
8/5/12

Services for NFS Step-by-Step Guide for Windows Server 2008 R2


Published: May 4, 2009 Updated: October 26, 2011 Applies To: Windows Server 2008 R2

What is Services for NFS?


Services for Network File System (NFS) provides a file-sharing solution for enterprises that have a mixed Windows-based and UNIX-based environment. Services for NFS enables users to transfer files between computers running the Windows Server 2008 R2 operating system and UNIX-based computers using the NFS protocol.

Note For a downloadable version of this document, see the Services for NFS Step-by-Step Guide for Windows Server 2008 R2 [1] in the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=151755).

Services for NFS components


Services for NFS includes the following components:

Server for NFS. This component corresponds to the server-side implementation of the NFS file-sharing protocol. Server for NFS enables a computer that is running Windows Server 2008 R2 to act as a file server for UNIX-based client computers.

Client for NFS. This component corresponds to the client-side implementation of the NFS file-sharing protocol. Client for NFS enables a Windows-based computer that is running Windows Server 2008 R2 (or Windows 7) to access files that are stored on a UNIX-based NFS server.

Windows Server 2008 R2 includes both the Server for NFS and Client for NFS components. However, Windows 7 includes only Client for NFS.

What's new in Services for NFS


The following enhancements to Services for NFS are available in Windows Server 2008 R2:

Netgroup support. Netgroups are used to create named groups of hosts across a network, and they simplify control of user and group login and shell access to remote computers. Netgroups also allow administrators to easily manage NFS access control lists. In Windows Server 2008 R2, Server for NFS can retrieve netgroup settings from Network Information Services (NIS) and Lightweight Directory Access Protocol (LDAP) stores, such as Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). This new capability enables administrators to use netgroups to provision access to shares instead of host names of individual client computers. This makes it easier to administer and manage access to NFS shares.

RPCSEC_GSS support. Services for NFS provides native support for RPCSEC_GSS, a remote procedure call (RPC) security feature that enables applications to take advantage of the security features available through the Generic Security Service Application Programming Interface (GSS-API). GSS-API gives applications the ability to use the integrity and authentication security services provided by the operating system. RPCSEC_GSS enables Services for NFS to use Kerberos authentication, and provides security services that are independent of the mechanisms being used.

Note Services for NFS does not support the RPCSEC_GSS privacy security service. This means that Kerberos v5 authentication with privacy (Krb5p), which encrypts NFS traffic, is not supported.

To enable Kerberos protocol authentication methods for a shared folder, the following options have been added to the NFS Authentication page in the Provision a Shared Folder Wizard and to the Properties dialog box for shared folders on the NFS Authentication tab:

Kerberos v5 authentication (Krb5) uses the Kerberos v5 protocol to authenticate users before granting access to the shared file system.

Kerberos v5 authentication with integrity (Krb5i) uses Kerberos v5 authentication with integrity checking (checksums) to verify that the data has not been tampered with.

You can combine these security options to allow clients to choose either type of Kerberos v5 protocol when they mount shares exported by the NFS file system.

Using Windows Management Instrumentation to manage Server for NFS. Windows Management Instrumentation (WMI) enables IT pros to remotely manage NFS by allowing Web-Based Enterprise Management (WBEM) applications to communicate with WMI providers on the local or remote computers to manage WMI objects. WMI allows you to use scripting languages such as VBScript or Windows PowerShell to manage computers and servers that are running a Microsoft Windows operating system, both locally and remotely. In Windows Server 2008 R2, there is a new WMI provider that enables end-to-end remote management of Services for NFS components. For more information, see WMI Provider for NFS [2] on MSDN.

Unmapped UNIX User Access (UUUA). An Unmapped UNIX User option is now available for NFS shares. In predominantly UNIX-based environments (deployments where the majority of client computers are running UNIX-based operating systems), Windows servers can be used for storing NFS data without creating UNIX-to-Windows account mapping. This configuration setting allows administrators to quickly provision and deploy Server for NFS without having to configure account mapping. With UUUA, Server for NFS creates custom security identifiers (SIDs) to represent unmapped users. Mapped user accounts use standard Windows security identifiers (SIDs) and unmapped users use custom NFS SIDs.

Services for NFS usage scenarios


Services for NFS enables you to support a mixed environment of Windows-based and UNIX-based operating systems. The following scenarios are examples of how enterprises can benefit from deploying Services for NFS.

Enable UNIX-based client computers to access resources on computers running Windows Server 2008 R2. Your company may have UNIX-based client computers accessing resources, such as files, on UNIX-based file servers. To take advantage of features in Windows Server 2008 R2 such as Shadow Copies for Shared Folders, you can move resources from your UNIX-based file servers to computers running Windows Server 2008 R2. You can then set up Services for NFS to enable UNIX-based clients that are running NFS software to access files shared by these computers. All of your UNIX-based clients will be able to access resources by using the NFS protocol without additional configuration.

Enable computers running Windows Server 2008 R2 to access resources on UNIX-based file servers. Your company may have a mixed Windows-based and UNIX-based environment with resources, such as files, stored on UNIX file servers. You can use Services for NFS (specifically, Client for NFS) to enable computers that are running Windows Server 2008 R2 to access these resources when the file servers are running NFS server software.

Take advantage of 64-bit hardware. You can run Services for NFS components on 64-bit editions of Windows Server 2008 R2 and benefit from the improved performance and scalability of 64-bit computing.

Services for NFS administrative tools


Windows Server 2008 R2 provides a Microsoft Management Console (MMC) snap-in and several command-line tools for managing Services for NFS components.

Services for NFS snap-in


You can use the Services for NFS snap-in to manage Client for NFS and Server for NFS. When you open the snap-in, the components that are installed on the computer that is being managed will be available.

Note To perform this procedure, you must be a member of the Administrators group on the local computer, or you must be delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider running Services for Network File System as an administrator.

To get help for an item in this snap-in, right-click the item, and then click Help.

To open Services for Network File System


Click Start, point to Administrative Tools, and click Services for Network File System (NFS).

Services for NFS command-line tools


The following Windows command-line administration tools are available to manage Services for NFS. To run a tool, type its name in a Command Prompt window. For information about the parameters that are available for a tool, type the tool name followed by the /? command-line option.

mount. Mounts a remote NFS share (also known as an export) locally and maps it to a local drive letter on the Windows client computer.

nfsadmin. Manages configuration settings of the Server for NFS and Client for NFS components.

nfsshare. Configures NFS share settings for folders that are shared using Server for NFS.

nfsstat. Displays or resets statistics of calls received by Server for NFS.

showmount. Displays mounted file systems exported by Server for NFS.

umount. Removes NFS-mounted drives.

Test scenario
This test scenario requires you to deploy Services for NFS in a lab environment to assess how this technology would function if it is deployed in your production environment. The instructions provided in this document will help you do the following:

Create an NFS shared resource on a computer that is running Windows Server 2008 R2 and Server for NFS that can be mounted and used by a UNIX-based client computer.

Create an NFS shared resource on a UNIX-based file server that can be mounted and used by a client computer that is running Windows Server 2008 R2 and Client for NFS.

Prerequisites and assumptions


This guide assumes that you:

Have basic familiarity with Windows and UNIX operating environments and file security.

Know how to install and operate Windows Server 2008 R2.

Understand client-server interaction in a networked environment.

Steps for deploying and testing Services for NFS


This section describes how to set up a basic test environment to deploy and validate Services for NFS. It discusses how to install and configure the Services for NFS components and how to test the deployment.

Reviewing system requirements for Services for NFS


Services for NFS can be installed on computers that are running any edition of the Windows Server 2008 R2 operating system. The two main components of Services for NFS (Server for NFS and Client for NFS) can be installed on the same computer or on separate computers. Server for NFS and Client for NFS support both version 2 and version 3 of the NFS protocol. You can use Services for NFS with UNIX-based computers that are running an NFS server or NFS client if these NFS server and client implementations comply with one of the following protocol specifications:

NFS Version 2 Protocol Specification, as defined in RFC 1094 [3] (http://go.microsoft.com/fwlink/?LinkId=150364)

NFS Version 3 Protocol Specification, as defined in RFC 1813 [4] (http://go.microsoft.com/fwlink/?LinkId=150365)

Note By default, Server for NFS supports UNIX-based client computers that are using either NFS Version 2 or NFS Version 3. However, you can override this and configure Server for NFS to allow access only to clients that are running NFS Version 2. For instructions, see "Configuring Server for NFS" in the Services for NFS Help. Client for NFS supports both versions, and this is not configurable.


Setting up the environment for Services for NFS


The next step is to set up the environment for Services for NFS by deploying computers and creating user accounts for testing.

Deploy computers
You need to deploy the following computers and connect them on a local area network (LAN):

One or more computers running Windows Server 2008 R2 on which you will install the two main Services for NFS components: Server for NFS and Client for NFS. You can install the components on the same computer or on different computers. Instructions for installing all Services for NFS components are provided later in this document.

One or more UNIX-based computers that are running NFS server and NFS client software. The UNIX-based computer that is running NFS server hosts an NFS shared resource (known as an NFS share or export), which is accessed by a computer that is running Windows Server 2008 R2 and Client for NFS. You can install NFS server and client software either on the same UNIX-based computer or on different UNIX-based computers, as desired.

A Windows Server 2008 R2 domain controller running at the Windows Server 2008 R2 functional level. The domain controller provides user authentication information for the Windows environment. Or, if you prefer, you can use local user accounts.

A Network Information Service (NIS) server to provide user authentication information for the UNIX environment. Or, if you prefer, you can use Password and Group files that are stored on the computer that is running the User Name Mapping service. The User Name Mapping service can be deployed on a computer that is running Windows Server 2003 R3.

Create test user accounts


For the purposes of this test, you can create several fictitious users. For each user, you can create one security account for the Windows operating system and one security account for the UNIX-based operating system. Assign different user names to the two accounts. You can later use these accounts to test the advanced mapping feature of Services for NFS. Advanced mapping allows you to map a given user's credentials between Windows and UNIX, even when the user name is different.

Note The alternative to advanced mapping is simple mapping. You can use simple mapping when the user names are the same on the Windows operating system and the UNIX-based operating system. For more information, see User Name Mapping administration [5] (http://go.microsoft.com/fwlink/?LinkId=127917).

For the Windows operating system, you can create the user accounts (domain user accounts) on the Windows Server 2008 R2 domain controller. Or if you prefer, you can create local user accounts on each Windows-based computer in the deployment. For instructions about how to configure user accounts, consult your Windows Server 2008 R2 documentation.

For the UNIX-based operating system, you can create the user accounts on the NIS server or in the UNIX /etc/passwd and /etc/group files. For instructions about how to create NIS user accounts, see the documentation for your NIS server software. For instructions on creating /etc/passwd and /etc/group files, see the documentation for your UNIX-based operating system.

The following table lists some examples of fictitious users and corresponding user and group accounts that you can use for this test.

Fictitious user   Windows user name      UNIX user name       Windows group name   UNIX group name
Carol Philips     WindowsDomain\CarolP   CPhilips@NISDomain   WinGroup             UNIXGrp
Roger Harui       WindowsDomain\RogerH   RHarui@NISDomain     WinGroup             UNIXGrp
Luis Alverca      WindowsDomain\LuisA    LAlverca@NISDomain   WinGroup             UNIXGrp

Installing Services for NFS


You need to install the Services for NFS components on a computer that is running Windows Server 2008 R2. These instructions assume that you are installing all of the components on a single computer.

Note To perform this procedure, you must be a member of the Administrators group on the local computer, or you must be delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider running Services for Network File System as an administrator.

Important Before installing Services for NFS, you must remove any previously installed NFS components. We recommend that you back up your computers or record your configuration before you remove the NFS components, so that you can restore the configuration on Services for NFS.

To install Services for NFS components


1. Click Start, point to Administrative Tools, and then click Server Manager.
2. In the left pane, click Manage Roles.
3. Click Add Roles. The Add Roles Wizard appears.
4. Click Next. The Select Server Roles options appear.
5. Select the File Services check box, and then click Next.
6. The File Services screen appears. Click Next to view the Role Services options.
7. Select the Services for Network File System (NFS) check box, and then click Next.
8. Confirm your selection and click Install.
9. When the installation completes, the installation results appear. Click Close.

Configuring NFS authentication


The required configuration for this test uses a Windows Server 2008 R2 domain controller running at the Windows Server 2008 R2 functional level. For security reasons, we recommend installing Windows Server 2008 R2 and all the latest security updates.

Creating an NFS shared folder


The next step is to use NFS sharing to create an NFS shared folder on the computer running Server for NFS. You can later mount this shared folder on a UNIX-based client computer and create a test file on it.

Note To perform this procedure, you must be a member of the Administrators group on the local computer, or you must be delegated the appropriate authority.

To create a shared folder by using NFS sharing


1. On the Windows Server 2008 R2 computer that is running Server for NFS, create a folder to use as the NFS shared folder.
2. In Windows Explorer, right-click the folder that you created, and click Properties. In Properties, click the NFS Sharing tab. Note that the NFS Sharing tab is not available unless you install Services for Network File System components, as described in the previous section.
3. Click Manage NFS Sharing, and select Share this folder. Provide a name for the share that you would like to export to NFS client computers.
4. If you want to allow anonymous access, select Allow anonymous access. You can also specify the UID and GID to be used for anonymous access (the default is -2).
5. To configure share permissions, click Permissions, click Add, and then do one of the following:
   In the Names list, click the clients and groups that you want to add, and then click Add.
   In the Add Names text box, type the names of the clients or groups that you want to add (separate the names in the list with a semicolon).
6. In the Type of Access list, click the type of access that you want to allow the selected clients and groups.
7. Select Allow root access if you want a user who is identified as a root user to have access other than as an anonymous user. By default, the user identifier (UID) root user is forced to use the anonymous UID.
8. In the Encoding list, choose the type of directory and file name encoding to be used for the selected clients and groups.
9. Click OK twice, and then click Apply.

Note To see a list of the members of a group, in the Names list, click a group, and then click Members.

Specifying default permissions for new files and folders on a computer that is running Client for NFS

You can specify the default permissions that are applied to an NFS shared resource by the computer that is running Client for NFS. You can assign Read, Write, and Execute permissions to Owner, Group, and Others.

Owner. The person creating the file. By default, Owner has Read, Write, and Execute permissions.

Group. The primary group of the person creating the file. By default, Group has Read and Execute permissions.

Others. Other file system users (equivalent to Everyone in a Windows operating system). By default, Others have Read and Execute permissions.

Note To perform this procedure, you must be a member of the Administrators group on the local computer, or you must be delegated the appropriate authority.

To specify default file permissions


1. On the computer that is running Client for NFS, open Services for NFS. To open Services for NFS, click Start, point to Administrative Tools, and then click Services for Network File System.
2. In the console tree, right-click Client for NFS, and then click Properties.
3. On the File Permissions tab, select the default file permissions to apply to each new file and folder that is created by this computer, and then click OK.

Enable file and printer sharing for administration tools


On the computer that is hosting the Services for NFS snap-in and Services for NFS command-line tools, you must enable file and printer sharing in Windows Firewall.

To enable file and printer sharing


1. On a computer that is running Services for NFS, click Start, click Run, type firewall.cpl, and then click OK.
2. Click the Exceptions tab, select the File and Printer Sharing check box, and then click OK.
3. Repeat these steps on each computer that is running Services for NFS.

Testing your deployment


Now that everything is set up, you can test your deployment to verify its functionality. The following are some suggested basic tests.


Test 1: On the computer that is running Client for NFS, map a drive letter to a UNIX-based NFS shared resource.
The test is successful if you can map the drive and view the test file on the NFS shared resource from the computer that is running Client for NFS.

To map a drive letter to a UNIX-based NFS shared resource


1. On a UNIX-based server that is running NFS server software, create an NFS shared resource (also known as an NFS export). Create a test file on the shared resource.
2. Use one of the Windows user accounts that you created for this test to log on to the computer that is running Windows Server 2008 R2 and Client for NFS.
3. Open Windows Explorer, and on the Tools menu, click Map Network Drive.
4. Type the UNIX-style NFS server and shared resource name (hostname://sharedresourcename) or the Universal Naming Convention (UNC) path of the NFS shared resource on the UNIX file server.
5. Click OK. Using Windows Explorer, navigate to the mapped drive and check to see if you can view the test file that was created on the UNIX-based NFS server.

Test 2: On the computer that is running Client for NFS, create a test file and verify its permissions.
The test is successful if you can create a new document, and its ownership and permission match the default file permissions that you specified.

To create a test file and verify its permissions


1. Use one of the Windows user accounts that you created for this test to log on to the computer that is running Client for NFS.
2. Open the NFS shared resource that you used in Test 1.
3. In the file list, right-click and point to New, and then click Text Document.
4. Type a name for the file. Do not use spaces.
5. Right-click the file name, click Properties, and then click NFS Attributes.
6. Verify that the NFS attributes match the default attributes that you specified earlier (as described in "Specifying default permissions for new files and folders"). Also verify that the Owner UID and Group UID are correct.

Test 3: On a UNIX-based client, mount the Windows NFS shared resource.


The test is successful if you can mount the NFS shared resource.

To mount the Windows NFS shared resource


In a command shell on a UNIX client computer that is running NFS client software, type:

mount hostname:/sharename mountpoint

Refer to the man pages of your UNIX-based operating system for specific command-line switches supported by the mount utility.

Variable     Description
hostname     The name of the computer that is running Server for NFS, on which you previously created an NFS shared resource (as described in "Creating an NFS shared folder").
sharename    The name of the NFS shared resource.
mountpoint   The point in the file system where the command will mount the NFS shared resource, for example, /home/username/testshare.
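After the share is mounted in Test 3, it is worth confirming which RPC security flavor the mount actually uses, given that this guide offers Krb5 and Krb5i but not Krb5p. The shell function below is an added example, not part of the original guide; it assumes a Linux client whose /proc/mounts lists vers= and sec= options, and the host names, addresses and mount lines in it are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): report the RPC security flavor of NFS
# mounts that come from one server, using Linux /proc/mounts-format lines.

# nfs_sec_report SERVER
#   stdin : mount-table lines ("source mountpoint fstype options dump pass")
#   stdout: "<mountpoint> vers=<n> sec=<flavor> <verdict>" per matching mount
#   return: 0 if every matching mount uses a Kerberos flavor, 1 otherwise
nfs_sec_report() {
    server=$1
    status=0
    while read -r src mnt fstype opts _rest; do
        # Only NFS mounts whose source is SERVER:/... are of interest.
        case $fstype in nfs|nfs4) ;; *) continue ;; esac
        case $src in "$server":/*) ;; *) continue ;; esac

        vers=unknown
        sec=sys                  # assumption: no sec= option means AUTH_SYS
        old_ifs=$IFS; IFS=,
        for opt in $opts; do     # split the option list on commas
            case $opt in
                vers=*|nfsvers=*) vers=${opt#*=} ;;
                sec=*)            sec=${opt#sec=} ;;
            esac
        done
        IFS=$old_ifs

        case $sec in
            krb5)  verdict="kerberos-auth" ;;
            krb5i) verdict="kerberos-auth+integrity" ;;
            # The guide says Server for NFS does not offer Krb5p, so this
            # flavor is listed only for completeness.
            krb5p) verdict="kerberos-auth+integrity+privacy" ;;
            *)     verdict="no-kerberos"; status=1 ;;
        esac
        printf '%s vers=%s sec=%s %s\n' "$mnt" "$vers" "$sec" "$verdict"
    done
    return "$status"
}

# Constructed sample mount table: two shares from a hypothetical Windows
# server "winnfs01", one from a UNIX server, and one local file system.
sample_mounts() {
    cat <<'EOF'
winnfs01:/testshare /home/username/testshare nfs rw,relatime,vers=3,hard,proto=tcp,sec=sys,addr=192.0.2.10 0 0
winnfs01:/secure /mnt/secure nfs rw,relatime,vers=3,hard,proto=tcp,sec=krb5i,addr=192.0.2.10 0 0
unixnfs02:/export /mnt/unix nfs rw,relatime,vers=3,sec=sys,addr=192.0.2.20 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
}

# On a live Linux client: nfs_sec_report <hostname> < /proc/mounts
sample_mounts | nfs_sec_report winnfs01 ||
    echo "at least one mount from winnfs01 is not using Kerberos"
```

A mount reported as no-kerberos relies on UIDs asserted by the client, and even a Krb5i mount is not encrypted on the wire, because this guide states that Krb5p is not supported.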

Test 4: On a UNIX-based client, create a test file and verify that the file permissions match those in the Windows operating system.
The test is successful if you can create the text file and the file permissions match in the Windows operating system and the UNIX operating system.

To create a test file and verify that the file permissions match
1. On the same UNIX client that you used in Test 3, create a text file by using a simple text editor. Save the file to the NFS shared resource that you mounted in Test 3.
2. On the computer that is running Server for NFS and hosting the NFS shared resource, open Windows Explorer and browse to the NFS shared resource.
3. Right-click the file name, click Properties, and then click Security.
4. Compare the file permissions that are reported in the Windows operating system against the file permissions that are reported in the same UNIX-based client that you used in Test 3.

Additional references
For more information about using and configuring NFS, see the following resources:

Managing NFS and NIS, Hal Stern, O'Reilly, ISBN 0-937175-75-7

Article 324546 in the Microsoft Knowledge Base: HOW TO: Use the Client for NFS to Set the NFS Permissions for a File or Folder [6] (http://go.microsoft.com/fwlink/?LinkId=44497)

Article 233492 in the Microsoft Knowledge Base: The Major Differences Between NFS Versions 2 and 3 [7] (http://go.microsoft.com/fwlink/?LinkId=44502)

Article 324089 in the Microsoft Knowledge Base: HOW TO: Share Windows Folders by Using Server for NFS [8] (http://go.microsoft.com/fwlink/?LinkId=44495)

Article 324539 in the Microsoft Knowledge Base: How to perform maintenance and ancillary tasks after a UNIX-to-Windows migration [9] (http://go.microsoft.com/fwlink/?LinkId=44493)

Download page on the Microsoft Web site: Windows Services for UNIX 3.5 [10] (http://go.microsoft.com/fwlink/?LinkId=44501)

Links Table
[1] http://go.microsoft.com/fwlink/?LinkId=151755
[2] http://msdn.microsoft.com/en-us/library/ff706658(v=vs.85).aspx
[3] http://go.microsoft.com/fwlink/?LinkId=150364
[4] http://go.microsoft.com/fwlink/?LinkId=150365
[5] http://go.microsoft.com/fwlink/?LinkId=127917
[6] http://go.microsoft.com/fwlink/?LinkId=44497
[7] http://go.microsoft.com/fwlink/?LinkId=44502
[8] http://go.microsoft.com/fwlink/?LinkId=44495
[9] http://go.microsoft.com/fwlink/?LinkId=44493
[10] http://go.microsoft.com/fwlink/?LinkId=44501

Community Content
I think the NFS UNC you gave is wrong?
I think that the NFS UNC you gave is wrong, you said "hostname://sharedresourcename", which does not work, I think it should be "hostname:/sharedresourcename" which does (on Windows Server 2008 R2).

6/4/2012 JeffByers

NFS4
Thanks for the great information but mention of NFSv4 is noticeably absent. Is there a way to enable NFSv4 in 2008R2? If I'm not mistaken RPC_GSSD (i.e. Kerberos auth) only works with NFS4 on Linux/Unix clients.

[tfl - 15 04 12] Hi - and thanks for your post. Community content is not the appropriate place for technical support queries. Instead, you should visit the Technet Forums at http://forums.microsoft.com/technet, where such posts are welcomed and where you stand a much better chance of getting your query resolved. Sorry if that's not the answer you wanted to hear.

4/15/2012 Thomas Lee

1/24/2012 LA Richards

2012 Microsoft. All rights reserved.

technet.microsoft.com/en-us/library/dd758767(d=printer,v=ws.10).aspx
