RFE: Add support for --manage-gids to rpc.mountd in DataOnTAP

stuart_mcphail · ‎2012-03-01

Hi,

I'm a little unsure where to post RFE so I hope this will be seen by NetApp product engineers. Would NetApp consider adding support to OnTap for having the NFS server ignore the supplemental gids supplied by the client when using SYS_AUTH and instead perform it's own lookup (from NIS/LDAP etc) to determine group membership. This would hugely benefit installations who cannot move to Kerberos auth but still run in to issues with 16 group limitations on NFS. The Linux NFS server has an option '--manage-gids' which can accomplish this, please see https://xkyle.com/solving-the-nfs-16-group-limit-problem/ for a description of how that works.

Thanks,

Stuart

uptimenow · ‎2012-04-11

Hi,

Interesting question, a customer of ours has just pointed me to your post after we had the a small discussion about this yesterday

In TR-3764 (Kerberised NFS in Data ONTAP - Configuration and Best Practices), section 6, the following is mentioned:

======

There should be an option (exports?) at least on 'UNIX' volumes to ignore group data sent over the wire and

rely on the local groups file even under sec=sys. In this way we can bypass the NFS protocol limit of 16

groups per user.

A new option is introduced option 'nfs.max_num_aux_groups', whose value will be 32(NGROUPS_NVLOG)

by default, and other possible value being 256(NGROUPS). When the option value is set to 256, then only

we can use this feature, and allow users to be a member of more than 32 auxiliary unix groups. This will only

check the option value while querying the local networking subsystem with the unix user to get the number

of auxiliary unix groups the user is a member of.

Note: nfs,max_num_aux_groups is available in 7.3.1 release.

f3050-43*> version

NetApp Release 7.3.1 Thu Jan 8 05:32:06 PST 2009

f3050-43*>

f3050-43*> options nfs.max_num_aux_groups

nfs.max_num_aux_groups 32

======

This sort of leads me to believe that this problem has already been tackled, but I am not 100% sure I am interpreting this TR correctly. Maybe someone who has already tested this can clarify ...

Best regards,

Filip

garypitman · ‎2012-04-19

According to the Docs, this option is only effective when using Kerberos V5 authentication. I would really like to see this option (--manage-gids) implemented as well

imecleuven · ‎2012-08-20

Stuart,

we've discovered the following (mostly by ourselves, but in the end with some help from NetApp):

1. NetApp already HAS a workaround for the NFSv3 AUTH_SYS 16 group membership limit. It's currently only available for these specific ONTAP versions:

• ONTAP 7.3 series: 7.3.2 and above

• ONTAP 8.0 series: 8.0.3 and above

• ONTAP 8.1 series: 8.1.1 and above

These ONTAP versions have an "hidden option" that does what the Linux rpc.mountd --manage-gids option does. It actually works in combination with the nfs.max_num_aux_groups option: if you use this hidden option, the default limit is no longer 16 but 32 instead, and it can be cranked up to 256.

Please contact NetApp to learn about this hidden option. If you don't get a clear answer, get back to me.

Note that this workaround doesn't apply to NFSv4 AUTH_SYS, unfortunately. Actually, neither does Linux's rpc.mountd --manage-gids option: there's no (separate) mount daemon in NFSv4 anymore. This is unfortunate, as this makes it impossible to combine the 16 group membership workaround (NFSv3 only) with NFS ACLs (NFSv4 only)...

2. We've also learned that some NFSv3 clients are actually able to send more than 16 auxilliary GIDs over the wire, and NetApp handles these well.

AIX 6.1 and above NFS clients have an option called "maxgroups" that allows sending up to 64 auxilliary GIDs. We don't have AIX clients ourselves, so we've not been able to test it, but we've heard from another company where this (with "maxgroups" set to 30) “just works” with NetApp.

I don't know if there are other NFS client implementations that can do something similar. NetApp claims the’re also only aware of AIX 6.1...

I'm still looking for a good spot on the Internet to document all this in more detail. But I hope this helps you along…

Sincerely,

ERIC OLEMANS.

marcinl · ‎2012-08-28

Hello Eric,
What is this hidden option ?

imecleuven · ‎2012-09-07

Dear,

I'll send you private reply for now.

I dont’ know why NetApp is so secretive about the workaround. And I’m not too pleased with the way I’m being treated by NetApp lately. So I'll post it publicly real soon, too.

Good luck to you.

Bye,

Eric

hj_maurer · ‎2012-10-10

Hi Eric

I tried for one week to get the hidden option from netapp support (indian call center)... without success

Could you provide me the option?

My E-mail is

Hansjoerg.Maurer@dlr.de

Thank you very much

Regards

Hansjörg

pedro_rocha · ‎2013-06-10

Hello,

I have the same issue, but having lots of trouble in getting the information with NetApp. COuld you send this to me?

Regards,

Pedro Rocha.

Jon_Nilsson · ‎2013-07-02

Hi.

Can you send me this hidden option aswell?

jon.nilsson@proact.se

pedro_rocha · ‎2013-07-02

Hi,

I solved this using the option below (which is not hidden):

options nfs.authsys.extended_groups_ns.enable on

Best wishes,

Pedro Rocha.

RFE: Add support for --manage-gids to rpc.mountd in DataOnTAP

We're on Discord, are you?

Meet Explore, NetApp’s digital sales platform