Print Email PDF

NFS 16 Group Limit with Qumulo

IN THIS ARTICLE 

Provides an overview of the NFS 16 Group Limit with Qumulo

REQUIREMENTS

  • Cluster running Qumulo Core

DETAILS

Qumulo NFS exports adhere to the specifications of NFS as specified by RFC 5531, which allow UNIX-style AUTH_SYS and AUTH_UNIX systems to handle a maximum of 16 Group ID Numbers (GIDs) for authentication. 

During a normal NFS session, only the first 16 GIDs for groups a user belongs to is used for credential verification.

In the example below, a user belonging to over 50 groups is browsing and creating files in a Qumulo-hosted NFS mount. As you can see, only the first 16 GIDs of this user’s 50-plus GIDs are used for access verification, starting with the Primary GID and followed by the next 15 GIDs in ascending numerical order.

NFS.png

To overcome this 16 Group NFS Specification limit, Qumulo provides two different options:

Once the cluster is joined to Active Directory, all sessions result in a full credential expansion for each user. So when a user is accessing a file over NFS, the cluster first queries the AD server to find all the groups a user belongs to, maps user and groups to all the Windows SIDs, and then apply permissions based on that fully expanded credential set.

When GID expansion is enabled with LDAP, Qumulo uses the configured LDAP server to retrieve all groups for a given UID. Qumulo tests the LDAP connection when this setting is configured.

Either of these methods effectively remove the NFS 16 Group limitation and allow Qumulo hosted NFS exports to handle the max number of groups allowed by OpenLDAP or Active Directory.

NOTE: The NFS 16 Group limit has no impact on SMB shares or SMB access.

RESOLUTION 

You should now have an overall understanding of the NFS 16 Group Limit with Qumulo

ADDITIONAL RESOURCES

OpenLDAP in Qumulo Core

Use Active Directory for POSIX attributes

RFC 5531

 

Like what you see? Share this article with your network!

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.

Have more questions?
Open a Case
Share it, if you like it.