2012-03-01 07:54 AM
I'm a little unsure where to post RFE so I hope this will be seen by NetApp product engineers. Would NetApp consider adding support to OnTap for having the NFS server ignore the supplemental gids supplied by the client when using SYS_AUTH and instead perform it's own lookup (from NIS/LDAP etc) to determine group membership. This would hugely benefit installations who cannot move to Kerberos auth but still run in to issues with 16 group limitations on NFS. The Linux NFS server has an option '--manage-gids' which can accomplish this, please see https://xkyle.com/solving-the-nfs-16-group-limit-problem/ for a description of how that works.
2012-04-11 05:33 AM
Interesting question, a customer of ours has just pointed me to your post after we had the a small discussion about this yesterday
In TR-3764 (Kerberised NFS in Data ONTAP - Configuration and Best Practices), section 6, the following is mentioned:
There should be an option (exports?) at least on 'UNIX' volumes to ignore group data sent over the wire and
rely on the local groups file even under sec=sys. In this way we can bypass the NFS protocol limit of 16
groups per user.
A new option is introduced option 'nfs.max_num_aux_groups', whose value will be 32(NGROUPS_NVLOG)
by default, and other possible value being 256(NGROUPS). When the option value is set to 256, then only
we can use this feature, and allow users to be a member of more than 32 auxiliary unix groups. This will only
check the option value while querying the local networking subsystem with the unix user to get the number
of auxiliary unix groups the user is a member of.
Note: nfs,max_num_aux_groups is available in 7.3.1 release.
NetApp Release 7.3.1 Thu Jan 8 05:32:06 PST 2009
f3050-43*> options nfs.max_num_aux_groups
This sort of leads me to believe that this problem has already been tackled, but I am not 100% sure I am interpreting this TR correctly. Maybe someone who has already tested this can clarify ...
2012-04-19 11:57 AM
According to the Docs, this option is only effective when using Kerberos V5 authentication. I would really like to see this option (--manage-gids) implemented as well
2012-08-20 05:06 AM
we've discovered the following (mostly by ourselves, but in the end with some help from NetApp):
1. NetApp already HAS a workaround for the NFSv3 AUTH_SYS 16 group membership limit. It's currently only available for these specific ONTAP versions:
• ONTAP 7.3 series: 7.3.2 and above
• ONTAP 8.0 series: 8.0.3 and above
• ONTAP 8.1 series: 8.1.1 and above
These ONTAP versions have an "hidden option" that does what the Linux rpc.mountd --manage-gids option does. It actually works in combination with the nfs.max_num_aux_groups option: if you use this hidden option, the default limit is no longer 16 but 32 instead, and it can be cranked up to 256.
Please contact NetApp to learn about this hidden option. If you don't get a clear answer, get back to me.
Note that this workaround doesn't apply to NFSv4 AUTH_SYS, unfortunately. Actually, neither does Linux's rpc.mountd --manage-gids option: there's no (separate) mount daemon in NFSv4 anymore. This is unfortunate, as this makes it impossible to combine the 16 group membership workaround (NFSv3 only) with NFS ACLs (NFSv4 only)...
2. We've also learned that some NFSv3 clients are actually able to send more than 16 auxilliary GIDs over the wire, and NetApp handles these well.
AIX 6.1 and above NFS clients have an option called "maxgroups" that allows sending up to 64 auxilliary GIDs. We don't have AIX clients ourselves, so we've not been able to test it, but we've heard from another company where this (with "maxgroups" set to 30) “just works” with NetApp.
I don't know if there are other NFS client implementations that can do something similar. NetApp claims the’re also only aware of AIX 6.1...
I'm still looking for a good spot on the Internet to document all this in more detail. But I hope this helps you along…
2012-09-07 03:58 AM
I'll send you private reply for now.
I dont’ know why NetApp is so secretive about the workaround. And I’m not too pleased with the way I’m being treated by NetApp lately. So I'll post it publicly real soon, too.
Good luck to you.
2012-10-10 02:51 AM
I tried for one week to get the hidden option from netapp support (indian call center)... without success
Could you provide me the option?
My E-mail is
Thank you very much