Managing Client Groups - An Easier Approach

On UNIX-based NFS servers, it's much easier to control access to the NFS shares based on host names or IP addresses. You just have to put them in the export file and it's done. It's not so difficult in Windows either - you can click on the Permission buttons on the NFS Sharing tab and add/remove hosts and control the access type and root squash option graphically.

While that's easy - Server for NFS supports a concept called client groups. These groups are very similar to netgroups as far as NFS is concerned - a client group is just a group of hosts which you can use to restrict access to NFS shares. This concept didn't really take off because there isn't a GUI to manage it. I, otherwise, see a lot of benefit in using client groups rather than using host names to control access.

So, while a GUI would have been the best, here's a batch file that can be used to automate a lot of the work that is required and to help people who would really like to use it -

@Echo Off
SETLOCAL

REM Dispatch only to known commands; an unknown command would make GOTO fail and abort the script.
IF "%~1" == "" GOTO SyntaxError
FOR %%C IN (creategroup deletegroup list RO RW) DO IF /I "%~1" == "%%C" GOTO %%C
GOTO SyntaxError

:SyntaxError
Echo Invalid Syntax
Echo.
GOTO SYNTAX

:SYNTAX
Echo SYNTAX:
Echo %0 creategroup sharename - create the readonly and readwrite access groups for the mentioned share
Echo %0 deletegroup sharename - delete the readonly and readwrite access groups for the mentioned share
Echo %0 list    - list all the client groups and their members
Echo %0 RO sharename client1[,client2] - add client(s) to a readonly CG of a share.
Echo      add /delete to remove the client from the RO group
Echo %0 RW sharename client1[,client2] - add client(s) to a readwrite CG of a share
Echo      add /delete to remove the client from the RW group
GOTO Exit

:CREATEGROUP
REM Create both client groups and attach them to the share with the matching access type.
If "%~2" == "" GOTO SyntaxError
nfsadmin server creategroup %2-RO
nfsshare %2 -o ro=%2-RO
nfsadmin server creategroup %2-RW
nfsshare %2 -o rw=%2-RW
Echo.
Echo Client groups %2-RO and %2-RW have been created.
Echo.
GOTO Exit

:DELETEGROUP
REM Detach both client groups from the share, then delete them.
If "%~2" == "" GOTO SyntaxError
nfsshare %2 -o removeclient=%2-RO
nfsadmin server deletegroup %2-RO
nfsshare %2 -o removeclient=%2-RW
nfsadmin server deletegroup %2-RW
Echo.
Echo Client groups %2-RO and %2-RW have been deleted.
Echo.
GOTO Exit

:LIST
REM List the members of every client group reported by nfsadmin.
for /f "usebackq delims=# eol=;" %%i in (`nfsadmin server listgroups ^|findstr /I [a-z] ^|findstr /V "The following"`) do @nfsadmin server listmembers %%i
GOTO Exit

:RO
If "%~2" == "" GOTO SyntaxError
SET GROUP=%2-RO
GOTO Members

:RW
If "%~2" == "" GOTO SyntaxError
SET GROUP=%2-RW
GOTO Members

:Members
REM cmd.exe splits arguments on commas, so client1,client2 arrives as separate arguments.
REM Rebuild the comma-separated list and pick up /delete (any case) after the clients.
If "%~3" == "" GOTO SyntaxError
SET OP=add
SET CLIENTS=
SHIFT /1
SHIFT /1
:NextClient
If "%~1" == "" GOTO ApplyMembers
If /I "%~1" == "/delete" SET OP=delete& GOTO ShiftClient
If defined CLIENTS (SET CLIENTS=%CLIENTS%,%1) ELSE SET CLIENTS=%1
:ShiftClient
SHIFT /1
GOTO NextClient

:ApplyMembers
If not defined CLIENTS GOTO SyntaxError
nfsadmin server %OP%members %GROUP% %CLIENTS%
GOTO Exit

:Exit
Echo.

How does it work?

Rather than forcing users to think up names for the client groups, this batch file uses the NFS share name to manage the groups. The syntax looks like the following -

CGEDIT CREATEGROUP <SHARENAME> - This will create two client groups - SHARENAME-RW and SHARENAME-RO - whose names make it easy to identify what kind of access is granted, and add these groups to the share name mentioned

CGEDIT DELETEGROUP <SHARENAME> - This deletes the client groups created using the above syntax and removes them from the share properties

CGEDIT LIST - lists all the client groups and their members

CGEDIT RO SHARENAME CLIENT1[,CLIENT2] - Adds the mentioned client(s) to the Read-only client group created for the given share
If /DELETE is passed as the last argument, it will remove the mentioned clients from the client group

CGEDIT RW SHARENAME CLIENT1[,CLIENT2] - Adds the mentioned client(s) to the Read-Write client group created for the given share
If /DELETE is passed as the last argument, it will remove the mentioned clients from the client group
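
The same share-name convention can also be driven from PowerShell on servers that have the NFS cmdlets (New-NfsClientgroup, Set-NfsClientgroup, Grant-NfsSharePermission). The following is an added example, not part of the original batch file: the function names are hypothetical, and the name pattern is an assumption that share and client names use only letters, digits, dots, underscores and hyphens (so IPv6 literals are rejected).

```powershell
# Added example: hypothetical helpers that follow the SHARENAME-RO / SHARENAME-RW convention.
# Assumption: names contain only letters, digits, '.', '_' and '-'.
$NamePattern = '^[A-Za-z0-9][A-Za-z0-9._-]*$'

function Assert-SafeName {
    param([string[]]$Name)
    # Reject anything outside the allow-list before it reaches a cmdlet.
    foreach ($n in $Name) {
        if ($n -notmatch $NamePattern) { throw "Rejected name: '$n'" }
    }
}

function New-ShareClientGroups {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ShareName)
    Assert-SafeName $ShareName
    foreach ($access in @{ RO = 'readonly'; RW = 'readwrite' }.GetEnumerator()) {
        $group = "$ShareName-$($access.Key)"
        if ($PSCmdlet.ShouldProcess($group, "create and grant $($access.Value)")) {
            New-NfsClientgroup -ClientGroupName $group
            Grant-NfsSharePermission -Name $ShareName -ClientName $group `
                -ClientType clientgroup -Permission $access.Value
        }
    }
}

function Set-ShareClientGroupMember {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][ValidateSet('RO', 'RW')][string]$Access,
        [Parameter(Mandatory)][string[]]$Client,
        [switch]$Delete
    )
    Assert-SafeName (@($ShareName) + $Client)
    # ValidateSet ignores case, so normalise the suffix to match the group names.
    $group = "$ShareName-$($Access.ToUpper())"
    if (-not $PSCmdlet.ShouldProcess($group, 'update members')) { return }
    if ($Delete) { Set-NfsClientgroup -ClientGroupName $group -RemoveMember $Client }
    else         { Set-NfsClientgroup -ClientGroupName $group -AddMember $Client }
}
```

Running either function with -WhatIf shows which group would be touched without changing anything, for example: Set-ShareClientGroupMember -ShareName data -Access RO -Client client1,client2 -WhatIf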

This is not a widely used feature, so many of you may not find it interesting, but if you do, I hope you find it useful.