Servers used: RHEL 7.6 as the NFS server and Windows 2016 as the NFS client
In this scenario, we have an NFS server up and running with shares mounted across different Linux clients. The requirement is that one of the existing shares, or a new share, needs to be mounted on a Windows server with read/write access for an AD user.
Installing NFS Client on Windows Server
Windows has a built-in feature to support NFS. However, it is often not enabled by default, so we need to install this “optional feature” first.
Log in to the client server. Ensure that you have admin rights on that server in order to do this.
- Start the command console as the administrator (Click Start > All Programs > Accessories > Windows PowerShell or Command Prompt)
- Right-click Windows PowerShell or Command Prompt, and select Run as administrator.
- Verify that the feature is available using the command Get-WindowsFeature -Name NFS*
- You should get output as shown below:
Display Name            Name          Install State
------------            ----          -------------
[ ] Client for NFS      NFS-Client    Available
- This shows that the feature is available, but not installed.
- Run the command Install-WindowsFeature -Name NFS-Client to install the feature. Alternatively, you can go through the Add Roles and Features options with plenty of clicks; the command line is always the easier way.
PS C:\Users\Admin_test> Install-WindowsFeature -Name NFS-Client
Success    Restart Needed    Exit Code    Feature Result
-------    --------------    ---------    --------------
True       No                Success      {Client for NFS}
Now that the NFS Client feature is enabled, it needs to be configured.
Configure NFS Client on Windows server
By default, the NFS client in Windows uses an anonymous UID and GID value of -2. This often works for just mounting, but causes trouble when you try to insert or update contents.
- Open a command prompt as admin and run the command
nfsadmin client stop
This will stop the NFS client services on your system.
- We need to set the anonymous UID and GID to 0 for this to work better. Start regedit (click the Windows search button and type regedit) to enter the registry editor.
- Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ClientForNFS\CurrentVersion\Default
- In the main window, right-click and select New > DWORD 32-bit Value. Set the name as AnonymousGID.
- Right-click and select New > DWORD 32-bit Value again. Set the name as AnonymousUID.
- Double-click on AnonymousGID and AnonymousUID in turn, and set the value to 0 and the base to Decimal for each.
- Click OK.
- Close Regedit.
- In the command prompt opened as admin, type
nfsadmin client start
- Run the following command in a command prompt (not PowerShell) to set the NFS configuration:
nfsadmin client localhost config fileaccess=755 SecFlavors=+sys -krb5 -krb5i
Now that the NFS client is configured, we need to export the directory on Linux so it can be shared.
Exporting directory in Linux with correct parameters
If Linux is using AD authentication, the NFS export features may not work well with AD. So it is better to use an anonymous user with correct permission settings. This way we avoid the security risk of giving full read-write access to everyone (user, group and others). People tend to set permission level 777 on folders as an easy fix; however, this invites more security risk.
An NFS server on Linux always has a user called nfsnobody. When we mount a share elsewhere with the anonymous option, nfsnobody works well with that. However, we need to set its UID and GID correctly on the share we export.
- Find out the nfsnobody UID and GID using the command
grep nfsnobody /etc/passwd
- Often this will be 65534.
- Now export your share with the options
rw,sync,no_root_squash,all_squash,anonuid=65534,anongid=65534
- If you are using /etc/exports, the content will look like this:
/etc/exports:
/test_nfs_share *(rw,sync,no_root_squash,all_squash,anonuid=65534,anongid=65534)
- The “all_squash” option maps all client requests to a single anonymous uid/gid on the NFS server.
- If you are using an NFS cluster on the RHEL native cluster, update the pcs resource with the following command:
pcs resource update NFS_test_Share options=rw,sync,no_root_squash,all_squash,anonuid=65534,anongid=65534
- Set the folder permission:
chown nfsnobody:nfsnobody /test_nfs_share
chmod 770 /test_nfs_share
- If you are using an NFS cluster as stated above, don’t forget to refresh the resource using the command:
pcs resource refresh NFS_test_Share
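An added example (not part of the original post) that checks the settings from this section: it parses exports-style text and reports entries that lack all_squash or whose anonuid/anongid differ from the expected nfsnobody values, and it checks that an exported directory is owned by that user and closed to others. The function names, the /scratch entry and the sample text are constructed for illustration; 65534 is the value the post reports for nfsnobody.

```python
import os
import re
import stat

# Constructed sample: the first line is the export shown on this page,
# the second is a made-up entry that lacks the squash settings.
SAMPLE_EXPORTS = """\
/test_nfs_share *(rw,sync,no_root_squash,all_squash,anonuid=65534,anongid=65534)
/scratch        *(rw,sync)   # constructed weak entry
"""

def parse_exports(text):
    """Yield (path, host, options) per client entry; quoted paths and line continuations are not handled."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = re.fullmatch(r"([^()]*)\((.*)\)", client)
            host, raw = m.groups() if m else (client, "")
            opts = dict(o.partition("=")[::2] for o in raw.split(",") if o)
            yield path, host or "*", opts

def check_export(opts, anon_uid, anon_gid):
    """Return findings for one entry's squash options."""
    findings = []
    if "all_squash" not in opts:
        findings.append("all_squash missing")
    if opts.get("anonuid") != str(anon_uid):
        findings.append("anonuid mismatch")
    if opts.get("anongid") != str(anon_gid):
        findings.append("anongid mismatch")
    return findings

def check_directory(path, anon_uid, anon_gid):
    """Return findings for ownership and mode of the exported directory."""
    st = os.stat(path)
    findings = []
    if (st.st_uid, st.st_gid) != (anon_uid, anon_gid):
        findings.append("not owned by the anonymous uid/gid")
    if st.st_mode & stat.S_IRWXO:
        findings.append("mode %o grants access to others" % stat.S_IMODE(st.st_mode))
    return findings

if __name__ == "__main__":
    for path, host, opts in parse_exports(SAMPLE_EXPORTS):
        print(path, host, check_export(opts, 65534, 65534) or "ok")
```

On the NFS server, pass the contents of /etc/exports to parse_exports and call check_directory on each exported path with the UID and GID found for nfsnobody.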
That’s all. We are now ready to mount the share on a Windows server that is allowed to mount it. You can do this in either of the 2 ways given below:
- Via the command line:
mount -o anon \\<nfs server>\<exported share path> <drive letter>:
- Open My Computer –> This PC –> Computer (in the top menu) –> Map Network Drive
Your share is now ready and you can write contents to it.