Supports file or directory Access Control Lists (ACLs)
No
Yes. Supports up to 50 Access Control Entries (ACEs) per list.
Groups support
Up to 16 groups
Unlimited groups support when connected to Managed Microsoft AD.
Security setting
sys. Creates a trust channel.
sys. Creates a trust channel. krb5. Authenticates the client and server. krb5i. Provides authentication and message integrity checks.krb5p. Provides authentication, message integrity checks, and in-transit data encryption.
Operations latency
None
Operations latency increases with the security level selected.
Recovery type
Stateless
Stateful
File locking type
Network Lock Manager (NLM). The lock is controlled by the client.
Lease-based advisory locking. The lock is controlled by the server.
The NFSv3 protocol offers quick setup for standard POSIX access.
NFSv3 limitations
The following is a list of NFSv3 limitations:
Lacks client and server authentication and encryption.
Lacks client failure handling.
Benefits of NFSv4.1
The NFSv4.1 protocol uses the RPCSEC_GSS Authentication
method, which is implemented using LDAP
and Kerberos to provide client
and server authentication, message integrity checks, and in-transit data
encryption.
These security capabilities make the NFSv4.1 protocol compatible with modern
network security compliance requirements:
Uses a single server port, 2049, for all communication, helping simplify
firewall configurations.
Supports NFSv4.1 file access control lists (ACLs).
Each ACL supports up to 50 access control entries (ACEs) per file or
directory. This includes inheritance records.
Unlimited groups support when using Managed Microsoft AD integration.
Supports better client failure handling with lease-based advisory locking.
The client must verify continued connection with the server. If the client
doesn't renew the lease, the server releases the lock and the file becomes
available to any other client requesting access through a lock lease.
In NFSv3, if a client is deleted while under lock, the file can't be
accessed by another client, such as a new GKE node.
Supports stateful recovery.
Unlike NFSv3, NFSv4.1 is a TCP- and connection-based stateful protocol.
The state of the client and server in the previous session can be resumed
after recovery.
Automates unique identifier (UID) and globally unique identifier (GUID) user
mapping.
Users and groups can be created in or migrated to Managed Microsoft AD.
Administrators can create a domain trust with the current on-premises,
self-managed, Active Directory (AD) and LDAP domain. With this option,
migration is not necessary.
Provides an SLA.
Access control and additional behaviors
Filestore NFSv4.1 ACEs are managed on Linux using the following
commands:
nfs4_setfacl: Create or
edit ACEs on a file or directory.
nfs4_getfacl: List the
ACEs on a file or directory.
Each ACL supports up to 50 ACEs. Six entries are reserved for autogenerated
ACEs created by client chmod operations. These ACEs can be modified after
creation.
The autogenerated ACE records representing the mode bits are listed in the
following order of priority:
DENY and ALLOW ACEs for the OWNER@
DENY and ALLOW ACEs for the GROUP@
DENY and ALLOW ACEs for EVERYONE@
If such ACEs are already present, they will be re-used and modified
according to the new applied mode bits.
Filestore NFSv4.1 supports checking the required access only in
POSIX mode RWX (read, write, and execute). It won't differentiate between
write append and write operations that modify the content or SETATTR
specification. The nfs4_setfacl utility also accepts RWX as a shortcut and
automatically turns on all the appropriate flags.
The nfs4_getfacl doesn't do any translation of the principal on its own. The
nfs4_getfacl utility will show the numeric UID and GUID for the
principals. As a result, the special principals of OWNER@, GROUP@, and
EVERYONE@ will be shown.
Regardless of whether using Managed Microsoft AD, when working with
AUTH-SYS and the nfs4_setfacl utility, administrators must specify the
numeric UID and GUID, not user names. This utility isn't able to
translate names to these values. If not provided correctly, the
Filestore instance will default to the nobody ID.
When specifying write permissions for a file, or even files affected by
an inherited ACE, the ACE must include both the w (write) and a (append)
flags.
When checking permissions for SETATTR, the returned response is similar to
POSIX in the following way:
The superuser or ROOT user can do anything.
