Sharing AIX NFS shares in Windows 2008 R2/2012

Recently I had the pleasure of setting up NFS on Windows 2008 R2, with an AIX 7.1 share. Simple you may think? Well, yes, if you know what you’re doing. If you’ve never done it before then it can be confusing. In the older versions of Windows it was simple. Create a share in AIX, map the username of the owner of the share to a chosen Windows user using the User Name Mapping tool in Windows Services for Network File System and it works! Simple! Well, things have changed somewhat in Server 2008 R2. The concept hasn’t changed, but the method has.

The first part, creating the share in AIX, is simple. However, when you install the NFS services on the Windows client, it’s not as simple. The services are split up, which is easy to see, but when you open the GUI for Services for NFS, the option to configure user name maps has been removed. So, where is it? Well, Microsoft have made it so that, if you are setting this up only on individual systems, you can use the same password and group files as before, but now you simply put them somewhere in your System32 directory structure. This is slightly more awkward, as you now must read a manual to know that, instead of working your way through things logically. Anyway, since this is a domain, and we want to set this up elsewhere in the future, there’s no sense in doing this, so we can now use Active Directory.

To set things up in AD, you first need to install the software to handle it. This is akin to installing User Name Mapping, except it’s not called that any more. Back to Microsoft docs, and we find that we need to use “Identity Management for UNIX”. However, to install this you can’t simply go to Server Manager and select it as a feature or a role (as I found out after a lot of wasted time searching!). That would be too simple for Microsoft. You can only install this particular feature using CMD or PowerShell and one of two different executables! More detail was found here, after some digging:

Once this is installed, you need to create a user map. Back to Microsoft docs again, and we find that in AD you need to create a new user with, or modify an existing user to have, the same GID and UID as the UNIX user that you wish to connect to in AIX. This is not so difficult, but I must say it is easier to do from the command line, once you can figure out the format of the command. Once this is done you’d think it’d work? Well, not necessarily. You must make sure the authentication method is the same as configured in AIX, else you get issues with sporadic connectivity.
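The mapping step above, as an added example that is not from the original post: it reads the UID and GID from the AIX user's `/etc/passwd` entry, refuses a UID that another AD account already holds (two accounts sharing a `uidNumber` would look like the same user to the NFS server), then writes and reads back the RFC 2307 attributes `uidNumber` and `gidNumber`. The account name `svc_oraexport` and the passwd line are constructed for illustration, and the ActiveDirectory PowerShell module is assumed to be installed.

```powershell
# Added example, not from the original post.
# Assumptions: ActiveDirectory module available; 'svc_oraexport' is a
# hypothetical AD account; the passwd line below is constructed sample data.
Import-Module ActiveDirectory

function ConvertFrom-PasswdLine {
    param([string]$Line)
    # AIX /etc/passwd fields: name:password:uid:gid:gecos:home:shell
    $f = $Line.Split(':')
    if ($f.Length -ne 7) { throw "Expected 7 colon-separated fields, got $($f.Length)" }
    New-Object PSObject -Property @{ Name = $f[0]; Uid = [int]$f[2]; Gid = [int]$f[3] }
}

function Set-UnixIdentity {
    param([string]$SamAccountName, [int]$Uid, [int]$Gid)

    # UID 0 is root on the AIX side; never hand that identity to a Windows account.
    if ($Uid -eq 0) { throw "Refusing to map $SamAccountName to UID 0 (root)" }

    # Look for any other AD account that already carries this uidNumber.
    $clash = @(Get-ADUser -LDAPFilter "(uidNumber=$Uid)" |
        Where-Object { $_.SamAccountName -ne $SamAccountName })
    if ($clash.Length -gt 0) {
        $names = ($clash | ForEach-Object { $_.SamAccountName }) -join ', '
        throw "uidNumber $Uid is already assigned to: $names"
    }

    # Write the UNIX identity onto the AD account.
    Set-ADUser -Identity $SamAccountName -Replace @{ uidNumber = $Uid; gidNumber = $Gid }

    # Read the attributes back so the result can be compared with AIX.
    Get-ADUser -Identity $SamAccountName -Properties uidNumber, gidNumber |
        Select-Object SamAccountName, uidNumber, gidNumber
}

# Constructed sample: the share owner's entry as it might appear in /etc/passwd on AIX.
$aixLine = 'oraexp:!:205:203:Oracle export owner:/home/oraexp:/usr/bin/ksh'
$unix = ConvertFrom-PasswdLine -Line $aixLine
Set-UnixIdentity -SamAccountName 'svc_oraexport' -Uid $unix.Uid -Gid $unix.Gid
```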

Another catch was that we can now mount and write to the share, but Oracle can’t! As we are running an export, the services running Oracle must also run as the user that has access to the share, else Data Pump will complain that it can’t write to it. This can be disruptive in a production environment, but luckily for us this was not one, so we could make this change quickly.

So, after a roller coaster of emotion, many cups of tea and biscuits, I finally got this working. I hope this is helpful to someone, and if you need to see more detail on this then please get in touch for the write-up, which contains much more detail.

Tom Moore

