Services for NFS Step-by-Step Guide for Windows Server 2008

What is Services for NFS?

Services for Network File System (NFS) provides a file-sharing solution for enterprises that have a mixed Windows and UNIX environment. Services for NFS enables users to transfer files between computers running the Windows Server® 2008 operating system and UNIX-based computers using the NFS protocol.

What's new in Services for NFS

Services for NFS includes the following improvements:
  • Active Directory Lookup. The Identity Management for UNIX Active Directory schema extension includes UNIX user identifier (UID) and group identifier (GID) fields. This enables Server for NFS and Client for NFS to look up Windows-to-UNIX user account mappings directly from Active Directory Domain Services. Identity Management for UNIX simplifies Windows-to-UNIX user account mapping management in Active Directory Domain Services.
  • 64-bit support. Services for NFS components can be installed on all editions of Windows Server 2008, including 64-bit editions.
  • Enhanced server performance. Services for NFS includes a file filter driver, which significantly reduces common server file access latencies.
  • UNIX special device support. Services for NFS supports UNIX special devices (mknod).
  • Enhanced UNIX support. Services for NFS supports the following versions of UNIX: Sun Microsystems Solaris version 9, Red Hat Linux version 9, IBM AIX version 5L 5.2, and Hewlett Packard HP-UX version 11i.
To streamline and simplify Services for NFS, the following features were removed from this release:
  • Gateway for NFS
  • Server for PCNFS
  • All PCNFS components of Client for NFS
  • User Name Mapping
 Note
User Name Mapping has changed—server functionality no longer exists, but client functionality is present. Services for NFS can still retrieve mappings from existing legacy User Name Mapping servers.

Services for NFS usage scenarios

Services for NFS enables you to support a mixed environment of Windows-based and UNIX-based operating systems. With Services for NFS, you can also update your company's computers while supporting older technology during the transition phase. The following scenarios are examples of how enterprises can benefit from deploying Services for NFS.
  • Enable UNIX-based client computers to access resources on computers running Windows Server 2008. Your company may have UNIX clients accessing resources, such as files, on UNIX file servers. To take advantage of new features in Windows Server 2008 such as Shadow Copies for Shared Folders, you can move resources from your UNIX servers to computers running Windows Server 2008. You can then set up Services for NFS to enable UNIX clients that are running NFS software to access these computers. All of your UNIX clients will be able to access resources using the NFS protocol without additional configuration.
  • Enable computers running Windows Server 2008 to access resources on UNIX file servers. Your company may have a mixed Windows and UNIX environment with resources, such as files, stored on UNIX file servers. You can use Services for NFS to enable computers running Windows Server 2008 to access these resources when the file servers are running NFS software.
  • Take advantage of new 64-bit hardware. You can run Services for NFS components on 64-bit editions of Windows Server 2008.

Services for NFS components

Services for NFS includes the following components:
  • Server for NFS. Normally, a UNIX-based computer cannot access files on a Windows-based computer. A computer running Windows Server 2008 and Server for NFS, however, can act as a file server for both Windows-based and UNIX-based computers.
  • Client for NFS. Normally, a Windows-based computer cannot access files on a UNIX-based computer. A computer running Windows Server 2008 and Client for NFS, however, can access files stored on a UNIX-based NFS server.

Services for NFS administrative tools

Services for NFS provides a Microsoft Management Console (MMC) snap-in for administration, as well as several command-line tools.

Services for NFS snap-in

With the Services for NFS snap-in, you can administer each installed component of Services for NFS. When you open the snap-in, the components installed on the local computer are available to administer.

To open Services for Network File System

  • Click Start, point to Administrative Tools, and click Services for Network File System (NFS).
 Note
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
You can get help for an item in this snap-in by right-clicking the item and then clicking Help.

Services for NFS command-line tools

Services for NFS provides the following Windows command-line administration tools. To run a tool, type its name at the command prompt. For information about the available parameters, at the command prompt, type toolname /?.
  • mapadmin. Administers User Name Mapping.
  • mount. Mounts NFS shared network resources.
  • nfsadmin. Manages Server for NFS and Client for NFS.
  • nfsshare. Controls NFS shared resources.
  • nfsstat. Displays or resets counts of calls made to Server for NFS.
  • showmount. Displays mounted file systems exported by Server for NFS.
  • umount. Removes NFS-mounted drives.

Test scenario

This test scenario requires you to deploy Services for NFS in a lab environment to assess how this technology would function if deployed in your production environment. The instructions provided in this document will help you:
  • Create an NFS shared resource on a computer running Windows Server 2008 and Server for NFS that can be mounted and used by a UNIX computer.
  • Create an NFS shared resource on a UNIX file server that can be mounted and used by a computer running Windows Server 2008 and Client for NFS.

Prerequisites and assumptions

This guide assumes that you:
  • Have basic familiarity with Windows and UNIX operating environments and file security.
  • Know how to install and operate Windows Server 2008.
  • Understand client-server interaction in a networked environment.

Steps for Deploying and Testing Services for NFS

This section describes how to set up a basic test environment for Services for NFS. It discusses how to install and configure the Services for NFS components and how to test the deployment.

Reviewing system requirements for Services for NFS

Services for NFS can be installed on computers running any edition of Windows Server 2008. The three main components of Services for NFS – User Name Mapping, Server for NFS, and Client for NFS – can be installed on the same computer or on separate computers.
 Important
Before installing Services for NFS, you must remove any previously installed NFS components, such as NFS components that were included with Services for UNIX. We recommend that you back up or make a record of your configuration before removing NFS components, so that you can restore the configuration on Services for NFS.
You can use Services for NFS with UNIX computers running NFS client or server software that complies with version 2 or version 3 of the NFS protocol. NFS version 2 is defined in RFC 1094 and NFS version 3 is defined in RFC 1813.
 Note
By default, Server for NFS supports UNIX client computers using NFS version 2 or version 3. You can override this, however, and configure Server for NFS to allow access only to clients running NFS version 2. For instructions, see "Configuring Server for NFS" in the Services for NFS Help. Client for NFS supports both versions, and this is not configurable.

Setting up the environment for Services for NFS

The next step is to set up the environment for Services for NFS by deploying computers and creating user accounts for testing.

Deploy computers

You need to deploy the following computers and connect them on a local area network (LAN):
  • One or more computers running Windows Server 2008 on which you will install the three main Services for NFS components: User Name Mapping Server, Server for NFS, and Client for NFS. You can install the components on the same computer or on different computers. Installation instructions for installing all Services for NFS components are provided later in this document.
  • One or more UNIX computers running NFS client and NFS server software. The computer running the NFS client will access a Windows NFS shared resource provided by Server for NFS. The computer running NFS server will host a UNIX NFS shared resource, which will be accessed by a computer running Windows Server 2008 and Client for NFS. You can install the NFS client and NFS server software on the same computer or on different computers.
  • A Windows Server 2008 domain controller running at the Windows Server 2008 functional level. The domain controller will provide user authentication information for the Windows environment. Or, if you prefer, you can use local user accounts.
  • A Network Information Service (NIS) server to provide user authentication information for the UNIX environment. Or, if you prefer, you can use Password and Group files that are stored on the computer running the User Name Mapping service.

Create test user accounts

For the purposes of this test, you can create several fictitious users. For each user, you can create one Windows security account and one UNIX security account, giving the two accounts different user names. You can later use these accounts to test the advanced mapping feature of Services for NFS. Advanced mapping allows you to map a given user's credentials between Windows and UNIX, even when the user name is different.
 Note
The alternative to advanced mapping is simple mapping. You can use simple mapping when Windows and UNIX user names for each user are the same. For more information, see the Help topics about User Name Mapping (https://go.microsoft.com/fwlink/?LinkId=127917).
You can create the Windows user accounts on the Windows Server 2008 domain controller. Or if you prefer, you can create local user accounts on each Windows-based computer in the deployment. For instructions on configuring user accounts, see your Windows Server 2008 documentation.
You can create the UNIX user accounts either on the NIS server or in UNIX /etc/passwd and /etc/group files. For instructions on creating NIS user accounts, see the documentation for your NIS server. For instructions on creating /etc/passwd and /etc/group files, see the documentation for your UNIX operating system.
The following table lists some examples of fictitious users and corresponding user and group accounts that you may want to use for this test.
TABLE 1

Fictitious user   Windows user name      UNIX user name       Windows group name   UNIX group name
Carol Philips     WindowsDomain\CarolP   CPhilips@NISDomain   WinGroup             UNIXGrp
Roger Harui       WindowsDomain\RogerH   RHarui@NISDomain     WinGroup             UNIXGrp
Luis Alverca      WindowsDomain\LuisA    LAlverca@NISDomain   WinGroup             UNIXGrp

Installing Services for NFS

You need to install Services for NFS components on a computer running Windows Server 2008. These instructions assume that you are installing all of the components on a single computer.
 Note
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
 Important
Before installing Services for NFS, you must remove any previously installed NFS components, such as NFS components that were included with Services for UNIX. We recommend that you back up or make a record of your configuration before removing NFS components so that you can restore your settings on Services for NFS.

To install Services for NFS components

  1. Click Start, point to Administrative Tools, and then click Server Manager.
  2. In the left pane, click Roles.
  3. Under Roles Summary in the right pane, click Add Roles. The Add Roles Wizard appears. Click Next.
  4. Select the File Services check box to install this role on the server, and then click Next.
  5. Select the Services for Network File System check box, and then click Next.
  6. Confirm your selection, and then click Install.
  7. When the installation completes, the installation results appear. Click Close.

Configuring NFS authentication

The required configuration for this test uses a domain controller running Windows Server 2008 or later, operating at the Windows Server 2008 functional level. For security reasons, we recommend installing Windows Server 2008 and all the latest security updates.

Creating an NFS shared folder

The next step is to use NFS sharing to create an NFS shared folder on the computer running Server for NFS. You can later mount this shared folder on a UNIX client and create a test file on it.

To create a shared folder using NFS sharing

  1. On the computer running Server for NFS, create a folder to use as the NFS shared folder.
  2. Right-click the folder you created and click NFS Sharing.
  3. Select Share this folder.
  4. If you want to allow anonymous access, select Allow anonymous access.
  5. Click Permissions, click Add, and then do either of the following:
    • In the Names list, click the clients and groups you want to add and click Add.
    • In the Add Names box, type the names of clients or groups you want to add, separating names in the list with a semicolon (;).
  6. In the Type of Access list, click the type of access you want to allow the selected clients and groups.
  7. Select Allow Root Access if you want a user identified as root to have access other than as an anonymous user. By default, the user identifier (UID) root user is coerced to the anonymous UID.
  8. In the Encoding list, click the type of directory name and file name encoding to be used for the selected clients and groups.
  9. Click OK twice, and then click Apply.
 Note
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority.
 Note
To see a list of the members of a group, in the Names list, click a group, and then click Members.

Specifying default permissions for new files and folders

You can specify the default permissions that will be applied to any file or folder created on an NFS shared resource by the computer running Client for NFS. You can assign Read, Write, and Execute permissions to Owner, Group, and Others.
  • Owner. The person creating the file. By default, Owner has Read, Write, and Execute permissions.
  • Group. The primary group of the person creating the file. By default, Group has Read and Execute permissions.
  • Others. Other file system users (equivalent to Everyone in Windows). By default, Others have Read and Execute permissions.

To specify default file permissions

  1. On the computer running Client for NFS, open Services for NFS. To open Services for NFS, click Start, point to Administrative Tools, and then click Services for Network File System.
  2. In the console tree, right-click Client for NFS and click Properties.
  3. On the File Permissions tab, select the default file permissions to apply to each new file and folder created by this computer, and then click OK.
 Note
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority.

Configuring Windows Firewall

After you install Services for NFS, you must configure Windows Firewall to enable external computers to access the Services for NFS services.

Open ports

On the computer(s) running User Name Mapping and Server for NFS, you must open ports in Windows Firewall. On a computer running only User Name Mapping, you only need to open the portmapper port. On a computer running Server for NFS, you must open all of the ports listed in the following table.

To open ports in Windows Firewall

  1. On a computer running the User Name Mapping service or Server for NFS, click Start, click Run, type firewall.cpl, and then click OK.
  2. Click the Exceptions tab, and then click Add Port.
  3. In Name, type the name of a port to open, as listed in the following table.
  4. In Port number, type the corresponding port number.
  5. Select TCP or UDP and click OK.
  6. Repeat steps 2 through 5 for each port to open, and then click OK when finished.
 Note
Depending on your requirements, you may need to open Transmission Control Protocol (TCP) ports, User Datagram Protocol (UDP) ports, or both TCP ports and UDP ports. For testing purposes, we recommend that you open both TCP and UDP transports for all protocols.
TABLE 2

Services for NFS component             Port to open             Protocol   Port
User Name Mapping and Server for NFS   Portmapper               TCP, UDP   111
Server for NFS                         Network Status Manager   TCP, UDP   1039
Server for NFS                         Network Lock Manager     TCP, UDP   1047
Server for NFS                         NFS Mount                TCP, UDP   1048
Server for NFS                         Network File System      TCP, UDP   2049
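
The following added example (not part of the original guide) runs on the UNIX client and compares what Server for NFS registers with its portmapper against the ports in Table 2, so a service registered on a port that has no firewall exception is caught before the mount tests. It assumes rpcinfo is installed on the client and that the server answers portmapper queries; NFS_SERVER is a hypothetical environment variable and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): check `rpcinfo -p` output
# against the ports opened in Table 2.

# Reads `rpcinfo -p` output on stdin and prints one line per finding.
# Returns 0 only when every Table 2 service is registered on its listed port.
check_rpc_ports() {
    awk '
    BEGIN {
        # Standard ONC RPC program numbers, paired with the Table 2 ports.
        n = split("100000,100024,100021,100005,100003", prog, ",")
        split("111,1039,1047,1048,2049", want, ",")
        split("Portmapper,Network Status Manager,Network Lock Manager,NFS Mount,Network File System", label, ",")
        for (i = 1; i <= n; i++) {
            port[prog[i]] = want[i]
            name[prog[i]] = label[i]
        }
    }
    ($1 in port) && ($3 == "tcp" || $3 == "udp") {
        seen[$1] = 1
        if ($4 != port[$1]) {
            printf "MISMATCH %s/%s: registered on port %s, Table 2 opens %s\n", name[$1], $3, $4, port[$1]
            bad++
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            if (!(prog[i] in seen)) {
                printf "MISSING %s: RPC program %s is not registered\n", name[prog[i]], prog[i]
                bad++
            }
        }
        exit (bad > 0)
    }'
}

# Constructed sample: NFS Mount sits on a port with no firewall exception
# and Network Lock Manager is not registered at all.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    3   tcp   1058  mountd
    100024    1   tcp   1039  status
EOF
}

# NFS_SERVER is a hypothetical variable naming the Server for NFS host.
if [ -n "${NFS_SERVER:-}" ]; then
    rpcinfo -p "$NFS_SERVER" | check_rpc_ports
else
    sample_rpcinfo | check_rpc_ports || true
fi
```

rpcinfo reports registrations, not reachability, so a clean result still needs the mount in Test 3 to confirm that the firewall exceptions themselves are in place.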

Enable file and printer sharing for administration tools

On the computer hosting the Services for NFS snap-in and Services for NFS command-line tools, you must enable file and printer sharing in Windows Firewall.

To enable file and printer sharing

  1. On a computer running Services for NFS, click Start, click Run, type firewall.cpl, and then click OK.
  2. Click the Exceptions tab, select the File and Printer Sharing check box, and then click OK.
  3. Repeat these steps on each computer running Services for NFS.

Testing your deployment

Now that everything is set up, you can test your deployment to verify its functionality. The following are some suggested basic tests.

Test 1: On the computer running Client for NFS, map a drive letter to a UNIX-based NFS shared resource.

The test is successful if you can map the drive and view the test file on the NFS shared resource from the computer running Client for NFS.

To map a drive letter to a UNIX-based NFS shared resource

  1. On a UNIX-based server running NFS software, create an NFS shared resource. Create a test file on the shared resource.
  2. Log on to the computer running Windows Server 2008 and Client for NFS with one of the Windows user accounts that you created for this test.
  3. Open Windows Explorer (My Computer) and on the Tools menu, click Map Network Drive.
  4. Type either the UNIX-style server and shared resource name (hostname://sharedresourcename) or the Universal Naming Convention (UNC) path of the NFS shared resource on the UNIX file server, and then click OK.

Test 2: On the computer running Client for NFS, create a test file and verify its permissions.

The test is successful if you can create a new document, and its ownership and permission match the default file permissions that you had specified.

To create a test file and verify its permissions

  1. Log on to the computer running Client for NFS with one of the Windows user accounts that you created for this test, and open the NFS shared resource that you used in Test 1.
  2. Right-click in the file list, point to New, and then click Text Document.
  3. Type a name for the file. Do not use spaces.
  4. Right-click the file, click Properties, and then click NFS Attributes.
  5. Verify that the NFS attributes match the default attributes that you specified earlier, as described in "Specifying default permissions for new files and folders." Also verify that the Owner UID and Group UID are correct.

Test 3: On a UNIX client computer, mount the Windows NFS shared resource.

The test is successful if you can mount the NFS shared resource.

To mount the Windows NFS shared resource

  • In a command shell on a UNIX client running NFS client software, type:
    mount hostname:/sharename mountpoint
TABLE 3

Variable     Description
hostname     The name of the computer running Server for NFS, on which you previously created an NFS shared resource, as described in "Creating an NFS shared folder."
sharename    The name of the NFS shared resource.
mountpoint   The point in the file system where the command will mount the NFS shared resource—for example, /home/username/testshare.

Test 4: On a UNIX client, create a test file and verify the file permissions match, from both Windows and UNIX.

The test is successful if you can create the text file and the file permissions match from both Windows and UNIX.

To create a test file and verify the file permissions match from both Windows and UNIX

  1. On the same UNIX client that you used in Test 3, create a text file by using a simple text editor. Save the file to the NFS shared resource that you mounted in Test 3.
  2. On the computer running Server for NFS and hosting the NFS shared resource, open My Computer and browse to the NFS shared resource.
  3. Right-click the file, click Properties, and then click Security.
  4. Compare the file permissions reported through Windows with the file permissions reported through the same UNIX client you used in Test 3.
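
The following added example (not part of the original guide) captures the UNIX half of the comparison in Test 4 and, when run as root, checks whether the share coerces root to the anonymous UID as described in step 7 of "To create a shared folder using NFS sharing." It assumes the share is already mounted as in Test 3; NFS_MOUNTPOINT is a hypothetical environment variable and the probe file name is made up for this example.

```shell
#!/bin/sh
# Added example (not from the original guide): UNIX-side checks for Test 4.

# Print "mode uid gid" for a path. Numeric IDs make the values directly
# comparable with the Owner UID and Group UID shown on the Windows side.
unix_view() {
    ls -ldn "$1" | awk '{ print substr($1, 1, 10), $3, $4 }'
}

# Create a probe file in directory $1 and report how the export treated root:
#   skipped       caller is not root, so root coercion cannot be observed
#   denied        root could not create a file (anonymous UID lacks write access)
#   squashed      the file is owned by another UID (the default behaviour)
#   root-allowed  the file is owned by UID 0: Allow Root Access is in effect
root_access_state() {
    dir=$1
    probe="$dir/.nfs_root_probe.$$"
    if [ "$(id -u)" -ne 0 ]; then
        echo skipped
        return 0
    fi
    if ! touch "$probe" 2>/dev/null; then
        echo denied
        return 0
    fi
    owner=$(unix_view "$probe" | awk '{ print $2 }')
    rm -f "$probe"
    if [ "$owner" -eq 0 ]; then
        echo root-allowed
    else
        echo squashed
    fi
}

# NFS_MOUNTPOINT is a hypothetical variable holding the Test 3 mount point.
if [ -n "${NFS_MOUNTPOINT:-}" ]; then
    f="$NFS_MOUNTPOINT/test4.txt"
    echo "created from UNIX" > "$f"
    echo "UNIX view of $f: $(unix_view "$f")"
    echo "root handling: $(root_access_state "$NFS_MOUNTPOINT")"
fi
```

A result of root-allowed on a share where Allow Root Access was not selected means the share permissions differ from what was configured and should be reviewed before the share is used outside the lab.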

Additional resources

For more information about using and configuring NFS, see the following resources.
