_____________________________________________________________________

Microsoft(R) Services for Network File System
Build 7.1.2239.1
Release Notes
May 2003
_____________________________________________________________________

Please read the following important information before you install
and use the Microsoft Services for Network File System.

======================================================================
CONTENTS
======================================================================

1. PREREQUISITES FOR INSTALLING THIS FEATURE
2. PURPOSE OF THIS FEATURE
3. IMPROVEMENTS
4. STEPS TO INSTALL
5. KNOWN ISSUES
6. ANONYMOUS USERS HAVE NO ACCESS BY DEFAULT
7. NFS SHARES ARE READ-ONLY BY DEFAULT
8. CASE SENSITIVITY AND SYSTEM SECURITY
9. NEW FUNCTIONALITY IN NFSSHARE.EXE

======================================================================
1. PREREQUISITES FOR INSTALLING THIS FEATURE
======================================================================

This feature is part of the Microsoft Server Appliance Kit 3.0, and
can only be installed as part of its installation.

======================================================================
2. PURPOSE OF THIS FEATURE
======================================================================

This feature provides a server-side implementation of the Network
File System, including User Name Mapping and Authentication Services.
It is only intended to run as part of a Microsoft Server Appliance
Kit 3.0 installation of a Microsoft-powered Network Attached Storage
solution.

======================================================================
3. IMPROVEMENTS CONTAINED IN THIS RELEASE OVER PREVIOUS RELEASES OF
   MICROSOFT WINDOWS SERVICES FOR UNIX
======================================================================

* Significant read and write performance improvements (non-cached
  I/O etc.) have been incorporated into the NFS server.

* Improved caching of file handles and attributes.

* Improvements in rpcxdr - packet processing, decoding and
  unmarshalling.

* Better cleanup of file handle cache entries.

* NFS Access to Snapshots

  The Server can now provide access to VSS snapshots for UNIX and
  Windows NFS clients. Each available snapshot is accessible under
  the export root as a read-only directory whose name is the
  concatenation of ".@" and the UNC time that the snapshot was taken.

* New Functionality:

  This fix includes new functionality to provide faster performance.
  A new executable file, nfsonly.exe, allows a share to be modified
  to do more aggressive caching to improve performance. You can set
  this on a share-by-share basis. You must not use this function on
  any share that can be accessed by any means other than via NFS, as
  data corruption can occur. However, as much as a 15% improvement in
  performance has been observed when using an NFS only share.

  The syntax of this command is:

    NfsOnly [/enable|disable]

  Resourcename|sharename is the name of the cluster resource or the
  name of the NFS share.
  The /enable option turns on NfsOnly for the specified resource or
  share.
  The /disable option turns off NfsOnly for the specified resource or
  share.

  If a share is created as a cluster resource and a share of the same
  name is created on the node of a cluster where nfsonly.exe was run,
  only the cluster resource will be changed to an NFS only share.

* Anonymous UID/GID are both now set to -2 by default. This is to
  match recent changes to standard NFS behavior.

* Server for NFS provides administrators the ability to configure
  whether Inherited Access Control Entries (ACEs) should apply to
  newly created files/directories over NFS. This is controlled by the
  value of the following registry entry:

    HKLM\Software\Microsoft\Server for NFS\CurrentVersion\Mapping\KeepInheritance

  This registry value is 0 by default, which means Inherited ACEs
  will not be present on newly created files/directories on the NFS
  share.
  For example, if administrators want the ability to read/write every
  file/directory created in the hierarchy, they should set this value
  to 1 and set an inheritable read/write ACE at the root of the
  hierarchy.

  Note:

  * Setting this value to 1 could affect how the permissions look
    from the UNIX side because of the additional inherited ACEs.

  * This feature is somewhat similar to the functionality provided by
    the AugmentDACL registry setting in Microsoft Services for UNIX
    2.x; however, these two features are not exactly the same. The
    AugmentDACL key is deprecated in this release.

======================================================================
4. STEPS TO INSTALL
======================================================================

This feature can only be installed as part of a Server Appliance Kit
3.0 installation.

======================================================================
5. KNOWN ISSUES
======================================================================

Double-byte character set (DBCS) characters are not supported in
computer names, domain names, host names, share names, client group
names and user names, except in User Name Mapping, where DBCS
characters are allowed in user names. DBCS is the character set used
for languages such as Japanese, Korean, and Chinese.

======================================================================
6. ANONYMOUS USERS HAVE NO ACCESS BY DEFAULT
======================================================================

In Windows Server 2003, the "Anonymous Logon" security group was
removed from the "Everyone" group. As a result, "Anonymous Logon" no
longer has read-only access by default, but instead has no access by
default. Since NFS anonymous access is mapped to the "Anonymous Logon"
user, anonymous access is effectively disabled.

To enable anonymous access, add the "Anonymous Logon" user to the
access-control list for the share via the "Security" tab on the
folder properties for the share root.

Alternatively, one can add the "Anonymous Logon" group to "Everyone";
see the Windows Server 2003 help topic titled "To allow members of
the Anonymous Logon group to be members of the Everyone group on a
local computer" for details.

======================================================================
7. NFS SHARES ARE READ-ONLY BY DEFAULT
======================================================================

For security reasons, an NFS share is initially created as a
read-only share by default. This is a change from the previous
releases of NFS server functionality via SFU. You must explicitly
choose the read/write option while creating an NFS share, either
using the nfsshare.exe command-line utility or using the NFS Sharing
tab of the Windows Explorer properties page for a folder.

======================================================================
8. CASE SENSITIVITY
======================================================================

In order to interoperate with UNIX-based NFS clients, installation of
Microsoft Services for Network File System changes the behavior of
the Windows Object manager to be case sensitive. On a system without
Microsoft Services for Network File System, the names "c:\Dog" and
"c:\dog" refer to the same file. After installing it, the names would
refer to different files. To change the behavior back to the default
(which will break interoperability with UNIX clients), you need to set

======================================================================
9. NEW FUNCTIONALITY IN NFSSHARE.EXE
======================================================================

This patch adds the following new functionality to the nfsshare
command.

* You can now set all machines to no access via the "na" option on
  the command line.

  EXAMPLE

    C:\> nfsshare myshare -o na

  This will result in the following permission settings...

    C:\> nfsshare myshare
    Alias = myshare
    Path = C:\shared
    Encoding = ansi
    ANONYMOUS access disallowed
    Anonymous UID = -2
    Anonymous GID = -2
    HOST ACCESS :
    ALL MACHINES    no access     Root Access Disallowed    ansi

* The nfsshare command may now be used to modify the options on an
  existing share. The syntax is identical to setting the options at
  share creation time. When run to modify an existing share, nfsshare
  will only modify or add the settings provided at the command line,
  and leave all the existing settings intact.

  Example:

    C:\> nfsshare myshare -o ro rw=client1 root=client2 anon=yes anonuid=-21 anongid=-3
    myshare was modified successfully

    C:\> nfsshare myshare
    Alias = myshare
    Path = C:\shared
    Encoding = ansi
    ANONYMOUS access allowed
    Anonymous UID = -21
    Anonymous GID = -3
    HOST ACCESS :
    ALL MACHINES    read-only     Root Access Disallowed    ansi
    client1         read-write    Root Access Disallowed    ansi
    client2         read-write    Root Access Allowed       ansi

* An option has been added to deny root access: the "noroot" flag,
  which will set the root access permissions to false for ALL
  MACHINES if specified alone, and for specific machines if specified
  as noroot=client1:...

* A new option is available to change client encoding on a per
  machine basis. The syntax is =.

  Example:

    C:\> nfsshare myshare
    Alias = myshare
    Path = C:\shared
    Encoding = ansi
    ANONYMOUS access disallowed
    Anonymous UID = -2
    Anonymous GID = -2
    HOST ACCESS :
    ALL MACHINES    read-only     Root Access Disallowed    ansi
    client1         read-write    Root Access Disallowed    ansi

    C:\> nfsshare myshare -o euc-tw=client1
    myshare was modified successfully

    C:\> nfsshare myshare
    Alias = myshare
    Path = C:\shared
    Encoding = ansi
    ANONYMOUS access disallowed
    Anonymous UID = -2
    Anonymous GID = -2
    HOST ACCESS :
    ALL MACHINES    read-only     Root Access Disallowed    ansi
    client1         read-write    Root Access Disallowed    euc-tw

* A new option has been added to remove a client from the permissions
  list.
  The syntax is "removeclient=client1:client2".

  Example:

    C:\> nfsshare myshare -o removeclient=client1
    myshare was modified successfully

    C:\> nfsshare myshare
    Alias = myshare
    Path = C:\shared
    Encoding = ansi
    ANONYMOUS access disallowed
    Anonymous UID = -2
    Anonymous GID = -2
    HOST ACCESS :
    ALL MACHINES    read-only     Root Access Disallowed    ansi

  The removeclient option cannot be used at creation time. An attempt
  to do so will prompt the following error:

    error: the removeclient option is used to remove entries from the
    host access list
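
Added example (not part of the original release notes and not Microsoft
code): a Python parser for the "nfsshare <share>" listing shown in
section 9 that reports settings weaker than the defaults described in
sections 6, 7 and 9 (anonymous access, root access, read-write for all
machines). The names parse_share and audit are hypothetical, and the
parser assumes the tool prints one host entry per line.

```python
import re

# Constructed sample in the layout of the "nfsshare myshare" listings above
# (assumption: the tool prints one host entry per line).
SAMPLE = r"""Alias = myshare
Path = C:\shared
Encoding = ansi
ANONYMOUS access allowed
Anonymous UID = -21
Anonymous GID = -3
HOST ACCESS :
ALL MACHINES    read-only     Root Access Disallowed    ansi
client1         read-write    Root Access Disallowed    ansi
client2         read-write    Root Access Allowed       ansi
"""

HOST_RE = re.compile(
    r"^(?P<host>.+?)\s+(?P<access>read-only|read-write|no access)\s+"
    r"Root Access (?P<root>Allowed|Disallowed)\s+(?P<enc>\S+)\s*$")

def parse_share(text):
    """Parse one share listing into key/value settings plus host rows."""
    share = {"hosts": [], "anonymous": False}
    in_hosts = False
    for line in map(str.strip, text.splitlines()):
        if line.upper().startswith("HOST ACCESS"):
            in_hosts = True          # every later line is a host entry
        elif in_hosts:
            m = HOST_RE.match(line)
            if m:
                share["hosts"].append(m.groupdict())
        elif line.upper().startswith("ANONYMOUS ACCESS"):
            # "disallowed" does not end with " allowed" (leading space)
            share["anonymous"] = line.lower().endswith(" allowed")
        elif "=" in line:
            key, _, value = line.partition("=")
            share[key.strip().lower()] = value.strip()
    return share

def audit(share):
    """Return findings for settings weaker than the documented defaults."""
    findings = []
    if share["anonymous"]:
        findings.append("anonymous access allowed (uid=%s gid=%s)"
                        % (share.get("anonymous uid"), share.get("anonymous gid")))
    for h in share["hosts"]:
        if h["root"] == "Allowed":
            findings.append("root access allowed for %s" % h["host"])
        if h["host"] == "ALL MACHINES" and h["access"] == "read-write":
            findings.append("read-write for ALL MACHINES")
    return findings
```

Feed it the captured output of "nfsshare <share>" for each share and
review any share for which audit() returns a non-empty list.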