PowerScale: Isilon: NFS Users Who Belong To More Than 16 groups Can Be Denied Access Despite Having Permissions

Summary: Users who belong to more than 16 groups may be denied access to an NFS export or file even though a group they belong to has been granted permission. This is a limit of the credential the NFS protocol carries, not an Isilon limitation, and it can be worked around with the Map Lookup UID export option. ...


Symptoms

When an NFS user who is a member of more than 16 groups attempts to mount an export or access a file, the request may be denied. At other times the same export or file allows the same user access. In rare cases the reverse happens: a user who is a member of a group that is explicitly denied is granted access.

Cause

When an NFS client sends a request using the AUTH_SYS (also called AUTH_UNIX) credential flavour, the credential carries three pieces of identity information:

User ID (UID), one primary Group ID (GID), and up to 15 supplemental GIDs.

The client never sends more than 16 GIDs in total between the primary GID and the supplemental GIDs. This is by design in the NFS protocol and not an Isilon specific limitation (see RFC 5531, which defines the AUTH_SYS credential, and RFC 1813 for NFSv3). Which groups make it into the credential is decided by the client, usually the first entries of the user's group list in whatever order the client's name service returned them, so the set of supplemental GIDs sent can vary between mounts, reboots, or client hosts. That is why the same user is sometimes allowed and sometimes denied. It is also why a user can be granted access despite an explicit group deny: if the denied GID is not among the GIDs the client sent, the server never sees it.

It is important to note that with AUTH_SYS the server does not consult the authentication provider at all in this scenario: the group list in the credential is the group list the access check uses, so the client decides what permission level is evaluated. The limit is specific to AUTH_SYS; with Kerberos (RPCSEC_GSS) the credential identifies a principal and the server resolves group membership itself.

Resolution

To work around this limitation OneFS provides the Map Lookup UID option, which is disabled by default on exports. When it is enabled, the cluster takes the UID from the credential, ignores the truncated GID list the client sent, and looks up the user in the authentication providers to obtain the full list of groups the user belongs to. Enabling this setting means the PowerScale cluster must resolve every NFS user and their groups through the authentication providers, which can add noticeable lookup load in some environments.

Because Map Lookup UID makes the cluster trust the authentication provider instead of the client, it is very important to confirm that the provider is configured correctly before enabling the option. In particular, confirm that the UID and GIDs the NFS client uses for the user match what the authentication provider holds for that user; a mismatch means the lookup returns a different identity than the one the client is using. On the PowerScale cluster, also confirm that the authentication provider is added to the access zone the export belongs to.
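The following is an added example, not Dell code or OneFS internals. It models the AUTH_SYS credential described in the Cause section (encoded in XDR as RFC 5531 defines it, with the client dropping supplemental GIDs beyond the 16-entry cap) and then evaluates a group allow and a group deny against that credential in the two modes the Resolution describes: trusting only the GIDs the client sent, and resolving the full group list from a directory by UID as Map Lookup UID does. The user, GIDs, machine name, the `DIRECTORY` lookup table and the `check_access` function are all constructed for the demonstration and simplify the real OneFS access check.

```python
"""Model of the NFS AUTH_SYS credential and of a group check against it.

Constructed demo data throughout; nothing here is Dell/OneFS code.
"""
import struct

# RFC 5531, authsys_parms: stamp, machinename<255>, uid, gid, gids<16>.
# The gids array is capped at 16 entries; the client must drop the rest.
MAX_GIDS_ARRAY = 16


def _xdr_opaque(data: bytes) -> bytes:
    """XDR variable-length string: 4-byte length, bytes, padded to 4."""
    return struct.pack(">I", len(data)) + data + b"\x00" * ((-len(data)) % 4)


def encode_auth_sys(stamp, machinename, uid, gid, supplemental_gids):
    """Build the authsys_parms body a client would place in an RPC call.

    Supplemental GIDs beyond the XDR cap are silently dropped, which is what
    any client has to do for a user who belongs to more than 16 groups.
    """
    sent = list(supplemental_gids)[:MAX_GIDS_ARRAY]
    body = struct.pack(">I", stamp) + _xdr_opaque(machinename.encode())
    body += struct.pack(">II", uid, gid)
    body += struct.pack(">I", len(sent))
    body += b"".join(struct.pack(">I", g) for g in sent)
    return body


def decode_auth_sys(body):
    """Parse an authsys_parms body into (uid, gid, supplemental_gids)."""
    off = 0
    (_stamp, mlen) = struct.unpack_from(">II", body, off)
    off += 8 + mlen + ((-mlen) % 4)          # skip machinename and its padding
    uid, gid, n = struct.unpack_from(">III", body, off)
    off += 12
    if n > MAX_GIDS_ARRAY:
        raise ValueError("gids array exceeds the RFC 5531 limit of 16")
    gids = list(struct.unpack_from(">%dI" % n, body, off))
    return uid, gid, gids


# Constructed stand-in for the authentication provider: uid 1001 is in 25
# supplemental groups, far more than the credential can carry.
DIRECTORY = {
    1001: {"primary": 100, "groups": list(range(5000, 5025))},
}


def check_access(cred_body, allow_gid, deny_gid=None, map_lookup_uid=False):
    """Evaluate 'deny if member of deny_gid, else allow if member of allow_gid'.

    map_lookup_uid=False: trust the GID list in the credential (export default).
    map_lookup_uid=True:  keep only the UID and resolve groups from DIRECTORY,
                          which is what the OneFS option does via the providers.
    Returns "allowed" or "denied".
    """
    uid, gid, gids = decode_auth_sys(cred_body)
    if map_lookup_uid:
        rec = DIRECTORY.get(uid)
        if rec is None:
            # Client UID unknown to the provider: this is the mismatch the
            # article warns about, and the user gets nothing rather than the
            # client-asserted groups.
            return "denied"
        groups = {rec["primary"], *rec["groups"]}
    else:
        groups = {gid, *gids}
    if deny_gid is not None and deny_gid in groups:
        return "denied"
    return "allowed" if allow_gid in groups else "denied"


if __name__ == "__main__":
    full = list(range(5000, 5025))
    cred = encode_auth_sys(0, "nfsclient01", 1001, 100, full)
    print("groups on the wire:", decode_auth_sys(cred)[2])        # 5000..5015
    # Group 5020 grants access but was cut from the credential: false denial.
    print("allow 5020, client gids:", check_access(cred, 5020))
    print("allow 5020, map lookup :", check_access(cred, 5020, map_lookup_uid=True))
    # Group 5022 is explicitly denied but was cut too: false allow.
    print("deny 5022,  client gids:", check_access(cred, 100, deny_gid=5022))
    print("deny 5022,  map lookup :", check_access(cred, 100, 5022, True))
    # Same user on a host whose name service lists groups in another order.
    other = encode_auth_sys(0, "nfsclient02", 1001, 100, reversed(full))
    print("allow 5020 from other host:", check_access(other, 5020))
```

Running the block shows the three symptoms from the article in one place: the credential carries only 5000 through 5015, an allow on 5020 fails without the lookup and succeeds with it, a deny on 5022 is bypassed without the lookup and enforced with it, and a second client that happens to order the same user's groups differently gets 5020 through. The lookup path also illustrates the prerequisite in the paragraph above: a UID that the provider does not know returns no groups at all, so the client and provider identities must agree before the option is turned on.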

The option can be enabled using the following command:

# isi nfs exports modify --id=<exportID> --zone=<accesszone> --map-lookup-uid=true

Or enabled in the WebUI:

1. Select Protocols > UNIX Sharing (NFS) > NFS Exports.
2. In the NFS Exports list, select the check box corresponding to the export you want to modify, and click View/Edit.
3. Click Edit Export.
4. Edit the desired export settings.
5. Click Show Advanced Settings to edit advanced export settings.
It is recommended that you do not change the advanced settings unless it is necessary and you fully understand the consequences of these settings.
6. Click Save Changes.

The change itself is non-disruptive and takes effect on the cluster immediately; clients that already have the export mounted need to remount it to pick up the new behaviour. The option has no effect on SMB clients, because SMB access checks already resolve group membership through the authentication provider by design.


Affected Products

Isilon, PowerScale OneFS
Article Properties
Article Number: 000192278
Article Type: Solution
Last Modified: 21 Oct 2024
Version:  5