Nfsv4 configuration

From Linux NFS

(Difference between revisions)

Edit summaries for this revision: "Corrected a few typos." (minor) and "Removed duplicate sections. Added proper sub-sections. Moved Common NFS4 Misunderstandings to the Troubleshooting page."

The section below was part of the previous revision and was removed in this one (the edit summary says it was moved to the Troubleshooting page). It is reproduced here, cleaned up, because the revision diff on this page is the only place its text survives; the rest of the diff merely duplicates the revision text further down and is omitted.

Common NFS4 misunderstandings (previous revision)

Here are some distribution specific guidelines which have been tested on openSUSE and Ubuntu. They attempt to clarify the installation of secure NFS4 on Linux systems.

Source: Steve Sheriff, steve.lcb@gmail.com

Please note that I am not a Linux expert and that I do not usually use English in my day to day life.

These notes were written after I faced the task of installing secure NFS4 for a heterogeneous LAN of openSUSE, Ubuntu and Windows clients under a Samba 4 Active Directory PDC. This was tested and reproduced on budget hardware; the largest cost for any single component of the LAN was the licence to activate Windows 7 Professional, needed to join Microsoft clients to AD.

I have written this in an attempt to encourage all of us who find ourselves in similar administrative roles to maintain a centralised deposit of correct information, written in plain English, on modern Linux distributions. I also hope that it will serve to dispel many of the myths I read during the installation and save the countless forays I made into uncharted territory.

Misunderstanding: NFS4 must be exported from an fsid=0 pseudo root directory.

E.g. I am exporting the /home directory to the clients. The /etc/exports file could be either of these examples.

Example 1. Not the way to do it unless you have old distros. /home is bind mounted to /exports, which has been chmod'ed 1777.

/etc/exports

/export  gss/krb5(rw,fsid=0,insecure,no_subtree_check,crossmnt)
/export/home gss/krb5(rw,insecure,no_subtree_check)
/export  gss/krb5i(rw,fsid=0,insecure,no_subtree_check,crossmnt)
/export/home gss/krb5i(rw,insecure,no_subtree_check)
/export  gss/krb5(rw,fsid=0,insecure,no_subtree_check,crossmnt)
/export/home gss/krb5(rw,insecure,no_subtree_check)
/export  *(rw,fsid=0,insecure,no_subtree_check)
/export *(rw,nohide,insecure,no_subtree_check)

Example 2. The modern way: simply use the familiar nfs3 export method, which gives the same choice of security in one go (a choice of 5 flavours for mounting on the client).

/etc/exports

/home *(rw,sec=none:sys:krb5:krb5i:krb5p,no_subtree_check)

Please see the comment in the "Exporting directories" section below which begins "The linux implementation allows you...".

Misunderstanding: You must use the nohide option for the bind mount to be visible on the client.

You can use crossmnt on the pseudoroot or nohide on the bind mount, or neither and simply use the conventional nfs3 syntax for /etc/exports as described above.

Misunderstanding: NFS4 can only use weak DES cryptography.

E.g. you have been told that NFS4 can only use weak DES cryptography and so you need the lines

[libdefaults]
allow_weak_crypto = true

added to /etc/krb5.conf. Not needed. Tested using arcfour-hmac-md5 with kernels 3.1.9-1.4-desktop with nfs-client-1.2.5-4.3.1 (openSUSE 12.1) and 3.0.0-16-default (Ubuntu 11.10).

Misunderstanding: The NFS4 server needs only the nfs/fqdn@REALM principal in its keytab.

No. It needs the machine principal too. One article suggested including only the nfs principal, but rpc.gssd will not allow you to make a test mount on the server (e.g. to test by mounting to /mnt) unless the machine principal is in the keytab along with the nfs principal. Yeah, think about it.

Misunderstanding: The client must have a nfs/client.domain principal.

No. It doesn't need to have one. From man rpc.gssd(8):

"Previous versions of rpc.gssd used only "nfs/*" keys found within the keytab. To be more consistent with other implementations, we now look for specific keytab entries. The search order for keytabs to be used for "machine credentials" is now:"

<HOSTNAME>$@<REALM>
root/<hostname>@<REALM>
nfs/<hostname>@<REALM>
host/<hostname>@<REALM>
root/<anyname>@<REALM>
nfs/<anyname>@<REALM>
host/<anyname>@<REALM>

Collaborate?

It would be great if we could gather together our experiences on NFS4 installation and centralise them here. Particularly helpful would be distribution specific contributions with working examples. My suggestion would be one page per distribution.

Revision as of 16:10, 8 June 2017

from CITI documentation.


NFSv4 configuration

Base configuration

This section may be skipped on most recent distributions; if so, skip ahead to the sections that follow.

You should have already built and installed the kernel and user utilities and setup krb5.

The following steps need only be done once; they may be skipped on most recent distributions.

Add the following lines to /etc/fstab to mount the rpc_pipefs and nfsd filesystems automatically:

rpc_pipefs	/var/lib/nfs/rpc_pipefs	rpc_pipefs	defaults	0	0
nfsd	/proc/fs/nfsd	nfsd	defaults	0	0

and create the mountpoint for rpc_pipefs, and mount both filesystems:

  • mkdir /var/lib/nfs/rpc_pipefs
  • mount rpc_pipefs
  • mount nfsd

Modify the fstab line for the filesystem you plan to export on the server to add the "acl" option to the mount options.

Create a directory to export on the server:

  • mkdir /export
  • chmod a+rwxt /export

The following steps need to be performed on every boot; this should really be done by init scripts. The necessary init scripts already exist in recent Fedora distributions. See also debian/nfs-common.init and debian/nfs-kernel-server.init in the patched nfs-utils tarball for example init scripts.

On your server, run rpc.mountd, rpc.svcgssd, rpc.idmapd, and rpc.nfsd:

rpc.mountd
rpc.idmapd
rpc.svcgssd
rpc.nfsd 8

(rpc.svcgssd is obsolete as of nfs-utils version 1.0.8-1. Feb 2012: I've added some updates on this below.)

On the client, run rpc.gssd and rpc.idmapd:

rpc.gssd -m
rpc.idmapd

Exporting directories

Export your server directory (in this case, to anyone, using any authentication flavor), by adding the following lines to /etc/exports

/export  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5p(rw,fsid=0,insecure,no_subtree_check)

and then running

exportfs -r

(Note that if your server is connected to the internet the first line will give everyone in the world read and write access to /export and (with a little work) to anything on the same disk partition as /export! See the exports man page for more information.)

To access this export from a client:

Create a mountpoint on your client:

mkdir /mnt/nfs4/

and mount the server:

mount -t nfs4 yourserver:/export /mnt/nfs4/

or, to mount with kerberos,

mount -t nfs4 -o sec=krb5 yourserver:/export /mnt/nfs4/

Play around with the mounted filesystem:

cd /mnt/nfs4/
echo "Hello World!" >FOO
cat FOO
getfacl FOO

etc.

To mount a filesystem using krb5, provide the "-osec=krb5" option to mount. To export a filesystem using krb5, export it to the special client named "gss/krb5". Replace "krb5" by "krb5i" or "krb5p" for integrity or for privacy, respectively. The -osec= options should also work for NFSv3 exports and mounts.

Exporting and mounting can be automated using /etc/fstab and /etc/exports; see the man pages fstab(5) and exports(5).

Technical note: NFSv4 no longer has a separate "mount" protocol. Instead of exporting a number of distinct exports, an NFSv4 client sees the NFSv4 server's exports as existing inside a single filesystem, called the nfsv4 "pseudofilesystem".

The linux implementation allows you to designate a real filesystem as the pseudofilesystem, identifying that export with the fsid=0 option; we no longer recommend this. Instead, on any recent linux distribution, just list exports in /etc/exports exactly as you would for NFSv2 or NFSv3.
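The warning above, that a `*` client entry hands /export to every host able to reach the server, is easy to overlook in a long exports file. The script below is an added example, not part of the wiki page or of nfs-utils: it parses an exports(5) file and flags read-write wildcard entries that do not force a Kerberos flavour (through the gss/krb5* pseudo-client the page exports to, or a sec= list without none or sys). The sample exports file it writes, including the /pub and /srv paths and the 192.168.1.0/24 network, is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the linux-nfs wiki): audit an exports(5) file for the
# pitfall the page warns about, a line such as "/export *(rw,...)" that lets
# every host able to reach the server read and write the export. Each client
# entry is classified; WARN lines mark read-write wildcard entries that do not
# force a Kerberos flavour. All paths and hosts below are constructed samples.

# requires_krb CLIENT OPTS: succeed when this entry forces Kerberos, either
# through the gss/krb5* pseudo-client or a sec= list that excludes none and sys.
requires_krb() {
    client="$1"; opts="$2"
    case "$client" in
        gss/krb5|gss/krb5i|gss/krb5p) return 0 ;;
    esac
    sec=""
    oldifs="$IFS"; IFS=,
    for o in $opts; do
        case "$o" in sec=*) sec="${o#sec=}" ;; esac
    done
    IFS="$oldifs"
    [ -z "$sec" ] && return 1               # exports(5) default is sec=sys
    case ":$sec:" in
        *:none:*|*:sys:*) return 1 ;;       # a non-Kerberos flavour is still offered
    esac
    return 0
}

# audit_exports FILE: print one OK/NOTE/WARN line per client entry.
audit_exports() {
    file="$1"
    set -f                                  # exports lines contain a literal '*'
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                  # drop comments
        set -- $line
        [ $# -lt 1 ] && continue
        path="$1"; shift
        [ $# -eq 0 ] && set -- '*'          # bare path: exported to everyone
        for spec in "$@"; do
            client="${spec%%\(*}"
            opts=""
            case "$spec" in *\(*\)) opts="${spec#*\(}"; opts="${opts%\)}" ;; esac
            if requires_krb "$client" "$opts"; then
                printf 'OK   %s: Kerberos required (%s)\n' "$path" "$spec"
            elif [ "$client" != '*' ] && [ -n "$client" ]; then
                printf 'OK   %s: restricted to %s, no Kerberos (%s)\n' "$path" "$client" "$spec"
            else
                case ",$opts," in
                    *,rw,*) printf 'WARN %s: read-write for any host without Kerberos (%s)\n' "$path" "$spec" ;;
                    *)      printf 'NOTE %s: read-only for any host without Kerberos (%s)\n' "$path" "$spec" ;;
                esac
            fi
        done
    done < "$file"
    set +f
}

# count_world_writable FILE: number of WARN findings, printed on stdout.
count_world_writable() {
    audit_exports "$1" | grep -c '^WARN' || true
}

# write_sample_exports FILE: constructed sample mixing the page's own patterns.
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server's exports file
/export  *(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/home    *(rw,sec=krb5:krb5i:krb5p,no_subtree_check)
/home    *(rw,sec=none:sys:krb5:krb5i:krb5p,no_subtree_check)
/pub     *(ro,no_subtree_check)
/srv     192.168.1.0/24(rw,no_subtree_check)
EOF
}

tmp=$(mktemp)
write_sample_exports "$tmp"
audit_exports "$tmp"
echo "world-writable non-Kerberos entries: $(count_world_writable "$tmp")"
rm -f "$tmp"
```

Run `audit_exports /etc/exports` on a server to get one line per client entry; the WARN lines are exactly the case the note above describes. The script only looks at the client and the sec= and rw options, so other settings such as insecure or no_root_squash still need a manual read of exports(5).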

RPC Processes

1. openSUSE after starting the nfs server

ps aux | grep rpc

root 1231 0.0 0.1 2356 764 ? Ss 08:20 0:00 /sbin/rpcbind

root 3737 0.0 0.0 0 0 ? S< 08:28 0:00 [rpciod]

root 5215 0.0 0.2 3684 1208 ? Ss 09:26 0:00 /usr/sbin/rpc.svcgssd

root 5223 0.0 0.0 2416 344 ? Ss 09:26 0:00 /usr/sbin/rpc.idmapd

root 5227 0.0 0.1 2976 748 ? Ss 09:26 0:00 /usr/sbin/rpc.mountd --no-nfs-version 2 --no-nfs-version 3

(note the lack of gssd)

2. On both openSUSE (after calling rpc.gssd) and Ubuntu with all the necessary processes for successfully exporting the directory with -o sec=krb5<flavour>

ps aux | grep rpc

root 1231 0.0 0.1 2356 764 ? Ss 08:20 0:00 /sbin/rpcbind

root 3737 0.0 0.0 0 0 ? S< 08:28 0:00 [rpciod]

root 5215 0.0 0.2 3684 1208 ? Ss 09:26 0:00 /usr/sbin/rpc.svcgssd

root 5223 0.0 0.0 2416 344 ? Ss 09:26 0:00 /usr/sbin/rpc.idmapd

root 5227 0.0 0.1 2976 748 ? Ss 09:26 0:00 /usr/sbin/rpc.mountd --no-nfs-version 2 --no-nfs-version 3

root 5294 0.0 0.0 3816 428 ? Ss 09:31 0:00 rpc.gssd

NFS Installation details

openSUSE

Packages: zypper in nfs-kernel-server nfs-client nfsidmap limal-nfs-server

Configuration (or use the excellent YaST NFS-Server module):

/etc/sysconfig/nfs

USE_KERNEL_NFSD_NUMBER="4"

MOUNTD_PORT=""

NFS_SECURITY_GSS="yes"

NFS3_SERVER_SUPPORT="no"

NFS4_SUPPORT="yes"

SM_NOTIFY_OPTIONS=""

NFS_START_SERVICES="yes"

STATD_OPTIONS=""

NFSV4LEASETIME=""

RPC_PIPEFS_DIR=""

SVCGSSD_OPTIONS=""

NFSD_OPTIONS=""

Ubuntu

Packages:

apt-get install nfs-common nfs-kernel-server

(You may also need to do a modprobe nfs before starting the nfs server.)

Configuration

/etc/default/nfs-common

NEED_STATD=

STATDOPTS=

NEED_IDMAPD=yes

NEED_GSSD=yes


/etc/default/nfs-kernel-server

RPCNFSDCOUNT=8

RPCNFSDPRIORITY=0

RPCMOUNTDOPTS=--manage-gids

NEED_SVCGSSD=yes

RPCSVCGSSDOPTS=

RPCNFSDOPTS=


Needed on both client and server on both openSUSE and Ubuntu

/etc/idmapd.conf

[General]

Verbosity = 0

Pipefs-Directory = /var/lib/nfs/rpc_pipefs

Domain = hh3.site

(or whatever your domain is)

[Mapping]

Nobody-User = nobody

Nobody-Group = nogroup

Debugging

Run rpc.idmapd -fvvv and rpc.gssd -fvvv in separate terminals. They will tell you in no uncertain terms when you've got it wrong. Please see this screenshot:

http://3.bp.blogspot.com/-PLpbJDP1vCQ/TygMlNU6k8I/AAAAAAAAAGE/lVXsw6iGrS0/s1600/krb5-ubuntu3.png

A Real Life Example

hh3.hh3.site is the nfs server and HH6$@HH3.SITE is the machine principal for the client. On the client, we issue a:

mount -t nfs4 hh3:/foo /bar -o sec=krb5

Here is the log on the KDC:

Kerberos: ENC-TS Pre-authentication succeeded -- HH6$@HH3.SITE using arcfour-hmac-md5

Kerberos: AS-REQ authtime: 2012-02-06T19:44:47 starttime: unset endtime: 2012-02-07T05:44:47 renew till: 2012-02-07T19:44:47

Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, des-cbc-md5, des-cbc-md4, using arcfour-hmac-md5/arcfour-hmac-md5

Kerberos: Requested flags: renewable-ok

Kerberos: TGS-REQ HH6$@HH3.SITE from ipv4:192.168.1.10:45421 for nfs/hh3.hh3.site@HH3.SITE [canonicalize, renewable]

Kerberos: TGS-REQ authtime: 2012-02-06T19:44:47 starttime: 2012-02-06T19:44:47 endtime: 2012-02-07T05:44:47 renew till: 20
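The log above shows the KDC settling on arcfour-hmac-md5 even though the client offered AES enctypes. As an added example (not from the wiki or from any KDC), the script below scans log lines in that format and counts the ones where a legacy enctype was used; it treats DES (deprecated by RFC 6649) and RC4/arcfour and 3DES (deprecated by RFC 8429) as legacy. Its sample log is constructed from the page's lines plus one extra line for a made-up principal HH7$@HH3.SITE.

```shell
#!/bin/sh
# Added example (not from the wiki): scan KDC log lines like the ones above for
# tickets negotiated with legacy enctypes. DES enctypes are deprecated by
# RFC 6649, RC4 (arcfour) and 3DES by RFC 8429, so a defender wants to know
# which principals still negotiate them. The sample log is constructed from the
# page's lines plus one extra AES line for a made-up principal.

# legacy_enctype NAME: succeed when NAME is a deprecated Kerberos enctype.
legacy_enctype() {
    case "$1" in
        des-cbc-*|des3-cbc-*|arcfour-hmac*|rc4-hmac*) return 0 ;;
        *) return 1 ;;
    esac
}

# count_legacy_tickets: read KDC log lines on stdin. For every line that
# records a chosen enctype ("... using <enc>" or "... using <a>/<b>"), report
# on stderr when a legacy enctype was used and print the total on stdout.
count_legacy_tickets() {
    n=0
    set -f
    while IFS= read -r line; do
        case "$line" in *" using "*) ;; *) continue ;; esac
        used="${line##*" using "}"    # text after the last " using "
        used="${used%% *}"            # first word only
        oldifs="$IFS"; IFS=/
        for enc in $used; do          # "session/ticket" pairs split on '/'
            if legacy_enctype "$enc"; then
                printf 'LEGACY %s: %s\n' "$enc" "$line" >&2
                n=$((n + 1))
                break
            fi
        done
        IFS="$oldifs"
    done
    set +f
    echo "$n"
}

# Constructed sample: the page's lines plus a made-up HH7$ principal using AES.
SAMPLE_KDC_LOG='Kerberos: ENC-TS Pre-authentication succeeded -- HH6$@HH3.SITE using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-02-06T19:44:47 starttime: unset endtime: 2012-02-07T05:44:47 renew till: 2012-02-07T19:44:47
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, des-cbc-md5, des-cbc-md4, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: TGS-REQ HH6$@HH3.SITE from ipv4:192.168.1.10:45421 for nfs/hh3.hh3.site@HH3.SITE [canonicalize, renewable]
Kerberos: ENC-TS Pre-authentication succeeded -- HH7$@HH3.SITE using aes256-cts-hmac-sha1-96'

total=$(printf '%s\n' "$SAMPLE_KDC_LOG" | count_legacy_tickets)
echo "legacy-enctype events: $total"
```

Pipe a KDC log through `count_legacy_tickets` to get the findings on stderr and the count on stdout; in the page's log both the pre-authentication and the ticket lines for HH6$ are reported, which points at the enctypes allowed for that machine account and in the server's keytab rather than at NFSv4 itself.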

The nfs server has identified itself, here are the keys in its keytab:

klist -ke /etc/krb5.keytab

Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- ---------
   1 nfs/hh3.hh3.site@HH3.SITE (arcfour-hmac)
   1 HH3$@hh3.site (arcfour-hmac)
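To see which of the keys in a listing like the one above rpc.gssd would actually pick, here is an added example (neither the wiki's nor nfs-utils' code) that reads `klist -ke` output and applies the machine-credential search order documented in rpc.gssd(8): <HOSTNAME>$@<REALM>, then root/, nfs/ and host/ for the host's FQDN, then root/, nfs/ and host/ for any name in the realm. It assumes <HOSTNAME>$ is the upper-cased short host name, and its sample listing is constructed: it mirrors the page's keytab but spells the machine principal's realm as HH3.SITE, since Kerberos compares realm names case-sensitively.

```shell
#!/bin/sh
# Added example (neither the wiki's nor nfs-utils' code): given a keytab listing
# in klist -ke format, pick the principal rpc.gssd(8) would use for machine
# credentials, following the search order its man page documents:
#   <HOSTNAME>$@<REALM>, root/<hostname>@<REALM>, nfs/<hostname>@<REALM>,
#   host/<hostname>@<REALM>, then root/*, nfs/*, host/* in that realm.
# Assumption (from the capitalised placeholder in the man page and the page's
# HH3$/HH6$ entries): <HOSTNAME>$ is the short host name in upper case.
# The keytab listing below is constructed.

# keytab_principals: print the principal column of klist -ke output read on stdin.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }'     # data rows start with the KVNO
}

# machine_cred_principal FQDN REALM < klist-output
# Prints the first principal found in search order; prints nothing and fails
# when none of the seven candidate forms is present in the listing.
machine_cred_principal() {
    fqdn="$1"; realm="$2"
    short="${fqdn%%.*}"
    upper=$(printf '%s' "$short" | tr '[:lower:]' '[:upper:]')
    princs=$(keytab_principals)
    # Exact candidates first, in the documented order.
    for cand in "$upper\$@$realm" "root/$fqdn@$realm" "nfs/$fqdn@$realm" "host/$fqdn@$realm"; do
        for p in $princs; do
            [ "$p" = "$cand" ] && { echo "$p"; return 0; }
        done
    done
    # Then any host name under each service, in the same service order.
    for svc in root nfs host; do
        for p in $princs; do
            case "$p" in "$svc"/*"@$realm") echo "$p"; return 0 ;; esac
        done
    done
    return 1
}

# Constructed listing modelled on the page's server keytab.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/hh3.hh3.site@HH3.SITE (arcfour-hmac)
   1 HH3$@HH3.SITE (arcfour-hmac)'

printf '%s\n' "$SAMPLE_KEYTAB" | machine_cred_principal hh3.hh3.site HH3.SITE
```

Feed it `klist -ke /etc/krb5.keytab` from the host in question together with that host's FQDN and realm. With the sample listing it prints HH3$@HH3.SITE, the machine principal, because that form comes first in the search order; with only the nfs/ entry present it prints that one instead, and an empty result means the keytab holds nothing rpc.gssd would treat as a machine credential.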

Troubleshooting

http://wiki.linux-nfs.org/wiki/index.php?title=Troubleshooting

References

1. This wiki:

http://wiki.linux-nfs.org/wiki/index.php/Nfsv4_configuration

2. man rpc.gssd(8)

http://linux.die.net/man/8/rpc.gssd

3. A hands on practical using modest hardware. Includes screenshots. openSUSE specific.

http://linuxcostablanca.blogspot.com/p/samba-4.html

4. The same as (3) but with Ubuntu specific differences

http://linuxcostablanca.blogspot.com/2012/01/samba-4-ubuntu.html

5. The latest unofficial version of this wiki page. Any new findings, I'll post there.

http://linuxcostablanca.blogspot.com/2012/02/nfsv4-myths-and-legends.html