NFSv4Howto

Differences between revisions 5 and 6
Revision 5 as of 2006-06-04 17:30:48
Size: 6103
Editor: wsip-68-15-230-31
Comment: added comment to Installation section that NFSv4 is in dapper
Revision 6 as of 2006-06-11 14:11:40
Size: 6064
Editor: wsip-68-15-230-31
Comment: cleanup menu and correct install instructions
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
[[TableOfContents]] ||<tablestyle="float:right; font-size: 0.9em; width:40%; background:#F1F1ED; margin: 0 0 1em 1em;" style="padding:0.5em;">'''Contents'''[[BR]][[TableOfContents(3)]]||
Line 4: Line 4:

attachment:IconsPage/IconWarning3.png Ubuntu Dapper has support for NFSv4. You can install the packages described below without modifying your sources.list. (added 4 Jun 06)

NFSv4 is not included in Ubuntu or Debian at this time. You have
to get your packages from ''unofficial'' sources.

Follow the instructions in ["NFSv4"] and edit your {{{sources.list}}}
accordingly. To install the packages enter:
The required packages are different depending on if the system is a client or a server. In this Howto, the server is the host that has the files you want to share and the client is the host the will be mounting the NFS share.
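Review bot: The added sentence in the "Line 4" hunk has a typo: "the client is the host the will be mounting the NFS share" should read "the host that will be mounting", and "depending on if" reads better as "depending on whether". The hunk also carries both the Dapper support note and the "NFSv4 is not included in Ubuntu or Debian at this time" paragraph; if this revision drops both, the Installation section no longer says which release ships the packages, so consider keeping a one-line statement of that.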

Installation

The required packages differ depending on whether the system is a client or a server. In this Howto, the server is the host that has the files you want to share and the client is the host that will be mounting the NFS share.

  • NFSv4 client
    # apt-get install nfs-common 
  • NFSv4 server
    # apt-get install nfs-kernel-server 

NFSv4 without Kerberos

NFSv4 Server

NFSv4 exports exist in a single pseudo filesystem, where the real directories are mounted with the --bind option.

  • Let's say we want to export our user homedirs in /home/users. First we create the export filesystem:
    # mkdir /export
    # mkdir /export/users
  • and mount the real users directory with:
    # mount --bind /home/users /export/users
    To save us from retyping this after every reboot we add the following line to /etc/fstab:
    /home/users    /export/users   none    bind  0  0
  • In /etc/default/nfs-kernel-server we set:

    NEED_SVCGSSD=no 
    because we do not activate NFSv4 security this time.
  • In /etc/default/nfs-common we set:

    NEED_IDMAPD=yes
    NEED_GSSD=no 
  • To export our directories to a local network 192.168.1.0/24 we add the following two lines to /etc/exports:

    /export       192.168.1.0/24(ro,fsid=0,insecure, \
      no_subtree_check,async,anonuid=65534,anongid=65534)
    /export/users 192.168.1.0/24(rw,nohide,insecure, \
      no_subtree_check,async,anonuid=65534,anongid=65534) 

NFSv4 Client

  • On the client we can mount the complete export tree with one command:
    # mount -t nfs4 -o proto=tcp,port=2049 nfs-server:/ /mnt
  • We can also mount an exported subtree with:
    # mount -t nfs4 -o proto=tcp,port=2049 nfs-server:/users /home/users

NFSv4 with Kerberos

You need a working Kerberos (MIT or Heimdal) KDC (Key Distribution Center) before continuing. On the nfs-server and nfs-clients you must use MIT krb5 for now.

When extracting the key to a keytab file and when configuring krb5 in /etc/krb5.conf, it is necessary to specify des-cbc-crc, because this is the only encryption type the kernel supports at the moment.

  • On the nfs-server and nfs-client you need at least krb5-user, and optionally libpam-krb5 if you wish to authenticate against krb5.
    # apt-get install krb5-user
    # apt-get install libpam-krb5
  • Specify des-cbc-crc in /etc/krb5.conf on nfs-servers and nfs-clients.
    [libdefaults]
        default_tgs_enctypes = des-cbc-crc
        default_tkt_enctypes = des-cbc-crc
  • You need the gss kernel modules on nfs-servers and nfs-clients.
    # modprobe rpcsec_gss_krb5 

    Add rpcsec_gss_krb5 to /etc/modules to have it loaded automatically.

Create and distribute credentials

NFSv4 needs machine credentials for the server and for every client that wants to use the NFSv4 security features.

Create the credentials for the nfs-server and all nfs-clients on the Kerberos KDC and distribute the extracted keys with scp to the destination.

Heimdal

# kinit kadmin/admin

# kadmin add -r nfs/nfs-server.domain
# ktutil -k /root/keytab.nfs-server get -e des-cbc-crc nfs/nfs-server.domain
# scp -p /root/keytab.nfs-server nfs-server:/etc/krb5.keytab

# kadmin add -r nfs/nfs-client.domain
# ktutil -k /root/keytab.nfs-client get -e des-cbc-crc nfs/nfs-client.domain
# scp -p /root/keytab.nfs-client nfs-client:/etc/krb5.keytab

# kdestroy

NFSv4 Server

  • Check your machine credentials in /etc/krb5.keytab
    # ktutil
    ktutil: rkt /etc/krb5.keytab
    ktutil: list
    slot KVNO Principal
       1    2 nfs/nfs-server.domain@DOMAIN

  • In /etc/default/nfs-kernel-server we set:

    NEED_SVCGSSD=yes 
  • In /etc/default/nfs-common we set:

    NEED_IDMAPD=yes 
  • To export our directories from the example above to a local network 192.168.1.0/24 and addt

    we add the following two lines to /etc/exports

    /export       192.168.1.0/24(ro,fsid=0,insecure, \
      no_subtree_check,async,anonuid=65534,anongid=65534)
    /export       gss/krb5(ro,fsid=0,insecure, \
      no_subtree_check,async,anonuid=65534,anongid=65534)
    /export/users 192.168.1.0/24(rw,nohide,insecure, \
      no_subtree_check,async,anonuid=65534,anongid=65534)
    /export/users gss/krb5(rw,nohide,insecure, \
      no_subtree_check,async,anonuid=65534,anongid=65534) 

Please note that you can specify allowed hosts only for the any authentication flavor. gss/krb5 flavours are accessible from anywhere if you do not use additional firewall rules.

To export only with secure authentication flavors, do not include a host(...) line in /etc/exports.

To display your exports enter:

# exportfs -v 
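
An added example (not part of the original Howto): a shell audit of an exports file in the layout used above, reporting for each entry whether clients are admitted by source address alone or by Kerberos from any address, and which paths still have an address-only line. The function names and the constructed sample are assumptions of this example, and it only recognises the gss/krb5 client syntax used on this page.

```shell
#!/bin/sh
# Added example: one output line per (path, client):
#   <path> <client> <admission> <flags>
audit_exports() {
    awk '
    /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; next }  # join "\" continuations
    { line = buf $0; buf = "" }
    line ~ /^[ \t]*(#|$)/ { next }                             # skip comments and blanks
    {
        # Drop whitespace inside (...) so a wrapped option list is one token.
        out = ""; depth = 0
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (c == "(") depth++
            if (c == ")") depth--
            if (depth > 0 && (c == " " || c == "\t")) continue
            out = out c
        }
        $0 = out
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index(client, "(")
            if (p) {
                opts = substr(client, p + 1); sub(/\).*$/, "", opts)
                client = substr(client, 1, p - 1)
            }
            # gss/krb5* is open to any address holding a valid ticket;
            # every other client is admitted by source address alone.
            admit = (client ~ /^gss\//) ? "kerberos-any-address" : "address-only"
            # insecure accepts unprivileged source ports; async replies before commit.
            flags = ""
            if (("," opts ",") ~ /,insecure,/) flags = flags "insecure,"
            if (("," opts ",") ~ /,async,/) flags = flags "async,"
            sub(/,$/, "", flags); if (flags == "") flags = "-"
            print $1, client, admit, flags
        }
    }' "$1"
}

# Paths that still have an address-only line, i.e. reachable without Kerberos.
address_only_paths() {
    audit_exports "$1" | awk '$3 == "address-only" { print $1 }' | sort -u
}

# Constructed sample in this Howto's layout (not a real server's file).
sample=$(mktemp)
printf '%s\n' '/export 192.168.1.0/24(ro,fsid=0,insecure, \' \
    '  no_subtree_check,async)' '/export gss/krb5(ro,fsid=0)' > "$sample"
audit_exports "$sample"; address_only_paths "$sample"
rm -f "$sample"
```

An empty result from address_only_paths means every export requires a Kerberos flavour, which is the state the paragraph above describes; those exports then depend on firewall rules for any address restriction.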

NFSv4 Client

  • Check your machine credentials in /etc/krb5.keytab
    # ktutil
    ktutil: rkt /etc/krb5.keytab
    ktutil: list
    slot KVNO Principal
       1    2 nfs/nfs-client.domain@DOMAIN

  • In /etc/default/nfs-common we set:

    NEED_IDMAPD=yes
    NEED_GSSD=yes 
  • We can securely mount the complete export tree with:
    # mount -t nfs4 -o sec=krb5,proto=tcp,port=2049 nfs-server:/ /mnt
  • We can also securely mount an exported subtree with:
    # mount -t nfs4 -o sec=krb5,proto=tcp,port=2049 nfs-server:/users /home/users


NFSv4Howto (last edited 2008-08-06 16:27:51 by localhost)