Only the file owner can set the mode bits, ACLs, and time stamps to a
specific time and group, such as one of the GUIDs it belongs to.
Users other than the file owner may view the attributes, including the ACL.
A single ACE encompasses both effective and inherit-only permissions. Contrary
to other NFSv4.1 implementations, Filestore won't automatically
replicate inherited ACES for the purpose of distinguishing between effective
and inherit-only ACEs.
NFSv4.1 limitations
The following is a list of NFSv4.1 limitations:
The NFSv4.1 protocol can't be combined with the following features:
The NFSv4.1 protocol doesn't support AUDIT and ALARM ACEs. Filestore
doesn't support data access auditing.
Once configured, don't delete Managed Microsoft AD and network peering.
Doing so causes the Filestore share to be inaccessible while mounted
on a client, making your data inaccessible. Google Cloud is not
liable for outages caused by administrator or user actions.
When using any of the authenticated Kerberos security settings, users can
expect some operations latency. Latency rates vary by the service tier and
security setting specified. Latency increases with each increasing security
level.
Data access auditing is not supported.
The Filestore NFSv4.1 solution uses RPCSEC_GSS Authentication, which is implemented using LDAP and Kerberos, both available in Managed Microsoft AD. Filestore NFSv4.1 can also be used without any authentication mechanisms, similarly to NFSv3.
Other authentication mechanisms are not supported.
If you want a Filestore instance to join Managed Microsoft AD
through a Shared VPC, you must use gcloud or the Filestore
API. You can't join the instance to Managed Microsoft AD using the
Google Cloud console.
The Managed Microsoft AD domain name must not exceed 56 characters.
To create an enterprise instance, you must run operations
directly through the Filestore API. For more information, see
Service tiers.
When restoring a backup, the new instance must use the same protocol as the
source instance.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["\u003cp\u003eFilestore supports two primary file system protocols: NFSv3, which offers quick setup for standard POSIX access, and NFSv4.1, which provides enhanced security and compatibility with modern network configurations.\u003c/p\u003e\n"],["\u003cp\u003eNFSv4.1 requires RPCSEC_GSS authentication, leveraging LDAP and Kerberos for client and server authentication, message integrity checks, and in-transit data encryption, and is best suited for environments with strict security needs.\u003c/p\u003e\n"],["\u003cp\u003eNFSv3 is available in all service tiers and offers bidirectional communication, while NFSv4.1 is available in zonal, regional, and enterprise tiers and uses a single server port for communication, simplifying firewall management.\u003c/p\u003e\n"],["\u003cp\u003eNFSv4.1 supports file access control lists (ACLs) with up to 50 entries per list, along with unlimited group support when integrated with Managed Microsoft AD, which is the recommended solution for managing LDAP and Kerberos for NFSv4.1.\u003c/p\u003e\n"],["\u003cp\u003eWhile offering security advantages, NFSv4.1 has limitations, including increased operational latency with higher security levels, the inability to use it with the Filestore GKE CSI driver or multishares for GKE, and the lack of data access auditing.\u003c/p\u003e\n"]]],[],null,["# About supported file system protocols\n\nFilestore supports the following file system protocols:\n\nNFSv3\n\n- Available in all service tiers.\n- Supports bidirectional communication between the client and server.\n - Uses multiple ports.\n - Creates a trust channel for network traffic and operations.\n- Offers quick setup for standard POSIX access.\n\nNFSv4.1\n\n- Available in [zonal, regional, and\n enterprise service tiers](/filestore/docs/service-tiers).\n- Compatible with modern firewall configurations and supports network security compliance requirements.\n - Communication is always initiated by the client and always served through a single server port, `2049`.\n - Supports client and server authentication.