Configuring the number of group IDs allowed for NFS users
By default, ONTAP supports up to 32 group IDs when handling NFS user credentials using Kerberos (RPCSEC_GSS) authentication. When using AUTH_SYS authentication, the default maximum number of group IDs is 16, as defined in RFC 5531. You can increase the maximum up to 1,024 if you have users who are members of more than the default number of groups.
About this task
If a user has more than the default number of group IDs in their credentials, the remaining group IDs are truncated and the user might receive errors when attempting to access files from the storage system. You should set the maximum number of groups, per SVM, to a number that represents the largest number of groups any user belongs to in your environment.
The following table shows the two parameters of the vserver nfs modify command that determine the maximum number of group IDs in three sample configurations:
-extended-groups-limit | -auth-sys-extended-groups | Resulting group IDs limit |
---|---|---|
32 | disabled | RPCSEC_GSS: 32, AUTH_SYS: 16 (these are the default settings) |
256 | disabled | RPCSEC_GSS: 256, AUTH_SYS: 16 |
512 | enabled | RPCSEC_GSS: 512, AUTH_SYS: 512 |
- Set the privilege level to advanced: set -privilege advanced
- Perform the desired action:
If you want to set the maximum number of allowed auxiliary groups... | Enter the command... |
---|---|
Only for RPCSEC_GSS and leave AUTH_SYS set to the default value of 16 | vserver nfs modify -vserver vserver_name -extended-groups-limit {32-1024} -auth-sys-extended-groups disabled |
For both RPCSEC_GSS and AUTH_SYS | vserver nfs modify -vserver vserver_name -extended-groups-limit {32-1024} -auth-sys-extended-groups enabled |

- Verify the -extended-groups-limit value and verify whether AUTH_SYS is using extended groups: vserver nfs show -vserver vserver_name -fields auth-sys-extended-groups,extended-groups-limit
- Return to the admin privilege level: set -privilege admin
Example
The following example enables extended groups for AUTH_SYS authentication and sets the maximum number of extended groups to 512 for both AUTH_SYS and RPCSEC_GSS authentication. These changes are made only for clients who access the SVM named vs1:
vs1::> set -privilege advanced
Warning: These advanced commands are potentially dangerous; use
them only when directed to do so by Lenovo personnel.
Do you want to continue? {y|n}: y
vs1::*> vserver nfs modify -vserver vs1 -auth-sys-extended-groups enabled -extended-groups-limit 512
vs1::*> vserver nfs show -vserver vs1 -fields auth-sys-extended-groups,extended-groups-limit
vserver auth-sys-extended-groups extended-groups-limit
------- ------------------------ ---------------------
vs1 enabled 512
vs1::*> set -privilege admin
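
To pick a limit that matches your environment before running the command, you can count each user's auxiliary groups from your name-service data. The following is an added example, not part of the original documentation: it assumes passwd(5)/group(5)-format input (for example, getent output), that clients use AUTH_SYS, and that the per-user count is auxiliary memberships excluding the primary GID. The function names and sample data are hypothetical.

```python
from collections import defaultdict

AUTH_SYS_DEFAULT = 16   # AUTH_SYS default limit stated above (RFC 5531)
GSS_DEFAULT = 32        # RPCSEC_GSS default and lower bound of -extended-groups-limit
ONTAP_MAX = 1024        # upper bound of -extended-groups-limit stated above

# Constructed sample data in passwd(5)/group(5) format, not from a real system.
SAMPLE_PASSWD = ("alice:x:1001:100::/home/alice:/bin/sh\n"
                 "bob:x:1002:100::/home/bob:/bin/sh\n")
SAMPLE_GROUP = "users:x:100:\n" + "".join(
    f"proj{i}:x:{2000 + i}:alice{',bob' if i < 5 else ''}\n" for i in range(40))


def auxiliary_groups(passwd_text, group_text):
    """Map each user to the set of auxiliary GIDs (memberships minus primary GID)."""
    primary = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[3].isdigit():
            primary[fields[0]] = int(fields[3])
    aux = defaultdict(set, {user: set() for user in primary})
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or not fields[2].isdigit():
            continue  # skip malformed or comment lines
        gid = int(fields[2])
        for user in filter(None, (m.strip() for m in fields[3].split(","))):
            if primary.get(user) != gid:
                aux[user].add(gid)
    return dict(aux)


def recommend(aux, vserver="vserver_name"):
    """Return (command, users whose groups exceed the AUTH_SYS default of 16)."""
    counts = {user: len(gids) for user, gids in aux.items()}
    worst = max(counts.values(), default=0)
    if worst > ONTAP_MAX:
        raise ValueError(f"{worst} groups exceeds the maximum of {ONTAP_MAX}")
    limit = max(GSS_DEFAULT, worst)
    auth_sys = "enabled" if worst > AUTH_SYS_DEFAULT else "disabled"
    truncated = sorted(u for u, n in counts.items() if n > AUTH_SYS_DEFAULT)
    command = (f"vserver nfs modify -vserver {vserver} "
               f"-extended-groups-limit {limit} -auth-sys-extended-groups {auth_sys}")
    return command, truncated


if __name__ == "__main__":
    print(*recommend(auxiliary_groups(SAMPLE_PASSWD, SAMPLE_GROUP), "vs1"), sep="\n")
```

Users in the returned list are the ones whose group IDs would be truncated under the AUTH_SYS default.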