Check whether a client IP address is a member of a netgroup

Contributors

When troubleshooting NFS client access issues related to netgroups, you can use the vserver export-policy netgroup check-membership command to help determine whether a client IP is a member of a certain netgroup.

About this task

Checking netgroup membership enables you to determine whether ONTAP is aware that a client is or is not member of a netgroup. It also lets you know whether the ONTAP netgroup cache is in a transient state while refreshing netgroup information. This information can help you understand why a client might be unexpectedly granted or denied access.

Step
  1. Check the netgroup membership of a client IP address: vserver export-policy netgroup check-membership -vserver vserver_name -netgroup netgroup_name -client-ip client_ip

    The command can return the following results:

    • The client is a member of the netgroup.

      This was confirmed through a reverse lookup scan or a netgroup-by-host search.

    • The client is a member of the netgroup.

      It was found in the ONTAP netgroup cache.

    • The client is not a member of the netgroup.

    • The membership of the client cannot yet be determined because ONTAP is currently refreshing the netgroup cache.

      Until this is done, membership cannot be explicitly ruled in or out. Use the vserver export-policy netgroup queue show command to monitor the loading of the netgroup and retry the check after it is finished.

Example

The following example checks whether a client with the IP address 172.17.16.72 is a member of the netgroup mercury on the SVM vs1:

 cluster1::> vserver export-policy netgroup check-membership -vserver vs1 -netgroup  mercury -client-ip 172.17.16.72