AD Lookup with ADAM/ADLDS

With removal of UNM in Vista/W2K8, it became really problematic to map users in non-AD environments to use with Vista/LH NFS Servers and Clients. For client, a workaround was discovered which was essentially a registry tweak and did allow more than user to be able to access the resources. Now, a guide exists that details the steps to install and configure ADLDS (Active Directory Lightweight Directory Services) and to use it with NFS for UNIX identity information source. I have not worked on ADAM but I suppose the steps would apply to ADAM. Although, ADAM is not supported on Vista, the word is that it works so if it is absolutely necessary to use ADAM on Vista - it shouldn't be difficult to get it to work.

While one of my colleague got it to work, it seems that the point is easily missed that the NFS Server or Client system should have all the users accounts created locally as well as in ADLDS to get this solution to work. That's some extra work.

Using ADLDS also makes it easy to replicate one ADLDS instance with another instance running on another computer with little efforts. This can help avoiding a single point of failure and to provide a mechanism where the ADLDS administration can be centralized. ADLDS would also make case when NFS/ADLDS should be used in isolated environments. Isolation can also be achieved using proxy object in ADLDS.

I haven't worked on ADLDS extensively but planning it now. If you have something to add to this post, please do so by way of comments for the benefit of others.

BTW, the guide is accessible here.

Removal of technology: Services for Macintosh (SFM)

This seems a little strange and SFM is being talked about on this blog. Well, SFM is one of the technologies that we support along with UNIX Interoperability components like NFS, NIS and SUA.

Anyways, this is not news and people who have used SFM would have noticed by now that SFM is not part of Windows Server 2008 and later releases. This technology has been in the maintenance mode since long and didn't change much since the Windows NT 4.0 days. Nevertheless, it was a very useful component and even today we come across a lot of customers leveraging it for Mac intoperability.

Removal of SFM - in a way paves - way for NFS to be used from Mac clients since Mac OS X comes with a NFS client. it also means that if you are using SFM now and have plans to upgrade to Windows Server 2008 - it's time that you derive a backup plan.

What can you do now?
You can switch to 3rd party AFP servers available out there if you have Mac applications that still look for resource forks. To the best of my knowledge - even though SMB is capable of handling alternate data streams such as resource forks found on Mac systems - the SMB client that ships with Mac OS X doesn't handle it well and splits the forks as separate files when copying. The NFS protocol is not an option since it doesn't handle the altername data streams as well.

Can I Set Up User Name Mapping in Windows Vista?

Unfortunately, no if you don't have a SFU 3.5 or W2K3 R2 machines on the network that is running User Name Mapping service. This has been a major disappointment with NFS deployments using Windows Vista.

However, there is a tiny little good news for you if you are looking for a way to enable Client for NFS in Windows Vista to be able to do something other than anonymous mounts. There is a registry tweak that you can modify to tweak Vista NFS client to use a pair of UNIX UID and GID while mounting and accessing NFS shares.

Here's how you can do it -

• Start Registry Editor
• Locate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ClientForNFS\CurrentVersion\Default
• Create two DWORD values namely AnonymousUid and AnonymousGid
• Set these values to the UID and GID you would like this NFS client to use
• Restart your Client for NFS service using the Microsoft Services for NFS MMC snap-in

Go ahead and mount shares on this machine and now the Client for NFS driver will send those values as the UID and GID to the NFS server. You can also use the mount command without any parameters to verify if these values are being used. You should see something like this -

C:\>mount

Local    Remote                                 Properties
-------------------------------------------------------------------------------
x:       \\NFSSERVER\NFSSHARE                   UID=10012, GID=10011
                                                rsize=8192, wsize=8192
                                                mount=soft, timeout=1.6
                                                retry=1, locking=yes
                                                fileaccess=644, lang=ANSI
                                                casesensitive=no

Try creating a file on the share and on the UNIX box, you can see that they bear the same UID and GID values as we have mentioned in the above DWORD values. If you use the ls command that comes with SUA, you will not see the correct ownership information because the client is still doing anonymous mounts and as you might have guessed already - we are just changing the UID and GID that the client is sending to the server. It is more like squashing from a client side instead of doing it from the server.

