Compartilhar via


Services for NFS Step-by-Step Guide for Windows Server 2008 R2

Updated: October 26, 2011

Applies To: Windows Server 2008 R2

What is Services for NFS?

Services for Network File System (NFS) provides a file-sharing solution for enterprises that have a mixed Windows-based and UNIX-based environment. Services for NFS enables users to transfer files between computers running the Windows Server® 2008 R2 operating system and UNIX-based computers using the NFS protocol.

Note

For a downloadable version of this document, see the Services for NFS Step-by-Step Guide for Windows Server 2008 R2 in the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkId=151755).

Services for NFS components

Services for NFS includes the following components:

  • Server for NFS. This component corresponds to the server-side implementation of the NFS file-sharing protocol. Server for NFS enables a computer that is running Windows Server 2008 R2 to act as a file server for UNIX-based client computers.

  • Client for NFS. This component corresponds to the client-side implementation of the NFS file-sharing protocol. Client for NFS enables a Windows-based computer that is running Windows Server 2008 R2 (or Windows 7) to access files that are stored on a UNIX-based NFS server.

Windows Server 2008 R2 includes both the Server for NFS and Client for NFS components. However, Windows 7 includes only Client for NFS.

What’s new in Services for NFS

The following enhancements to Services for NFS are available in Windows Server 2008 R2:

  • Netgroup support. Netgroups are used to create named groups of hosts across a network, and they simplify the ability to control user and group login and shell access to remote computers. Netgroups also allow administrators to easily manage NFS access control lists. In Windows Server 2008 R2, Server for NFS can retrieve netgroup settings from Network Information Services (NIS) and Lightweight Directory Access Protocol (LDAP) stores, such as Active Directory Domain Services (AD°DS) and Active Directory Lightweight Directory Services (AD°LDS). This new capability enables administrators to use netgroups to provision access to shares instead of host names of individual client computers. This makes it easier to administer and manage access to NFS shares.

  • RPCSEC_GSS support. Services for NFS provides native support for RPCSEC_GSS, a remote procedure call (RPC) security feature that enables applications to take advantage of the security features available through the Generic Security Service Application Programming Interface (GSS-API). GSS-API enables applications with the ability to leverage the integrity and authentication security services provided by the operating system. RPCSEC_GSS enables Services for NFS to use Kerberos authentication, and provides security services that are independent of the mechanisms being used.

Note

Services for NFS does not support the RPCSEC_GSS privacy security service. This means that Kerberos v5 authentication with privacy Krb5p (encryption of NFS traffic) is not supported.

To enable Kerberos protocol authentication methods for a shared folder, the following options have been added to the **NFS Authentication** page in the **Provision a Shared Folder** Wizard and to the **Properties** dialog box for shared folders on the **NFS Authentication** tab:  
  
  - **Kerberos v5 authentication (Krb5)** uses the Kerberos v5 protocol to authenticate users before granting access to the shared file system.  
      
  - **Kerberos v5 authentication with integrity (Krb5i)** uses Kerberos v5 authentication with integrity checking (checksums) to verify that the data has not been tampered with.  
      
You can combine these security options to allow clients to choose either type of Kerberos v5 protocol when they mount shares exported by the NFS file system.  
  
  • Using Windows Management Instrumentation to manage Server for NFS. Windows Management Instrumentation (WMI) enables IT pros to remotely manage NFS by allowing Web-Based Enterprise Management (WBEM) applications to communicate with WMI providers on the local or remote computers to manage WMI objects. WMI allows you to use scripting languages such as VBScript or Windows PowerShell to manage computers and servers that are running a Microsoft Windows operating system, both locally and remotely. In Windows Server 2008 R2, there is a new WMI provider that enables end-to-end remote management of Services for NFS components. For more information, see WMI Provider for NFS on MSDN.

  • Unmapped UNIX User Access (UUUA). An Unmapped UNIX User option is now available for NFS shares. In predominantly UNIX-based environments (deployments where the majority of client computers are running UNIX-based operating systems), Windows servers can be used for storing NFS data without creating UNIX-to-Windows account mapping. This configuration setting allows administrators to quickly provision and deploy Server for NFS without having to configure account mapping. With UUUA, Server for NFS creates custom security identifiers (SIDs) to represent unmapped users. Mapped user accounts use standard Windows security identifiers (SIDs) and unmapped users use custom NFS SIDs.

Services for NFS usage scenarios

Services for NFS enables you to support a mixed environment of Windows-based and UNIX-based operating systems. The following scenarios are examples of how enterprises can benefit from deploying Services for NFS.