\n - Requires [RPCSEC_GSS Authentication](https://docs.kernel.org/filesystems/nfs/rpc-server-gss.html) which is implemented using [LDAP](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol) and [Kerberos](https://web.mit.edu/kerberos/krb5-latest/doc/), both available in [Managed Service for Microsoft Active Directory](/managed-microsoft-ad/docs/overview).\n - Supports LDAP and Kerberos for authentication (`krb5`), message integrity checks (`krb5i`), and in-transit data encryption (`krb5p`).\n - Offers NFSv4.1 file ACL support for the client and server.\n\nEach protocol is best suited to specific use cases. The following table compares\nthe specifications of each protocol:\n\nBenefits of NFSv3\n-----------------\n\nThe NFSv3 protocol offers quick setup for standard POSIX access.\n\n### NFSv3 limitations\n\nThe following is a list of NFSv3 limitations:\n\n- Lacks client and server authentication and encryption.\n- Lacks client failure handling.\n\nBenefits of NFSv4.1\n-------------------\n\nThe NFSv4.1 protocol uses the [RPCSEC_GSS Authentication](https://docs.kernel.org/filesystems/nfs/rpc-server-gss.html)\nmethod, which is implemented using [LDAP](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol)\nand [Kerberos](https://web.mit.edu/kerberos/krb5-latest/doc/) to provide client\nand server authentication, message integrity checks, and in-transit data\nencryption.\n\nThese security capabilities make the NFSv4.1 protocol compatible with modern\nnetwork security compliance requirements:\n\n- Uses a single server port, `2049`, for all communication, helping simplify\n firewall configurations.\n\n- Supports NFSv4.1 file access control lists (ACLs).\n\n - Each ACL supports up to 50 access control entries (ACEs) per file or directory. This includes inheritance records.\n- Unlimited groups support when using Managed Microsoft AD integration.\n\n- Supports better client failure handling with lease-based advisory locking.\n\n - The client must verify continued connection with the server. If the client doesn't renew the lease, the server releases the lock and the file becomes available to any other client requesting access through a lock lease. In NFSv3, if a client is deleted while under lock, the file can't be accessed by another client, such as a new GKE node.\n- Supports stateful recovery.\n\n - Unlike NFSv3, NFSv4.1 is a TCP- and connection-based stateful protocol. The state of the client and server in the previous session can be resumed after recovery.\n\n### Managed Service for Microsoft Active Directory\n\nWhile [Managed Service for Microsoft Active Directory (Managed Microsoft AD)](/security/products/managed-microsoft-ad/docs/overview)\nis not a strict requirement, it is the only Google Cloud-managed solution to\nsupport both LDAP and Kerberos, both of which are requirements for the\nFilestore NFSv4.1 protocol.\n\nAdministrators are strongly encouraged to use\n[Managed Service for Microsoft Active Directory (Managed Microsoft AD)](/security/products/managed-microsoft-ad/docs/overview)\nto implement and manage LDAP and Kerberos.\n\nAs a Google Cloud-managed solution, Managed Microsoft AD provides the\nfollowing benefits:\n\n- Offers multiregion deployment, supporting up to five regions on the same domain.\n\n - Reduces latency by ensuring users and their respective login servers are in closer proximity.\n- Supports [POSIX RFC 2307](https://www.rfc-editor.org/rfc/rfc2307.txt) and\n [RFC 2307bis](https://datatracker.ietf.org/doc/html/draft-howard-rfc2307bis-01),\n requirements for NFSv4.1 implementation.\n\n- Automates unique identifier (UID) and globally unique identifier (GUID) user\n mapping.\n\n- Users and groups can be created in or migrated to Managed Microsoft AD.\n\n- Administrators can create a domain trust with the current on-premises,\n self-managed, Active Directory (AD) and LDAP domain. With this option,\n migration is not necessary.\n\n- Provides an SLA.\n\n### Access control and additional behaviors\n\n- Filestore NFSv4.1 ACEs are managed on Linux using the following\n commands:\n\n - [**`nfs4_setfacl`**](https://linux.die.net/man/1/nfs4_setfacl): Create or edit ACEs on a file or directory.\n - [**`nfs4_getfacl`**](https://linux.die.net/man/1/nfs4_getfacl): List the ACEs on a file or directory.\n- Each ACL supports up to 50 ACEs. Six entries are reserved for autogenerated\n ACEs created by client `chmod` operations. These ACEs can be modified after\n creation.