2008 R2 Services for NFS User Mapping setup RRS feed

  • Question

  • Hi,

    I set up an NFS share on Server 2008 R2. The server settings are as follows:

    nfsadmin server
    The following are the settings on localhost
    Locking Daemon Grace Period : 45 seconds
    Activity logging Settings : Mount,Read,Write
    Protocol for Portmap  : TCP+UDP
    Protocol for Mount   : TCP+UDP
    Protocol for NFS   : TCP+UDP
    Protocol for NLM   : TCP+UDP
    Protocol for NSM   : TCP+UDP
    Protocol for Mapping Server : TCP+UDP
    Protocol for NIS   : TCP+UDP
    Enable NFS V3 Support  : Enabled
    Renew Authentication  : Enabled
    Renew Authentication Interval : 600 seconds
    Directory Cache    : 128 KB
    Translation File Name  :
    Dot Files Hidden   : Disabled
    Case Sensitive Lookups  : Enabled
    NTFS Case     : Preserve Case
    NetGroup Source    : ldap
    NIS Server     :
    NIS Domain     :
    LDAP Server or AD Domain : <FQDN>
    LDAP naming context (DN) :

    and since 2008 does not support a User Mapping Service anymore, I want to look things up in the AD:

    nfsadmin mapping
    The following are the settings on localhost
    Mapping Server Lookup  : Disabled
    Mapping Server    :
    AD Lookup     : Enabled
    AD Domain     : <FQDN, same as above>

    The event log shows that the service seems to be happily communicating with the active directory, however I do not understand how mapping is supposed to work.

    If I set a windows ACL on a file in the share

    nfsfile /cw /r wu=USER /r wg=GROUP test.txt

    it looks good on the windows side

    nfsfile test.txt
    Start to process 'test.txt'...
    W -rwx------ <0700> DOMAIN\USER DOMAIN\GROUP

    however under linux the ids are broken (-2):

    /mnt <0> - ls -laF test.txt
    -rwx------ 1 4294967294 4294967294 7 Mar 30 09:06 test.txt*

    If I use UNIX ACL, it is the other way around. Windows does not understand what I mean:

    nfsfile /cx -r u=<uid> -r g=<gid> test.txt
    Start to process 'test.txt'...
    Successfully processed 1 files; Failed processing 0 files
    nfsfile test.txt
    Start to process 'test.txt'...
    X -rwx------ <0700> <uid> <gid> C:\Freigabe\test.txt

    Furthermore, this results in an ACL containing SIDs that are generated from the unix ids and have no meaning under Windows, e.g. S-1-5-88-1-<uid>.

    But, linux understands now

    /mnt <0> - ls -laF test.txt
    -rwx------ 1 USER GROUP 7 Mar 30 09:06 test.txt*

    I have no idea how this is supposed to work. I enabled mapping debug output in the registry (VerboseMappingFailureLogging=1), but I do not even understand which operations result in the errors I get in the event log, as they seem to pop up with a significant delay (yes, I have been hammering F5 to no avail). The errors state that NFsService can (of course) not look up uid/gid -2 in the LDAP.

    And yes, USER has exactly <uid> as uidNumber and <gid> as gidNumber in ADSI Edit.

    So: how am I supposed to work with this? When does mapping happen and on which data?
    I think it has been discussed often enough that the documentation on technet ( actually is still for Windows Server 2003 and only the 'applies-to' string was changed (this can be seen in the User Mapping Service description which does not exist anymore)


    • Edited by Guido.Reina Friday, April 8, 2011 2:29 PM formatted own text in italics so posting can actually be understood
    Friday, April 8, 2011 2:21 PM

All replies

  • Hi,

    Any luck with this.  I have the same problem.  If I chmod the directory from linux, it seems to change the DACL with the correct user name, but the group populate as SIDs.  I can tell the group by the GID at the end of the SID, but why doesn't it map it.


    Tuesday, August 9, 2011 8:00 PM