There's a security consideration as well - Every user on this machine will start sending these same NFS credentials so if you are going to have multiple users using this machine - think carefully about using this registry tweak. You also will not be able to use any secondary groups. I guess that can also be a consideration for many environments.

BTW, this works the same way on Windows 7 Beta box ;)

NFS and SUA in Windows 7

Finally, the Windows 7 beta is released to the public and we can now experience it ourselves. The PSS people in Microsoft are always excited to try their hands on the latest betas and Windows 7 is not an exception.

The first thing that we did, after exploring the new GUI experience, was to add Client for NFS and Subsystem for UNIX-based Applications (SUA) components. The addition is completely alike Windows Vista so no surprises here but it was much faster than Vista. The management is also the same with almost no visible difference.

But, things are really better underneath – there have been a lot of bug-fixes in both – Client for NFS and SUA – both.

On the NFS front, the User Name Mapping support (not the UNM component itself – like Vista) is there. Perhaps, the biggest change to notice is newly added support for KRB5/KRB5i security mode to come up to the mark with latest technologies available. More information is not available on this as of now and I will post new information as soon as it is available.

On SUA front, there are talks of a lot of improvement in terms of bug fixes. The SDK for Win7 is not released as of now and we expect it to be available only during Win7 RC phase.

Limitation with Active Directory Lookup feature in Microsoft Services for NFS

The Active Directory Lookup feature that was introduced with Windows Server 2003 R2. This feature greatly simplifies the UNIX identity information management but has its own set of limitation. I thoughy I'll document them here -

1. If you are using Client for NFS in conjunction with Active Directory lookup, the client will not send the secondary groups information of the user to the server. This is a limitation in the RFC2307 specifications because it doesn't define a place to store this information with the user object itself. The only way to get this information would be to query all the groups and maintain a cache of this information for future use. This is expensive on the performance side. I have not had exposure to 3rd party NFS servers offering RFC2307 support so not sure how it works with them. You are welcome if you can share some information on this aspect. Please use the comments form to do so.

2. The UIDs and GIDs fetched seems get lost after a while and unless you unmount and remount the share, it doesn't list the correct user and group names on the file. A user can get his information to be refreshed by doing something as simple as running cat command on the files he owns but it will still show the other files owned by nobody/nogroup which belong to other users. This is being worked on and I hope there's a fix for this soon.

UPDATE 06/24: The hot fix for the AD Lookup issue mentioned above has been released publicly. The associated knowledgebase article number is 969874 and this can be accessed here. Please note the fix is only required on Windows Server 2008 systems. In Windows Server 2003 R2, this problem can be worked around by changing the domain name to NETBIOS domain name in the NFS configuration.

Set up Services for Network File System in Windows Server 2008

The Microsoft Services for NFS continues to be the part of the operating system in Windows Server 2008 and seems we will see more improvements when Windows Server 2008 R2 is released.

In Windows Server 2008, a major change from the Windows Server 2003 R2 is the elimination of User Name Mapping service. Although, you can still use an existing UNM server to fetch the UNIX Identity information on a Windows Server 2008 system, it doesn't provide an option to install it on W2K8 system.

The other and newer option to use is Active Directory Lookup that debuted with Windows Server 2003 R2 and is yet to get accepted widely.

Using this feature, you can configure the Server for NFS and Client for NFS to directly fetch the UNIX identity information from Active Directory. This feature simplifies the identity management because now you just have to populate the information in just your Active Directory backend and it can be used to identify the UNIX users accessing the Windows NFS shares.

There are some glitches with this feature that I'll talk about in a post of its own. For now, let's move on to find out how we can enable the NFS services on a Windows Server 2008 box.

You can install Services for Network File System using the Add Roles Wizard from the Server Manager. To install Services for Network File System feature, the File Server role must be installed if it has already not been done. If the File Server role has not been added already, you can add this role and the Services for Network File System feature in a single go.

