ONTAP Discussions

Can AD be used for netgroups?

uphill
932 Views

Hi,

Our SVMs use AD for LDAP. Trying to figure out whether in AD groups of FQDNs can be built if those machine accounts do not exist in AD (anywhere) and never will. I know there are PS commands to get, set, etc. NFS netgroups for AD, but it seems to imply this is for NFS servers "in the domain". Maybe that is an incorrect assumption. Anyhow, if I could get our domain admins to create NFSNetGroups in AD populated with non-domain machine FQDNs, can the SVM reference these if nsswitch is using LDAP and the netgroup is referenced via @mysillyadnfsnetgroupname?

Secondly, if that isn't really viable and I need to load netgroup files into the SVM - is the -uri method the only way to import the file? I have been aiming to use netgroups because of character string limits in the export policies for years, but also to allow automation to populate the netgroup members, thereby eliminating constant export policy edits, if that makes sense.

thanks!
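As an added example (not code from this thread or from NetApp), here is the automation the question describes for the flat-file route: generating a netgroup(5) file for an SVM from a host list, with strict validation of every member, since whatever lands in that file is what the export policy ends up trusting. The group names, FQDNs and the 50-entries-per-line split are constructed assumptions; pulling the file into the SVM via the -uri load step is outside the script.

```python
import re

# Hostname labels: letters, digits, hyphen. No wildcards, CIDR, spaces or netgroup syntax.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
_GROUP_RE = re.compile(r"^[A-Za-z0-9_.-]+$")  # netgroup names: no spaces or parentheses


def validate_fqdn(name: str) -> bool:
    """True only for a plain dotted name; '*', '10.0.0.0/8' and '(x,,)' all fail."""
    return len(name) <= 253 and _FQDN_RE.fullmatch(name) is not None


def build_netgroup_file(groups: dict, per_line: int = 50) -> str:
    """Render netgroup(5) text. Each host becomes a host-only triple '(fqdn,,)', the
    form used for NFS export matching. Groups larger than per_line are split into
    numbered sub-netgroups referenced from the parent (per_line is an assumed limit,
    not an ONTAP-documented one). Invalid entries raise instead of being written."""
    lines = []
    for group, hosts in groups.items():
        bad = [h for h in hosts if not validate_fqdn(h)]
        if bad or not _GROUP_RE.match(group):
            raise ValueError(f"{group}: refusing to write invalid group name or members {bad}")
        chunks = [hosts[i:i + per_line] for i in range(0, len(hosts), per_line)]
        if len(chunks) <= 1:
            lines.append(" ".join([group] + [f"({h},,)" for h in hosts]))
            continue
        subs = [f"{group}_{n}" for n in range(len(chunks))]
        lines.append(" ".join([group] + subs))
        for sub, chunk in zip(subs, chunks):
            lines.append(" ".join([sub] + [f"({h},,)" for h in chunk]))
    return "\n".join(lines) + "\n"


def parse_netgroup_file(text: str) -> dict:
    """Flatten every netgroup in a netgroup(5) file to its set of hosts, following
    nested references (cycle-safe). Assumes triples are written without spaces."""
    raw = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, *members = line.split()
            raw[name] = members

    def resolve(name, seen):
        hosts = set()
        for m in raw.get(name, []):
            if m.startswith("("):
                hosts.add(m[1:-1].split(",")[0])  # host field of (host,user,domain)
            elif m not in seen:
                hosts |= resolve(m, seen | {m})
        return hosts

    return {n: resolve(n, {n}) for n in raw}
```

Running the parser over the generated text before publishing it to the web server the SVM pulls from gives a cheap check that the flattened membership is exactly the intended host list.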

2 REPLIES

SCL
871 Views

I saw this when I did a 'man create' in vserver services name-service ns-switch on ONTAP 9.12.1:

                       +----------+-------------------+
                       | Database |  Valid Sources    |
                       |----------+-------------------|
                       | hosts    |  files, dns       |
                       | group    |  files, nis, ldap |
                       | passwd   |  files, nis, ldap |
                       | netgroup |  files, nis, ldap |
                       | namemap  |  files, ldap      |
                       +----------+-------------------+


uphill
809 Views

Telling it to use files isn't the problem. I am not seeing a way to manually manipulate the file used for netgroups; it appears to only be loadable via URI. Not impossible, just wondering if the files can be edited directly without all that, since FWs block traffic.

thanks