  • Enable UNIX-based client computers to access resources on computers running Windows Server 2008 R2. Your company may have UNIX-based client computers accessing resources, such as files, on UNIX-based file servers. To take advantage of features in Windows Server 2008 R2 such as Shadow Copies for Shared Folders, you can move resources from your UNIX-based file servers to computers running Windows Server 2008 R2. You can then set up Services for NFS to enable UNIX-based clients that are running NFS software to access files shared by these computers. All of your UNIX-based clients will be able to access resources by using the NFS protocol without additional configuration.

  • Enable computers running Windows Server 2008 R2 to access resources on UNIX-based file servers. Your company may have a mixed Windows-based and UNIX-based environment with resources, such as files, stored on UNIX file servers. You can use Services for NFS (specifically, Client for NFS) to enable computers that are running Windows Server 2008 R2 to access these resources when the file servers are running NFS server software.

  • Take advantage of 64-bit hardware. You can run Services for NFS components on 64-bit editions of Windows Server 2008 R2 and benefit from the improved performance and scalability of 64-bit computing.

Services for NFS administrative tools

Windows Server 2008 R2 provides a Microsoft Management Console (MMC) snap-in and several command-line tools for managing Services for NFS components.

Services for NFS snap-in

You can use the Services for NFS snap-in to manage Client for NFS and Server for NFS. When you open the snap-in, the components that are installed on the computer that is being managed will be available.

Note

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must be delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider running Services for Network File System as an administrator.
To get help for an item in this snap-in, right-click the item, and then click Help.

To open Services for Network File System

  • Click Start, point to Administrative Tools, and click Services for Network File System (NFS).

Services for NFS command-line tools

The following Windows command-line administration tools are available to manage Services for NFS. To run a tool, type its name in a Command Prompt window. For information about the parameters that are available for a tool, type the tool name followed by the /? command-line option.

  • mount. Mounts a remote NFS share (also known as an export) locally and maps it to a local drive letter on the Windows client computer.

  • nfsadmin. Manages configuration settings of the Server for NFS and Client for NFS components.

  • nfsshare. Configures NFS share settings for folders that are shared using Server for NFS.

  • nfsstat. Displays or resets statistics of calls received by Server for NFS.

  • showmount. Displays mounted file systems exported by Server for NFS.

  • umount. Removes NFS-mounted drives.

Test scenario

This test scenario requires you to deploy Services for NFS in a lab environment to assess how this technology would function if it is deployed in your production environment. The instructions provided in this document will help you do the following:

  • Create an NFS shared resource on a computer that is running Windows Server 2008 R2 and Server for NFS that can be mounted and used by a UNIX-based client computer.

  • Create an NFS shared resource on a UNIX-based file server that can be mounted and used by a client computer that is running Windows Server 2008 R2 and Client for NFS.

Prerequisites and assumptions

This guide assumes that you:

  • Have basic familiarity with Windows and UNIX operating environments and file security.

  • Know how to install and operate Windows Server 2008 R2.

  • Understand client-server interaction in a networked environment.

Steps for deploying and testing Services for NFS

This section describes how to set up a basic test environment to deploy and validate Services for NFS. It discusses how to install and configure the Services for NFS components and how to test the deployment.

Reviewing system requirements for Services for NFS

Services for NFS can be installed on computers that are running any edition of the Windows Server 2008 R2 operating system. The two main components of Services for NFS (Server for NFS and Client for NFS) can be installed on the same computer or on separate computers.

Server for NFS and Client for NFS support both version 2 and version 3 of the NFS protocol. You can use Services for NFS with UNIX-based computers that are running an NFS server or NFS client if these NFS server and client implementations comply with one of the following protocol specifications:

Note

By default, Server for NFS supports UNIX-based client computers that are using either NFS Version 2 or NFS Version 3. However, you can override this and configure Server for NFS to allow access only to clients that are running NFS Version 2. For instructions, see "Configuring Server for NFS" in the Services for NFS Help. Client for NFS supports both versions, and this is not configurable.

Setting up the environment for Services for NFS

The next step is to set up the environment for Services for NFS by deploying computers and creating user accounts for testing.

Deploy computers

You need to deploy the following computers and connect them on a local area network (LAN):

  • One or more computers running Windows Server 2008 R2 on which you will install the two main Services for NFS components: Server for NFS and Client for NFS. You can install the components on the same computer or on different computers. Installation instructions for installing all Services for NFS components are provided later in this document.

  • One or more UNIX-based computers that are running NFS server and NFS client software. The UNIX-based computer that is running NFS server hosts an NFS shared resource (known as an NFS share or export), which is accessed by a computer that is running Windows Server 2008 R2 and Client for NFS. You can install NFS server and client software either in the same UNIX-based computer or on different UNIX-based computers, as desired.

