I'm a little unsure where to post an RFE, so I hope this will be seen by NetApp product engineers. Would NetApp consider adding support to ONTAP for having the NFS server ignore the supplemental gids supplied by the client when using SYS_AUTH and instead perform its own lookup (from NIS/LDAP etc.) to determine group membership? This would hugely benefit installations who cannot move to Kerberos auth but still run into issues with 16 group limitations on NFS. The Linux NFS server has an option '--manage-gids' which can accomplish this, please see https://xkyle.com/solving-the-nfs-16-group-limit-problem/ for a description of how that works.
We've discovered the following (mostly by ourselves, but in the end with some help from NetApp):
1. NetApp already HAS a workaround for the NFSv3 AUTH_SYS 16 group membership limit. It's currently only available for these specific ONTAP versions:
• ONTAP 7.3 series: 7.3.2 and above
• ONTAP 8.0 series: 8.0.3 and above
• ONTAP 8.1 series: 8.1.1 and above
These ONTAP versions have a "hidden option" that does what the Linux rpc.mountd --manage-gids option does. It actually works in combination with the nfs.max_num_aux_groups option: if you use this hidden option, the default limit is no longer 16 but 32 instead, and it can be cranked up to 256.
Please contact NetApp to learn about this hidden option. If you don't get a clear answer, get back to me.
Note that this workaround doesn't apply to NFSv4 AUTH_SYS, unfortunately. Actually, neither does Linux's rpc.mountd --manage-gids option: there's no (separate) mount daemon in NFSv4 anymore. This is unfortunate, as this makes it impossible to combine the 16 group membership workaround (NFSv3 only) with NFS ACLs (NFSv4 only)...
2. We've also learned that some NFSv3 clients are actually able to send more than 16 auxiliary GIDs over the wire, and NetApp handles these well.
AIX 6.1 and above NFS clients have an option called "maxgroups" that allows sending up to 64 auxiliary GIDs. We don't have AIX clients ourselves, so we've not been able to test it, but we've heard from another company where this (with "maxgroups" set to 30) “just works” with NetApp.
I don't know if there are other NFS client implementations that can do something similar. NetApp claims they're also only aware of AIX 6.1...
I'm still looking for a good spot on the Internet to document all this in more detail. But I hope this helps you along…
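The behaviour discussed in this thread, as an added example that is not part of the original posts and is not NetApp or Linux code: a Python model of the AUTH_SYS credential body (RFC 5531 `authsys_parms`, `gids<16>`) showing how a standard client drops groups past the 16th, and how a server-side lookup in the style of `--manage-gids` restores them. `GROUP_DB`, `may_access` and the sample uid/gid values are constructed for illustration.

```python
import struct

AUTH_SYS_MAX_GIDS = 16  # RFC 5531 authsys_parms: gids<16>

def pack_authsys(stamp, machine, uid, gid, gids):
    """XDR-encode an AUTH_SYS credential body as a standard client would."""
    gids = list(gids)[:AUTH_SYS_MAX_GIDS]  # groups past the 16th never reach the wire
    name = machine.encode()
    body = struct.pack(">II", stamp, len(name)) + name + b"\0" * (-len(name) % 4)
    body += struct.pack(">III", uid, gid, len(gids))
    return body + struct.pack(">%dI" % len(gids), *gids)

def unpack_authsys(body):
    """Decode the credential body on the server side."""
    stamp, nlen = struct.unpack_from(">II", body, 0)
    machine = body[8:8 + nlen].decode()
    off = 8 + nlen + (-nlen % 4)  # XDR strings are padded to 4 bytes
    uid, gid, count = struct.unpack_from(">III", body, off)
    off += 12
    if off + 4 * count != len(body):
        raise ValueError("malformed AUTH_SYS credential")
    gids = list(struct.unpack_from(">%dI" % count, body, off))
    return {"machine": machine, "uid": uid, "gid": gid, "gids": gids}

def effective_gids(cred, group_db, manage_gids):
    """Group set the server uses for the access check."""
    if manage_gids:
        # Client-supplied list is discarded; membership comes from the server's
        # own lookup (NIS/LDAP in practice, a dict here). Primary gid is kept.
        return {cred["gid"]} | set(group_db.get(cred["uid"], ()))
    return {cred["gid"]} | set(cred["gids"])

# Constructed sample data: uid 1001 belongs to 20 groups, 5000..5019.
GROUP_DB = {1001: list(range(5000, 5020))}

def may_access(dir_gid, manage_gids):
    """Would uid 1001 pass a group check for a directory owned by dir_gid?"""
    wire = pack_authsys(0, "client1", 1001, 100, GROUP_DB[1001])
    cred = unpack_authsys(wire)
    return dir_gid in effective_gids(cred, GROUP_DB, manage_gids)

if __name__ == "__main__":
    print("group 5003, client list:  ", may_access(5003, False))
    print("group 5018, client list:  ", may_access(5018, False))
    print("group 5018, server lookup:", may_access(5018, True))
```

With server-side lookup the access decision depends on the server's directory service being reachable and consistent with what clients see, since the client's own group list no longer counts.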
Re: RFE: Add support for --manage-gids to rpc.mountd in DataOnTAP