Believe it or not, Windows NFS is a thing. Microsoft has its own NFS server and client, which can leverage RFC compliant NFSv3 calls to a Windows Server running NFS server or to a 3rd party NFS server, such as NetApp ONTAP. It’s actually so popular, that NetApp had to re-introduce it in clustered ONTAP (it wasn’t there until ONTAP 8.2.3/8.3.1).
While Windows NFS currently provides NFSv3 clients, they don’t have NFSv4.1 clients – yet. They do provide NFSv4.1 as a server option, though:
I cover Windows NFS support in TR-4067 starting on page 116. I am bringing this topic up because it has come up again recently and I wanted to create a quick and easy blog to follow, as well as call out how you can integrate AD LDAP to help identity management.
There are a few things you have to do to get it working in ONTAP.
- enable -v3-ms-dos-client option on the NFS server
- enable -showmount on the NFS server – this prevents some weirdness with writing files
- disable -enable-ejukebox and -v3-connection-drop
The command would look like this:
cluster::> set advanced cluster::*> nfs server modify -vserver DEMO -v3-ms-dos-client enabled -v3-connection-drop disabled -enable-ejukebox false -showmount enabled cluster::*> nfs server show -vserver DEMO -fields v3-ms-dos-client,v3-connection-drop,showmount,enable-ejukebox vserver enable-ejukebox v3-connection-drop showmount v3-ms-dos-client ------- --------------- ------------------ --------- ---------------- DEMO false disabled enabled enabled
Once that’s done, you can mount via NFS inside Windows clients using the standard “mount” command, provided you’ve enabled the Services for UNIX functionality. There’s plenty of documentation out there for that.
Just by doing the above, here’s an example of a working NFS mount in Windows:
C:\Users\Administrator>mount DEMO:/flexvol X: X: is now successfully connected to DEMO:/flexvol The command completed successfully.
Here’s the cluster’s view of that connection:
ontap9-tme-8040::*> network connections active show -node ontap9-tme-8040-0* -service nfs*,mount -remote-ip 10.193.67.236 Vserver Interface Remote CID Ctx Name Name:Local Port Host:Port Protocol/Service --------- --- --------- ----------------- -------------------- ---------------- Node: ontap9-tme-8040-02 2968991376 4 DEMO data:2049 oneway.ntap.local:931 TCP/nfs
When I write a file to the mount, there is something that can prove to be an issue, however. Users other than Administrator will write as UID/GID of 4294967294 (-2).
ontap9-tme-8040::*> vserver security file-directory show -vserver DEMO -path /flexvol/student1-nfs.txt Vserver: DEMO File Path: /flexvol/student1-nfs.txt File Inode Number: 1606599 Security Style: unix Effective Style: unix DOS Attributes: 20 DOS Attributes in Text: ---A---- Expanded Dos Attributes: - UNIX User Id: 4294967294 UNIX Group Id: 4294967294 UNIX Mode Bits: 755 UNIX Mode Bits in Text: rwxr-xr-x ACLs: -
That means users won’t show up properly/as desired in UNIX NFS mounts. For example, this is that same file from CentOS:
[root@centos7 /]# cd flexvol [root@centos7 flexvol]# ls -la | grep student1-nfs -rwxr-xr-x 1 4294967294 4294967294 0 Feb 5 09:18 student1-nfs.txt
So, how does one fix that?
Configuring Windows NFS clients to negotiate users properly
There are a few ways to have users leverage UID/GID other than -2.
One way is to “squash” every NFS user to the same UID/GID via the old Windows standby – the Windows registry. This is useful if only a single user will be using an NFS client.
This covers how to do that:
Some of the third party NFS clients (such as Cygwin and Hummingbird/OpenText) will provide local passwd and group file functionality to allow you to leverage more users. In some cases, all this does is add more registry entries.
Another was is to chmod/chown the file after it’s written. But that’s not ideal.
