Network File System (NFS) is a popular means of accessing file resources on UNIX and Linux servers, and on products from some virtualization vendors such as VMware. Server for NFS is a role service within the File and Storage Services role. Once installed, the NFS service itself is managed through the Services for Network File System administrative tool, while NFS shares are managed through the File and Storage Services management console.
An important component when working with NFS is user identity mapping, which enables users on non-Active Directory systems such as Linux to work with NFS in Windows by letting Server for NFS look up external identity information in Active Directory. This process connects the User Identifier (UID) and Group Identifier (GID) from a UNIX environment to the unique Active Directory Security Identifier (SID) of each user and group; the resulting SID is what Windows evaluates against NTFS permissions on the shared folder.
This is typically accomplished either through Identity Management for UNIX, which stores the mappings in Active Directory Domain Services (AD DS), or through Active Directory Lightweight Directory Services (AD LDS). Identity Management for UNIX is installed from an elevated command prompt with the Deployment Image Servicing and Management (DISM) tool, using these commands:
- Install the administration tools:
Dism.exe /online /enable-feature /featurename:adminui /all
- Install the server for Network Information Service (NIS):
Dism.exe /online /enable-feature /featurename:nis /all
- Install password synchronization:
Dism.exe /online /enable-feature /featurename:psync /all
Mapping via Active Directory Domain Services (AD DS) is the typical enterprise scenario, because shares are frequently created to support both SMB and NFS and the domain already holds the user and group accounts.
Mapping via AD LDS is another scenario, but a less common one for enterprises, because it is intended for environments that don't already have an AD DS infrastructure: the NFS server keeps its own mapping store and maps UIDs and GIDs to local Windows accounts.
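The following PowerShell session shows the AD DS mapping scenario end to end on a domain-joined Windows Server 2012 file server. It is an added example, not text or code from the book: the domain name, user, group and UID/GID values are assumed, and it relies on the uidNumber and gidNumber attributes that the Active Directory schema has carried since Windows Server 2003 R2.

```powershell
# Added example (not from the book): Server for NFS with AD DS identity mapping.
# Assumed values: domain contoso.com, user jdoe (UID 1001), group unixusers (GID 1001).
# Run in an elevated PowerShell session on the domain-joined NFS server.

# 1. Install the NFS server role service together with its management tools.
Install-WindowsFeature -Name FS-NFS-Service -IncludeManagementTools

# 2. Point the NFS identity mapping store at AD DS. Server for NFS then resolves
#    UID/GID <-> SID through the uidNumber and gidNumber attributes of domain
#    user and group objects.
Set-NfsMappingStore -EnableADLookup $true -ADDomainName "contoso.com"

# 3. Populate uidNumber/gidNumber so the domain accounts match the UNIX accounts
#    that will present those IDs over NFS.
Import-Module ActiveDirectory
Set-ADGroup -Identity "unixusers" -Replace @{ gidNumber = 1001 }
Set-ADUser  -Identity "jdoe"      -Replace @{ uidNumber = 1001; gidNumber = 1001 }

# 4. Verify the mapping the way Server for NFS will see it. A user or group that
#    does not resolve here will arrive at the share as the anonymous identity.
Get-NfsMappedIdentity -AccountName "jdoe"      -AccountType User
Get-NfsMappedIdentity -AccountName "unixusers" -AccountType Group
```

Step 4 is the check worth keeping in a runbook: a UID that is assigned to two accounts, or to none, is the usual cause of "permission denied" on a share whose NTFS permissions look correct.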
You also can configure the NFS service to allow connections with no authentication (AUTH_SYS, in which the server simply trusts the UID and GID the client presents), as discussed later. The authentication options are set when configuring the share and can also be changed later. Figure 1-35 shows the authentication options dialog box for a new share.
FIGURE 1-35 Setting authentication options when creating an NFS share.
--------------------
NOTE: ACCOUNT MAPPING
Both stores can hold UID and GID mappings. With AD DS the mapping comes from the uidNumber and gidNumber attributes on domain user and group objects; AD LDS provides a stand-alone mapping store for an NFS server that is not part of a domain, mapping UIDs and GIDs to local Windows accounts.
--------------------
Figure 1-36 shows the Authentication pane for a share named E.
FIGURE 1-36 Authentication properties of an NFS share.
Among the authentication options, Kerberos v5 (Krb5) uses the Kerberos v5 protocol to authenticate the client; Krb5i adds integrity checking, signing each RPC message so that a request cannot be altered in transit; and Krb5p adds privacy, encrypting the RPC traffic as well. Krb5p support is a new addition in Windows Server 2012.
Unmapped user access is useful when the NFS clients are not integrated with Active Directory and so no identity mapping exists. Unmapped user access comes in two forms: anonymous and unmapped. With unmapped access, Server for NFS creates custom SIDs that correspond to the UIDs and GIDs of the UNIX accounts accessing the share; with anonymous access, every request is treated as the anonymous account. In both cases the server is relying on the UID and GID the client claims, so when allowing anonymous or unmapped access, and especially root access, your best bet is to use Windows Firewall or other firewalls to deny access to the NFS service from all but the required IP addresses or subnets.
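The following session applies the choices discussed above from PowerShell: a share that accepts only Kerberos with privacy, refuses unmapped, anonymous and root access, grants rights to one named client, and, for the case where a share must still allow unauthenticated clients, narrows the NFS firewall rules to one subnet. It is an added example, not code from the book; the share path, client host name, subnet and the set of firewall rules matched are assumptions.

```powershell
# Added example (not from the book): hardening an NFS share and fencing the service.
# Assumed values: share path E:\Projects, client nfsclient01.contoso.com, subnet 10.10.20.0/24.
# Run in an elevated PowerShell session on the NFS server.

# Share that accepts only krb5p (authenticated, integrity-checked, encrypted),
# rejects AUTH_SYS/unmapped and anonymous requests, squashes root, and grants
# no default access to "All Machines".
New-NfsShare -Name "projects" -Path "E:\Projects" `
    -Authentication krb5p `
    -EnableUnmappedAccess $false `
    -EnableAnonymousAccess $false `
    -AllowRootAccess $false `
    -Permission no-access

# Grant read/write only to the one client that needs it; root stays squashed.
Grant-NfsSharePermission -Name "projects" -ClientName "nfsclient01.contoso.com" `
    -ClientType host -Permission readwrite -AllowRootAccess $false

# If a share must allow unmapped or anonymous (AUTH_SYS) clients, compensate at the
# network layer. The role installs inbound allow rules for NFS that are scoped to any
# remote address; narrow them to the client subnet instead of adding Block rules,
# because in Windows Firewall a Block rule wins over every Allow rule, including
# the one for the subnet you want to keep.
$nfsSubnet = "10.10.20.0/24"
Get-NetFirewallRule -Direction Inbound |
    Where-Object { $_.DisplayGroup -like "*NFS*" } |      # assumed: matches the NFS rule group
    Set-NetFirewallRule -RemoteAddress $nfsSubnet

# Review the result.
Get-NfsShare -Name "projects" | Format-List
Get-NfsSharePermission -Name "projects"
Get-NetFirewallRule -Direction Inbound |
    Where-Object { $_.DisplayGroup -like "*NFS*" } |
    Get-NetFirewallAddressFilter | Format-Table RemoteAddress
```

The last three commands are the checks to run after any change: the share's authentication list, the per-client permissions, and the remote address scope of the NFS rules are the three settings that together decide who can read the share and whether the server ever trusts a client-supplied UID.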
Up to this point only simple file sharing scenarios have been discussed. Using the advanced share options for NFS requires that both the Server for NFS role service and the File Server Resource Manager role service be installed. When File Server Resource Manager is available, you can configure extended properties of NFS shares, including the Folder Usage classification and quotas.