  • A Windows Server 2008 R2 domain controller running at the Windows Server 2008 R2 functional level. The domain controller provides user authentication information for the Windows environment. Or, if you prefer, you can use local user accounts.

  • A Network Information Service (NIS) server to provide user authentication information for the UNIX environment. Or, if you prefer, you can use Password and Group files that are stored on the computer that is running the User Name Mapping service. The User Name Mapping service can be deployed on a computer that is running Windows Server 2003 R3.

Create test user accounts

For the purposes of this test, you can create several fictitious users. For each user, you can create one security account for the Windows operating system and one security account for the UNIX-based operating system. Assign different user names to the two accounts. You can later use these accounts to test the advanced mapping feature of Services for NFS. Advanced mapping allows you to map a given user's credentials between Windows and UNIX, even when the user name is different.

Note

The alternative to advanced mapping is simple mapping. You can use simple mapping when the user names are the same on the Windows operating system and the UNIX-based operating system. For more information, see User Name Mapping administration (https://go.microsoft.com/fwlink/?LinkId=127917).

For the Windows operating system, you can create the user accounts (domain user accounts) on the Windows Server 2008 R2 domain controller. Or if you prefer, you can create local user accounts on each Windows-based computer in the deployment. For instructions about how to configure user accounts, consult your Windows Server 2008 R2 documentation.

For the UNIX-based operating system, you can create the user accounts on the NIS server or in the UNIX /etc/passwd and /etc/group files. For instructions about how to create NIS user accounts, see the documentation for your NIS server software. For instructions on creating /etc/passwd and /etc/group files, see the documentation for your UNIX-based operating system.

The following table lists some examples of fictitious users and corresponding user and group accounts that you can use for this test.


Fictitious user

Windows user name

UNIX user name
Windows group name UNIX group name

Carol Philips

WindowsDomain\CarolP

CPhilips@NISDomain

WinGroup

UNIXGrp

Roger Harui

WindowsDomain\RogerH

RHarui@NISDomain

WinGroup

UNIXGrp

Luis Alverca

WindowsDomain\LuisA

LAlverca@NISDomain

WinGroup

UNIXGrp

Installing Services for NFS

You need to install the Services for NFS components on a computer that is running Windows Server 2008 R2. These instructions assume that you are installing all of the components on a single computer.

Note

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must be delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider running Services for Network File System as an administrator.

Important

Before installing Services for NFS, you must remove any previously installed NFS components. We recommend that you back up your computers or record your configuration before you remove the NFS components, so that you can restore the configuration on Services for NFS.

To install Services for NFS components

  1. Click Start, point to Administrative Tools, and then click Server Manager.

  2. In the left pane, click Manage Roles.

  3. Click Add Roles. The Add Roles Wizard appears.

  4. Click Next. The Select Server Roles options appear.

  5. Select the File Services check box, and then click Next.

  6. The File Services screen appears. Click Next to view the Role Services options.

  7. Select the Services for Network File System (NFS) check box, and then click Next.

  8. Confirm your selection and click Install.

  9. When the installation completes, the installation results appear. Click Close.

Configuring NFS authentication

The required configuration for this test uses a Windows Server 2008 R2 domain controller running at the Windows Server 2008 R2 functional level. For security reasons, we recommend installing Windows Server 2008 R2 and all the latest security updates.

Creating an NFS shared folder

The next step is to use NFS sharing to create an NFS shared folder on the computer running Server for NFS. You can later mount this shared folder on a UNIX-based client computer and create a test file on it.

Note

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must be delegated the appropriate authority.

To create a shared folder by using NFS sharing

  1. On the Windows Server 2008 R2 computer that is running Server for NFS, create a folder to use as the NFS shared folder.

  2. In Windows Explorer, right-click the folder that you created, and click Properties. In Properties, click the NFS Sharing tab. Note that the NFS Sharing tab is not available unless you install Services for Network File System components, as described in the previous section.

  3. Click Manage NFS Sharing, and select Share this folder. Provide a name for the share that you would like to export to NFS client computers.

  4. If you want to allow anonymous access, select Allow anonymous access. You can also specify the UID and GID to be used for anonymous access (the default is -2).

  5. To configure share permissions, click Permissions, click Add, and then do one of the following:

    • In the Names list, click the clients and groups that you want to add, and then click Add.

    • In the Add Names text box, type the names of the clients or groups that you want to add (separate the names in the list with a semicolon).

  6. In the Type of Access list, click the type of access that you want to allow the selected clients and groups.

  7. Select Allow root access if you want a user who is identified as a root user to have access other than as an anonymous user. By default, the user identifier (UID) root user is forced to use the anonymous UID.

  8. In the Encoding list, choose the type of directory and file name encoding to be used for the selected clients and groups.