The best way is to leverage an existing name service (such as NIS or LDAP) and have Windows clients query for the UID and GID. If you have one already, great! It’s super easy to set up the client. Just run the following command as an administrator in cmd. My NTAP.LOCAL domain already has an LDAP server set up:
C:\Users\administrator>nfsadmin mapping WIN7-CLIENT config adlookup=yes addomain=NTAP.LOCAL The settings were successfully updated.
Once I did that, I wrote a new file and the UID/GID was properly represented:
ontap9-tme-8040::*> vserver security file-directory show -vserver DEMO -path /flexvol/prof1-nfs.txt Vserver: DEMO File Path: /flexvol/prof1-nfs.txt File Inode Number: 1606600 Security Style: unix Effective Style: unix DOS Attributes: 20 DOS Attributes in Text: ---A---- Expanded Dos Attributes: - UNIX User Id: 1100 UNIX Group Id: 1101 UNIX Mode Bits: 755 UNIX Mode Bits in Text: rwxr-xr-x ACLs: - ontap9-tme-8040::*> getxxbyyy getpwbyname -node ontap9-tme-8040-01 -vserver DEMO -username prof1 (vserver services name-service getxxbyyy getpwbyname) pw_name: prof1 pw_passwd: pw_uid: 1100 pw_gid: 1101 pw_gecos: pw_dir: pw_shell:
If you’re interested, a packet trace shows that the Windows client will communicate via encrypted LDAP to query the user’s UNIX attribute information:
An added bonus of having Windows clients query LDAP for UNIX user names and groups for NFS on ONTAP is that if you’re using NTFS security style volumes, you won’t have issues connecting to those mounts.
What breaks when doing NTFS security style?
When a UNIX user attempts to access a volume with NTFS security style ACLs, ONTAP will attempt to map that user to a valid Windows user to make sure Windows ACLs can be calculated. (I cover this in Mixed perceptions with NetApp multiprotocol NAS access)
If a user comes in with the default Windows NFS ID of 4294967294 (which doesn’t translate to a UNIX user), this is what happens.
- The UNIX user 4294967294 tries to access the mount.
- ONTAP receives a UID of 4294967294 and attempts to map that to a Windows user
- That Windows user does not exist, so access is denied. This can manifest as an error (such as when writing a file) or it could just show no files/folder.
That particular folder does have data. It’s just that the user can’t see it:
In ONTAP, we’d see this error, confirming that the user doesn’t exist:
2/5/2019 14:31:26 ontap9-tme-8040-02 ERROR secd.nfsAuth.problem: vserver (DEMO) General NFS authorization problem. Error: Get user credentials procedure failed [ 15 ms] Hostname found in Name Service Cache [ 19] Hostname found in Name Service Cache [ 23] Successfully connected to ip 10.193.67.236, port 389 using TCP **[ 28] FAILURE: User ID '4294967294' not found in UNIX authorization source LDAP. [ 28] Entry for user-id: 4294967294 not found in the current source: LDAP. Ignoring and trying next available source [ 29] Entry for user-id: 4294967294 not found in the current source: FILES. Entry for user-id: 4294967294 not found in any of the available sources [ 44] Unable to get the name for UNIX user with UID 4294967294
With LDAP involved, access to the access to the NFS mounted volume with NTFS security works much better, because ONTAP and the client agree that user 1100 is prof1.
So, uh… what if I don’t have LDAP or NIS?
Well, in a Windows domain, you ALWAYS have an LDAP server. Active Directory leverages LDAP schemas to store information and any version of Windows Active Directory can be used to look up UNIX users and groups. In fact, the newer versions of Windows make this very easy. In older Windows versions, you had to manually extend the LDAP schema to provide UNIX attributes. Now, UNIX attributes like UID, UIDnumber, etc. are all in LDAP by default. All you have to do is populate these values with information. You can even do it via PowerShell CMDlets!
Once you have a working Active Directory LDAP environment, you can then configure ONTAP to communicate with LDAP for UNIX identities and you’re well on your way to having a scalable, functional multiprotocol NAS environment.
The one downside I’ve found with Windows NFS is that it doesn’t always play nicely when you want to use SMB on the same client. Windows gets a bit… confused. I haven’t dug into that a ton, but I’ve seen it enough to express caution. 🙂