More about Netgroup over NFS

This article discusses the lookup mechanism for netgroups. We have multiple customers coming in with requests to restrict NFS access using netgroups. Client fencing for NFS is also discussed on the blog

A netgroup can be created with PowerShell commands, as discussed on

  • New-NfsNetgroup <NetgroupName>

  • Set-NfsNetgroup -NetGroupName "<NetgroupName>" -AddMember "<HostNameofUnix>"


The first command creates the Netgroup in the root of the domain.

Running the second command, “Set-NfsNetgroup”, to add a host entry creates a separate object for each entry. This is how netgroup.byhost in LDAP is maintained. In AD, the attribute that gets populated is nisNetgroupTriple.


For example:

      → testps is the netgroup name and the IP address is the host entry added to the netgroup.

We made an interesting observation in our test environment while testing the nisObject created for the host entries.

On the object, there is an attribute called “nismap” which has the Netgroup name.

  • First, we put a garbage value in that attribute and restarted Server for NFS.

  • Then we deleted the object and restarted the “Server for NFS” service.

  • After both of the steps above, the Server for NFS service was restarted and we did not see any issues mounting or accessing the NFS shares from Unix-based NFS clients.


This was done only for testing; following the same steps in a production environment is not recommended.



Another option for creating a netgroup is the nismap command, which comes with the IDMU utility. This is a legacy application, and using the nismap functionality over NFS is not recommended, but it works in our test environment.

  • nismap add -a <domain name> -e "<mapname> (host,user,domain)" Netgroup


Adding the netgroup created by the ‘nismap’ command works, and we can configure the client group in the NFS permissions.
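
Because a netgroup is being used here to restrict NFS access, it is worth checking the (host,user,domain) triples before relying on them. The PowerShell below is an added example, not code from the original article or from Microsoft: it parses triple strings and flags entries whose host field does not pin a specific client. It assumes standard NIS netgroup semantics (an empty host field matches any host, "-" matches none); the function names, the sample hosts and the findings labels are constructed for illustration.

```powershell
# Added example. Function names and sample data are hypothetical.
function ConvertFrom-NetgroupTriple {
    param([string]$Triple)
    # Exactly three comma-separated fields inside one pair of parentheses.
    if ($Triple -notmatch '^\s*\(([^,()]*),([^,()]*),([^,()]*)\)\s*$') {
        throw "Malformed netgroup triple: '$Triple'"
    }
    [pscustomobject]@{
        HostName = $Matches[1].Trim()
        User     = $Matches[2].Trim()
        Domain   = $Matches[3].Trim()
    }
}

function Test-NetgroupTriple {
    param([string]$NetgroupName, [string[]]$Triples)
    foreach ($t in $Triples) {
        try {
            $p = ConvertFrom-NetgroupTriple -Triple $t
        } catch {
            # Report unparsable entries instead of silently skipping them.
            [pscustomobject]@{ Netgroup = $NetgroupName; Triple = $t; Finding = 'Malformed' }
            continue
        }
        # Assumed NIS semantics: empty field = wildcard, "-" = matches nothing.
        if ($p.HostName -eq '') {
            $finding = 'WildcardHost'   # would admit every client
        } elseif ($p.HostName -eq '-') {
            $finding = 'NoHost'         # entry grants no host access
        } else {
            $finding = 'OK'
        }
        [pscustomobject]@{ Netgroup = $NetgroupName; Triple = $t; Finding = $finding }
    }
}

# Constructed sample triples; in AD these values would come from the
# nisNetgroupTriple attribute mentioned above.
$sample = @(
    '(192.0.2.10,,)',
    '(,,)',
    '(-,,)',
    '(nfsclient01,,',
    '(nfsclient02.example.test,-,)'
)
Test-NetgroupTriple -NetgroupName 'testps' -Triples $sample | Format-Table -AutoSize
```

Any row reported as WildcardHost or Malformed should be reviewed before the netgroup is used in NFS share permissions.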