  9. Click OK twice, and then click Apply.

Note

To see a list of the members of a group, in the Names list, click a group, and then click Members.

Specifying default permissions for new files and folders on a computer that is running Client for NFS

You can specify the default permissions that are applied to an NFS shared resource by the computer that is running Client for NFS. You can assign Read, Write, and Execute permissions to Owner, Group, and Others.

  • Owner. The person creating the file. By default, Owner has Read, Write, and Execute permissions.

  • Group. The primary group of the person creating the file. By default, Group has Read and Execute permissions.

  • Others. Other file system users (equivalent to Everyone in a Windows operating system). By default, Others have Read and Execute permissions.

Note

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must be delegated the appropriate authority.

To specify default file permissions

  1. On the computer that is running Client for NFS, open Services for NFS. To open Services for NFS, click Start, point to Administrative Tools, and then click Services for Network File System.

  2. In the console tree, right-click Client for NFS, and then click Properties.

  3. On the File Permissions tab, select the default file permissions to apply to each new file and folder that is created by this computer, and then click OK.

Enable file and printer sharing for administration tools

On the computer that is hosting the Services for NFS snap-in and Services for NFS command-line tools, you must enable file and printer sharing in Windows Firewall.

To enable file and printer sharing

  1. On a computer that is running Services for NFS, click Start, click Run, type firewall.cpl, and then click OK.

  2. Click the Exceptions tab, select the File and Printer Sharing check box, and then click OK.

  3. Repeat these steps on each computer that is running Services for NFS.

Testing your deployment

Now that everything is set up, you can test your deployment to verify its functionality. The following are some suggested basic tests.

Test 1: On the computer that is running Client for NFS, map a drive letter to a UNIX-based NFS shared resource.

The test is successful if you can map the drive and view the test file on the NFS shared resource from the computer that is running Client for NFS.

To map a drive letter to a UNIX-based NFS shared resource

  1. On a UNIX-based server that is running NFS server software, create an NFS shared resource (also known as an NFS export). Create a test file on the shared resource.

  2. Use one of the Windows user accounts that you created for this test to log on to the computer that is running Windows Server 2008 R2 and Client for NFS.

  3. Open Windows Explorer, and on the Tools menu, click Map Network Drive.

  4. Type the UNIX-style NFS server and shared resource name (hostname://sharedresourcename) or the Universal Naming Convention (UNC) path of the NFS shared resource on the UNIX file server.

  5. Click OK.

Using Windows Explorer, navigate to the mapped drive and check to see if you can view the test file that was created on the UNIX-based NFS server.

Test 2: On the computer that is running Client for NFS, create a test file and verify its permissions.

The test is successful if you can create a new document, and its ownership and permission match the default file permissions that you specified.

To create a test file and verify its permissions

  1. Use one of the Windows user accounts that you created for this test to log on to the computer that is running Client for NFS.

  2. Open the NFS shared resource that you used in Test 1.

  3. In the file list, right-click and point to New, and then click Text Document.

  4. Type a name for the file. Do not use spaces.

  5. Right-click the file name, click Properties, and then click NFS Attributes.

  6. Verify that the NFS attributes match the default attributes that you specified earlier (as described in "Specifying default permissions for new files and folders"). Also verify that the Owner UID and Group UID are correct.

Test 3: On a UNIX-based client, mount the Windows NFS shared resource.

The test is successful if you can mount the NFS shared resource.

To mount the Windows NFS shared resource

  • In a command shell on a UNIX client computer that is running NFS client software, type:

    mount hostname**:/**sharename mountpoint

Refer to the man pages of your UNIX-based operating system for specific command line switches supported by the mount utility.

Variable Description

hostname

The name of the computer that is running Server for NFS, on which you previously created an NFS shared resource (as described in "Creating an NFS shared folder").

Sharename

The name of the NFS shared resource.

mountpoint

The point in the file system where the command will mount the NFS shared resource—for example, /home/username/testshare.

Test 4: On a UNIX-based client, create a test file and verify that the file permissions match those in the Windows operating system.

The test is successful if you can create the text file and the file permissions match in the Windows operating system and the UNIX operating system.

To create a test file and verify that the file permissions match

  1. On the same UNIX client that you used in Test 3, create a text file by using a simple text editor. Save the file to the NFS shared resource that you mounted in Test 3.

  2. On the computer that is running Server for NFS and hosting the NFS shared resource, open Windows Explorer and browse to the NFS shared resource.

  3. Right-click the file name, click Properties, and then click Security.

  4. Compare the file permissions that are reported in the Windows operating system against the file permissions that are reported in the same UNIX-based client that you used in Test 3.

Additional references

For more information about using and configuring NFS, see the following resources: