Windows Server 2003 R2 NFS Server Setup Simple Tutorial

Objective: Share a Windows share to a Linux client, via Network File System (NFS)

(Last Update: 28-Feb-2012)

Windows Server NFS services –> NFS –> Linux

Why?  The NFS client is native to Linux/UNIX, so no additional software needs to be installed on the Linux/UNIX side.

At Windows side (assumptions):

  • A folder will be shared via NFS e.g. S:\NFS
  • A single Windows server runs all NFS related servers/services.
  • A Windows user needs to be created for the UNIX user mapping (either a domain or a local user is fine)
  • A Windows group needs to be created for the UNIX user mapping (either a domain or a local group is fine)
  • Set up user mapping so that Linux users/groups have their respective Windows user identity.  In the other direction, when a Linux user accesses a Windows file, the NFS service on Windows converts the Windows user and group to the corresponding UID and GID.

At Linux side: (this tutorial was tested on RedHat Linux)

  • We will mount the share at UNIX under /mnt/winnfs
  • Please do not access the NFS share as the root user.  Use another user instead.

Reference: MSDN Blog

  1. Install NFS Server Components:
    1. Control Panel - Add or Remove Programs 
    2. click "Add/Remove Windows Components"
    3. go to "Other Network File and Print Services"
    4. click "Details"
    5. go to "Microsoft Services for NFS"
    6. click "Details"
    7. Select "Client for NFS", "Microsoft Services for NFS Administration", "RPC External Data Representation", "RPC Port Mapper", "Server for NFS" and "User Name Mapping"
    8. Click OK.  (You will be asked for Disc 2 to install the required files).
  2. User and Group Mapping Preparation
    1. Please create a Windows user and group. Domain or local user/group are both fine.
    2. Copy the /etc/passwd and /etc/group files from your Linux machine to your Windows server under C:\ETC
    3. Edit the two files. Remove unnecessary users and groups. You may need an advanced editor such as Notepad++ to edit UNIX-format files.
  3. Enable User and Group Mapping
    1. Open "Microsoft Services for Network File System" mmc (You may use Start - Run - nfsmgmt.msc; or locate it under Start - Programs - Administrative Tools)
    2. Right click the root level (Microsoft Services for NFS). Select Properties.
    3. Make sure "localhost" is entered at "User Name Mapping Server".
    4. Click OK to save the setting.
    5. Expand the tree at root level (if not done so). You will find "User Name Mapping" just under "Microsoft Services for NFS".
    6. Right - click "User Name Mapping". Click "Properties".
    7. Select "UNIX User Source" tab.
    8. Click "Use Password and Group files"
    9. Enter the "Password file path and name:" e.g. c:\etc\passwd
    10. Enter the "Group file path and name:" e.g. c:\etc\group
    11. Click OK to save all setting
  4. Assign Advanced User mapping
    (If the user name is not the same on the UNIX side and the Windows side, we need to use Advanced user mapping, in which we tell Windows the mapping pairs.)
    1. Right click "User Maps", click "Create Map..."
    2. On the left side, select the correct Windows domain. (In this example, we stick to local user. Please select \\WinServerName.)
    3. Click "List Windows Users"
    4. Select the Windows user you want to map. (Do not use Administrator. You need to create a new Windows user for the mapping.)
    5. Click "List UNIX Users".
    6. Select the UNIX user to be mapped.
    7. Click "Add" to save the mapping.
    8. Click "Close" to return to the MMC.
       
  5. Assign Advanced Group mapping
    1. Right click "Group Maps", click "Create Map..."
    2. On the left side, select the correct Windows domain. (In this example, we stick to local user. Please select \\WinServerName.)
    3. Click "List Windows Group"
    4. Select the Windows group you want to map.
    5. Click "List UNIX Group".
    6. Select the UNIX Group to be mapped.
    7. Click "Add" to save the mapping.
    8. Click "Close" to return to the MMC.
  6. Share a folder
    1. Create a folder in Windows (e.g. S:\NFS)
    2. Right click the folder - Select Properties
    3. Select "NFS Sharing"
    4. Click "Share this folder"
    5. (for testing only): Enable "Allow anonymous access"
      (usually, we will further limit the access via “Security” tab.)
    6. Click "Permissions"
    7. Change the "Type of access" of ALL MACHINES from Read Only to Read-Write
    8. (for testing only) Enable "Allow root access" (so that you can access the NFS share using the root identity.  This is not recommended because there is little protection for the server if root is used.)
      (If this checkbox is not checked, root will be regarded as nobody or nfsnobody in default setup.)
    9. Click all "OK" all the way.
  7. Add user access right in NFS
    1. Modify Rights
      1. Right click the folder - Select Properties
      2. Select "Security"
      3. click "Add"
      4. enter the corresponding “Windows User” which has a mapping at “User Mapping”
        (for testing only) If you have problems with user mapping, you can use ANONYMOUS LOGON as a temporary solution.  Enter "ANONYMOUS LOGON"
      5. click "OK"
    2. Ownership rights (in case you have difficulty deleting files in the share from Linux)
      1. add "Modify" rights to the “Windows User”
        (for testing only) add "Modify" rights to "ANONYMOUS LOGON"
      2. Click “Advanced” button
      3. Click “Owner” Tab
      4. Click “Other Users or Groups”
      5. Add the mapped “Windows User” as owner of the folder.
      6. click "OK" to save the change
  8. Check if the NFS sharing is enabled
    1. Open command prompt in MS Windows
    2. type: showmount -e
    3. You should see the share is listed.
  9. Check if the NFS is accessible from Linux
    1. Go to Linux (e.g. RedHat)
    2. Make sure you are using the right login ID, one which has a Windows user mapping at Windows NFS.
    3. Open a Terminal
    4. type: showmount -e WinServerName
  10. Create mount point and mount in Linux (temporary)
    1. mkdir /mnt/winnfs
    2. mount -t nfs WinServerName:/nfs /mnt/winnfs
  11. Permanent mounting at Linux (alternative to the previous step) (reference)
    1. Add the below line at /etc/fstab of your UNIX machine:
      WinServerName:/NFS /mnt/winnfs nfs rsize=8192,wsize=8192,timeo=14,intr
    2. To mount NFS using TCP (for better traffic control), use the below entry:
      serverName:/nfs /mnt/winnfs nfs rsize=8192,wsize=8192,timeo=14,intr,tcp
  12. Test the mount point
    1. test read: ls -al /mnt/winnfs (You should see the directory content.)
    2. test write: touch /mnt/winnfs/myfile (You should see a file created.)
  13. Hardening (optional) (applicable if you have enabled "Allow anonymous access" in previous steps)
    (Since we have successfully done "User Mapping", we need to disable the Anonymous access which we enabled for testing purposes)
    1. Remember to disable "Allow anonymous access" under NFS sharing.
    2. Remove "ANONYMOUS LOGON" under Windows security of the share.
  14. Deleting files created during access as "ANONYMOUS".
    1. These files may not be deletable from UNIX because there is no ANONYMOUS on the UNIX side.  If you use ls -l to see the details, you may see that these files are owned by 4294967294, which means ANONYMOUS.  You may delete them on the Windows side.
    2. After correct user mapping and group mapping, the files created should be deletable.
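
Step 2 above asks you to remove unnecessary users and groups from the copied files. One way to do that on the Linux side before copying, as an added example that is not part of the original tutorial; the function names, account names and sample data are constructed for illustration:

```shell
#!/bin/sh
# Added example: trim copies of /etc/passwd and /etc/group before they are
# copied to C:\ETC. Function names and sample data are constructed.

# trim_passwd PASSWD_FILE USER...
# Print only the listed users. Field 2 is forced to "x" so that a hash from
# a legacy non-shadowed passwd file never leaves the Linux host.
trim_passwd() {
    pw=$1; shift
    awk -F: -v OFS=: -v keep="$*" '
        BEGIN { n = split(keep, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
        ($1 in want) { $2 = "x"; print }
    ' "$pw"
}

# trim_group TRIMMED_PASSWD GROUP_FILE
# Print groups that are a kept user's primary group or list a kept user as a
# member; member lists are pruned to the kept users.
trim_group() {
    awk -F: -v OFS=: '
        NR == FNR { user[$1] = 1; gid[$4] = 1; next }
        {
            n = split($4, m, ","); out = ""
            for (i = 1; i <= n; i++)
                if (m[i] in user) out = out (out == "" ? "" : ",") m[i]
            if (($3 in gid) || out != "") { $2 = "x"; $4 = out; print }
        }
    ' "$1" "$2"
}

# Constructed sample input (not from a real host).
sample_passwd='root:x:0:0:root:/root:/bin/bash
alice:LEGACY-HASH-PLACEHOLDER:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash'
sample_group='root:x:0:
wheel:x:10:root,alice
alice:x:500:
bob:x:501:
nfsusers:x:600:alice,bob'
demo() {   # keep only alice, then derive the matching group file
    d=$(mktemp -d)
    printf '%s\n' "$sample_passwd" > "$d/passwd.src"
    printf '%s\n' "$sample_group" > "$d/group.src"
    trim_passwd "$d/passwd.src" alice > "$d/passwd"
    trim_group "$d/passwd" "$d/group.src" > "$d/group"
    cat "$d/passwd" "$d/group"
    rm -rf "$d"
}
demo
```

On a real host, pass /etc/passwd and /etc/group instead of the sample files and list only the accounts that will be mapped.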

Advanced Topics:

  1. Assign Simple user mapping
    (If there are a lot of users to be mapped, Advanced Mapping will be inadequate.  We may consider auto user mapping, known as Simple user mapping.)

    1. Open "Microsoft Services for Network File System" mmc (You may use Start - Run - nfsmgmt.msc; or find it under Start - Programs - Administrative Tools)
    2. Right click the root level (Microsoft Services for NFS).  Select Properties.
    3. Make sure "localhost" is entered at "User Name Mapping Server".
    4. Click OK to save the setting.
    5. Expand the tree at root level (if not done so). You will find "User Name Mapping" just under "Microsoft Services for NFS".
    6. Right - click "User Name Mapping".  Click "Properties".
    7. Select "UNIX User Source" tab.
    8. Click "Use Password and Group files"
    9. Enter the "Password file path and name:"  e.g. c:\etc\passwd
    10. Enter the "Group file path and name:"  e.g. c:\etc\group
    11. Select "Simple Mapping" tab.
    12. Enable "Use simple maps"
    13. Under "Windows domain", select the local server name \\servername (we will use local user name mapping in this example).
    14. Click OK to save all setting
    15. Expand "User Name Mapping"
    16. Right click "User Maps", enable "Show simple maps"
    17. Right click "User Maps", click Refresh.  We should see user mapping if UNIX and Windows accounts are of the same name.
    18. Right click "Group Maps", enable "Show simple maps"
    19. Right click "Group Maps", click Refresh.
  2. Create UNIX client group in Windows
    (The default is to allow ALL MACHINES to access the share. For better security, you may create a computer group and only allow certain hosts to access the share.)

    1. open a command prompt
    2. Create client group:
      nfsadmin server [ ComputerName ] creategroup GroupName
    3. Add client into client group:
      nfsadmin server [ ComputerName ] addmembers GroupName Member [, Member ...]
    4. Create a folder in Windows (e.g. S:\NFS)
    5. Right click the folder - Select Properties
    6. Select "NFS Sharing"
    7. Click "Share this folder"
    8. Click "Permissions"
    9. Click "Add..."
    10. Select related client groups
    11. Select Type of Access.  (Read Only or Read-Write)
    12. Enable "Allow root access" (if you want auto mount at Linux)
    13. Click "OK" to save.
    14. Change the "Type of access" of ALL MACHINES to No Access
    15. Click all "OK" all the way.
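
To confirm from a Linux client that the share is no longer offered to ALL MACHINES, and to find files left behind by anonymous access (owner 4294967294, as in step 14), the following added example can be used; it is not part of the original tutorial. The function names and sample output are constructed, and the strings matched for an unrestricted export are assumptions about how showmount prints it.

```shell
#!/bin/sh
# Added example: Linux-side checks once the Windows NFS share is hardened.
# Function names and the sample output are constructed.

ANON_UID=4294967294   # owner the tutorial reports for anonymously created files

# open_exports: read `showmount -e` output on stdin and print each export
# whose client list is unrestricted. The markers matched ("All Machines",
# "(everyone)", "*") are assumptions about how such an export is printed.
open_exports() {
    awk 'NR > 1 {
        path = $1; $1 = ""; clients = tolower($0)
        if (clients ~ /all machines|\(everyone\)|(^|[ ,])\*($|[ ,])/) print path
    }'
}

# files_owned_by DIR [UID]: list everything under DIR owned by UID (default:
# the anonymous UID) so it can be reviewed and deleted on the Windows side.
files_owned_by() {
    find "$1" -xdev -uid "${2:-$ANON_UID}" -print
}

# Constructed sample of `showmount -e WinServerName` output.
sample_showmount='Export list for WinServerName:
/NFS      All Machines
/projects linuxclients
/scratch  (everyone)'

printf '%s\n' "$sample_showmount" | open_exports   # prints /NFS and /scratch
```

On a real client, run `showmount -e WinServerName | open_exports` and `files_owned_by /mnt/winnfs`; both should print nothing once the client group and user mapping are in place.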

Update at 2014-05-07:
On Windows Server 2008 or later, the User Mapping Service is removed.  Please refer to this article for user mapping with AD.

