NFS Active Directory lookups

SCL — Wed, 04 Jun 2025 10:19:51 GMT

Hello all,

My first post here. I have an issue that seems to have me badly stumped: we have an NFS mount where were are trying to do AD group lookups that are approaching the 1024 limit. We have enabled RFC-2307bis support, and increased max groups to 1024. Yet, our lookups are still stuck at around 236 groups or so.

We are using NFSv4, and we did reboot the client node. We also conducted the same exercise on the NFS client with the lookups done over local file systems (with NS-SWITCH set to 'sss') without any issue.

We looked at https://kb.netapp.com/?title=Advice_and_Troubleshooting%2FData_Storage_Software%2FONTAP_OS%2FHow_does_AUTH_SYS_Extended_Groups_change_NFS_authentication%253F and https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.cdot-famg-nfs%2FGUID-B1CCBCC8-9FF0-4270-A4F4-679BE315C58A.html so far. We updated the schema so that enable-2307bis is true and max aux groups is 1024.

RFC 2307 posixAccount Object Class: User
RFC 2307 posixGroup Object Class: Group
RFC 2307 nisNetgroup Object Class: nisNetgroup
RFC 2307 uid Attribute: uid
RFC 2307 uidNumber Attribute: uidNumber
RFC 2307 gidNumber Attribute: gidNumber
RFC 2307 cn (for Groups) Attribute: cn
RFC 2307 cn (for Netgroups) Attribute: name
RFC 2307 userPassword Attribute: unixUserPassword
RFC 2307 gecos Attribute: name
RFC 2307 homeDirectory Attribute: unixHomeDirectory
RFC 2307 loginShell Attribute: loginShell
RFC 2307 memberUid Attribute: memberUid
RFC 2307 memberNisNetgroup Attribute: memberNisNetgroup
RFC 2307 nisNetgroupTriple Attribute: nisNetgroupTriple
Enable Support for Draft RFC 2307bis: true
RFC 2307bis groupOfUniqueNames Object Class: group
RFC 2307bis uniqueMember Attribute: Member
Data ONTAP Name Mapping windowsToUnix Object Class: User
Data ONTAP Name Mapping windowsAccount Attribute: sAMAccountName
Data ONTAP Name Mapping windowsToUnix Attribute: sAMAccountName
No Domain Prefix for windowsToUnix Name Mapping: true
Vserver Owns Schema: true
Maximum groups supported when RFC 2307bis enabled: 1024
RFC 2307 nisObject Object Class: nisObject
RFC 2307 nisMapName Attribute: nisMapName
RFC 2307 nisMapEntry Attribute: nisMapEntry

AUTH_SYS Extended Groups Enabled: enabled
AUTH_SYS and RPCSEC_GSS Auxillary Groups Limit: 1024

NFSv4.1 Implementation ID Name: NetApp Release 9.7P3

Any suggestions for where to further look?

Thanks,

Steven

Re: NFS Active Directory lookups

hmoubara — Wed, 07 Jul 2021 02:16:06 GMT

Hello,

Could you share the output for the ldap client that you are using for the specified vserver.

cluster::> ldap client show -vserver <vserver name> -client-config <>

Thanks

topic Re: NFS Active Directory lookups in ONTAP Discussions

NFS Active Directory lookups

Re: NFS Active Directory lookups