To get started, start Server Manager and click on the Add Roles link to start the Add Roles wizard. After you have followed the screens below, the necessary components and services will be added to your system -

From now on, you can manage most of the server and client configuration option from the Services for Network File System MMC snap-in -

To configure how it should fetch the UNIX identity information, right click on the top most node in the left pane in this MMC snap-in and click on Properties. You will be presented with the following dialog box and you can make your choices to use Active Directory Lookup by providing your Active Directory domain name and/or the server name of the system running User Name Mapping service -

Note: Active Directory Lookup feature is RFC2307 compliant and will work only when you have populated the RFC2307 attributes for the user and group objects in Active Directory. The attributes uidNumber and gidNumber contain the unique UID and GID information for users and groups.

The sharing of the folders over NFS remains more or less same as seen in the following screen shots -

UNIX side activities after you have installed the Services for Network File System and have exported some folders over NFS are same as documented here - http://blogs.msdn.com/sfu/pages/mounting-nfs-share-on-nfs-client.aspx

I was looking at the referrals this blog gets and I noticed that a lot of times people look for information on Client for NFS in Services for UNIX, Windows Server 2003 R2 or in Windows Vista and come to this blog, but I don't really have much useful information on installation, configuration and performance on Client for NFS. Now, that will not be the case.

I have received requests to put together something about Client for NFS since there doesn't seem to be a detailed single document which talks about it. There are KB articles which cover installation and configuration of Client for NFS. There are also some of them about issues and registry settings to help optimize the settings for CNFS.

Since it has also been a long time I have spent time on this blog, I guess it's high time I talk about Client for NFS and add some value to my blog.

Client for NFS is a very important offering from Microsoft for small and big enterprises to integrate their Windows systems with existing UNIX based environment. It now comes with RFC2307 support as well. It's one of the most simple component among Services for UNIX components. Client for NFS doesn't really ask for any configuration/restarts in most of the installations and offers true out-of-the-box NFS connectivity. You can see in the following screen shot how Client for NFS can be added/removed if Services for UNIX software is already installed -

In Windows Server 2003 R2, you can find CNFS listed in "Microsoft Services for NFS" under "Other File and Print Services" -

And, on a Windows Vista Enterprise/Ultimate systems, here's how you can add it -

Once you have installed Client for NFS, you are ready to start connecting to UNIX NFS shares where anonymous access is allowed. If your environment doesn't have any such shares to test connectivity, you now need to configure this system to fetch UNIX identity information from an existing User Name Mapping server or configure one if it is not already running.

See these posts to learn more about User Name Mapping, especially Configuring User Name Mapping, Configuring User Name Mapping - Part 1, Configuring User Name Mapping - Part 2 (Simple Mapping) and Configuring User Name Mapping - Part 3 (Advanced Mapping).

With Windows Server 2003 R2 and Windows Vista, you can configure Client for NFS to directly fetch this information from AD if it's already there since they offer RFC2307 support. In fact, you can use any RFC2307 compliant directory service.

Configuration for Client for NFS is over with this and you can start using it. To connect to NFS shares, you can use the same built-in mechanisms as you would with a normal Windows share. In fact, you also get to use the familiar mount command to use.

Run the nfsadmin client command to see what options Client for NFS is configured to use. It might show something like this and is self-explanatory -

The File Setting in the above screen shot is the UMASK value Client for NFS will use when you create a new file or a folder on an NFS mount.

You can use NET command, the mount command which comes with it or the "Map Network Drive..." to map a drive to remote NFS shares. You can also browse the network and look for system which export NFS shares using "Network Neighborhood" or "My Network Places" since Client for NFS adds "NFS Network" under "Entire Network" for people who find it easier to search for machines they would like to connect to.

The mount command is useful because it lets you override the default parameter which applies to the NFS connections from this computer. The help for mount command can be displayed by running it with /? command line switch -

It uses a similar syntax like the NET USE command but it's not completely identical. For example, following is what you can use to map z: drive a remote NFS export -

mount \\servername\sharename z:

On the performance side, Client for NFS is tuned with parameters which suit most of the environments, but still there are things which can be tweaked to see if it helps you the way you want it -

1. Read and Write buffers - This can tuned from the MMC snap-in or per mount using the mount command. If you do it using the mount command, the syntax will look like -
   mount -o rsize=16,wsize=16 \\servername\sharename drive
   The default is 32 KB and works perfectly in most of the scenarios.
   
