NFS users have issues when they belong to greater than 16 groups

Recently ran into this issue, as described in NetApp KB000010630:

  • Network File System (NFS) users have access problems when they belong to greater than 16 groups.
  • Users have access problems if in 17 to 20 groups.

As noted in the KB:

Although the filer currently supports up to 32 UNIX/NFS groups some NFS clients only support 16 groups, which means an NFS user can only belong to 16 groups while using NFS… While there are hacks for allowing a Unix user to be a part of more than 16 netgroups, per RFC standard RFC 5531 this is a set limit and cannot be modified. So it is likely that a client vendor would not support changes to the client allowing more than 16 netgroups. ONTAP limits to 16 as well following the RFC 5531 standard.

As a workaround, Support recommended setting up and configuring LDAP for Clustered Data ONTAP 8.x and then using the “extended-groups-limit” and “auth-sys-extended-groups” NFS server parameters to raise the maximum number of group IDs. The steps below are what that looked like.

1. Gather the schema information (read-only by default)

::> vserver services name-service ldap client schema show -vserver [vservername]
Vserver        Schema Template    Comment
-------------- ------------------ -------------------------------------------------------
[vservername]  AD-IDMU            Schema based on Active Directory Identity Management for UNIX (read-only)
[vservername]  AD-SFU             Schema based on Active Directory Services for UNIX (read-only)
[vservername]  AD-SFU-Deprecated  Schema based on Active Directory Services for UNIX (read-only)
[vservername]  RFC-2307           Schema based on RFC 2307 (read-only)
4 entries were displayed.

2. Create a new schema to use by copying RFC 2307 to a new schema

::*> set -privilege advanced
::*> ldap client schema copy -schema RFC-2307 -new-schema-name NEW-RFC-2307 -vserver [vservername] 

3. Modify the schema as necessary for Active Directory

::*> vserver services ldap client schema modify -schema NEW-RFC-2307 -comment "NEW-RFC-2307" -gecos-attribute name -home-directory-attribute unixHomeDirectory -uid-attribute sAMAccountName -user-password-attribute unixUserPassword -posix-account-object-class User -posix-group-object-class Group -member-uid-attribute memberUid -enable-rfc2307bis true -group-of-unique-names-object-class group -unique-member-attribute member -vserver [vservername]

4. Verify the schema

::*> ldap client schema show -schema NEW-RFC-2307 -vserver [vservername]      

                                           Vserver: [vservername]
                                   Schema Template: NEW-RFC-2307
                                           Comment: NEW-RFC-2307
                RFC 2307 posixAccount Object Class: User
                  RFC 2307 posixGroup Object Class: Group
                 RFC 2307 nisNetgroup Object Class: nisNetgroup
                            RFC 2307 uid Attribute: sAMAccountName
                      RFC 2307 uidNumber Attribute: uidNumber
                      RFC 2307 gidNumber Attribute: gidNumber
                RFC 2307 cn (for Groups) Attribute: cn
             RFC 2307 cn (for Netgroups) Attribute: cn
                   RFC 2307 userPassword Attribute: unixUserPassword
                          RFC 2307 gecos Attribute: name
                  RFC 2307 homeDirectory Attribute: unixHomeDirectory
                     RFC 2307 loginShell Attribute: loginShell
                      RFC 2307 memberUid Attribute: memberUid
              RFC 2307 memberNisNetgroup Attribute: memberNisNetgroup
              RFC 2307 nisNetgroupTriple Attribute: nisNetgroupTriple
              Enable Support for Draft RFC 2307bis: true
       RFC 2307bis groupOfUniqueNames Object Class: group
                RFC 2307bis uniqueMember Attribute: member
Data ONTAP Name Mapping windowsToUnix Object Class: posixAccount
  Data ONTAP Name Mapping windowsAccount Attribute: windowsAccount
   Data ONTAP Name Mapping windowsToUnix Attribute: windowsAccount
   No Domain Prefix for windowsToUnix Name Mapping: false
                               Vserver Owns Schema: true
 Maximum groups supported when RFC 2307bis enabled: 256
                   RFC 2307 nisObject Object Class: nisObject
                     RFC 2307 nisMapName Attribute: nisMapName
                    RFC 2307 nisMapEntry Attribute: nisMapEntry

5a. Create the ldap client config (using a bind account), or...

Use if the SVM is not joined to AD, and you have no intention of serving out CIFS.
::*> vserver services ldap client create -client-config ldap1 -ad-domain [domainname] -preferred-ad-servers [ipaddress] -schema NEW-RFC-2307 -port 389 -query-timeout 10 -min-bind-level sasl -base-dn [basedn] -base-scope subtree -user-scope subtree -group-scope subtree -netgroup-scope subtree -bind-dn [binddn] -bind-password [password] -user-dn [userdn] -group-dn [groupdn] -bind-as-cifs-server false -vserver [vservername]

::*> vserver services name-service ldap client show -instance -vserver [vservername]

                                  Vserver: [vservername]
                Client Configuration Name: ldap1
                         LDAP Server List: -
                  Active Directory Domain: [domainname]
       Preferred Active Directory Servers: [ipaddress]
Bind Using the Vserver's CIFS Credentials: false
                          Schema Template: NEW-RFC-2307
                         LDAP Server Port: 389
                      Query Timeout (sec): 10
        Minimum Bind Authentication Level: sasl
                           Bind DN (User): [binddn]
                                  Base DN: [basedn]
                        Base Search Scope: subtree
                                  User DN: [userdn]
                        User Search Scope: subtree
                                 Group DN: [groupdn]
                       Group Search Scope: subtree
                              Netgroup DN: -
                    Netgroup Search Scope: subtree
               Vserver Owns Configuration: true
      Use start-tls Over LDAP Connections: false
(DEPRECATED) Allow SSL for the TLS Handshake Protocol: false
           Enable Netgroup-By-Host Lookup: false
                      Netgroup-By-Host DN: -
                   Netgroup-By-Host Scope: subtree

5b. Create the ldap client config (binding as cifs server)

Use if the SVM is already joined to AD.
::*> vserver services ldap client create -client-config ldap1 -ad-domain [domainname] -preferred-ad-servers [ipaddress] -schema NEW-RFC-2307 -port 389 -query-timeout 10 -min-bind-level sasl -base-dn [basedn] -base-scope subtree -user-scope subtree -group-scope subtree -netgroup-scope subtree -bind-dn [binddn] -bind-password [password] -user-dn [userdn] -group-dn [groupdn] -bind-as-cifs-server true -vserver [vservername]

::*> vserver services name-service ldap client show -instance -vserver [vservername]

                                  Vserver: [vservername]
                Client Configuration Name: ldap1
                         LDAP Server List: -
                  Active Directory Domain: [domainname]
       Preferred Active Directory Servers: [ipaddress]
Bind Using the Vserver's CIFS Credentials: false
                          Schema Template: NEW-RFC-2307
                         LDAP Server Port: 389
                      Query Timeout (sec): 10
        Minimum Bind Authentication Level: sasl
                           Bind DN (User): [binddn]
                                  Base DN: [basedn]
                        Base Search Scope: subtree
                                  User DN: [userdn]
                        User Search Scope: subtree
                                 Group DN: [groupdn]
                       Group Search Scope: subtree
                              Netgroup DN: -
                    Netgroup Search Scope: subtree
               Vserver Owns Configuration: true
      Use start-tls Over LDAP Connections: false
(DEPRECATED) Allow SSL for the TLS Handshake Protocol: false
           Enable Netgroup-By-Host Lookup: false
                      Netgroup-By-Host DN: -
                   Netgroup-By-Host Scope: subtree

6. Configure the SVM to use the new LDAP client

::*> vserver services name-service ldap create -client-config ldap1 -client-enabled true -vserver [vservername]

::> vserver services name-service ldap show
               Client        Client
Vserver        Configuration Enabled
-------------- ------------- -------
[vservername] 
               ldap1         true

7. Configure the SVM to use LDAP for name service lookups

::*> vserver services name-service ns-switch show -vserver [vservername]
                               Source
Vserver         Database       Order
--------------- ------------   ---------
[vservername] hosts         files,
                               dns
[vservername] group         files
[vservername] passwd        files
[vservername] netgroup      files
[vservername] namemap       files
5 entries were displayed.

::*> vserver services name-service ns-switch modify -database passwd files,ldap -vserver [vservername]

::*> vserver services name-service ns-switch modify -database group files,ldap -vserver [vservername]

::*> vserver services name-service ns-switch modify -database namemap files,ldap -vserver [vservername]

::> vserver services name-service ns-switch show -vserver [vservername]
                               Source
Vserver         Database       Order
--------------- ------------   ---------
[vservername] hosts         files,
                               dns
[vservername] group         files,
                               ldap
[vservername] passwd        files,
                               ldap
[vservername] netgroup      files
[vservername] namemap       files,
                               ldap
5 entries were displayed.

8. Configure the number of group IDs allowed for NFS users

By default, Data ONTAP supports up to 32 group IDs when handling NFS user credentials using Kerberos (RPCSEC_GSS) authentication. When using AUTH_SYS authentication, the default maximum number of group IDs is 16, as defined in RFC 5531. You can increase the maximum up to 1,024 if you have users who are members of more than the default number of groups.
::*> vserver nfs modify -auth-sys-extended-groups enabled -vserver [vservername] 

::*> vserver nfs modify -extended-groups-limit 256 -vserver [vservername]

::*> vserver nfs show -fields auth-sys-extended-groups,extended-groups-limit -vserver [vservername] 
vserver          auth-sys-extended-groups extended-groups-limit 
---------------- ------------------------ --------------------- 
[vservername] enabled                  256    
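To make the effect of these two parameters concrete, here is a small Python model of what the KB quote and step 8 describe: an AUTH_SYS client can only put 16 GIDs in the RPC credential, so a group past that cut-off is invisible to the server unless auth-sys-extended-groups makes the server look the user's full membership up by UID (capped at extended-groups-limit). This is an added example, not NetApp code and not part of the original post. The users, UIDs and GIDs are constructed, the name-service lookup is a dictionary standing in for LDAP, only the group-class permission check is modelled, and the choice of which 16 GIDs a client sends (here, the lowest 16) is an assumption, since that is client-specific.

```python
"""Model of the AUTH_SYS 16-GID limit and of ONTAP's extended-groups lookup.

Added example, not NetApp code.  An NFS client using AUTH_SYS sends at most
16 GIDs in the RPC credential (RFC 5531); a server with
auth-sys-extended-groups enabled ignores that list and resolves the user's
full membership from name services, capped at extended-groups-limit.
Which 16 GIDs a real client sends is client-specific; this model assumes the
lowest 16 (an assumption).  All users, UIDs and GIDs below are constructed.
"""

AUTH_SYS_MAX_GIDS = 16   # supplementary GIDs that fit in an AUTH_SYS credential

# Constructed group database in /etc/group format (name:x:gid:member,...).
# alice is in 20 groups, proj290..proj309; bob is in two.
_GROUP_LINES = [f"proj{gid}:x:{gid}:alice" for gid in range(290, 310)]
_GROUP_LINES[10] += ",bob"                 # proj300 also contains bob
_GROUP_LINES.append("wheel:x:10:bob")
GROUP_DB = "\n".join(_GROUP_LINES) + "\n"

# Constructed passwd data: user -> (uid, primary gid)
PASSWD = {"alice": (1001, 300), "bob": (1002, 10)}


def parse_group_db(text):
    """Return {user: sorted list of GIDs} from /etc/group-style text."""
    memberships = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _name, _pw, gid, members = line.split(":", 3)
        for user in filter(None, members.split(",")):
            memberships.setdefault(user, []).append(int(gid))
    return {user: sorted(gids) for user, gids in memberships.items()}


def users_over_limit(memberships, limit=AUTH_SYS_MAX_GIDS):
    """Users whose group count exceeds what an AUTH_SYS credential can carry."""
    return {user: len(gids) for user, gids in memberships.items() if len(gids) > limit}


def auth_sys_credential(user, memberships):
    """What the client puts on the wire: uid, primary gid, and at most 16 GIDs."""
    uid, primary = PASSWD[user]
    gids = memberships.get(user, [])
    return {"uid": uid, "gid": primary,
            "gids": gids[:AUTH_SYS_MAX_GIDS],           # truncation happens here
            "truncated": len(gids) > AUTH_SYS_MAX_GIDS}


def lookup_groups_by_uid(uid, memberships):
    """Name-service lookup the server performs when extended groups are enabled."""
    for user, (user_uid, _primary) in PASSWD.items():
        if user_uid == uid:
            return memberships.get(user, [])
    return []


def server_effective_gids(cred, memberships, extended_enabled, extended_limit=256):
    """GIDs the server evaluates for the request.

    extended_enabled=False: trust the (possibly truncated) wire list.
    extended_enabled=True:  discard the wire list and use the name-service
                            result, capped at extended_limit
                            (the -extended-groups-limit value).
    """
    if extended_enabled:
        gids = lookup_groups_by_uid(cred["uid"], memberships)[:extended_limit]
    else:
        gids = cred["gids"]
    return {cred["gid"], *gids}


def group_access_granted(file_gid, effective_gids):
    """Group-class check only: does the caller belong to the file's group?"""
    return file_gid in effective_gids


def demo(file_gid=308):
    """Compare both server settings for alice on a file owned by gid 308."""
    memberships = parse_group_db(GROUP_DB)
    cred = auth_sys_credential("alice", memberships)
    return {
        "auth_sys_only": group_access_granted(
            file_gid, server_effective_gids(cred, memberships, extended_enabled=False)),
        "extended_groups": group_access_granted(
            file_gid, server_effective_gids(cred, memberships, extended_enabled=True)),
    }


if __name__ == "__main__":
    print(users_over_limit(parse_group_db(GROUP_DB)))
    print(demo())
```

Running it reports alice as over the limit and shows the same request denied with AUTH_SYS alone and granted once extended groups are enabled. Note that the cap matters too: setting extended-groups-limit to 16 in the model reproduces the original failure, which is why the value in step 8 is set well above the largest real membership count.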

9. Test the lookup

Example results for successful gid 308 lookup:
::> set diag

Warning: These diagnostic commands are for use by NetApp personnel only.
Do you want to continue? {y|n}: y

::*> diag secd authentication translate -node [nodename] -gid 308 -vserver [vservername] 
[AD group object]

Example results for failed uid 308 lookup:
::> set diag

Warning: These diagnostic commands are for use by NetApp personnel only.
Do you want to continue? {y|n}: y

::*> diag secd authentication translate -node [nodename] -uid 308 -vserver [vservername]

Vserver: [vservername] (internal ID: 24)

Error: Acquire UNIX credentials procedure failed
  [  1 ms] Entry for user-id: 308 not found in the current source:
           FILES. Ignoring and trying next available source
  [     2] Using a cached connection to [domainserver]
 *[     3] FAILURE: User ID '308' not found in UNIX authorization
 *         source LDAP. 
  [     4] Entry for user-id: 308 not found in the current source:
           LDAP. Entry for user-id: 308 not found in any of the
           available sources
  [     4] Unable to retrieve UNIX username for UID 308

Error: command failed: Failed to resolve User ID '308' to a user name. Reason: "SecD Error: object not found". 

Example results for successful name mapping:
::*> diag secd name-mapping show -node [nodename] -vserver [vservername] -direction win-unix -name [domaindomainusername]

Warning: Mapping of Data ONTAP "admin" users to UNIX user "root" is enabled,but the following information does not reflect this mapping.
Do you want to continue? {y|n}: y

[domaindomainusername] maps to [username]     
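The failed uid 308 lookup above is what you get when no object in LDAP carries the attribute the schema maps (here uidNumber), and the schema mapping in steps 3 and 4 is only as good as the attributes actually populated on the AD objects. A cheap offline check is to run an LDIF export of the relevant users and groups against that mapping before (or while) troubleshooting on the filer. The following is an added Python example, not NetApp code and not part of the original post: the LDIF, DNs and numbers are constructed, the function names are hypothetical, and the attribute list is taken from the step 3 schema modify command (uid = sAMAccountName, uidNumber, gidNumber, group name = cn, RFC 2307bis membership via member). It also reproduces the uid/gid translations from step 9 against that export.

```python
"""Check an LDIF export of AD users/groups against the NEW-RFC-2307 mapping.

Added example, not NetApp code.  Attribute names follow the schema modify
command in step 3.  The LDIF below is constructed; only plain "attr: value"
lines and space-folded continuations are parsed, not base64 ("attr:: value").
"""

SAMPLE_LDIF = """\
dn: CN=alice,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 1001
gidNumber: 300
unixHomeDirectory: /home/alice

dn: CN=carol,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: carol

dn: CN=proj308,OU=Groups,DC=example,DC=com
objectClass: group
cn: proj308
gidNumber: 308
member: CN=alice,OU=Users,DC=example,DC=com
member: CN=carol,OU=Users,DC=example,DC=com
member: CN=dave,OU=Users,DC=example,DC=com

dn: CN=legacy,OU=Groups,DC=example,DC=com
objectClass: group
cn: legacy
member: CN=alice,OU=Users,DC=example,DC=com
"""

# (lower-cased LDAP name, display name) the schema needs to resolve an object
USER_REQUIRED = [("samaccountname", "sAMAccountName"), ("uidnumber", "uidNumber"),
                 ("gidnumber", "gidNumber")]
GROUP_REQUIRED = [("cn", "cn"), ("gidnumber", "gidNumber")]


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attr_lower: [values]} dicts."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # folded continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:                    # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def first(entry, attr):
    values = entry.get(attr)
    return values[0] if values else None


def has_class(entry, cls):
    return cls in (c.lower() for c in entry.get("objectclass", []))


def audit_ldif(text):
    """Return {dn: [problems]} for objects the schema could not fully resolve."""
    entries = parse_ldif(text)
    # RFC 2307bis membership is a list of member DNs; each must be a user with a uidNumber
    resolvable = {first(e, "dn") for e in entries if has_class(e, "user") and first(e, "uidnumber")}
    issues = {}
    for e in entries:
        problems = []
        if has_class(e, "user"):
            problems += [f"missing {name}" for attr, name in USER_REQUIRED if attr not in e]
        elif has_class(e, "group"):
            problems += [f"missing {name}" for attr, name in GROUP_REQUIRED if attr not in e]
            problems += [f"member not resolvable: {m}" for m in e.get("member", []) if m not in resolvable]
        if problems:
            issues[first(e, "dn")] = sorted(problems)
    return issues


def lookup_uid(entries, uid):
    """Offline analogue of 'diag secd authentication translate -uid'."""
    for e in entries:
        if has_class(e, "user") and first(e, "uidnumber") == str(uid):
            return first(e, "samaccountname")
    return None


def lookup_gid(entries, gid):
    """Offline analogue of 'diag secd authentication translate -gid'."""
    for e in entries:
        if has_class(e, "group") and first(e, "gidnumber") == str(gid):
            return first(e, "cn")
    return None


if __name__ == "__main__":
    objects = parse_ldif(SAMPLE_LDIF)
    print("gid 308 ->", lookup_gid(objects, 308), "| uid 308 ->", lookup_uid(objects, 308))
    for dn, problems in audit_ldif(SAMPLE_LDIF).items():
        print(dn, problems)
```

On the constructed data the gid 308 lookup succeeds and the uid 308 lookup returns nothing, matching the two outcomes in step 9, and the audit flags the user with no uidNumber/gidNumber, the group with no gidNumber, and the group members that cannot be resolved to a UNIX user. Those are the objects to fix in AD before expecting the filer to see the extended group list.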

Further reading:

Secure Unified Authentication for NFS Kerberos, NFSv4, and LDAP in ONTAP