I have an NFS share exported from a CentOS 7.9 VM and mounted on a Windows 10 PC. The share is accessible from Windows, but directories whose permissions are set not readable by the user but readable by one of the groups of which the user is a member (such as the MOE directory in the image below) yield a Permission Denied error when attempting to access them from Windows.
Windows Environment (Client)
I'm using Active Directory to map Windows users to their corresponding Unix UID (via the uidNumber attribute). Likewise, the groups have been mirrored between the Linux environment and Active Directory, with the GIDs set in the gidNumber attribute in AD. On the Windows machine, I have run nfsadmin mapping my_pc_name -u my_admin_account config ADLookup=yes ADDomain=my.ad.domain (suggested here).
Linux Environment (Server)
On the Linux side, I'm using nfs-utils with rpc.mountd running with --manage-gids (as per Kyle's post). This appears to be successfully querying Active Directory for groups when the Windows 10 user mounts the share (/proc/net/rpc/auth.unix.gid/content updates with the user's UID from AD and all correct associated group GIDs when the NFS share is accessed, as shown below).
Here's the exports file:
Notably, other Linux VMs joined to the AD domain can mount the NFS share (with NFSv3) and users have no problems accessing any directories restricted to their groups.
Here's one such fstab file:
Investigation
Wireshark reveals that the nfsadmin command successfully made Windows start querying for the UID and primary GID upon mounting the share. However, I don't see any indication that it queries for other groups. I would think this wouldn't matter, since the --manage-gids flag is forcing this to be handled on the Linux side, anyway. In fact, when trying to access one such problem directory from Windows (i.e., one that is only readable by a group of which the user is a member), Wireshark shows that the Linux NFS server returns the requested information with Status: NFS3_OK (0). This is in contrast to the Status: NFS3ERR_ACCES (13) returned when trying to access a directory readable solely by someone else.
So I get the impression Windows is doing its own permissions vetting and ignoring the OK status given by the server. This wouldn't be a problem but for some reason, Windows is not querying for the groups that the user is a member of.
Has anyone run into this problem or have any insight into a cause or a potential solution? The alternative would be to set up a Samba server but, if the Windows NFS client works, it should be simpler for me to maintain. Thanks in advance.
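The hypothesis in the question, that a check made with only the UID and primary GID denies what the server's --manage-gids group list allows, can be tested against the server's own data. The following is an added example, not part of the original post: it parses a constructed sample in the layout of /proc/net/rpc/auth.unix.gid/content and lists the directories where the two checks disagree. The UIDs, GIDs, directory modes and function names are assumptions.

```python
import stat

# Constructed sample in the layout of /proc/net/rpc/auth.unix.gid/content
SAMPLE_CACHE = """#uid cnt: gids...
10001 3: 20001 20010 20020
"""
# Constructed directory metadata: name -> (mode, owner uid, group gid)
SAMPLE_DIRS = {
    "MOE": (0o750, 0, 20010),         # readable only via a supplementary group
    "public": (0o755, 0, 0),          # world-readable
    "other_team": (0o750, 0, 20099),  # group the user is not in
    "home": (0o700, 10001, 20001),    # owned by the user
}

def parse_gid_cache(text):
    """Return {uid: [gids]} from the server's auth.unix.gid cache listing."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # header and comment lines
        head, _, gids = line.partition(":")
        uid, count = head.split()
        parsed = [int(g) for g in gids.split()]
        if len(parsed) != int(count):
            raise ValueError(f"gid count mismatch for uid {uid}")
        table[int(uid)] = parsed
    return table

def can_list(mode, owner, group, uid, gids):
    """POSIX class check (owner, then group, then other) for r+x on a directory."""
    if uid == owner:
        bits = (stat.S_IRUSR, stat.S_IXUSR)
    elif group in gids:
        bits = (stat.S_IRGRP, stat.S_IXGRP)
    else:
        bits = (stat.S_IROTH, stat.S_IXOTH)
    return all(mode & b for b in bits)

def divergent_dirs(dirs, uid, primary_gid, cache):
    """Dirs allowed with the server's group list but denied with the primary GID alone.
    The primary-GID-only check models the poster's hypothesis, not confirmed client behaviour."""
    server_gids = cache.get(uid, [primary_gid])
    return sorted(name for name, (mode, owner, group) in dirs.items()
                  if can_list(mode, owner, group, uid, server_gids)
                  and not can_list(mode, owner, group, uid, [primary_gid]))

if __name__ == "__main__":
    print(divergent_dirs(SAMPLE_DIRS, 10001, 20001, parse_gid_cache(SAMPLE_CACHE)))
```

If the directories this reports on real data are exactly the ones that fail from Windows while the server answers NFS3_OK, that supports the client-side explanation.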