Netgroups are sets of users, hosts and domains that are grouped together for administration purposes. On VAST Cluster, netgroups defined on a NIS or LDAP authorization provider can be used to authorize NFSv3 or NFSv4.1 client hosts' access.
Overview of Netgroups
VAST Cluster supports netgroups defined in a netgroup map on a NIS or LDAP server. A netgroup map looks like this, for example:
users (,user1271,) (,user973,) (,user287,) (,user1185,)
moreusers (,user447,)
besthosts (host84.test.org,,)
otherhosts (host132.test.org,,) (host133.test.org,,) (host134.test.org,,)
keygroup morehosts otherhosts besthosts (host463.test.org,,)
morehosts (host832.test.org,,) (host833.test.org,,)
Each line represents a netgroup. It starts with the netgroup name and then lists netgroup members. A netgroup member can be either of the following:
A triple: (host,user,domain). A blank value for any of the three elements acts as a wildcard. For example, the entry (host132,,) denotes host host132 with any user on any domain. The triple (,,) denotes all clients.
A nested netgroup. In the example above, netgroup keygroup includes nested netgroups morehosts, otherhosts and besthosts.
Requirements and Restrictions
Netgroups are only used to allow or deny clients' access via NFS. VAST Cluster does not accept netgroup entries in host-based access rules for other access protocols.
Hosts should have both forward and reverse DNS entries. When VAST Cluster gets the netgroup hostname response from a NIS or LDAP server, it resolves the hostname via DNS.
Netgroup names can be up to 46 characters.
A netgroup triple should be specified in the format (host,user,domain), where:
host is a DNS name or an IP address of the host. If no host is specified, the netgroup is considered invalid.
user is ignored.
domain is ignored.
Netgroup nesting is supported up to a limit of 10 levels.
Up to 10,000 netgroups are supported altogether per VAST Cluster.
Setting a Netgroup Provider for a Tenant
Netgroups can be retrieved from a NIS or LDAP provider configured for a tenant on VAST Cluster.
Enabling and Disabling Reverse Lookup for Netgroups
When using LDAP netgroups, you can optionally enable reverse DNS lookup for the LDAP provider.
If reverse lookup is enabled, the server locates the netgroup by translating a client IP address to a hostname and comparing the hostname to hostnames in netgroup entries. This reduces the number of DNS queries involved but requires reverse pointers to be set up on the DNS server.
If reverse lookup is disabled, the server queries DNS for each hostname found in the netgroup entries. This ensures faster access checks, but may cause a higher load on the DNS server.
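The following is an added example, not VAST Data's code, that ties together the netgroup map format and restrictions described above with the two DNS operation modes. It parses a map in the page's line format, flags netgroups whose triples have an empty host field (invalid for NFS access on VAST Cluster), expands nested netgroups up to the 10-level limit, and then decides whether a client IP matches a netgroup in normal mode (resolve every hostname entry) or reverse-lookup mode (translate the client IP to a hostname once). The sample map, the forward and reverse DNS tables and the client addresses are all constructed for illustration; a real implementation would query the NIS/LDAP provider and DNS.

```python
"""Parse a NIS/LDAP-style netgroup map and check NFS client membership.

Added example, not VAST Data's code. The netgroup map, the DNS tables and
the client addresses are constructed for illustration.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple, Union

MAX_NAME_LEN = 46   # netgroup name limit stated in "Requirements and Restrictions"
MAX_NESTING = 10    # nesting limit stated there

Triple = Tuple[str, str, str]                # (host, user, domain)
Member = Union[Triple, str]                  # a triple or a nested netgroup name
TOKEN_RE = re.compile(r"\([^()]*\)|\S+")     # "(h,u,d)" or a bare netgroup name

# Constructed map in the same format as the page's example (one netgroup per line).
SAMPLE_MAP = """\
users (,user1271,) (,user973,)
besthosts (host84.test.org,,)
otherhosts (host132.test.org,,) (host133.test.org,,) (10.0.0.50,,)
morehosts (host832.test.org,,)
keygroup morehosts otherhosts besthosts (host463.test.org,,)
"""

# Constructed forward (A) and reverse (PTR) records standing in for real DNS.
FORWARD_DNS = {
    "host84.test.org": "10.0.0.84",
    "host132.test.org": "10.0.0.132",
    "host133.test.org": "10.0.0.133",
    "host463.test.org": "10.0.0.163",
    "host832.test.org": "10.0.0.232",
}
REVERSE_DNS = {ip: host for host, ip in FORWARD_DNS.items()}


def parse_netgroup_map(text: str) -> Dict[str, List[Member]]:
    """Return {netgroup name: [members]}; a member is a triple or a nested name."""
    groups: Dict[str, List[Member]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, rest = (line.split(None, 1) + [""])[:2]
        if len(name) > MAX_NAME_LEN:
            raise ValueError(f"netgroup name longer than {MAX_NAME_LEN} chars: {name}")
        members: List[Member] = []
        for tok in TOKEN_RE.findall(rest):
            if tok.startswith("("):
                parts = tok[1:-1].split(",")
                if len(parts) != 3:
                    raise ValueError(f"malformed triple in {name}: {tok}")
                members.append((parts[0].strip(), parts[1].strip(), parts[2].strip()))
            else:
                members.append(tok)          # nested netgroup reference
        groups[name] = members
    return groups


def invalid_for_nfs(groups: Dict[str, List[Member]]) -> Set[str]:
    """Netgroups containing a triple with an empty host field (invalid on VAST Cluster)."""
    return {n for n, ms in groups.items()
            if any(isinstance(m, tuple) and not m[0] for m in ms)}


def expand_hosts(groups, name, depth=0, seen=None) -> Set[str]:
    """Collect host fields of a netgroup, following nesting up to MAX_NESTING levels."""
    if depth > MAX_NESTING:
        raise ValueError(f"nesting exceeds {MAX_NESTING} levels at {name}")
    seen = set() if seen is None else seen
    if name in seen:                         # guard against nesting cycles
        return set()
    seen.add(name)
    hosts: Set[str] = set()
    for m in groups.get(name, []):
        if isinstance(m, tuple):
            if m[0]:                         # user and domain fields are ignored for NFS
                hosts.add(m[0])
        else:
            hosts |= expand_hosts(groups, m, depth + 1, seen)
    return hosts


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def client_allowed(groups, netgroup, client_ip, reverse_lookup) -> Tuple[bool, int]:
    """Decide whether client_ip matches the netgroup; also return the DNS queries used."""
    hosts = expand_hosts(groups, netgroup)
    if reverse_lookup:
        # Reverse mode: one PTR lookup of the client, compared against the entries.
        hostname = REVERSE_DNS.get(client_ip)
        return (client_ip in hosts or hostname in hosts), 1
    # Normal mode: resolve every hostname entry, then compare addresses.
    resolved: Set[str] = set()
    queries = 0
    for h in hosts:
        if is_ip(h):                         # literal IP entry needs no lookup
            resolved.add(h)
            continue
        queries += 1
        if h in FORWARD_DNS:
            resolved.add(FORWARD_DNS[h])
    return client_ip in resolved, queries


if __name__ == "__main__":
    g = parse_netgroup_map(SAMPLE_MAP)
    print("invalid for NFS:", sorted(invalid_for_nfs(g)))
    for mode in (False, True):
        label = "reverse" if mode else "normal"
        print(label, client_allowed(g, "keygroup", "10.0.0.132", mode))
```

The query counter makes the trade-off from the text concrete: for keygroup, normal mode issues one forward query per hostname entry (five here) while reverse mode issues a single PTR query, which is why reverse mode depends on the DNS server having correct reverse pointers for every client.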
To enable reverse lookup:
In VAST Web UI, open LDAP or Active Directory provider settings (User Management -> LDAP or Active Directory -> choose to create or edit a provider) and in the Advanced settings tab, set the Netgroup DNS operation mode to Reverse lookup.
In VAST CLI, run the ldap create or ldap modify command with the --reverse-lookup option specified.
To disable reverse lookup:
In VAST Web UI, open LDAP or Active Directory provider settings (User Management -> LDAP or Active Directory -> choose to create or edit a provider) and in the Advanced settings tab, set the Netgroup DNS operation mode to Normal.
In VAST CLI, run the ldap create or ldap modify command with the --no-reverse-lookup option specified.
Configuring Host-Based Access Rules with Netgroups
Netgroups are specified in host-based access rules of a view policy.
To determine which type of access is to be allowed for a netgroup:
In VAST Web UI, go to Element Store -> View Policies, choose to create or edit a view policy and open the Host-Based Access tab. Under NFS, click + Add New Rule for the type of access you want to provide and enter the netgroup name (prefixed with @) in the Enter IPs popup.
In VAST CLI, run the viewpolicy create or viewpolicy modify command and specify the netgroup name (prefixed with @) on one of the following options:
--nfs-read-write
--nfs-read-only
--nfs-no-squash
--nfs-root-squash
--nfs-all-squash
--nfs-trash-access
Refreshing Netgroups per View Policy
You can refresh NIS and LDAP netgroups configured for a view policy at the same time.
To refresh netgroups:
In VAST Web UI, choose Element Store -> View Policies, find the view policy for which you want to refresh netgroups and click the refresh option in the Actions menu for that view policy.
In VAST CLI, run the viewpolicy refresh-netgroups command.
See also Refreshing the NIS Cache for information about NIS user and netgroup cache and the procedure to refresh it.