Mounting Unix Shares with a Windows NFS Client (2024)

Network File System (NFS) is an open standard for distributing a file system across a network for multi-client access. Designed in 1984, NFS has grown to include many authentication methods at both the share (export) and file system levels, including client IP/hostname, auth_sys (Unix auth), Kerberos and NFSv4.x ACLs.

This blog post explains how to mount an NFS share on a Windows client.

How NFS works with Windows operating systems

While you’re likely to be familiar with accessing network file shares via Server Message Block (SMB) or the Windows implementation of SMB (CIFS), NFS is still prevalent in production environments with Unix servers.

Unfortunately, NFS traditionally did not play well with environments that mix Windows with Unix: To enable Windows client access to NFS exports, each NFS export needed a Samba share equivalent (an SMB implementation for Unix).

However, this changed when Microsoft implemented NFS client and server tools. Microsoft’s NFS documentation lists the following operating system support:

Operating Systems | NFS Server Versions | NFS Client Versions
Windows 7, Windows 8.1, Windows 10 | N/A | NFSv2, NFSv3
Windows Server 2008, Windows Server 2008 R2 | NFSv2, NFSv3 | NFSv2, NFSv3
Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 | NFSv2, NFSv3, NFSv4.1 | NFSv2, NFSv3

How to Configure Windows as an NFS Client

Prerequisite: Enable the necessary Windows features.

Before we mount an NFS share on a Windows client, we need to enable certain features within Windows to perform NFS client operations. The PowerShell command to use depends on your client environment:

For Windows 10:

Enable-WindowsOptionalFeature -FeatureName ServicesForNFS-ClientOnly, ClientForNFS-Infrastructure -Online -NoRestart

For Windows Server:

Install-WindowsFeature NFS-Client

Now we need to mount NFS exports from a Unix server. However, Unix and Windows use different mechanisms for identifying users and groups: In Unix-like operating systems such as Linux, users and groups are identified by user identifiers (UIDs) and group identifiers (GIDs), respectively. In Windows, users and groups are identified using security identifiers (SIDs).

Therefore, in order to authenticate to a Unix server providing NFS exports, we need to map Windows users to Unix UIDs and GIDs. With this UID/GID mapping, the Unix server will be able to determine which user created the request for the NFS export.

Here are three methods you can use to perform the identity mapping and mount the NFS export.

Method 1 (preferred). Perform identity mapping in Active Directory (AD).

If both the Unix NFS server and Windows NFS client are joined to the same Active Directory domain, then we can handle identity mapping in Active Directory. This is the preferred method for security purposes when possible.

NOTE: This method is not available if method 2 (below) is in use, since the presence of a local etc\passwd file will take precedence for identity mapping.

By default, our NFS client won’t look up identity mapping in Active Directory. However, we can change that by running the following command in an elevated PowerShell session on the NFS client:

» Set-NfsMappingStore -EnableADLookup $True -ADDomainName "<your_domain>"

Now we can run the Get-NfsMappingStore command to check the current Windows user’s UID/GID mapping. As you can see, ADLookupEnabled is set to True, and a domain is specified for ADDomain.

» Get-NfsMappingStore
UNMServer :
UNMLookupEnabled : False
ADDomain : <your_domain>
ADLookupEnabled : True
LdapServer :
LdapNamingContext :
LdapLookupEnabled : False
PasswdFileLookupEnabled : False

Next, we need to configure our identity mapping in Active Directory Users and Computers. To view the uidNumber and gidNumber attributes for each user, make sure you have Advanced Features enabled under the View dropdown.

You’ll then be able to view and edit those fields in a user or group’s Properties menu, on the Attribute Editor tab.

It can be cumbersome to manually map UIDs and GIDs for many Active Directory users. To automate the process, you can use the following PowerShell command to set the appropriate attribute values for each desired user, using a CSV file with UID/GID data:

Set-ADUser -identity <UserPrincipalName> -add @{uidNumber="<user_unix_uid>";gidNumber="<user_unix_gid>"}

NOTE: In the Set-ADUser command, “add” should be changed to “replace” if a user already has a value for either uidNumber or gidNumber.
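The CSV-driven run described above could look like the following. This is an added example, not code from the original post; the CSV path, its column names (UserPrincipalName, Uid, Gid) and the -Apply switch are assumptions. It switches between -Add and -Replace per the note, rejects duplicate UIDs and any mapping to UID/GID 0, and only previews changes unless -Apply is given.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Assumed CSV header: UserPrincipalName,Uid,Gid
param(
    [string]$CsvPath = '.\nfs-idmap.csv',   # hypothetical file name
    [switch]$Apply                          # without -Apply, changes are only previewed (-WhatIf)
)

$rows = Import-Csv -Path $CsvPath

# Two Windows users sharing one UID are the same user as far as the NFS server can tell.
$dupes = $rows | Group-Object -Property Uid | Where-Object Count -gt 1
if ($dupes) {
    throw "Duplicate UID(s) in CSV: $($dupes.Name -join ', ')"
}

foreach ($row in $rows) {
    $upn = $row.UserPrincipalName
    $uid = 0
    $gid = 0
    $numeric = [int]::TryParse($row.Uid, [ref]$uid) -and [int]::TryParse($row.Gid, [ref]$gid)
    if (-not $numeric) {
        Write-Warning "Skipping ${upn}: UID/GID is not numeric"
        continue
    }
    # UID 0 / GID 0 is root on the Unix side; refuse to map a Windows account to it.
    if ($uid -le 0 -or $gid -le 0) {
        Write-Warning "Skipping ${upn}: refusing UID/GID $uid/$gid"
        continue
    }

    # Look the user up by UPN and read the current Unix attributes.
    $user = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Properties uidNumber, gidNumber
    if (-not $user) {
        Write-Warning "No AD user found with UPN $upn"
        continue
    }

    $values   = @{ uidNumber = $uid; gidNumber = $gid }
    $hasValue = ($null -ne $user.uidNumber) -or ($null -ne $user.gidNumber)
    if ($hasValue) {
        # Either attribute already populated: use -Replace, as the note says.
        Set-ADUser -Identity $user -Replace $values -WhatIf:(-not $Apply)
    } else {
        Set-ADUser -Identity $user -Add $values -WhatIf:(-not $Apply)
    }
}
```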

Using this approach, we can now map an NFS share in Windows to an available drive letter via command prompt, and the UID/GID will be mapped per the current Active Directory user’s uidNumber and gidNumber attribute values.

» mount \\<nfs_server_ip_address>\path\to\nfs\export Z:

The path after the NFS server’s IP is the local path to the NFS export on the NFS server, and the drive letter is any available drive letter on the Windows NFS client.

Of course, the Unix rights given to the user we’ve mapped to ultimately decide what kind of access we have to the export, such as read/write or read-only.

Method 2. Perform identity mapping using the local etc\passwd file.

Since using Active Directory is the preferred method for identity mapping, we won’t go into detail for the other two options. However, it’s worth briefly stating that Windows can perform local identity mapping using Unix-style passwd and group files, located in %SYSTEMROOT%\system32\drivers\etc.

If the passwd file is present and has identity mapping information for the current Windows user, then the mappings specified in the passwd and group files will be used for the client’s NFS mount requests rather than UID/GID mappings in Active Directory or the AnonymousUid/AnonymousGid Windows registry settings outlined below.

When running the Get-NfsMappingStore PowerShell command, you’ll notice PasswdFileLookupEnabled is True whenever this workflow is in effect for the current Windows user.

This approach uses the same mount syntax as the Active Directory identity mapping approach above:

» mount \\<nfs_server_ip_address>\path\to\nfs\export Z:

Method 3. Perform identity mapping using AnonymousUid/AnonymousGid Windows registry settings.

The final method is considered an insecure approach and is not recommended. It potentially allows any local user to mount the target NFS export(s) with read/write access, as opposed to securing write permissions to specific local Windows users via the methods above.

To map the local Windows client to the UID and GID of the Unix user that owns the desired export(s), run the following in an elevated PowerShell:

» New-ItemProperty HKLM:\SOFTWARE\Microsoft\ClientForNFS\CurrentVersion\Default -Name AnonymousUID -Value <unix_export_owner_uid> -PropertyType "DWord"
» New-ItemProperty HKLM:\SOFTWARE\Microsoft\ClientForNFS\CurrentVersion\Default -Name AnonymousGID -Value <unix_export_owner_gid> -PropertyType "DWord"

After adding these keys to the Windows registry, you need to reboot in order to have them take effect.

Then use the following command to mount the NFS export with read/write access (assuming the client’s IP has permission to mount the export and that the UID/GID mapping is correct for each desired export):

» mount -o anon \\<nfs_server_ip_address>\path\to\nfs\export Z:
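To check which of the three mapping sources is configured on a given client, the settings described above can be read back in one pass. This is an added example, not code from the original post; the finding texts and output object shape are assumptions, and it should be run in an elevated PowerShell session on the NFS client.

```powershell
# Added example: report the identity-mapping configuration of this NFS client.
$store   = Get-NfsMappingStore
$passwd  = Join-Path $env:SystemRoot 'system32\drivers\etc\passwd'
$regPath = 'HKLM:\SOFTWARE\Microsoft\ClientForNFS\CurrentVersion\Default'
$anon    = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue

$findings = @()

# Method 2: a local passwd file takes precedence over AD lookup.
if ((Test-Path $passwd) -or $store.PasswdFileLookupEnabled) {
    $findings += 'Method 2: local passwd mapping is present and takes precedence over AD lookup.'
}

# Method 1: the preferred source is only used when AD lookup is enabled.
if (-not $store.ADLookupEnabled) {
    $findings += 'Method 1: AD lookup is disabled (Set-NfsMappingStore -EnableADLookup $True).'
}

# Method 3: the registry values give every "mount -o anon" the same Unix identity.
if ($null -ne $anon.AnonymousUid -or $null -ne $anon.AnonymousGid) {
    $findings += "Method 3: AnonymousUid=$($anon.AnonymousUid), AnonymousGid=$($anon.AnonymousGid); " +
                 'any local user can mount with this identity.'
}

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    ADDomain        = $store.ADDomain
    ADLookupEnabled = $store.ADLookupEnabled
    Findings        = $findings
}
```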

FAQ

Does Windows 11 support NFS clients?

Yes.

How can I use NFS in Windows?

  • Provide access to the same file share using both the SMB and NFS protocols by using a Windows NFS file server.
  • Deploy a non-Windows operating system to provide NFS file shares accessible to non-Windows clients using the NFS protocol.
  • To enable applications to be migrated from one operating system to another, store data on file shares accessible using both the SMB and NFS protocols.

What improvements are included in NFS version 4.1?

  • The Remote Procedure Call (RPC)/External Data Representation (XDR) transport infrastructure offers better support and provides better scalability
  • RPC port multiplexer feature
  • Auto-tuned caches and thread pools
  • New Kerberos privacy implementation and authentication options

For complete details, visit the Microsoft page that describes all NFS versions.

How do I add the Server for NFS role service?

In Server Manager or Windows Admin Center, use the Add Roles and Features Wizard.

Which Windows command-line administration tools does Server for NFS contain?

  • Mount provides an NFS mount on Windows clients that maps to a local drive.
  • Nfsadmin manages configuration settings of the Server for NFS and Client for NFS components.
  • Nfsshare sets up NFS share settings for folders that are shared via Server for NFS.
  • Nfsstat displays or resets statistics on calls received by Server for NFS.
  • Showmount lists the file systems that have been exported by Server for NFS.

NFS-mounted drives are unmounted using Umount.

Joe Dibley

Security Researcher at Netwrix and member of the Netwrix Security Research Team. Joe is an expert in Active Directory, Windows, and a wide variety of enterprise software platforms and technologies. Joe researches new security risks, complex attack techniques, and associated mitigations and detections.

FAQs

What is the command to mount NFS share on the client server?

After adding this line to /etc/fstab on the client system, use the command mount /pub, and the mount point /pub is mounted from the server. The variables server, /remote/export, /local/directory, and options are the same ones used when manually mounting an NFS share.

Does Windows support NFS shares?

Network File System (NFS) provides a file sharing solution that lets you transfer files between computers running Windows Server and UNIX operating systems by using the NFS protocol.

What is the command to check NFS mount in Unix?

Using the showmount Command

The showmount command provides information about NFS exports on a server, including the version of NFS being used. Further, it provides various options that are useful for obtaining more detailed NFS export data like the protocol version.

How to check NFS mount in Windows?

You can use showmount to display information about mounted file systems exported by Server for NFS on a specified computer. If you don't specify a server, this command displays information about the computer on which the showmount command is run.

How does NFS mount work?

NFS enables system administrators to share all or a portion of a file system on a networked server to make it accessible to remote computer users. Clients with authorization to access the shared file system can mount NFS shares, also known as shared file systems.

What port does an NFS share use on Windows?

  • UDP port 2049: The default port of NFS server listening.
  • TCP/UDP port 111: RPC binding port, used to establish connections between clients and servers.

Can I mount NFS share?

Mount an NFS share using the Azure portal

You can use the nconnect Linux mount option to improve performance for NFS Azure file shares at scale. For more information, see Improve NFS Azure file share performance. Once the file share is created, select the share and select Connect from Linux.

How do I access NFS share from Windows Explorer?

Click the Start button, point to Programs, and then click Windows Explorer or Windows NT Explorer. From the Tools menu, click Map Network Drive. The Map Network Drive dialog box opens. In the Path text entry box, type the NFS name of the network resource to which you want to connect.

How to show NFS exports on client?

NFS clients can use the showmount -e command to see a list of exports available from an ONTAP NFS server. This can help users identify the file system they want to mount. Beginning with ONTAP 9.4, ONTAP allows NFS clients to view the export list by default.