   
2. Case-sensitive mounts - Since Windows is not case-sensitive, enabling case-sensitive option while mounting the NFS shares can reduces the time taken to look up a file on the server. When this is option is not turned on (which is the default behavior), Client for NFS can perform multiple lookups to locate a single file and that will show up as a performance problem
   This can only be done using the mount command and the syntax to do this is -
   mount -o casesensitive \\servername\sharename drive:
   
   
3. 8.3 name cache - As with Windows, Client for NFS also generates a 8.3 format name for the files on the NFS shares being accessed using Client for NFS. This adds up to the processing overhead. Turning off this option is recommended for performance gain. This is done with a registry change and this KB article explains the steps.
   8.3 name generation in Windows Server 2003 R2 and later releases are permanently turned off for the same reason.
   
   
4. NFS Caching - NFS v3 uses caching to improve performance but this can be problematic in certain scenarios. Create "RemoteWriteCache" and "FileAttributeCache" DWORD values under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Client for NFS\CurrentVersion\Users\Default\Cache and set these to 0 to disable caching.
   
   
5. Folder Content Caching - Client for NFS also caches the folder contents for 30 seconds to avoid performing lookups to the NFS servers. This can sometimes result in delayed folder content refresh. Follow the steps in this knowledgebase article to disable it.
   Set this registry setting to a value between 5-25.

Something worth taking a note - although the settings related to different aspects of caching may improves things on the client side, they can have performance percussions on the server side because when caching is not at work, the client may place more calls to the server and depending on the server and network conditions, it may cause the server to sweat more than it would normally. It's completely up to you to decide who would you like to work more for you - NFS client or the server.

Configuring User Name Mapping - Part 3 (Advanced Mapping)

Simply said - when you map users and groups manually with their UNIX counterparts, it's called Advanced Mapping.

From the last post on User Name Mapping, you may be aware that Simple Mapping automatically creates maps for all users and group who have the same names in your Windows and UNIX environment. It is possible that you aren't lucky enough to have the same names for users and groups in both the environments. Sometimes, you would want better control on this aspect and may not want to map all the users and groups automatically.

Advanced mappings can be used in such cases. Easy to configure - turn off Simple Maps in User Name Mapping Configuration and map them manually. You can read this page to see how it can be done in a Windows Server 2003 R2 environment.

In Services for UNIX 3.x environments, you can do by using the Services for UNIX Administration console. Select User Name Mapping in the left pane, define the UNIX data source and click on Apply -

To proceed further, click on Mappings in the right pane. You can now click on Show User Mappings or Show Group Mappings depending on what you want to do -

Now, you can display the users/groups in both Windows and UNIX side. Select the objects in both lists and click on Add. You're done.

Configuring User Name Mapping - Part 2 (Simple Mapping)

Continuing the discussion from Configuring User Name Mapping - Part 1 -  I will explain how to get Simple Mappings done in this post.

To rephrase, User Name Mapping (UNM) bridges the gap between the different user identification used in Windows and UNIX worlds. It's SID which identifies an object in Windows and Active Directory environment but it's UID and GID when it's a UNIX system in question. UNM is also a core authentication component in SFU World. When we are using it in conjunction with Server for NFS, UNM authenticates the incoming NFS access requests. With Client for NFS, it determines the effective UID and GID to be sent with the NFS requests to UNIX NFS servers.

UNM also provides a single point identity mapping database for all the machines running Server for NFS, Client for NFS and Interix/SUA components. For people looking for availability and clustering capabilities - you can configure UNM Server Pools and you can also run UNM on cluster nodes to achieve load balancing.

More on it later, back to Simple Mapping...

To match the Windows and UNIX identities, UNM uses Windows SAM or Active Directory to identify Windows users and UNIX files (/etc/passwd and /etc/group) or NIS domains as sources for identifying user and group information from UNIX perspective. This information is then mapped using Advanced and Simple Maps. Advanced maps are the ones that you create manually using the Administration Console while the Simple Maps are created automatically between the users and groups which have same names in Windows and UNIX databases.

It doesn't take much when creating Simple Maps apart from configuring basic things (I am assuming that you have installed the User Name Mapping service already and it's started).

