Hi,
I am trying to enable more than the default 16 groups for NFS connection via SYS_AUTH to a NetApp filer, but not having any success. Can anyone shed some light?
The issue is present in our production environment, but to get to the bottom of it I have created a virtual appliance with 'NetApp Release 8.1.4 7-Mode', which matches Production. The appliance is set up to use our Active Directory domain and on the appliance I can use 'wcc' to successfully query users and groups. I have set 'nfs.authsys.extended_groups_ns.enable on' and 'nfs.max_num_aux_groups 256'.
My NFS client is running recently patched RH Enterprise Linux 6.6 and I am testing with my own user account that is a member of more than 16 groups. To test the functionality I create one file for each of the groups I belong to and set the permissions so that write is only possible by a group (not user or other). Writing to each file is thereby dependent on a different group. As I can use chgrp successfully to set up each of these files I think it proves that AD, the Linux Client and the NetApp are all in step regarding groups. However, when I try to write to each of these groups in turn I am successful only with the first 16, which is the same behaviour as if 'nfs.authsys.extended_groups_ns.enable' was set to 'off'. I have tried using NFS 3 and 4 without success.
To prove there is no issue on the Linux Client I used another Linux server to create an NFS export and set the '--manage-gids' option on rpc.mountd. After mounting that export on the client machine I repeated the test of creating the files, setting their permissions and attempting to write to each in turn. I could write to all the files, which proves that if the NFS server is configured to use '--manage-gids' correctly the client can support it.
If I understand correctly then by enabling 'nfs.authsys.extended_groups_ns.enable' group enumeration is shifted from the client request (the groups of which are ignored) to the NetApp, which picks up the additional task of going to AD to find out what groups the requesting account is a member of. Therefore it seems likely the NetApp is not capable of enumerating an account's groups, but when I check with wcc it seems that it is. I get data back that looks like this (names changed to protect the innocent):
wcc -u fred.bloggs
(NT - UNIX) account name(s): (MYDOMAIN\fred.bloggs - fred.bloggs)
***************
UNIX uid = 10225
user is a member of group MYGROUP (10042)
NT membership
MYDOMAIN\fred.bloggs
<snipped lots of other groups from here>
BUILTIN\Users
User is also a member of Everyone, Network Users,
Authenticated Users
***************
So, after all that the questions I have are:
- Is anyone using a NetApp with 'nfs.authsys.extended_groups_ns.enable on' successfully with a RHEL5, 6 or 7 client?
- Does anyone know of a required configuration setting I may not have set?
- Am I correct in assuming that the output of wcc is a good way of verifying the appliance's ability to enumerate a user's groups?
- Are there any logs on the NetApp that could provide a clue as to what is going wrong (there is nothing in the logs exposed through the WebUI)?
- Am I correct in my assumption that 'nfs.authsys.extended_groups_ns.enable on' works in the same way as '--manage-gids' does for rpc.mountd?
Thanks in advance for any assistance.
Regards,
David
PS, apologies if this is a repeat post - I thought I asked this question on Friday, but I cannot find the original post.
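As an added example (not part of the post above), a POSIX sh script that models the 16-GID AUTH_SYS limit the post runs into and classifies the per-group write results of the test described there. It assumes the client sends the first 16 entries of the list that `id -G` prints; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. An AUTH_SYS (sec=sys) RPC
# credential carries at most 16 auxiliary GIDs, so a client whose user is in
# more groups sends a truncated list unless the server resolves groups itself
# (rpc.mountd --manage-gids, or nfs.authsys.extended_groups_ns.enable on the
# filer). Assumption: the client sends the first 16 entries of `id -G`.

AUTH_SYS_MAX_GIDS=16

# normalise a space-separated GID list: numerically sorted, single spaces
_norm() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -v '^$' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# the GIDs (first 16 of the list) that fit in the AUTH_SYS credential
auth_sys_visible() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -v '^$' \
        | head -n "$AUTH_SYS_MAX_GIDS" | tr '\n' ' ' | sed 's/ $//'
}

# the GIDs beyond the 16th, which never reach the server
auth_sys_dropped() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -v '^$' \
        | tail -n +$((AUTH_SYS_MAX_GIDS + 1)) | tr '\n' ' ' | sed 's/ $//'
}

# $1 = all GIDs the user is in, $2 = GIDs whose group-only-writable test file
# could be written; prints which server behaviour the pattern matches
classify_writes() {
    all=$(_norm "$1"); ok=$(_norm "$2"); vis=$(_norm "$(auth_sys_visible "$1")")
    if [ "$ok" = "$all" ]; then
        echo "all groups honoured: server-side group resolution is in effect"
    elif [ "$ok" = "$vis" ]; then
        echo "only the first $AUTH_SYS_MAX_GIDS groups honoured: AUTH_SYS truncation, server is using the client's list"
    else
        echo "pattern matches neither case: check which individual groups failed"
    fi
}

# report for the calling user which groups a sec=sys server can see
report() {
    gids=$(id -G)
    echo "sent in AUTH_SYS: $(auth_sys_visible "$gids")"
    d=$(auth_sys_dropped "$gids")
    [ -n "$d" ] && echo "dropped unless the server resolves groups: $d"
    return 0
}
```

Run `report` on the client to see which groups are dropped on the wire, then feed the observed write results to `classify_writes` to tell truncation apart from a server that resolves groups itself.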