\n\n The autogenerated ACE records representing the mode bits are listed in the\n following order of priority:\n - `DENY and ALLOW ACEs` for the `OWNER@`\n - `DENY and ALLOW ACEs` for the `GROUP@`\n - `DENY and ALLOW ACEs` for `EVERYONE@`\n\n If such ACEs are already present, they will be re-used and modified\n according to the new applied mode bits.\n- Filestore NFSv4.1 supports checking the required access only in\n POSIX mode `RWX` (read, write, and execute). It won't differentiate between\n `write append` and `write` operations that modify the content or `SETATTR`\n specification. The `nfs4_setfacl` utility also accepts `RWX` as a shortcut and\n automatically turns on all the appropriate flags.\n\n- The `nfs4_getfacl` doesn't do any translation of the principal on its own. The\n `nfs4_getfacl` utility will show the numeric `UID` and `GUID` for the\n principals. As a result, the special principals of `OWNER@`, `GROUP@`, and\n `EVERYONE@` will be shown.\n\n- Regardless of whether using Managed Microsoft AD, when working with\n `AUTH-SYS` and the `nfs4_setfacl` utility, administrators must specify the\n numeric `UID` and `GUID`, not user names. This utility isn't able to\n translate names to these values. If not provided correctly, the\n Filestore instance will default to the `nobody` ID.\n\n- When specifying write permissions for a file, or even files affected by\n an inherited ACE, the ACE must include both the `w` (write) and `a` (append)\n flags.\n\n- When checking permissions for `SETATTR`, the returned response is similar to\n `POSIX` in the following way:\n\n - The superuser or `ROOT` user can do anything.\n - Only the file owner can set the mode bits, ACLs, and time stamps to a specific time and group, such as one of the `GUID`s it belongs to.\n - Users other than the file owner may view the attributes, including the ACL.\n- A single ACE encompasses both effective and inherit-only permissions. Contrary\n to other NFSv4.1 implementations, Filestore won't automatically\n replicate inherited ACES for the purpose of distinguishing between effective\n and inherit-only ACEs.\n\n### NFSv4.1 limitations\n\nThe following is a list of NFSv4.1 limitations:\n\n- The NFSv4.1 protocol can't be combined with the following features:\n\n - [Filestore GKE CSI driver](/filestore/docs/filestore-for-gke#csi-driver)\n - [Filestore multishares for GKE](/filestore/docs/multishares)\n- The NFSv4.1 protocol doesn't support `AUDIT and ALARM ACEs`. Filestore\n doesn't support data access auditing.\n\n- Once configured, don't delete Managed Microsoft AD and network peering.\n Doing so causes the Filestore share to be inaccessible while mounted\n on a client, making your data inaccessible. Google Cloud is not\n liable for outages caused by administrator or user actions.\n\n- When using any of the authenticated Kerberos security settings, users can\n expect some operations latency. Latency rates vary by the service tier and\n security setting specified. Latency increases with each increasing security\n level.\n\n- Data access auditing is not supported.\n\n- The Filestore NFSv4.1 solution uses [RPCSEC_GSS Authentication](https://docs.kernel.org/filesystems/nfs/rpc-server-gss.html), which is implemented using [LDAP](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol) and [Kerberos](https://web.mit.edu/kerberos/krb5-latest/doc/), both available in [Managed Microsoft AD](/security/products/managed-microsoft-ad/docs/overview). Filestore NFSv4.1 can also be used without any authentication mechanisms, similarly to NFSv3.\n Other authentication mechanisms are not supported.\n\n- If you want a Filestore instance to join Managed Microsoft AD\n through a Shared VPC, you must use `gcloud` or the Filestore\n API. You can't join the instance to Managed Microsoft AD using the\n Google Cloud console.\n\n- The Managed Microsoft AD domain name must not exceed 56 characters.\n\n- To create an enterprise instance, you must run operations\n directly through the Filestore API. For more information, see\n [Service tiers](/filestore/docs/service-tiers#legacy-tiers).\n\n- When restoring a backup, the new instance must use the same protocol as the\n source instance.\n\nWhat's next\n-----------\n\n- [Configure the NFSv4.1 protocol](/filestore/docs/configure-nfsv4)"]]
