ACL and windows server 2012 R2 NFS and file sharing

Posted on 2016-08-26
Last Modified: 2016-08-27
Hi experts

I just installed a Windows 2012 R2 file server and I added the role to support NFS shares, in order to create a share that AD users can access with NTFS permissions and mount the same share on a Linux server with root access

but I started to get an issue which I don't know how to fix

after I set up the NTFS permissions on the shared file system and gave root access to the Linux server

so I mount this share:    mount filertwo:/archive /export/archive

so please check the attached files for how it looks

so when I change the owner and group with this command:    chown -R root:root *

then I go to Windows and find that all the NTFS permissions got damaged, so when I try to fix it on the Windows side it gets damaged on the Linux side

so how can I use the NFS sharing feature with Windows with such an issue?

note:   on Linux I just want to give access to local root and maybe another user

kindly advise
Question by:sword12
LVL 12

Expert Comment

ID: 41772395
I have experienced this problem also in the past.
What you could do as an alternative is to fix the NTFS permissions and only use Everyone or Authenticated Users with read or modify permissions, and set this up via the normal NTFS permissions.
The disadvantage of course is that everyone with a user account has access.
It's possible to set it more strictly but this would need a mapping server which maps the Linux account (group/user) to the Windows account.
LVL 78

Expert Comment

ID: 41772562
Define the rights you want on the Windows side to match access you want users in the Linux side to have.

Once you invoke user ownership changes (chown), the NFS server component on the Windows server, which runs with system rights, makes the adjustments.

It is similar to painting a room blue, and allowing someone else to paint the room.
Once you have this type of setup, you can not control which color the room will have.

What is the reason you are running chown on the NFS share versus letting ....

Was the existing setting preventing root from doing what you needed?

Do you have a Windows account with a uid 0 to correspond to root on Linux?

Author Comment

ID: 41772663
Hi Zalazar

it looks like you understand my pain very well

do you have any idea for my case how I can configure a mapping server - or mapping service

which can help me avoid this pain


Author Comment

ID: 41772938
Hi Zalazar

I made some tests and you are absolutely right, without a user mapping service it will be so difficult to manage

so can you please advise me how I can configure the mapping service

we have AD 2008 R2 and we have Windows Server 2012 R2 as file server

and I want to share one file system with our intranet server, which includes web services

our users (( Windows users will add some files like PDF files and photos )) on this share, and at the same time I have to provide access to our Windows users and Linux users like root and www

so please tell me step by step how I can configure user mapping for such a scenario

LVL 78

Expert Comment

ID: 41772952
Windows Services for UNIX should add to the AD schema the UNIX-related uid/gid info on user accounts.
You would need to tie the Linux/UNIX system into the AD using smb/winbind, or reconfigure your DCs to allow ldap/ldaps access from the Linux/Unix systems for the purpose of querying/authenticating/authorizing users.

Author Comment

ID: 41772970
Hi arnold

I just added these features to my test AD, please check the attached files

but I don't know how to configure them in order to reach my target

I thought I could just add these roles and then do nothing on the Linux side

but it looks like I have to install Samba on the Linux side, then create the same users from AD as local users on the Linux server, then add their UID and GID in the AD user profile in order to configure user mapping

if you know any shorter way which will help me reach my target please update me

plus this is the first time I will do this, so I need some sort of step by step doc or help

thank you in advance for your kind help

LVL 78

Expert Comment

ID: 41772981
If you are using NIS, you would need to configure your Linux/Unix systems as clients utilizing NIS to authenticate/authorize AD users on Linux/UNIX.
Which Linux/UNIX distro are you using?
Note, your Linux will be a NIS client.

Upon the change the /etc/nsswitch.conf will have nis in addition to files in the hosts, passwd, group lines.

Make sure you do not duplicate local/AD users.

Author Comment

ID: 41772996
Hi arnold

yes we have NIS in our environment, but we are going to take it away

so now I want to find a way that I can manage user mapping between our Active Directory and our Linux systems

so can you tell me what options I have

I'm starting to think about integrating our Linux systems with AD using Samba, which will be installed on every Linux system

I have right now this scenario

I have a Linux server working as intranet and I have a Windows Server 2012 R2 working as file server

so I created a shared file system on the Windows file server; this share supports CIFS and NFS

and gave root access to that intranet server and I managed to mount this share on the intranet

but now I have difficulties managing user mapping, in other words I have a problem with permissions

for this I want to know what the best approach is that I can take in my case

and if you have a doc or step by step doc this will be a big help for me

LVL 78

Accepted Solution

arnold earned 500 total points
ID: 41773003
You just defined your Windows server as a NIS server.
You could configure your Linux/Unix systems as clients of the AD either by using samba/winbind or using LDAP, whereby the Linux/Unix clients will be querying the LDAP (AD DC), for which you would need to adjust the Windows firewall as well as adjust the registry to allow Linux/Unix systems to query LDAP/LDAPS when authenticating.

Which Linux distribution do you have: Redhat/CentOS, Debian/Ubuntu, FreeBSD, etc.?

Look for Linux AD integration and follow the guides.

Usually net ads join .... is the command to join the Linux/Unix system to the AD........
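Both the NIS answer above (nis added next to files on the passwd, group and hosts lines) and this accepted answer (samba/winbind as the AD client) come down to the same edit of /etc/nsswitch.conf. The following is an added example, not code from any of the posters: a small POSIX sh function that appends a name-service source (nis or winbind) to those three database lines, skipping a line that already carries it, so it is safe to run twice. It works on whatever file path it is given, so you can run it on a copy, review the diff, and only then install the result over /etc/nsswitch.conf. The database names, the sample file and the temporary path are constructed for the example; the join itself (net ads join) and the Samba/NIS packages are outside its scope.

```shell
#!/bin/sh
# Added example (not from the thread): add a name-service source such as
# "nis" or "winbind" to the passwd, group and hosts lines of an nsswitch.conf.
# The real database is called "group" (the post above writes "groups").

# add_nss_source FILE SOURCE
#   FILE   - path to nsswitch.conf or a working copy of it
#   SOURCE - name service to append, e.g. nis or winbind
add_nss_source() {
    file="$1"; src="$2"
    for db in passwd group hosts; do
        # Already present on this line: leave it alone (idempotent).
        if grep -E "^${db}:.*[[:space:]]${src}([[:space:]]|$)" "$file" >/dev/null 2>&1; then
            continue
        fi
        if grep -E "^${db}:" "$file" >/dev/null 2>&1; then
            # Append after the existing sources (after "files", "dns", ...).
            sed -E "s/^(${db}:.*)$/\1 ${src}/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
        else
            # No such line yet: create one with local files consulted first.
            printf '%s: files %s\n' "$db" "$src" >> "$file"
        fi
    done
}

# nss_line FILE DB -> prints the configured line for DB (used to verify the edit)
nss_line() {
    grep -E "^$2:" "$1"
}

# Usage on a working copy (constructed paths; the file is not installed):
#   cp /etc/nsswitch.conf /tmp/nsswitch.conf.new
#   add_nss_source /tmp/nsswitch.conf.new winbind
#   diff /etc/nsswitch.conf /tmp/nsswitch.conf.new
```

The source is appended at the end of the line rather than inserted right after files, so an existing hosts line such as "hosts: files dns" keeps local files and DNS ahead of the directory lookup. Lines the example does not touch (shadow, for instance) are left exactly as they were; with winbind the shadow database is normally not needed because authentication goes through PAM.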

Author Comment

ID: 41773016
Thank you Arnold

I will make some tests and maybe I will ask you other questions

thanks again
LVL 12

Expert Comment

ID: 41773267
Good to see that you got further with the AD integration possibility. Good luck with the implementation.
