Qumulo NFS exports adhere to the NFS specification as defined by RFC 5531, which allows UNIX-style AUTH_SYS and AUTH_UNIX systems to handle a maximum of 16 Group ID Numbers (GIDs) for authentication.
During a normal NFS session, only the first 16 GIDs of the groups a user belongs to are used for credential verification.
In the example below, a user belonging to over 50 groups is browsing and creating files in a Qumulo-hosted NFS mount. As you can see, only the first 16 GIDs of this user’s 50-plus GIDs are used for access verification, starting with the Primary GID and followed by the next 15 GIDs in ascending numerical order.
To overcome this 16 Group NFS Specification limit, Qumulo provides two different options:
Once the cluster is joined to Active Directory, all sessions result in a full credential expansion for each user. When a user accesses a file over NFS, the cluster first queries the AD server to find all the groups the user belongs to, maps the user and groups to all the Windows SIDs, and then applies permissions based on that fully expanded credential set.
When GID expansion is enabled with LDAP, Qumulo uses the configured LDAP server to retrieve all groups for a given UID. Qumulo tests the LDAP connection when this setting is configured.
Either of these methods effectively removes the NFS 16 Group limitation and allows Qumulo-hosted NFS exports to handle the maximum number of groups allowed by OpenLDAP or Active Directory.
NOTE: The NFS 16 Group limit has no impact on SMB shares or SMB access.
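To see which accounts are affected by the limit before choosing one of the options above, the following added example (not Qumulo code) audits passwd(5)/group(5)-style data and reports the GIDs that fall outside the first 16 for each user. It assumes the selection rule described above (Primary GID, then the 15 lowest remaining GIDs); the function names and the sample accounts are constructed for illustration.

```python
from collections import defaultdict

MAX_GIDS = 16  # GIDs honoured per credential without expansion, per this page

def parse_membership(passwd_text, group_text):
    """Return {user: (primary_gid, set_of_all_gids)} from passwd(5)/group(5) text."""
    primary = {}
    for line in passwd_text.strip().splitlines():
        fields = line.split(":")
        primary[fields[0]] = int(fields[3])
    gids = defaultdict(set)
    for user, gid in primary.items():
        gids[user].add(gid)
    for line in group_text.strip().splitlines():
        _name, _pw, gid, members = line.split(":")
        for user in filter(None, members.split(",")):
            gids[user].add(int(gid))
    return {u: (primary[u], gids[u]) for u in primary}

def honoured_gids(primary_gid, all_gids):
    """Primary GID first, then the next 15 in ascending order (assumed rule)."""
    rest = sorted(g for g in all_gids if g != primary_gid)
    return [primary_gid] + rest[:MAX_GIDS - 1]

def ignored_gids(primary_gid, all_gids):
    """GIDs that never reach the access check unless expansion is enabled."""
    return sorted(set(all_gids) - set(honoured_gids(primary_gid, all_gids)))

def audit(passwd_text, group_text):
    """Map each user with more than MAX_GIDS groups to the GIDs that are ignored."""
    report = {}
    for user, (pgid, gids) in parse_membership(passwd_text, group_text).items():
        dropped = ignored_gids(pgid, gids)
        if dropped:
            report[user] = dropped
    return report

# Constructed sample data: alice is in 20 groups, bob in 3.
PASSWD = ("alice:x:1001:5000:Alice:/home/alice:/bin/sh\n"
          "bob:x:1002:5001:Bob:/home/bob:/bin/sh\n")
GROUP = "\n".join(
    f"proj{n}:x:{6000 + n}:alice" + (",bob" if n < 2 else "") for n in range(19)
) + "\nalice:x:5000:\nbob:x:5001:\n"

if __name__ == "__main__":
    for user, dropped in audit(PASSWD, GROUP).items():
        print(f"{user}: {len(dropped)} group(s) ignored without expansion: {dropped}")
```

Files or directories whose group owner is one of the reported GIDs are the ones where a user's access over NFS will differ from what their full membership implies.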