NFS Account Mapping Guide
Applies To: Windows Server 2008, Windows Server 2008 R2
Network File System (NFS) is a network file sharing protocol that allows remote access to files over a network. NFS implementations include an NFS server component, which enables the sharing of files for use by other networked computers, and an NFS client component, which enables computers to access files shared by NFS servers. NFS is typically used in networks with computers running UNIX, Linux, or Macintosh operating systems. These operating systems provide the ability to function as an NFS server or an NFS client.
Most NFS version 2.0 or 3.0 clients can access NFS shares on the Windows Server® 2008 R2 operating system. This document discusses NFS clients running UNIX operating systems. However, the same functionality is applicable to other operating systems, such as Linux or Macintosh operating systems.
NFS Account Mapping
The Services for NFS role service in Windows Server 2008 R2, Windows Storage Server® 2008 R2, Windows Server 2008, and Windows Storage Server 2008 provides the ability to function as an NFS server. These Windows Server operating systems also have the ability to function as an NFS client. All current Windows client operating systems provide NFS client capability based on the edition, such as Windows® 7 Ultimate and Enterprise editions.
For the remainder of this document, Windows Server collectively refers to Windows Server 2008 R2, Windows Storage Server 2008 R2, Windows Server 2008, and Windows Storage Server 2008 unless otherwise noted.
Windows and UNIX operating systems use different account and security systems. Windows operating systems represent users and groups with a unique security identifier (SID), while UNIX operating systems represent users with user identifiers (UIDs) and group identifiers (GIDs). Account mapping is the process of correlating the UNIX UIDs and GIDs to corresponding Windows user and group SIDs.
After installing and configuring the Services for NFS role service, you must select, install, and configure the appropriate NFS account mapping method. After completing these tasks, users on computers with an NFS client can access files and folders stored on Windows Server using the NFS protocol.
As illustrated in the following figure, Services for NFS in Windows Server can use account mapping to determine user access to NFS shares using:
Mapped user access that includes:
AD DS mapped user access, which maps UNIX identities to Windows identities in Active Directory® Domain Services (AD DS) as discussed in the "Configure NFS Account Mapping Using AD DS" topic.
AD LDS mapped user access, which maps UNIX identities to Windows identities in Active Directory Lightweight Directory Services (AD LDS) as discussed in the "Configure NFS Account Mapping Using AD LDS" topic.
Unmapped user access that includes:
Unmapped UNIX User Access, which maps UNIX identities to automatically generated Windows SIDs as discussed in the "Configure Unmapped UNIX User Access" topic.
Anonymous user access, which allows access without providing valid credentials as discussed in the "Configure Anonymous Access" topic.
AD DS mapped user access, AD LDS mapped user access, and anonymous access are available in Windows Server 2008 and later. The Unmapped UNIX User Access (UUUA) feature is new in Windows Server 2008 R2 and Windows Storage Server 2008 R2. For a list of other new features in Services for NFS in Windows Server 2008 R2 and Windows Storage Server 2008 R2, see "What's New in Services for NFS in Windows Server 2008 R2".
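The following is an added example, not part of the original guide, that audits the directory data AD DS mapped user access depends on. It assumes UNIX identities are stored in the RFC 2307 uidNumber and gidNumber attributes of user objects; the function name Test-NfsUidMapping and all sample accounts are constructed for illustration.

```powershell
# Added example: review UID/GID data used to correlate UNIX users with Windows accounts.
# Assumption: each input object exposes SamAccountName, uidNumber and gidNumber.
function Test-NfsUidMapping {
    param([Parameter(Mandatory = $true)] [object[]] $Account)

    $mapped = @($Account | Where-Object { $null -ne $_.uidNumber })

    # One UID on several Windows accounts makes the UID-to-SID correlation ambiguous.
    $mapped | Group-Object -Property uidNumber | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Issue    = 'DuplicateUid'
                Uid      = $_.Name
                Accounts = ($_.Group | ForEach-Object { $_.SamAccountName }) -join ', '
            }
        }

    foreach ($a in $mapped) {
        # UID 0 is root on UNIX clients; any Windows account carrying it deserves review.
        if ($a.uidNumber -eq 0) {
            New-Object PSObject -Property @{
                Issue = 'RootUidMapped'; Uid = '0'; Accounts = $a.SamAccountName
            }
        }
        # A UID without a GID is an incomplete UNIX identity.
        if ($null -eq $a.gidNumber) {
            New-Object PSObject -Property @{
                Issue = 'MissingGid'; Uid = "$($a.uidNumber)"; Accounts = $a.SamAccountName
            }
        }
    }
}

# Constructed sample data; no real accounts.
$sample = @(
    @{ SamAccountName = 'alice';   uidNumber = 1001;  gidNumber = 100 },
    @{ SamAccountName = 'bob';     uidNumber = 1001;  gidNumber = 100 },
    @{ SamAccountName = 'svc-nfs'; uidNumber = 0;     gidNumber = 0 },
    @{ SamAccountName = 'carol';   uidNumber = 1003;  gidNumber = $null },
    @{ SamAccountName = 'dave';    uidNumber = $null; gidNumber = $null }
) | ForEach-Object { New-Object PSObject -Property $_ }

Test-NfsUidMapping -Account $sample | Format-Table Issue, Uid, Accounts -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Test-NfsUidMapping -Account (Get-ADUser -LDAPFilter '(uidNumber=*)' -Properties uidNumber, gidNumber)
```

On the sample data this reports alice and bob as sharing UID 1001, svc-nfs as carrying UID 0, and carol as missing a GID; dave has no UNIX identity and is skipped.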
This document focuses on the following server roles and role services in Windows Server:
Services for NFS role service, which is part of the File Services server role
Active Directory Domain Services (AD DS) server role
Active Directory Lightweight Directory Services (AD LDS) server role
Although this document focuses on Windows Server 2008 R2 and Windows Storage Server 2008 R2, many of the same features and capabilities are applicable to Windows Server 2008 and Windows Storage Server 2008.