First, you need to copy over the /etc/passwd and /etc/group files from your UNIX systems. Filter/Merge them so that they don't have any system account and duplicate UID/GID allocations. Now you can run this command -

mapadmin adddomainmap -d NTDomain -f Passwd/GroupDirectory

This command enables the Simple Mapping between the users and groups in Windows domain which is specified in place of NTDomain and the UNIX passwd/group files which have been stored under the directory specified in place of Passwd/GroupDirectory.

Now, you can run the following command to list all the maps -

mapadmin list -all

This lists all the maps which have been created. From my lab system -

The first command we ran is equivalent of making the following changes using the GUI -

1. Defining the UNIX files as the data source -
   
   
   
2. Enabling Simple Maps -
   
   
   
3. Displaying the Simple Maps -
   
   

It also takes care of enabling and creating Simple Maps for groups.

This KB article talks about installation and more command line options. I will soon post information in the form of Part 3 on UNM and talk about Advanced Mappings.

SFU hot fixes in email

Like any other Microsoft hot fix, you can also receive SFU hot fixes in your inbox - http://go.microsoft.com/?linkid=6294451

All you need is the KB article number which describes the fix you need. While we are talking about it, the following is also important to note -

"Hotfix Information

A Hotfix is a single package that includes one or more files that is used to address a very specific customer problem with a product. A supported Hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in the previous mentioned article. Only apply it to systems that are experiencing this specific problem. This Hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this Hotfix."

Why am I talking about it here?
At first, it doesn't sound like has anything to do with SFU or UNIX Interoperability components shipped with Windows. But, then users who use these components know that hot fixes get them out of many problems. I am sure a lot of them would prefer getting the hot fix using this form instead opening a case.

Before you rush to request the latest and greatest fixes for SFU or R2 components - be informed that there are a few of them which have very specific prerequisites and if they are not fulfilled, you may run in to other issues. Read below to know about them -

KB913030 - Applies only to Services for UNIX 3.5
You can install this hot fix on any system that's running Interix Subsystem, Server for NIS or Password Synchronization. It doesn't create any problems but is mentioned here since it contains some stability and reliability update for Interix subsystem and some utilities. You should install this fix before you install any other Interix subsystem hot fix which is newer than this one.

KB921599 - Applies only to Services for UNIX 3.5
Many people get confused with the information in the Kb article. This hot fix again applies only to Services for UNIX 3.5 Server for NIS and Password Synchronization components. You need this hot fix only if you have added a Windows Server 2003 R2 DC (or upgraded one of the DCs to R2) AND have also installed Server for NIS Identity Management for UNIX (IdMU) component which comes with Windows Server 2003 R2.

Since IdMU components in R2 use RFC2307 schema classes and attributes, when you install these components in SFU 3.5 environment, the installation process upgrades all of the NIS objects (NIS Domains, maps, users, groups etc.) to use R2 schema enhancements. This breaks Services for UNIX 3.5 Server for NIS and Password Synchronization components since they use a different schema. Installing this hot fix updates the SFU 3.5 Server for NIS and Password Synchronizarion binaries to use RFC2307 classes and attributes and helps SFU 3.5 and R2 IdMU components to co-exist.

KB936529 - Applicable to Services for UNIX 3.5
The previous post talks about it. Windows Server 2003 Service Pack 2 installation breaks SFU 3.5 Interix Subsystem and Password Synchronization components and this hot fix helps you to undo that. This hot fix should not be installed on Windows Server 2003 R2 SP2 systems because if you are using Password Synchronization IdMU component, this hot fix replaces the pswdsync.dll file with the one meant for SFU 3.5. As a result, Password Synchronization stop working.

If you have any questions about any SFU hot fixes, please use the Email button on the blog side bar and shoot me a mail.

This post discussed about a problem with SFU 3.5 Interix and Password Synchronization components which break when you install Windows Server 2003 Service Pack 2. It also lists steps to fix it manually using files from another hot fix.

Microsoft has released a new hot fix - KB936529 - which fixes this issue and removes the burden of replacing the correct files manually.

If you've installed Windows Server 2003 Service Pack 2 and running in to this problem, please get this hot fix from PSS and install it. Make sure you don't install this hot fix on an R2 system because that may break correponding R2 components.

Configuring User Name Mapping - Part 1

On this page, I have put some information about how you can configure User Name Mapping. It doesn't have the complete step-by-step kind of touch to it since that article was all about getting Server for NFS to work.

