8/5/12
Programming Interface (GSS-API). GSS-API enables applications to use the integrity and authentication security services provided by the operating system. RPCSEC_GSS enables Services for NFS to use Kerberos authentication, and provides security services that are independent of the mechanisms being used.

Note: Services for NFS does not support the RPCSEC_GSS privacy security service. This means that Kerberos v5 authentication with privacy (Krb5p), which encrypts NFS traffic, is not supported.
To enable Kerberos protocol authentication methods for a shared folder, the following options have been added to the NFS Authentication page in the Provision a Shared Folder Wizard and to the Properties dialog box for shared folders on the NFS Authentication tab:
- Kerberos v5 authentication (Krb5) uses the Kerberos v5 protocol to authenticate users before granting access to the shared file system.
- Kerberos v5 authentication with integrity (Krb5i) uses Kerberos v5 authentication with integrity checking (checksums) to verify that the data has not been tampered with.
You can combine these security options to allow clients to choose either type of Kerberos v5 protocol when they mount shares exported by the NFS file system.

Using Windows Management Instrumentation to manage Server for NFS. Windows Management Instrumentation (WMI) enables IT pros to remotely manage NFS by allowing Web-Based Enterprise Management (WBEM) applications to communicate with WMI providers on the local or remote computers to manage WMI objects. WMI allows you to use scripting languages such as VBScript or Windows PowerShell to manage computers and servers that are running a Microsoft Windows operating system, both locally and remotely. In Windows Server 2008 R2, there is a new WMI provider that enables end-to-end remote management of Services for NFS components. For more information, see WMI Provider for NFS [2] on MSDN.

Unmapped UNIX User Access (UUUA). An Unmapped UNIX User option is now available for NFS shares. In predominantly UNIX-based environments (deployments where the majority of client computers are running UNIX-based operating systems), Windows servers can be used for storing NFS data without creating UNIX-to-Windows account mapping. This configuration setting allows administrators to quickly provision and deploy Server for NFS without having to configure account mapping. With UUUA, Server for NFS creates custom security identifiers (SIDs) to represent unmapped users. Mapped user accounts use standard Windows security identifiers (SIDs) and unmapped users use custom NFS SIDs.
are running NFS software to access files shared by these computers. All of your UNIX-based clients will be able to access resources by using the NFS protocol without additional configuration.
- Enable computers running Windows Server 2008 R2 to access resources on UNIX-based file servers. Your company may have a mixed Windows-based and UNIX-based environment with resources, such as files, stored on UNIX file servers. You can use Services for NFS (specifically, Client for NFS) to enable computers that are running Windows Server 2008 R2 to access these resources when the file servers are running NFS server software.
- Take advantage of 64-bit hardware. You can run Services for NFS components on 64-bit editions of Windows Server 2008 R2 and benefit from the improved performance and scalability of 64-bit computing.
- showmount. Displays mounted file systems exported by Server for NFS.
- umount. Removes NFS-mounted drives.
Test scenario
This test scenario requires you to deploy Services for NFS in a lab environment to assess how this technology would function if it is deployed in your production environment. The instructions provided in this document will help you do the following:
- Create an NFS shared resource on a computer that is running Windows Server 2008 R2 and Server for NFS that can be mounted and used by a UNIX-based client computer.
- Create an NFS shared resource on a UNIX-based file server that can be mounted and used by a client computer that is running Windows Server 2008 R2 and Client for NFS.
Note: By default, Server for NFS supports UNIX-based client computers that are using either NFS Version 2 or NFS Version 3. However, you can override this and configure Server for NFS to allow access only to clients that are running NFS Version 2. For instructions, see "Configuring Server for NFS" in the Services for NFS Help. Client for NFS supports both versions, and this is not configurable.
technet.microsoft.com/en-us/library/dd758767(d=printer,v=ws.10).aspx
Deploy computers
You need to deploy the following computers and connect them on a local area network (LAN):
- One or more computers running Windows Server 2008 R2 on which you will install the two main Services for NFS components: Server for NFS and Client for NFS. You can install the components on the same computer or on different computers. Installation instructions for installing all Services for NFS components are provided later in this document.
- One or more UNIX-based computers that are running NFS server and NFS client software. The UNIX-based computer that is running NFS server hosts an NFS shared resource (known as an NFS share or export), which is accessed by a computer that is running Windows Server 2008 R2 and Client for NFS. You can install NFS server and client software either in the same UNIX-based computer or on different UNIX-based computers, as desired.
- A Windows Server 2008 R2 domain controller running at the Windows Server 2008 R2 functional level. The domain controller provides user authentication information for the Windows environment. Or, if you prefer, you can use local user accounts.
- A Network Information Service (NIS) server to provide user authentication information for the UNIX environment. Or, if you prefer, you can use Password and Group files that are stored on the computer that is running the User Name Mapping service. The User Name Mapping service can be deployed on a computer that is running Windows Server 2003 R3.
For the Windows operating system, you can create the user accounts (domain user accounts) on the Windows Server 2008 R2 domain controller. Or if you prefer, you can create local user accounts on each Windows-based computer in the deployment. For instructions about how to configure user accounts, consult your Windows Server 2008 R2 documentation.

For the UNIX-based operating system, you can create the user accounts on the NIS server or in the UNIX /etc/passwd and /etc/group files. For instructions about how to create NIS user accounts, see the documentation for your NIS server software. For instructions on creating /etc/passwd and /etc/group files, see the documentation for your UNIX-based operating system.

The following table lists some examples of fictitious users and corresponding user and group accounts that you can use for this test.
LAlverca@NISDomain WinGroup
Important: Before installing Services for NFS, you must remove any previously installed NFS components. We recommend that you back up your computers or record your configuration before you remove the NFS components, so that you can restore the configuration on Services for NFS.
9. When the installation completes, the installation results appear. Click Close.
Members.
Specifying default permissions for new files and folders on a computer that is running Client for NFS
You can specify the default permissions that are applied to an NFS shared resource by the computer that is running Client for NFS. You can assign Read, Write, and Execute permissions to Owner, Group, and Others.
- Owner. The person creating the file. By default, Owner has Read, Write, and Execute permissions.
- Group. The primary group of the person creating the file. By default, Group has Read and Execute permissions.
- Others. Other file system users (equivalent to Everyone in a Windows operating system). By default, Others have Read and Execute permissions.
Note: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must be delegated the appropriate authority.
Test 1: On the computer that is running Client for NFS, map a drive letter to a UNIX-based NFS shared resource.
The test is successful if you can map the drive and view the test file on the NFS shared resource from the computer that is running Client for NFS.
Test 2: On the computer that is running Client for NFS, create a test file and verify its permissions.
The test is successful if you can create a new document, and its ownership and permission match the default file permissions that you specified.
mount hostname:/sharename mountpoint

Refer to the man pages of your UNIX-based operating system for specific command line switches supported by the mount utility.

Variable     Description
hostname     The name of the computer that is running Server for NFS, on which you previously created an NFS shared resource (as described in "Creating an NFS shared folder").
sharename    The name of the NFS shared resource.
mountpoint   The point in the file system where the command will mount the NFS shared resource, for example, /home/username/testshare.
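An added example, not part of the original guide: once the share is mounted, a UNIX client can check which security flavor each NFS mount uses, given that Server for NFS offers Krb5 and Krb5i but not Krb5p. It assumes a Linux client whose /proc/mounts records a sec= option; the host names and mount lines below are constructed.

```sh
#!/bin/sh
# Added example: classify the security flavor of NFS mounts on a client.
# Assumed input format (Linux /proc/mounts): device mountpoint fstype options dump pass

# verdict OPTIONS -> "<flavor> <level>: <reason>" for a comma-separated option list
verdict() {
    case ",$1," in
        *,sec=krb5i,*) echo "krb5i ok: Kerberos v5 authentication with integrity checking" ;;
        *,sec=krb5,*)  echo "krb5 warn: Kerberos v5 authentication only, no integrity checking" ;;
        *,sec=krb5p,*) echo "krb5p error: privacy is not supported by Services for NFS" ;;
        *,sec=sys,*)   echo "sys weak: no Kerberos, identity is the client-asserted UID/GID" ;;
        *,sec=*)       echo "other review: unrecognized sec= value" ;;
        *)             echo "unset review: no sec= option recorded" ;;
    esac
}

# audit_nfs_sec [SERVER] < mounts
# Prints "mountpoint device verdict" for every NFS mount, or only those from SERVER.
audit_nfs_sec() {
    want=$1
    while read -r dev mnt fstype opts _rest; do
        case $fstype in nfs|nfs4) ;; *) continue ;; esac
        host=${dev%%:*}                      # text before the first ':' is the server
        [ -n "$want" ] && [ "$host" != "$want" ] && continue
        printf '%s %s %s\n' "$mnt" "$dev" "$(verdict "$opts")"
    done
}

# Constructed sample input; winnfs01 and unixnfs02 are hypothetical host names.
sample_mounts() {
    cat <<'EOF'
winnfs01:/testshare /home/username/testshare nfs rw,vers=3,proto=tcp,sec=krb5i 0 0
winnfs01:/public /mnt/public nfs rw,vers=3,proto=tcp,sec=sys 0 0
/dev/sda1 / ext4 rw,relatime 0 0
unixnfs02:/export /mnt/export nfs rw,vers=3,sec=krb5 0 0
EOF
}

# Report only the mounts served by the Windows host running Server for NFS.
sample_mounts | audit_nfs_sec winnfs01
```

On a live Linux client, feed the function real data with `audit_nfs_sec hostname < /proc/mounts`. Because Krb5p is unavailable, even an "ok" mount carries file contents unencrypted on the wire.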
Test 4: On a UNIX-based client, create a test file and verify that the file permissions match those in the Windows operating system.
The test is successful if you can create the text file and the file permissions match in the Windows operating system and the UNIX operating system.
To create a test file and verify that the file permissions match
1. On the same UNIX client that you used in Test 3, create a text file by using a simple text editor. Save the file to the NFS shared resource that you mounted in Test 3.
2. On the computer that is running Server for NFS and hosting the NFS shared resource, open Windows Explorer and browse to the NFS shared resource.
3. Right-click the file name, click Properties, and then click Security.
4. Compare the file permissions that are reported in the Windows operating system against the file permissions that are reported in the same UNIX-based client that you used in Test 3.
Additional references
For more information about using and configuring NFS, see the following resources:
- Managing NFS and NIS, Hal Stern, O'Reilly, ISBN 0-937175-75-7
- Article 324546 in the Microsoft Knowledge Base: HOW TO: Use the Client for NFS to Set the NFS Permissions for a File or Folder [6] (http://go.microsoft.com/fwlink/?LinkId=44497)
- Article 233492 in the Microsoft Knowledge Base: The Major Differences Between NFS Versions 2 and 3 [7] (http://go.microsoft.com/fwlink/?LinkId=44502)
- Article 324089 in the Microsoft Knowledge Base: HOW TO: Share Windows Folders by Using Server for NFS [8] (http://go.microsoft.com/fwlink/?LinkId=44495)
- Article 324539 in the Microsoft Knowledge Base: How to perform maintenance and ancillary tasks after a UNIX-to-Windows migration [9] (http://go.microsoft.com/fwlink/?LinkId=44493)
- Download page on the Microsoft Web site: Windows Services for UNIX 3.5 [10] (http://go.microsoft.com/fwlink/?LinkId=44501)
Links Table
[1] http://go.microsoft.com/fwlink/?LinkId=151755
[2] http://msdn.microsoft.com/en-us/library/ff706658(v=vs.85).aspx
[3] http://go.microsoft.com/fwlink/?LinkId=150364
[4] http://go.microsoft.com/fwlink/?LinkId=150365
[5] http://go.microsoft.com/fwlink/?LinkId=127917
[6] http://go.microsoft.com/fwlink/?LinkId=44497
[7] http://go.microsoft.com/fwlink/?LinkId=44502
[8] http://go.microsoft.com/fwlink/?LinkId=44495
[9] http://go.microsoft.com/fwlink/?LinkId=44493
[10] http://go.microsoft.com/fwlink/?LinkId=44501
Community Content
I think the NFS UNC you gave is wrong?
I think that the NFS UNC you gave is wrong, you said "hostname://sharedresourcename", which does not work, I think it should be "hostname:/sharedresourcename" which does (on Windows Server 2008 R2).
6/4/2012 JeffByers
NFS4
Thanks for the great information but mention of NFSv4 is noticeably absent. Is there a way to enable NFSv4 in 2008R2? If I'm not mistaken RPC_GSSD (i.e. Kerberos auth) only works with NFS4 on Linux/Unix clients.

[tfl - 15 04 12] Hi - and thanks for your post. Community content is not the appropriate place for technical support queries. Instead, you should visit the Technet Forums at http://forums.microsoft.com/technet, where such posts are welcomed and where you stand a much better chance of getting your query resolved. Sorry if that's not the answer you wanted to hear.
1/24/2012 LA Richards