Is there a workaround for the 16 Group User Limit on the HNAS that is imposed on NFS, because of the RFC 5531?
HNAS allows up to 32 GIDs.
Maybe your issue is at the client level?
One solution to increase this number is to use NFSv4 instead of NFSv3.
Doesn't this limitation persist unless you use Kerberos sec mode (krb5) instead of AUTH_SYS (sys), even with NFSv4? Is there an option equivalent to Linux rpc.mountd --manage-gids on HNAS side?
Also, are there instructions for how to set up NFSv4 with Kerberos when the HNAS is joined to AD (i.e., using a Windows-based KDC)? I assume ktpass.exe will be required, but the details are not clear to me.
1) Should SPN be added to the HNAS computer account in AD or should you create a separate account?
2) Does the account's UPN need to change to nfs/host.example.com@EXAMPLE.COM (or nfs/host.example.com) or can it stay HOST/host.example.com@EXAMPLE.COM?
3) Do we have to use DES-CBC-CRC crypto or can we use AES256-SHA1 or RC4-HMAC-NT? DES is deprecated for Windows 2008 R2 and later.
4) Does kvno need to be specified with ktpass?
5) What about ptype?
6) Will the HNAS handle having the machine account password changed by ktpass? I.e., it doesn't need to be re-joined to AD after running ktpass?
7) Other than Kerberos realm, does case matter? I.e., if the computer name in AD is uppercase, does it need to be uppercase in the UPN/SPN?
Another possibility is to use ktutil or msktutil on a Linux box.
I can only answer Q3:
With release 12.2, you will have the following crypto:
AES Crypto Support for NFS
The HNAS Kerberos implementation has been updated with the Advanced Encryption Standard (AES), the latest and so far the strongest available cryptosystem.
The Data Encryption Standard (DES) has been deprecated and is not secure. The following AES crypto profiles are supported:
Is there a version of ktutil that runs on the HNAS via SSC (or on the SMU) in order to generate the keytab? This would be the best option, since it knows its own computer account password already and would also put the keytab in the correct place.
There is a document "LDAP and Kerberos v3.1 Best Practices" that describes a way to use Kerberos and set it up. To generate the keytab file there is no utility like kinit. You should generate the file using ktpass:
This is also described in the document.
Hopefully you got it working in the meantime and can help me figure out why it isn't working here.
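
As an added example (not part of the thread and not HNAS or vendor code), the Python sketch below encodes the AUTH_SYS credential body defined in RFC 5531 to show where the 16-group ceiling discussed at the top of the thread comes from: the `gids<16>` array in the credential itself, independent of the NFS version. The host name, IDs, and the assumption that a client sends only the first 16 groups are constructed for illustration.

```python
import struct

MAX_GIDS = 16          # RFC 5531 authsys_parms: unsigned int gids<16>
MAX_MACHINENAME = 255  # RFC 5531 authsys_parms: string machinename<255>
MAX_AUTH_BODY = 400    # RFC 5531 opaque_auth: opaque body<400>


def xdr_string(data: bytes) -> bytes:
    """XDR variable-length string: 4-byte length, data, zero pad to 4 bytes."""
    pad = (4 - len(data) % 4) % 4
    return struct.pack(">I", len(data)) + data + b"\x00" * pad


def encode_authsys(stamp, machinename, uid, gid, gids):
    """Encode an authsys_parms body; refuse what the wire format cannot carry."""
    name = machinename.encode("ascii")
    if len(name) > MAX_MACHINENAME:
        raise ValueError("machinename longer than 255 bytes")
    if len(gids) > MAX_GIDS:
        raise ValueError(f"{len(gids)} gids given, AUTH_SYS carries at most {MAX_GIDS}")
    body = struct.pack(">I", stamp) + xdr_string(name)
    body += struct.pack(">III", uid, gid, len(gids))
    body += struct.pack(f">{len(gids)}I", *gids)
    assert len(body) <= MAX_AUTH_BODY
    return body


def decode_gids(body):
    """Return (uid, gid, gids) as a server would read them from the credential."""
    off = 4                                   # skip stamp
    (nlen,) = struct.unpack_from(">I", body, off)
    off += 4 + nlen + (4 - nlen % 4) % 4      # skip padded machinename
    uid, gid, count = struct.unpack_from(">III", body, off)
    if count > MAX_GIDS:
        raise ValueError("malformed credential: gid count exceeds 16")
    gids = struct.unpack_from(f">{count}I", body, off + 12)
    return uid, gid, list(gids)


def groups_lost(all_gids):
    """Assumption: the client sends only the first 16 groups; these are the rest."""
    return list(all_gids[MAX_GIDS:])


if __name__ == "__main__":
    member_of = list(range(5000, 5020))       # constructed: user in 20 groups
    cred = encode_authsys(0, "client01", 1001, 100, member_of[:MAX_GIDS])
    print(decode_gids(cred)[2], "never sent:", groups_lost(member_of))
```

Access that depends on any group returned by `groups_lost` cannot be evaluated from the credential alone, which is why the thread turns to server-side group lookup (`rpc.mountd --manage-gids` on Linux) or Kerberos.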