NIS is supported as an auth provider for NFS exports. When NIS is configured, both of the following uses are enabled for views that are exposed to NFS and have the Group Membership Source setting in the view policy set to Provider or both:
- Authorizing user access to files and directories.
- In the view policy, when controlling access permissions per NFS hosts, you can specify the NFS client hosts using netgroup keys as defined in a NIS netgroup map.
See the following topics for details:
From the left navigation menu, select User Management and then NIS.
Click Create Nis to add a new NIS configuration. (You can only add one.)
Complete the fields:
Field: Domain Name
Description: The NIS domain name shared by all the NIS servers and clients on your network. Example: NIS.companyname.com
Field: Servers
Description: Include every NIS master and slave server (limited to ten servers). You can specify each server by its IP or host name, up to 48 characters. Either type them as a comma-separated list or type each one and hit ENTER and then type the next. Each entry appears below the field with its own removal button. Example: NISmaster.companyname.com,192.0.2.200,NISslave2.companyname.com
Click Create.
The NIS configuration is now displayed on the NIS tab in the User Management page.
To manage NIS via the CLI, use the following commands.
The NIS client looks up the NIS user and netgroup maps every thirty minutes and caches them. Refresh clears the cache and looks up the users and netgroups again.
If you are using NIS to check user group memberships in order to authorize file access, the cached user entries are used. Therefore, in order to avoid unwanted access denials, it's good practice to refresh the cache immediately after you update any user's group memberships on NIS.
The users cache is limited to 20,480 users.
If you're using NIS netgroups to specify which hosts are allowed to access exports, refreshing the cache can avoid delays in granting access. If a host requests access to an export and is not found in the netgroups that are listed in the export policy, VAST Cluster fetches the netgroup map again. Therefore, a host that was recently added to a netgroup without a refresh of the cache would be granted access after a short delay. To avoid those delays, refresh the NIS cache immediately after updating the netgroup map.
The netgroup cache is limited to 10,000 entries. If the number of netgroups on the NIS server exceeds the limit, the least recently used netgroups are skipped each time the netgroups are fetched.
Netgroups are sets of users, hosts and domains that are grouped together for administration purposes. On VAST Cluster, netgroups can be used to specify hosts in the access type rules per view policy. These rules determine the type of access you allow to NFS client hosts.
Here we explain the requirements for setting up a NIS netgroup map to be used for this purpose.
NIS Netgroups Explained
NIS netgroups are defined in a NIS netgroup map on the NIS master server.
A netgroup map looks like this, for example:
users (,user1271,) (,user973,) (,user287,) (,user1185,) (,user83,) (,user860,) (,user657,) (,user447,) (,user136,) (,user1113,)
moreusers (,user447,)
besthosts (host84.test.org,,)
otherhosts (host132.test.org,,) (host133.test.org,,) (host134.test.org,,) (host135.test.org,,) (host136.test.org,,) (host137.test.org,,) (host138.test.org,,) (host139.test.org,,) (host140.test.org,,)
keygroup morehosts otherhosts besthosts
morehosts (host832.test.org,,) (host833.test.org,,) (host834.test.org,,) (host835.test.org,,) (host836.test.org,,) (host837.test.org,,) (host838.test.org,,) (host839.test.org,,) (host840.test.org,,) (host841.test.org,,) (host842.test.org,,) (host843.test.org,,)
Each line represents a netgroup, starting with the name of the netgroup (the netgroup key) and then listing all the netgroup's members, which can be either:
- In the triple format ([-|host], [-|user], [domain]). A blank value for any of the three parts acts as a wildcard. For example, the entry (,user1271,) denotes the user user1271 on any host or domain.
- Another netgroup key. In this case, one netgroup is nested under another netgroup. For example, in the netgroup map above, the netgroup keygroup has the netgroups morehosts, otherhosts and besthosts nested under it.
Requirements for Using NIS Netgroups in View Policies
When using NIS netgroups to allow host access to views, the following requirements apply:
- Hosts should have both forward and reverse DNS entries. A netgroup hostname response from the NIS servers triggers VAST Cluster to perform hostname resolution via DNS.
- The host entries inside the netgroups, in the format ([-|host], [-|user], [domain]), should have values set as follows:
  - domain must be the NIS domain name specified in the NIS configuration (or blank).
  - host must be either the hostname or the IP of the host.
  Note: user can be anything. It is ignored.
- Netgroup keys may include up to 46 characters.
- Up to 10,000 netgroups are supported altogether per VAST Cluster.
- Nesting is supported up to a limit of ten levels.
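The following Python check is an added example, not VAST code and not part of the original page. It expands a netgroup key through its nested netgroups and reports entries that break the requirements above before the map is referenced in a view policy. The sample map, the domain nis.example and the function names are constructed for illustration, and counting the top-level key as nesting level 1 is an assumption.

```python
import re

MAX_KEY_LEN = 46   # page: netgroup keys may include up to 46 characters
MAX_NESTING = 10   # page: nesting limit; assumed here to count the top-level key as level 1
MEMBER = re.compile(r"\(([^()]*)\)|(\S+)")  # a (host,user,domain) triple, or a bare key

# Constructed sample map, one netgroup per line as in the map format described above.
SAMPLE_MAP = """\
besthosts (host84.test.org,,)
otherhosts (host132.test.org,,) (192.0.2.20,,other.example)
badhosts (,user447,)
keygroup otherhosts besthosts
loop keygroup loop
"""

def parse_map(text):
    """Return {key: [member, ...]}; a member is a field tuple or the name of a nested netgroup."""
    groups = {}
    for line in filter(str.strip, text.splitlines()):
        (_, key), *members = MEMBER.findall(line)   # first token on the line is the key
        groups[key] = [nested or tuple(f.strip() for f in triple.split(","))
                       for triple, nested in members]
    return groups

def lint(groups, key, nis_domain, depth=1, seen=()):
    """Expand key to its usable hosts and list entries that break the requirements."""
    if key in seen:
        return set(), [f"{key}: nesting cycle"]
    if depth > MAX_NESTING:
        return set(), [f"{key}: nested deeper than {MAX_NESTING} levels"]
    if key not in groups:
        return set(), [f"{key}: undefined netgroup"]
    hosts, problems = set(), []
    if len(key) > MAX_KEY_LEN:
        problems.append(f"{key}: key longer than {MAX_KEY_LEN} characters")
    for member in groups[key]:
        if isinstance(member, str):   # nested netgroup: recurse one level down
            sub_hosts, sub_problems = lint(groups, member, nis_domain, depth + 1, seen + (key,))
            hosts |= sub_hosts
            problems += sub_problems
        elif len(member) != 3 or member[0] in ("", "-"):   # the user field is ignored
            problems.append(f"{key}: entry {member} is malformed or names no host")
        elif member[2] not in ("", nis_domain):
            problems.append(f"{key}: {member[0]} has domain {member[2]!r}, not {nis_domain!r}")
        else:
            hosts.add(member[0])
    return hosts, problems
```

Calling lint(parse_map(SAMPLE_MAP), "keygroup", "nis.example") returns the two hosts that satisfy the requirements and one problem for the entry whose domain field does not match.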