Recently ran into this issue, as described in NetApp KB000010630:
- Network File System (NFS) users have access problems when they belong to greater than 16 groups.
- Users have access problems if in 17 to 20 groups.
As noted in the KB:
Although the filer currently supports up to 32 UNIX/NFS groups, some NFS clients only support 16 groups, which means an NFS user can only belong to 16 groups while using NFS… While there are hacks for allowing a Unix user to be a part of more than 16 netgroups, per RFC standard RFC 5531 this is a set limit and cannot be modified. So it is likely that a client vendor would not support changes to the client allowing more than 16 netgroups. ONTAP limits to 16 as well following the RFC 5531 standard.
As a workaround, Support recommended setting up and configuring LDAP for Clustered Data ONTAP 8.x and then using the “extended-groups-limit” and “auth-sys-extended-groups” NFS server parameters to raise the maximum number of group IDs. The steps below are what that looked like in practice.
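To see where the "set limit" in the KB quote actually lives, here is an added example (my own code, not NetApp's or any NFS client's) that encodes and decodes the AUTH_SYS credential exactly as RFC 5531 defines it in XDR. The bound gids<16> and the 400-byte opaque_auth body are part of the wire format, so a client cannot send a 17th supplementary group under AUTH_SYS and a server cannot receive one; that is why the fix has to be a server-side lookup (step 8) rather than a client tweak. The sample values (uid 1001, hostname "nfsclient", the gids) are constructed.

```python
"""XDR encoder/decoder for the AUTH_SYS (AUTH_UNIX) credential of RFC 5531.

Added illustration, not NetApp or client code. The RFC defines:

    struct authsys_parms {
        unsigned int stamp;
        string machinename<255>;
        unsigned int uid;
        unsigned int gid;
        unsigned int gids<16>;      <-- the 16-group limit
    };

carried in an opaque_auth whose body is at most 400 bytes.
"""
import struct

AUTH_SYS = 1            # auth_flavor value for AUTH_SYS
MAX_GIDS = 16           # gids<16>
MAX_MACHINENAME = 255   # machinename<255>
MAX_AUTH_BODY = 400     # opaque_auth body<400>


def _xdr_uint(value):
    """XDR unsigned int: 4 bytes, big-endian."""
    return struct.pack(">I", value)


def _xdr_string(text, bound):
    """XDR string<bound>: length prefix, bytes, padded to a 4-byte boundary."""
    data = text.encode()
    if len(data) > bound:
        raise ValueError(f"string longer than XDR bound {bound}")
    return _xdr_uint(len(data)) + data + b"\x00" * ((-len(data)) % 4)


def encode_authsys(stamp, machinename, uid, gid, gids):
    """Build the opaque_auth (flavor, body length, body) for an AUTH_SYS
    credential. A 17th supplementary GID cannot be encoded at all."""
    if len(gids) > MAX_GIDS:
        raise ValueError(f"AUTH_SYS carries at most {MAX_GIDS} gids, got {len(gids)}")
    body = (_xdr_uint(stamp) + _xdr_string(machinename, MAX_MACHINENAME)
            + _xdr_uint(uid) + _xdr_uint(gid)
            + _xdr_uint(len(gids)) + b"".join(_xdr_uint(g) for g in gids))
    if len(body) > MAX_AUTH_BODY:
        raise ValueError("opaque_auth body exceeds 400 bytes")
    return _xdr_uint(AUTH_SYS) + _xdr_uint(len(body)) + body


def decode_authsys(blob):
    """Parse an AUTH_SYS opaque_auth, applying the same bounds a server-side
    decoder should enforce before trusting any field."""
    def uint(off):
        if off + 4 > len(blob):
            raise ValueError("truncated credential")
        return struct.unpack(">I", blob[off:off + 4])[0], off + 4

    flavor, off = uint(0)
    if flavor != AUTH_SYS:
        raise ValueError("not an AUTH_SYS credential")
    body_len, off = uint(off)
    if body_len > MAX_AUTH_BODY or off + body_len != len(blob):
        raise ValueError("bad opaque_auth body length")
    stamp, off = uint(off)
    name_len, off = uint(off)
    if name_len > MAX_MACHINENAME:
        raise ValueError("machinename exceeds 255 bytes")
    machinename = blob[off:off + name_len].decode()
    off += name_len + (-name_len) % 4
    uid, off = uint(off)
    gid, off = uint(off)
    count, off = uint(off)
    if count > MAX_GIDS:
        raise ValueError("gids array exceeds 16 entries")
    gids = []
    for _ in range(count):
        g, off = uint(off)
        gids.append(g)
    if off != len(blob):
        raise ValueError("trailing bytes after credential")
    return {"stamp": stamp, "machinename": machinename,
            "uid": uid, "gid": gid, "gids": gids}


if __name__ == "__main__":
    # Constructed sample: uid 1001, primary group 100, three supplementary groups.
    cred = encode_authsys(1, "nfsclient", 1001, 100, [200, 300, 308])
    print(len(cred), decode_authsys(cred))
    try:
        encode_authsys(1, "nfsclient", 1001, 100, list(range(200, 217)))
    except ValueError as err:
        print("17 groups:", err)
```

The decoder deliberately rejects a gids count above 16 instead of reading past the array, which is the check a server implementation needs anyway since the count field arrives untrusted from the network.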
1. Gather the schema information (read-only by default)
schema show -vserver [vservername]
(vserver services name-service ldap client schema show)
Vserver         Schema Template    Comment
--------------- ------------------ -------------------------------------------------------
[vservername]   AD-IDMU            Schema based on Active Directory Identity Management for UNIX (read-only)
[vservername]   AD-SFU             Schema based on Active Directory Services for UNIX (read-only)
[vservername]   AD-SFU-Deprecated  Schema based on Active Directory Services for UNIX (read-only)
[vservername]   RFC-2307           Schema based on RFC 2307 (read-only)
4 entries were displayed.
2. Create a new schema to use by copying RFC 2307 to a new schema
::*> set -privilege advanced
::*> ldap client schema copy -schema RFC-2307 -new-schema-name NEW-RFC-2307 -vserver [vservername]
3. Modify the schema as necessary for Active Directory
::*> vserver services ldap client schema modify -schema NEW-RFC-2307 -comment "NEW-RFC-2307" -gecos-attribute name -home-directory-attribute unixHomeDirectory -uid-attribute sAMAccountName -user-password-attribute unixUserPassword -posix-account-object-class User -posix-group-object-class Group -member-uid-attribute memberUid -enable-rfc2307bis true -group-of-unique-names-object-class group -unique-member-attribute member -vserver [vservername]
4. Verify the schema
::*> ldap client schema show -schema NEW-RFC-2307 -vserver [vservername]
Vserver: [vservername]
Schema Template: NEW-RFC-2307
Comment: NEW-RFC-2307
RFC 2307 posixAccount Object Class: User
RFC 2307 posixGroup Object Class: Group
RFC 2307 nisNetgroup Object Class: nisNetgroup
RFC 2307 uid Attribute: sAMAccountName
RFC 2307 uidNumber Attribute: uidNumber
RFC 2307 gidNumber Attribute: gidNumber
RFC 2307 cn (for Groups) Attribute: cn
RFC 2307 cn (for Netgroups) Attribute: cn
RFC 2307 userPassword Attribute: unixUserPassword
RFC 2307 gecos Attribute: name
RFC 2307 homeDirectory Attribute: unixHomeDirectory
RFC 2307 loginShell Attribute: loginShell
RFC 2307 memberUid Attribute: memberUid
RFC 2307 memberNisNetgroup Attribute: memberNisNetgroup
RFC 2307 nisNetgroupTriple Attribute: nisNetgroupTriple
Enable Support for Draft RFC 2307bis: true
RFC 2307bis groupOfUniqueNames Object Class: group
RFC 2307bis uniqueMember Attribute: member
Data ONTAP Name Mapping windowsToUnix Object Class: posixAccount
Data ONTAP Name Mapping windowsAccount Attribute: windowsAccount
Data ONTAP Name Mapping windowsToUnix Attribute: windowsAccount
No Domain Prefix for windowsToUnix Name Mapping: false
Vserver Owns Schema: true
Maximum groups supported when RFC 2307bis enabled: 256
RFC 2307 nisObject Object Class: nisObject
RFC 2307 nisMapName Attribute: nisMapName
RFC 2307 nisMapEntry Attribute: nisMapEntry
5a. Create the LDAP client config (using a bind account), or:
Use this if the SVM is not joined to AD and you have no intention of serving CIFS.
::*> vserver services ldap client create -client-config ldap1 -ad-domain [domainname] -preferred-ad-servers [ipaddress] -schema NEW-RFC-2307 -port 389 -query-timeout 10 -min-bind-level sasl -base-dn [basedn] -base-scope subtree -user-scope subtree -group-scope subtree -netgroup-scope subtree -bind-dn [binddn] -bind-password [password] -user-dn [userdn] -group-dn [groupdn] -bind-as-cifs-server false -vserver [vservername]
::*> vserver services name-service ldap client show -instance -vserver [vservername]
Vserver: [vservername]
Client Configuration Name: ldap1
LDAP Server List: -
Active Directory Domain: [domainname]
Preferred Active Directory Servers: [ipaddress]
Bind Using the Vserver's CIFS Credentials: false
Schema Template: NEW-RFC-2307
LDAP Server Port: 389
Query Timeout (sec): 10
Minimum Bind Authentication Level: sasl
Bind DN (User): [binddn]
Base DN: [basedn]
Base Search Scope: subtree
User DN: [userdn]
User Search Scope: subtree
Group DN: [groupdn]
Group Search Scope: subtree
Netgroup DN: -
Netgroup Search Scope: subtree
Vserver Owns Configuration: true
Use start-tls Over LDAP Connections: false
(DEPRECATED) Allow SSL for the TLS Handshake Protocol: false
Enable Netgroup-By-Host Lookup: false
Netgroup-By-Host DN: -
Netgroup-By-Host Scope: subtree
5b. Create the LDAP client config (binding as the CIFS server)
Use this if the SVM is already joined to AD.
::*> vserver services ldap client create -client-config ldap1 -ad-domain [domainname] -preferred-ad-servers [ipaddress] -schema NEW-RFC-2307 -port 389 -query-timeout 10 -min-bind-level sasl -base-dn [basedn] -base-scope subtree -user-scope subtree -group-scope subtree -netgroup-scope subtree -bind-dn [binddn] -bind-password [password] -user-dn [userdn] -group-dn [groupdn] -bind-as-cifs-server true -vserver [vservername]
::*> vserver services name-service ldap client show -instance -vserver [vservername]
Vserver: [vservername]
Client Configuration Name: ldap1
LDAP Server List: -
Active Directory Domain: [domainname]
Preferred Active Directory Servers: [ipaddress]
Bind Using the Vserver's CIFS Credentials: true
Schema Template: NEW-RFC-2307
LDAP Server Port: 389
Query Timeout (sec): 10
Minimum Bind Authentication Level: sasl
Bind DN (User): [binddn]
Base DN: [basedn]
Base Search Scope: subtree
User DN: [userdn]
User Search Scope: subtree
Group DN: [groupdn]
Group Search Scope: subtree
Netgroup DN: -
Netgroup Search Scope: subtree
Vserver Owns Configuration: true
Use start-tls Over LDAP Connections: false
(DEPRECATED) Allow SSL for the TLS Handshake Protocol: false
Enable Netgroup-By-Host Lookup: false
Netgroup-By-Host DN: -
Netgroup-By-Host Scope: subtree
6. Configure the SVM to use the new LDAP client
::*> vserver services name-service ldap create -client-config ldap1 -client-enabled true -vserver [vservername]
::> vserver services name-service ldap show
                Client        Client
Vserver         Configuration Enabled
--------------- ------------- -------
[vservername]   ldap1         true
7. Configure the SVM to use LDAP for name server lookups
::*> vserver services name-service ns-switch show -vserver [vservername]
                             Source
Vserver         Database     Order
--------------- ------------ ---------
[vservername]   hosts        files,dns
[vservername]   group        files
[vservername]   passwd       files
[vservername]   netgroup     files
[vservername]   namemap      files
5 entries were displayed.
::*> vserver services name-service ns-switch modify -database passwd files,ldap -vserver [vservername]
::*> vserver services name-service ns-switch modify -database group files,ldap -vserver [vservername]
::*> vserver services name-service ns-switch modify -database namemap files,ldap -vserver [vservername]
::> vserver services name-service ns-switch show -vserver [vservername]
                             Source
Vserver         Database     Order
--------------- ------------ ---------
[vservername]   hosts        files,dns
[vservername]   group        files,ldap
[vservername]   passwd       files,ldap
[vservername]   netgroup     files
[vservername]   namemap      files,ldap
5 entries were displayed.
8. Configure the number of group IDs allowed for NFS users
By default, Data ONTAP supports up to 32 group IDs when handling NFS user credentials using Kerberos (RPCSEC_GSS) authentication. When using AUTH_SYS authentication, the default maximum number of group IDs is 16, as defined in RFC 5531. You can increase the maximum up to 1,024 if you have users who are members of more than the default number of groups.
::*> vserver nfs modify -auth-sys-extended-groups enabled -vserver [vservername]
::*> vserver nfs modify -extended-groups-limit 256 -vserver [vservername]
::*> vserver nfs show -fields auth-sys-extended-groups,extended-groups-limit -vserver [vservername]
vserver auth-sys-extended-groups extended-groups-limit
---------------- ------------------------ ---------------------
[vservername] enabled 256
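The schema mapping from steps 3 and 4 and the limits from step 8 come together in the following added example (my own code, not NetApp's; ONTAP's behaviour is modelled, not called). It applies the NEW-RFC-2307 attribute names to a handful of constructed AD objects, resolves a user's supplementary GIDs through both membership styles the schema enables (memberUid strings and, with rfc2307bis on, member DNs), and then models which GIDs the NFS server honours. The modelling assumption, which is my reading of what auth-sys-extended-groups does and why LDAP has to be configured first: with the option disabled only the at most 16 GIDs in the AUTH_SYS credential count; with it enabled the server looks the user's groups up from the name service by UID, up to extended-groups-limit. All DNs, names and numbers below are made up.

```python
"""Apply the NEW-RFC-2307 attribute mapping (steps 3-4) to AD objects and
check the result against the NFS group limits of step 8.

Added example, not NetApp code; every directory entry is constructed sample
data and the server behaviour in effective_gids is an assumption."""

# Attribute names exactly as they appear in the schema show output above.
SCHEMA = {
    "uid": "sAMAccountName",
    "uidNumber": "uidNumber",
    "gidNumber": "gidNumber",
    "gecos": "name",
    "homeDirectory": "unixHomeDirectory",
    "loginShell": "loginShell",
    "memberUid": "memberUid",   # RFC 2307 membership: group lists uid strings
    "uniqueMember": "member",   # RFC 2307bis membership: group lists user DNs
    "rfc2307bis": True,         # -enable-rfc2307bis true
}

# Constructed AD objects. "jdoe" has POSIX attributes; "svc-noposix" does not.
USERS = {
    "jdoe": {"dn": "CN=jdoe,OU=Users,DC=example,DC=test",
             "sAMAccountName": "jdoe", "uidNumber": 1001, "gidNumber": 100,
             "name": "Jane Doe", "unixHomeDirectory": "/home/jdoe",
             "loginShell": "/bin/bash"},
    "svc-noposix": {"dn": "CN=svc-noposix,OU=Users,DC=example,DC=test",
                    "sAMAccountName": "svc-noposix", "name": "Service"},
}
GROUPS = [
    {"dn": "CN=eng,OU=Groups,DC=example,DC=test", "cn": "eng", "gidNumber": 308,
     "member": ["CN=jdoe,OU=Users,DC=example,DC=test"]},            # 2307bis style
    {"dn": "CN=legacy,OU=Groups,DC=example,DC=test", "cn": "legacy", "gidNumber": 309,
     "memberUid": ["jdoe"]},                                          # 2307 style
    {"dn": "CN=users,OU=Groups,DC=example,DC=test", "cn": "users", "gidNumber": 100,
     "member": ["CN=jdoe,OU=Users,DC=example,DC=test"]},            # primary group
    {"dn": "CN=no-gid,OU=Groups,DC=example,DC=test", "cn": "no-gid",
     "member": ["CN=jdoe,OU=Users,DC=example,DC=test"]},            # no gidNumber
]


def posix_account(entry, schema=SCHEMA):
    """passwd-style view of one AD user, or None when it has no uidNumber.
    Such a user gets no UNIX credentials; compare the failed UID lookup in step 9."""
    if schema["uidNumber"] not in entry:
        return None
    return {field: entry.get(schema[field], "")
            for field in ("uid", "uidNumber", "gidNumber", "gecos",
                          "homeDirectory", "loginShell")}


def supplementary_gids(user, groups, schema=SCHEMA):
    """{gid: matching attribute} for every group that lists the user, via memberUid
    or, with rfc2307bis on, via member (DN). Groups without gidNumber have no
    UNIX identity and are skipped; the primary group travels in gid, not gids."""
    uid, dn = user[schema["uid"]], user["dn"]
    found = {}
    for group in groups:
        if schema["gidNumber"] not in group:
            continue
        if uid in group.get(schema["memberUid"], []):
            found[group[schema["gidNumber"]]] = schema["memberUid"]
        elif schema["rfc2307bis"] and dn in group.get(schema["uniqueMember"], []):
            found[group[schema["gidNumber"]]] = schema["uniqueMember"]
    found.pop(user.get(schema["gidNumber"]), None)
    return found


def effective_gids(cred_gids, directory_gids, extended_groups=False, extended_limit=256):
    """Which supplementary GIDs the server honours (assumed ONTAP behaviour):
    plain AUTH_SYS: only the (at most 16) GIDs the credential carried;
    auth-sys-extended-groups enabled: membership resolved from the name
    service by UID instead, up to extended-groups-limit."""
    if not extended_groups:
        return sorted(cred_gids)
    if len(directory_gids) > extended_limit:
        raise ValueError(f"{len(directory_gids)} groups exceed extended-groups-limit {extended_limit}")
    return sorted(directory_gids)


if __name__ == "__main__":
    gids = supplementary_gids(USERS["jdoe"], GROUPS)
    print(posix_account(USERS["jdoe"]), gids)
    print(posix_account(USERS["svc-noposix"]))          # None: no uidNumber
    print(effective_gids([200], gids, extended_groups=True))
```

Two things worth checking against a real directory before relying on the extended-groups path: every group that should matter for NFS needs a gidNumber (the "no-gid" group above silently contributes nothing), and memberships expressed only as member DNs are invisible unless rfc2307bis is enabled and the uniqueMember attribute is mapped to member, which is what the schema modify in step 3 does.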
9. Test the lookup
Example results for successful gid 308 lookup:
::> set diag
Warning: These diagnostic commands are for use by NetApp personnel only.
Do you want to continue? {y|n}: y
::*> diag secd authentication translate -node [nodename] -gid 308 -vserver [vservername]
[AD group object]
Example results for failed uid 308 lookup:
::> set diag
Warning: These diagnostic commands are for use by NetApp personnel only.
Do you want to continue? {y|n}: y
::*> diag secd authentication translate -node [nodename] -uid 308 -vserver [vservername]
Vserver: [vservername] (internal ID: 24)
Error: Acquire UNIX credentials procedure failed
[ 1 ms] Entry for user-id: 308 not found in the current source:
FILES. Ignoring and trying next available source
[ 2] Using a cached connection to [domainserver]
*[ 3] FAILURE: User ID '308' not found in UNIX authorization
* source LDAP.
[ 4] Entry for user-id: 308 not found in the current source:
LDAP. Entry for user-id: 308 not found in any of the
available sources
[ 4] Unable to retrieve UNIX username for UID 308
Error: command failed: Failed to resolve User ID '308' to a user name. Reason: "SecD Error: object not found".
Example results for successful name mapping:
::*> diag secd name-mapping show -node [nodename] -vserver [vservername] -direction win-unix -name [domaindomainusername]
Warning: Mapping of Data ONTAP "admin" users to UNIX user "root" is enabled, but the following information does not reflect this mapping.
Do you want to continue? {y|n}: y
[domaindomainusername] maps to [username]
Further reading:
Secure Unified Authentication for NFS Kerberos, NFSv4, and LDAP in ONTAP