AUTH_SYS
NFSv3 clients use the AUTH_SYS (previously known as AUTH_UNIX) authentication method to pass credentials to the system. Using AUTH_SYS, clients send the user's ID (UID), primary group ID (GID) and up to 16 supplemental GIDs.
When an NFS client requests access from an NFS server, it passes along three major pieces of information:
the user ID (UID), one primary group ID (GID), and up to 15 supplemental GIDs.
The client never sends more than 16 GIDs in total, counting the primary GID and the supplemental GIDs. This is by design in the NFS protocol and not a PowerScale-specific limitation (see RFC 5531 and RFC 1813 for more information).
Because the NFS client may send different supplemental GIDs at different times, access problems can be intermittent: at times the client connects without any issue. The same behavior can also allow access to a user who is explicitly denied by group, if the denied GID is not among the GIDs sent.
Map Lookup UID is disabled by default.
In EDA environments, project folders are secured with multiple GIDs so that only privileged employees or contractors have access. Users also belong to multiple projects and have more than 16 groups (GIDs). They may be denied access if permissions are granted based on a group ID (GID).
This is by design in the NFS protocol and can be worked around with the Map Lookup UID option, which is disabled by default on exports.
When enabled, this option ignores all GIDs sent with the UID and instead performs a lookup against the authentication providers to get the full list of GIDs that the user belongs to.
The option can be enabled using the following command:
# isi nfs exports modify --id=<exportID> --zone=<accesszone> --map-lookup-uid=true
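The following Python sketch is an added example, not part of the original page or of OneFS. It encodes an AUTH_SYS credential in the RFC 5531 authsys_parms layout, shows a granting GID and a denying GID being left out of what the client sends, and compares the access decision with one based on a server-side lookup, as Map Lookup UID performs. The user, GIDs, host name, the choice to keep the first 16 groups, and the deny-beats-allow check are constructed assumptions.

```python
import struct

MAX_GIDS = 16  # RFC 5531 authsys_parms: unsigned int gids<16>

def pack_authsys(stamp, machine, uid, gid, groups):
    """XDR-encode an AUTH_SYS credential body as a client would."""
    sent = list(groups)[:MAX_GIDS]  # assumption: client keeps the first 16
    name = machine.encode()
    body = struct.pack(">II", stamp, len(name)) + name + b"\0" * (-len(name) % 4)
    body += struct.pack(f">III{len(sent)}I", uid, gid, len(sent), *sent)
    return body

def unpack_authsys(body):
    """Decode the credential on the server side; returns (uid, gid, gids)."""
    _stamp, nlen = struct.unpack_from(">II", body, 0)
    off = 8 + nlen + (-nlen % 4)  # skip machinename and its XDR padding
    uid, gid, count = struct.unpack_from(">III", body, off)
    if count > MAX_GIDS:
        raise ValueError("gids array longer than AUTH_SYS allows")
    return uid, gid, list(struct.unpack_from(f">{count}I", body, off + 12))

def effective_groups(body, directory, map_lookup_uid):
    """Group set used for the access check, with and without the lookup."""
    uid, gid, gids = unpack_authsys(body)
    if map_lookup_uid:
        return set(directory[uid])  # ignore GIDs sent, ask the provider
    return {gid, *gids}

def allowed(groups, allow_gid, deny_gid=None):
    """Toy access check (not OneFS ACL logic): a deny entry beats an allow."""
    return deny_gid not in groups and allow_gid in groups

# Constructed sample: UID 5001, primary GID 100, 20 supplemental GIDs.
SUPPLEMENTAL = list(range(2001, 2021))
DIRECTORY = {5001: [100] + SUPPLEMENTAL}
CRED = pack_authsys(0, "eda-client01", 5001, 100, SUPPLEMENTAL)

def demo():
    wire = effective_groups(CRED, DIRECTORY, map_lookup_uid=False)
    full = effective_groups(CRED, DIRECTORY, map_lookup_uid=True)
    return {
        "grant_dropped_wire": allowed(wire, allow_gid=2018),
        "grant_dropped_lookup": allowed(full, allow_gid=2018),
        "deny_dropped_wire": allowed(wire, allow_gid=2001, deny_gid=2020),
        "deny_dropped_lookup": allowed(full, allow_gid=2001, deny_gid=2020),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'allowed' if result else 'denied'}")
```

With the GIDs taken from the credential, the user loses access granted through GID 2018 and keeps access that GID 2020 was meant to deny; with the lookup, both decisions follow the user's full group membership.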