Replacing everyone group through Registry – NFS

We recently had a query where a customer was trying to configure the following registry key so that the NTFS permission on files created from a Unix client on an NFS share is granted to a group of their choosing instead of the Everyone group:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerForNFS\CurrentVersion\Mapping\EveryoneGroup

So we did some testing on our lab machines, using the following O/S versions:

· Windows 2003 R2 as a Domain controller

· Windows 2003 R2 as a member server

· Windows 2008 R2 as a member server

· Windows 2008 R2 as a Domain controller

We configured NFS shares on all of the machines and configured “User Name Mapping” for one user. In the NTFS permissions, we allowed only the mapped user, SYSTEM, and CREATOR OWNER.

First we set the above registry key to a domain group. It worked only on the Domain controllers and not on the Member Servers.

Then we changed the entry on the member server to the form “domain name\group name”. Still the same issue: the Everyone group was not replaced.

Then we set the entries on the member servers to a local group, and it started working. Note also that after every change we had to restart the NFS services.

Based on our research, it turned out that Server for NFS reads the local user database to resolve the group name, and if the group name is not found it falls back to the built-in Everyone group. On a DC it can read this information from AD, but on a member server it only reads the local SAM database and not AD. As a result, it does not work on member servers unless a local group with the same name exists.

When you set “EveryoneGroup” to “nfstest1”, this is treated just the same as if you had set the name to “<computername>\nfstest1”, so unless the member servers had a local group account named “nfstest1” this was bound to fail.
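As an added check (not part of the original post), the following PowerShell script reads the EveryoneGroup value, strips any “domain\” prefix the way the member-server lookup effectively does, and verifies whether a local SAM group with that name exists. It assumes it is run on the NFS server itself with rights to read HKLM.

```powershell
# Added example (not from the original post): check whether the group named in the
# Server for NFS "EveryoneGroup" value resolves the way the post describes.
# Assumes it runs on the NFS server itself with rights to read HKLM.
$mappingKey = 'HKLM:\SOFTWARE\Microsoft\ServerForNFS\CurrentVersion\Mapping'

function Test-NfsEveryoneGroupMapping {
    $props = Get-ItemProperty -Path $mappingKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.PSObject.Properties['EveryoneGroup']) {
        return [pscustomobject]@{ Configured = $null; Result = 'EveryoneGroup not set; built-in Everyone group is used' }
    }
    $configured = $props.EveryoneGroup

    # On a member server a "DOMAIN\group" prefix does not help: only the
    # group-name part is looked up, and only in the local SAM.
    $groupName = ($configured -split '\\')[-1]

    # Win32_ComputerSystem.DomainRole: 3 = member server, 4/5 = domain controller
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    $isDc = $role -ge 4

    # The WinNT provider queries the local SAM, which is what Server for NFS
    # consults on a member server.
    $existsLocally = [ADSI]::Exists("WinNT://$env:COMPUTERNAME/$groupName,group")

    if ($isDc) {
        $result = "Domain controller: '$configured' can be resolved through Active Directory"
    } elseif ($existsLocally) {
        $result = "Member server: local group '$groupName' exists; mapping applies after the NFS services are restarted"
    } else {
        $result = "Member server: no local group '$groupName'; Server for NFS will fall back to Everyone"
    }

    [pscustomobject]@{
        Configured         = $configured
        LookedUpAs         = $groupName
        IsDomainController = $isDc
        LocalGroupExists   = $existsLocally
        Result             = $result
    }
}

Test-NfsEveryoneGroupMapping | Format-List
```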

Conclusion:

On a member server the domain group name does not work, and this is true for Windows 2003 R2 as well as Windows 2008 and 2008 R2. It appears that the registry key only works with a domain group on a domain controller; on a member server, use a local group.