Skip to main content

Configure the number of group IDs allowed for NFS users

Contributors netapp-thomi

By default, ONTAP supports up to 32 group IDs when handling NFS user credentials using Kerberos (RPCSEC_GSS) authentication. When using AUTH_SYS authentication, the default maximum number of group IDs is 16, as defined in RFC 5531. You can increase the maximum up to 1,024 if you have users who are members of more than the default number of groups.

About this task

If a user has more than the default number of group IDs in their credentials, the remaining group IDs are truncated and the user might receive errors when attempting to access files from the storage system. You should set the maximum number of groups, per SVM, to a number that represents the maximum groups in your environment.

The following table shows the two parameters of the vserver nfs modify command that determine the maximum number of group IDs in three sample configurations:

Parameters

Settings

Resulting group IDs limit

-extended-groups-limit

-auth-sys-extended-groups

32

disabled

These are the default settings.

RPCSEC_GSS: 32

AUTH_SYS: 16

-extended-groups-limit

-auth-sys-extended-groups

256

disabled

RPCSEC_GSS: 256

AUTH_SYS: 16

-extended-groups-limit

-auth-sys-extended-groups

512

enabled

RPCSEC_GSS: 512

AUTH_SYS: 512

Note

Some older NFS clients might not be compatible with AUTH_SYS extended groups.

Steps
  1. Set the privilege level to advanced:

    set -privilege advanced

  2. Perform the desired action:

    If you want to set the maximum number of allowed auxiliary groups…​

    Enter the command…​

    Only for RPCSEC_GSS and leave AUTH_SYS set to the default value of 16

    vserver nfs modify -vserver vserver_name -extended-groups-limit {32-1024} -auth-sys-extended-groups disabled

    For both RPCSEC_GSS and AUTH_SYS

    vserver nfs modify -vserver vserver_name -extended-groups-limit {32-1024} -auth-sys-extended-groups enabled

  3. Verify the -extended-groups-limit value and verify whether AUTH_SYS is using extended groups: vserver nfs show -vserver vserver_name -fields auth-sys-extended-groups,extended-groups-limit

  4. Return to the admin privilege level:

    set -privilege admin

Example

The following example enables extended groups for AUTH_SYS authentication and sets the maximum number of extended groups to 512 for both AUTH_SYS and RPCSEC_GSS authentication. These changes are made only for clients who access the SVM named vs1:

vs1::> set -privilege advanced
Warning: These advanced commands are potentially dangerous; use
         them only when directed to do so by NetApp personnel.
Do you want to continue? {y|n}: y

vs1::*> vserver nfs modify -vserver vs1 -auth-sys-extended-groups enabled -extended-groups-limit 512

vs1::*> vserver nfs show -vserver vs1 -fields auth-sys-extended-groups,extended-groups-limit
vserver auth-sys-extended-groups extended-groups-limit
------- ------------------------ ---------------------
vs1     enabled                  512

vs1::*> set -privilege admin