Reasons for modifying the NFS credential cache time-to-live

ONTAP uses a credential cache to store information needed for user authentication for NFS export access to provide faster access and improve performance. You can configure how long information is stored in the credential cache to customize it for your environment.

There are several scenarios when modifying the NFS credential cache time-to-live (TTL) can help resolve issues. You should understand what these scenarios are as well as the consequences of making these modifications.

Reasons

Consider changing the default TTL under the following circumstances:

| Issue | Remedial action |
| --- | --- |
| The name servers in your environment are experiencing performance degradation due to a high load of requests from ONTAP. | Increase the TTL for cached positive and negative credentials to reduce the number of requests from ONTAP to name servers. |
| The name server administrator made changes to allow access to NFS users that were previously denied. | Decrease the TTL for cached negative credentials to reduce the time NFS users have to wait for ONTAP to request fresh credentials from external name servers so they can get access. |
| The name server administrator made changes to deny access to NFS users that were previously allowed. | Reduce the TTL for cached positive credentials to reduce the time before ONTAP requests fresh credentials from external name servers so the NFS users are now denied access. |

Consequences

You can modify the length of time individually for caching positive and negative credentials. However, you should be aware of both the advantages and disadvantages of doing so.

| If you… | The advantage is… | The disadvantage is… |
| --- | --- | --- |
| Increase the positive credential cache time | ONTAP sends requests for credentials to name servers less frequently, reducing the load on name servers. | It takes longer to deny access to NFS users that previously were allowed access but are not anymore. |
| Decrease the positive credential cache time | It takes less time to deny access to NFS users that previously were allowed access but are not anymore. | ONTAP sends requests for credentials to name servers more frequently, increasing the load on name servers. |
| Increase the negative credential cache time | ONTAP sends requests for credentials to name servers less frequently, reducing the load on name servers. | It takes longer to grant access to NFS users that previously were not allowed access but are now. |
| Decrease the negative credential cache time | It takes less time to grant access to NFS users that previously were not allowed access but are now. | ONTAP sends requests for credentials to name servers more frequently, increasing the load on name servers. |
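
The trade-off described above can be measured with a small simulation. This is an added example, not ONTAP code: `CredCache`, `simulate`, the user name, and the TTL values in seconds are all hypothetical, chosen to show how each TTL sets both the stale-decision window after a name server change and the number of name server lookups.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    allowed: bool
    expires: int  # simulated time (seconds) at which the entry stops being served

class CredCache:
    """Toy credential cache with separate positive and negative TTLs (not ONTAP code)."""
    def __init__(self, positive_ttl, negative_ttl, name_server):
        self.positive_ttl = positive_ttl
        self.negative_ttl = negative_ttl
        self.name_server = name_server  # callable(user, now) -> bool
        self.entries = {}
        self.lookups = 0  # requests actually sent to the name server

    def check(self, user, now):
        entry = self.entries.get(user)
        if entry is not None and now < entry.expires:
            return entry.allowed  # served from cache, possibly stale
        self.lookups += 1
        allowed = self.name_server(user, now)
        ttl = self.positive_ttl if allowed else self.negative_ttl
        self.entries[user] = Entry(allowed, now + ttl)
        return allowed

def simulate(positive_ttl, negative_ttl, allowed_before, change_at=100, horizon=1800):
    """One user requests access every second; the name server flips its answer
    at change_at. Returns (seconds the old answer was still served, lookups)."""
    def name_server(user, now):
        return allowed_before if now < change_at else not allowed_before
    cache = CredCache(positive_ttl, negative_ttl, name_server)
    stale = 0
    for now in range(horizon):
        if cache.check("alice", now) != name_server("alice", now):
            stale += 1
    return stale, cache.lookups

if __name__ == "__main__":
    # Constructed scenarios: access revoked, then access granted, at t=100 s.
    for label, args in [
        ("revoke, positive TTL 600", (600, 60, True)),
        ("revoke, positive TTL 60", (60, 60, True)),
        ("grant, negative TTL 300", (600, 300, False)),
        ("grant, negative TTL 30", (600, 30, False)),
    ]:
        stale, lookups = simulate(*args)
        print(f"{label:26} stale={stale:4d}s lookups={lookups}")
```

In the revoke scenarios the stale window is the time a user who should be denied is still allowed, so the positive TTL is the upper bound on how long a revocation takes to be enforced.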