New security features on Windows 2008 R2 affect NFS permissions

On a Windows Server 2008 R2 based cluster, when we add or remove hosts (using the Permissions button on the NFS Sharing tab), the changes are not reflected unless we bounce the resources. Because of tighter integration, NFS shares that we create using Windows Explorer on the clustered disks show the same behavior.

We experienced this scenario:

1. Create an NFS resource using the cluster manager.

2. While setting it up, change the access for All_MACHINES to No Access.

3. Bring it online.

4. Run showmount -e on the server itself or showmount -r <server> on the NFS client, and verify that the share shows up and displays (noone) in the allowed hosts field.

5. Now, using the cluster manager, change the properties, add a host under Permissions, and give it read-write or read-only access.

6. Click OK and return to the cluster manager.

7. Run the showmount command on the server or client. It does not reflect the changes.

[Screenshot: NFS permission, no access]

Running the showmount -e localhost command gives the output below:

[Screenshot: showmount output]

Now let’s add a few hosts and give them read-write access:

[Screenshot: NFS permission, all machines]

Running the showmount -e localhost command still gives the output below:

[Screenshot: permission output, before]

Now let’s take the resource offline and bring it back online:

[Screenshot: NFS permission output, after]

Workaround:

There are a couple of workarounds for the issue:

1. Take the NFS resource offline and bring it back online. Run the showmount -e localhost command to confirm the change.

2. In the NFS permissions window:

a) Set the permission of All Machines to No Access.

b) Do not click OK or Apply yet.

c) Add the host or client group and set the appropriate R/W or R/O access.

d) Then click OK and Apply.

e) Run the showmount -e localhost command to confirm the change.
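
The showmount confirmation step can be scripted so that a permission change that has not taken effect (a removed host still exported, or an added host still absent) is flagged automatically. The script below is an added example, not part of the original post; the function name export_drift, the share /nfsshare, the host client01 and the assumed one-line-per-export layout ("<export> host1,host2") are illustrative assumptions, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: flag drift between intended NFS export hosts and what
# showmount -e reports. Assumed line layout: "<export> host1,host2".

# Usage: showmount -e <server> | export_drift <export> "host1,host2"
# Prints STALE <host> (still exported, no longer intended) and
# MISSING <host> (intended, not yet exported).
# Returns 0 = in sync, 1 = drift, 2 = export not listed.
export_drift() {
    _rc=0
    _out=$(awk -v share="$1" -v want="$2" '
        BEGIN {
            n = split(want, w, ",")
            for (i = 1; i <= n; i++) if (w[i] != "") intended[w[i]] = 1
        }
        $1 == share {
            found = 1
            list = ""
            for (i = 2; i <= NF; i++) list = list $i   # tolerate "a, b"
            m = split(list, h, ",")
            for (i = 1; i <= m; i++) {
                # "(noone)" is what the page reports for an empty host list
                if (h[i] != "" && h[i] != "(noone)") live[h[i]] = 1
            }
        }
        END {
            if (!found) exit 2
            for (x in live) if (!(x in intended)) { print "STALE " x; bad = 1 }
            for (x in intended) if (!(x in live)) { print "MISSING " x; bad = 1 }
            exit bad + 0
        }') || _rc=$?
    if [ -n "$_out" ]; then printf '%s\n' "$_out" | sort; fi
    return "$_rc"
}

# Constructed sample: a host was added in the GUI, but the resource has not
# been cycled, so the export still lists (noone).
SAMPLE_NOT_REFRESHED='Exports list on localhost:
/nfsshare                          (noone)'

printf '%s\n' "$SAMPLE_NOT_REFRESHED" | export_drift /nfsshare client01 ||
    echo "export does not match intended hosts (rc=$?)"
```

A STALE line is the case to treat as urgent, since it means a host removed in the permissions dialog can still mount the share until the resource is cycled.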