To do justice to User Name Mapping, I am beginning a series of posts which discusses different UNIX environments and how they can be used with User Name Mapping to allow Windows systems to interoperate with UNIX environment and help migrating data from UNIX systems to Windows. This post, again, will not have step-by-step guide to configure User Name Mapping. That's something to follow in the next posts.

A typical UNIX environment may use local files (/etc/passwd and /etc/group) to manage authentication and manage access. In addition to local files, a UNIX system can also make use of NIS and LDAP to authenticate users centrally. Having centralized authentication make more sense if people need to access data on NFS servers – more so because all NFS cares about is UIDs and GIDs to allow access to data.

If an environment doesn't have centralized control on user and group accounts, it presents many challenges when it comes to security and managing unique UIDs and GIDs across all UNIX systems. NIS and LDAP reduce this overhead and provide easy to manage repository of user and group accounts. They also provide mechanisms such as netgroups to further strengthen security on NFS shares.

If your environment doesn't use NIS or LDAP for authentication and if your users and groups are scattered on different UNIX systems having their own user and group naming conventions and the UIDs and GIDs are duplicated between them – you really need to make a lot of changes before you can reap the benefits of UNIX interoperability components shipped with Windows and Services for UNIX 3.5 product.

To start with – you would need to ensure that your users and group have unique UIDs and GIDs and there are no conflicts across all systems.
You, of course, need to ensure that the user and group names are unique too.

Most difficult part is to plan and change UIDs and GIDs on UNIX systems. It’s not easy but you follow some simple steps to get it done sooner than later -

1. Allocate a range of UIDs and GIDs for each of your UNIX system. This range needs to be calculated based on the number of users and groups created on them.
2. Changing the UIDs and GIDs can be done quickly using the awk command. A simple awk script can scan the /etc/passwd and /etc/group files and change the UIDs and GIDs based on the range you allocated in first step.
3. Changing UIDs and GIDs will immediately result in access being revoked on the local and remote file system resources since it’s based on UIDs and GIDs and not names of the users and groups. However, you can run a find command with the right syntax to search for the files and directories owned by a user’s old UID and change it to the new UID. Same applies for groups.
   It becomes really easy if you can put together a script which searches and changes UIDs and GIDs on files and folders simultaneously when changing the UIDs and GIDs in /etc/passwd and /etc/group files.
4. Depending upon how it worked earlier, you might also have to look for accounts which belong to same users and groups on different UNIX systems and match their UIDs and GIDs so that they have same values on all of those systems.
5. Last and most important part is to now combine /etc/passwd and /etc/group files from all of the systems and form a single master database.
   You can very well use this database to implement a centralized authentication using NIS. Check back later on this blog to look for the steps to do that.

For now, you need to move this master database to the server running the User Name Mapping service and use it configure appropriate user and group mappings.

On the other hand, things become really easy if you have NIS or LDAP already running in your environment – User Name Mapping can directly connect to your NIS servers and fetch the details to create mappings for user and group accounts.

Server for NFS and Client for NFS which ship with Windows Server 2003 R2 and Windows Vista can also talk to your RFC2307-compliant LDAP store to fetch the UID and GID information directly. This will also be featured in Windows Server 2008. It also helps you eliminate User Name Mapping service from your setup and stop worrying about mapping users and groups manually when adding new accounts (if you are not making good use of Simple Mappings).

"Network Error 53", "The data area passed to a system call is too small" or "Unknown Error"

Client for NFS included with Windows Server 2003 R2 returns different errors when trying to access NFS shares on UNIX-based NFS servers. The exact error message may depend on your environment - you might get one or more from the ones mentioned above. And, at the same time, SFU 3.5 Client for NFS may work just fine.

Analyzing the network traffic may show MOUNT or NFS calls being "rejected for security reasons (5)".

The R2 Client for NFS uses high ports (>1024) to connect to NFS servers and that's known to cause the above errors. There are two ways to fix this -

• Change how your NFS servers export the NFS shares and make them allow connections from high ports, or,
• Add UseReservedPorts DWORD value under HKLM\Software\Microsoft\Client for NFS\CurrentVersion\Default and set it to 1. Restart the Client for NFS service to allow the change to take effect.

