter... |
---|---|
Enabled | vserver nfs modify -vserver vserver_name -netgroup-dns-domain-search enabled |
Disabled | vserver nfs modify -vserver vserver_name -netgroup-dns-domain-search disabled |
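
The following is an added example, not ONTAP code or NetApp's implementation: a small Python model of the verification described above, showing how a short-name netgroup entry behaves with the check enabled and disabled. The hostnames, domains, function names and the name-matching rule (short name or full name) are assumptions made for illustration.

```python
# Illustrative model of the netgroup domain verification; not ONTAP code.
# All hostnames, domains and function names are constructed for this example.

NETGROUP_HOSTS = ["host1"]             # netgroup lists only a short name
SVM_DNS_DOMAINS = ["eng.example.com"]  # DNS domain names configured for the SVM
CLIENTS = [                            # names DNS returned for three clients
    "host1.eng.example.com",           # intended client
    "host1.lab.example.net",           # same short name, different domain
    "host2.eng.example.com",           # not in the netgroup at all
]

def _norm(name):
    """Lower-case a DNS name and drop any trailing root dot."""
    return name.rstrip(".").lower()

def netgroup_allows(client_fqdn, netgroup_hosts, svm_dns_domains, domain_search=True):
    """Return True if the client is granted access through the netgroup.

    domain_search models -netgroup-dns-domain-search (True = enabled).
    """
    fqdn = _norm(client_fqdn)
    short, _, domain = fqdn.partition(".")
    entries = {_norm(h) for h in netgroup_hosts}
    # Assumption: an entry matches on either the full name or the short name.
    if fqdn not in entries and short not in entries:
        return False
    if not domain_search:
        return True  # no domain comparison: any domain with this short name passes
    # Check enabled: the domain DNS returned must be one of the SVM's domains.
    return domain in {_norm(d) for d in svm_dns_domains}

def evaluate(domain_search):
    """Access decision for each sample client under the given setting."""
    return {c: netgroup_allows(c, NETGROUP_HOSTS, SVM_DNS_DOMAINS, domain_search)
            for c in CLIENTS}

if __name__ == "__main__":
    for enabled in (True, False):
        print("domain search", "enabled" if enabled else "disabled")
        for client, allowed in evaluate(enabled).items():
            print(f"  {client:<24} {'allow' if allowed else 'deny'}")
```

In this model the only decision that changes between the two settings is the one for the client whose short name matches but whose domain is not configured for the SVM.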