Performing stricter access checking for netgroups by verifying domains

By default, ONTAP performs an additional verification when evaluating client access for a netgroup. The additional check ensures that the client's domain matches the domain configuration of the storage virtual machine (SVM). Otherwise, ONTAP denies client access.

About this task

When ONTAP evaluates export policy rules for client access and an export policy rule contains a netgroup, ONTAP must determine whether a client's IP address belongs to the netgroup. For this purpose, ONTAP converts the client's IP address to a host name using DNS and obtains a fully qualified domain name (FQDN).

If the netgroup file only lists a short name for the host and the short name for the host exists in multiple domains, it is possible for a client from a different domain to obtain access without this check.

To prevent this, ONTAP compares the domain that was returned from DNS for the host against the list of DNS domain names configured for the SVM. If it matches, access is allowed. If it does not match, access is denied.

This verification is enabled by default. You can manage it by modifying the -netgroup-dns-domain-search parameter, which is available at the advanced privilege level.

Procedure

  1. Set the privilege level to advanced: set -privilege advanced
  2. Perform the desired action:
    If you want domain verification for netgroups to be... Enter...
    Enabled vserver nfs modify -vserver vserver_name -netgroup-dns-domain-search enabled
    Disabled vserver nfs modify -vserver vserver_name -netgroup-dns-domain-search disabled
  3. Set the privilege level to admin: set -privilege admin