Should you worry about security when you change your NFS server to allow connection from high ports? The answer is NO. An excerpt from RFC2623 says so -

Many NFS servers will require that the client send its NFS requests
from UDP or TCP source ports with values < 1024. The theory is that
binding to ports < 1024 is a privileged operation on the client, and
so the client is enforcing file access permissions on its end. The
theory breaks down because:

*    On many operating systems, there are no constraints on what port
     what user can bind to.
*    Just because the client host enforces the privilege on binding
     to ports < 1024 does not necessarily mean that a non-privileged
     user cannot gain access to the port binding privilege. For
     example with a single-user desk-top host running a UNIX
     operating system, the user may have knowledge of the root user
     password. And even if he does not have that knowledge, with
     physical access to the desk-top machine, root privileges are
     trivially acquired.

On the other hand, turning off low ports check on the NFS servers ensures compatibility with NFS clients irrespective of clients using high or low ports to access the NFS servers.

Note that above mentioned errors can be caused by number of other factors as well so if the solutions mentioned above don't work for you - focus your troubleshooting on other aspects.

How User Name Mapping works?

User Name Mapping is the core NFS authentication component in Services for UNIX, Windows Server 2003 R2 and Windows Vista. It bridges the gap presented by difference in user identification methods used by Windows and UNIX systems. It plays equally important role for Server for NFS and Client for NFS both.

When Server for NFS receives NFS access request from a UNIX client, all it gets is UID, GID and a set of auxiliary GIDs (which represents the secondary group memberships of that user in the UNIX world). Server for NFS then typically performs the following actions to authenticate the UNIX user who’s trying to access Windows NFS share –

• Server for NFS uses User Name Mapping to obtain the corresponding Windows user name or group name.
• After the user name is obtained, Server for NFS connects to a domain controller (for a domain account), or to local security authority for a local user –
• The domain controller authenticates the domain account using Kerberos extension called Service-For-User (S4U).
• Server for NFS Authentication is needed if the user account in question is a local account. Without Server for NFS authentication, the local security authority cannot authenticate the user and access to the UNIX client will be denied.

UNIX Interoperability and Windows Vista

There was SFU 3.5 Interoperability components. It got ported to Windows Server 2003 R2. And now we have similar interop components packaged with Windows Vista too. Windows Vista Ultimate and Enterprise editions include the Client for NFS and Subsystem for UNIX-based Applications (SUA). These Vista editions are targeted towards power users and large enterprise customers who are more likely to be benefitted from these components. However, none of the server components from SFU product line (namely Server for NFS, User Name Mapping, Server for NIS, Password Synchronization etc) are included with Vista.

You can install these components using the Programs and Features in Control Panel and then using the Turn Windows Features on or off -

Installing SUA adds only the subsystem and a program group - Subsystem for UNIX-based Applications. You need to download the utilities and SDK separately. The newly-added program group has a link to the Utilities and SDK download page.

New additions are SVR-5 Korn shell and over 150 utilities (which are found in the /svr-5 directory) and a Visual Studio Debugger add-in. This release also enables development and porting of custom UNIX applications using the Windows OCI (Oracle Call Interface) and Windows ODBC libraries which are collectively referred to as Mixed Mode.

Shanmugam, Program Manager with Microsoft maintains a blog about SFU, SUA and IDMU. You read more about these components in his blog.

Installing Client for NFS adds a Services for Network File System (NFS) MMC Snap-in to manage the Client for NFS configuration. The noticeable difference from R2 (apart from the GUI itself) is that you have two check-boxes to selectively enable User Name Mapping and/or Active Directory lookup for the UNIX identity mapping information -

Another difference is that now you can use the GUI to instruct the Client for NFS to use (or not to) reserved ports. This was otherwise done by tweaking a registry key (HKLM\software\Microsoft\Client for NFS\CurrentVersion\Default\UseReservedPorts) in previous releases -

Client for NFS in Windows Vista and Windows Server 2003 R2 supports RFC2307 attributes so it can also fetch UIDs/GIDs etc from any LDAP store which is RFC2307 compliant. I have tested this feature with Active Directory and this really is a cool addition to this component.