IN THIS ARTICLE
Provides an overview of the NFSv3 16 Group Limit with Qumulo
- Cluster running Qumulo Core
Qumulo NFS exports adhere to the specifications of NFS Version 3 (NFSv3 as specified by RFC 5531) that allow UNIX-style AUTH_SYS and AUTH_UNIX systems to handle a maximum of 16 Group ID Numbers (GIDs) for authentication.
During a normal NFS session, only the first 16 GIDs for groups that a user belongs to will be used for credential verification.
In the example below, a user belonging to over 50 groups is browsing and creating files in a Qumulo-hosted NFS mount. As you can see, only the first 16 GIDs of this user’s 50-plus GIDs are used for access verification starting with the Primary GID followed by the next 15 GIDs in ascending numerical order.
To overcome this 16 Group NFS Specification limit, Qumulo provides two different options:
Once the cluster is joined to Active Directory, all sessions will result in a full credential expansion for each user. So when a user is accessing a file over NFS, the cluster will first query the AD server to find all the groups that user belongs to, map that user and groups to all the Windows SIDs, and then apply permissions based on that fully expanded credential set.
When GID expansion is enabled with LDAP, Qumulo will use the configured LDAP server to retrieve all groups for a given UID. Qumulo will test the LDAP connection when this setting is configured.
Either of these methods will effectively remove the NFS 16 Group limitation and allow Qumulo hosted NFS exports to handle the max number of groups allowed by OpenLDAP or Active Directory.
NOTE: The NFS 16 Group limit has no impact on SMB shares or SMB access.
You should now have an overall understanding of the NFSv3 16 Group Limit with Qumulo
Like what you see? Share this article with your network!