NFS authentication

NFS authenticates client hosts against a list of host names or IP addresses that an administrator creates and stores on the NFS server. If the client's IP address or host name appears in the list, NFS grants the client access to the shared folder.

When an NFS client and server are using Kerberos 5 authentication, the client and server must establish a security context for NFS requests. The security context is a data structure that indicates that the client and server have completed a mutual authentication procedure. If requested, the context also contains the encryption keys that are used for protecting exchanged data. The security context has a lifetime and might need to be refreshed by the client. When Kerberos authentication is the only allowed security method for an exported directory, the NFS client session must be properly authenticated before gaining access to any of the data in that directory.

Unmapped access is still secure because the file system permissions apply. However, unmapped access means that there is no corresponding Windows user, so the user does not appear in the local user database or in Active Directory. Assigning the proper permissions to a user that cannot be found is complicated, and creating mapped access can help resolve that.

By default, the NFS server does not allow anonymous users to access a shared directory. When you share a directory, you can allow anonymous access to the directory, and you can change the default anonymous UID and GID values to the UID and GID of any valid UNIX user and group accounts. If you change the anonymous UID and anonymous GID for a shared resource, the system uses those values when reporting the owner of a file.
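The three controls described above (the host list, Kerberos-only authentication, and anonymous or unmapped access) are all set per share. The following PowerShell is an added example, not part of the original page, that creates a share with those controls hardened and then audits every share on the server for the weaker settings. It assumes the Server for NFS cmdlets (`New-NfsShare`, `Grant-NfsSharePermission`, `Get-NfsShare`, `Get-NfsSharePermission`) are installed, that `C:\Exports\Data` exists, and that the client host name is a placeholder; the object property names checked in the audit are assumptions about the objects those cmdlets return.

```powershell
# Added example (not from the original page). Assumes the NFS-Administration
# cmdlets are present and that C:\Exports\Data already exists.

# Hardened share: Kerberos with privacy (krb5p) is the only allowed security
# method, so a client session must be authenticated before reaching any data;
# anonymous and unmapped access stay off; the share's default permission is
# no-access, and one named client host is then granted read/write explicitly.
New-NfsShare -Name 'data' -Path 'C:\Exports\Data' -Authentication krb5p `
    -EnableAnonymousAccess $false -EnableUnmappedAccess $false -Permission 'no-access'

# Host-list entry (placeholder client name) with root squashing left on.
Grant-NfsSharePermission -Name 'data' -ClientName 'nfsclient01.example.com' `
    -ClientType host -Permission readwrite -AllowRootAccess $false

function Test-NfsShareHardening {
    # Reports, per share, the settings that weaken client authentication:
    # AUTH_SYS (identity rests only on the host list and an unverified UID/GID),
    # anonymous access, unmapped access, and a permissive "All Machines" entry.
    # Property and value names below are assumptions about Get-NfsShare /
    # Get-NfsSharePermission output; adjust them if your server reports others.
    foreach ($share in Get-NfsShare) {
        $findings = @()
        if ($share.Authentication -contains 'sys') {
            $findings += 'AUTH_SYS allowed: only the host list protects this share'
        }
        if ($share.AnonymousAccess) {
            $findings += "Anonymous access on (UID $($share.AnonymousUid), GID $($share.AnonymousGid))"
        }
        if ($share.UnmappedUserAccess) {
            $findings += 'Unmapped access on: no Windows account corresponds to the UID'
        }
        foreach ($perm in Get-NfsSharePermission -Name $share.Name) {
            if ($perm.ClientType -eq 'builtin' -and $perm.Permission -ne 'no-access') {
                $findings += "Built-in entry '$($perm.ClientName)' grants $($perm.Permission)"
            }
            if ($perm.AllowRootAccess) {
                $findings += "Root access allowed for '$($perm.ClientName)'"
            }
        }
        [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Findings = $findings }
    }
}

# Shares with an empty Findings list match the hardened configuration above.
Test-NfsShareHardening | Where-Object { $_.Findings.Count -gt 0 } | Format-List
```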