UbuntuHelp:NFSv4Howto
{{From|https://help.ubuntu.com/community/NFSv4Howto}}
{{Languages|UbuntuHelp:NFSv4Howto}}
=== Installation ===
The required packages differ depending on whether the system is a client or a server. In this Howto, the server is the host that has the files you want to share and the client is the host that will be mounting the NFS share.
* NFSv4 client
<pre><nowiki>
# apt-get install nfs-common
</nowiki></pre>
* NFSv4 server
<pre><nowiki>
# apt-get install nfs-kernel-server
</nowiki></pre>
After you finish installing nfs-kernel-server, you might see nfs-kernel-server fail to start because of missing entries in /etc/exports. Remember to restart the service when you finish configuring.
=== NFSv4 without Kerberos ===
==== NFSv4 Server ====
NFSv4 exports exist in a single ''pseudo filesystem'', where the real directories are mounted with the <code><nowiki>--bind</nowiki></code> option. [http://www.citi.umich.edu/projects/nfsv4/linux/using-nfsv4.html Here] is some additional information regarding this fact.
* Let's say we want to export our user homedirs in <code><nowiki>/home/users</nowiki></code>. First we create the export filesystem:
<pre><nowiki>
# mkdir /export
# mkdir /export/users
</nowiki></pre>
and mount the real users directory with:
<pre><nowiki>
# mount --bind /home/users /export/users
</nowiki></pre>
To save us from retyping this after every reboot we add the following line to <code><nowiki>/etc/fstab</nowiki></code>:
<pre><nowiki>
/home/users    /export/users   none    bind  0  0
</nowiki></pre>
* In <code><nowiki>/etc/default/nfs-kernel-server</nowiki></code> we set:
<pre><nowiki>
NEED_SVCGSSD=no
</nowiki></pre>
because we do not activate NFSv4 security this time.
* In <code><nowiki>/etc/default/nfs-common</nowiki></code> we set:
<pre><nowiki>
NEED_IDMAPD=yes
NEED_GSSD=no
</nowiki></pre>
* To export our directories to a local network 192.168.1.0/24 we add the following two lines to <code><nowiki>/etc/exports</nowiki></code>:
<pre><nowiki>
/export       192.168.1.0/24(ro,fsid=0,insecure,no_subtree_check,async)
/export/users 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async)
</nowiki></pre>
* Restart the service
<pre><nowiki>
# /etc/init.d/nfs-kernel-server restart
</nowiki></pre>
==== NFSv4 Client ====
* On the client we can mount the complete export tree with one command:
<pre><nowiki>
# mount -t nfs4 -o proto=tcp,port=2049 nfs-server:/ /mnt
</nowiki></pre>
* We can also mount an exported ''subtree'' with:
<pre><nowiki>
# mount -t nfs4 -o proto=tcp,port=2049 nfs-server:/users /home/users
</nowiki></pre>
* If you experience problems like this:
<pre><nowiki>
Warning: rpc.idmapd appears not to be running.
         All uids will be mapped to the nobody uid.
mount: unknown filesystem type 'nfs4'
</nowiki></pre>
then you need to set in <code><nowiki>/etc/default/nfs-common</nowiki></code>:
<pre><nowiki>
NEED_IDMAPD=yes
</nowiki></pre>
and restart nfs-common
<pre><nowiki>
# /etc/init.d/nfs-common restart
</nowiki></pre>
The "unknown filesystem" error is ambiguous and will disappear as well.
=== NFSv4 with Kerberos ===
You need a working Kerberos (MIT or Heimdal) KDC (Key Distribution Center) before continuing. On the nfs-server and nfs-clients you must use MIT krb5 for now. When extracting the key to a keytab file and when configuring krb5 in ''/etc/krb5.conf'' it is necessary to specify ''des-cbc-crc'' because only this type of encryption is supported by the kernel at the moment. Single-DES encryption types such as ''des-cbc-crc'' are deprecated for Kerberos (RFC 6649); the restriction described here reflects the kernel at the time this Howto was written.
* On the nfs-server and nfs-client you need at least ''krb5-user'', and optionally ''libpam-krb5'' if you wish to authenticate against krb5.
<pre><nowiki>
# apt-get install krb5-user
# apt-get install libpam-krb5
</nowiki></pre>
* Specify ''des-cbc-crc'' in ''/etc/krb5.conf'' on nfs-servers and nfs-clients.
<pre><nowiki>
[libdefaults]
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
</nowiki></pre>
* You need the gss kernel modules on nfs-servers and nfs-clients.
<pre><nowiki>
# modprobe rpcsec_gss_krb5
</nowiki></pre>
Add ''rpcsec_gss_krb5'' to ''/etc/modules'' to have it loaded automatically.
==== Create and distribute credentials ====
NFSv4 needs machine credentials for the server and for every client that wants to use the NFSv4 security features. Create the credentials for the nfs-server and all nfs-clients on the Kerberos KDC and distribute the extracted keys with scp to the destination.
===== Heimdal =====
<pre><nowiki>
# kinit kadmin/admin
# kadmin add -r nfs/nfs-server.domain
# ktutil -k ~/keytab.nfs-server get -e des-cbc-crc nfs/nfs-server.domain
# scp -p ~/keytab.nfs-server nfs-server:/etc/krb5.keytab
# kadmin add -r nfs/nfs-client.domain
# ktutil -k ~/keytab.nfs-client get -e des-cbc-crc nfs/nfs-client.domain
# scp -p ~/keytab.nfs-client nfs-client:/etc/krb5.keytab
# kdestroy
</nowiki></pre>
===== MIT =====
<pre><nowiki>
# kinit admin/admin
# kadmin -q "addprinc -randkey nfs/nfs-server.domain"
# kadmin -q "ktadd -e des-cbc-crc:normal -k ~/keytab.nfs-server nfs/nfs-server.domain"
# scp -p ~/keytab.nfs-server nfs-server.domain:/etc/krb5.keytab
# kadmin -q "addprinc -randkey nfs/nfs-client.domain"
# kadmin -q "ktadd -e des-cbc-crc:normal -k ~/keytab.nfs-client nfs/nfs-client.domain"
# scp -p ~/keytab.nfs-client nfs-client.domain:/etc/krb5.keytab
# kdestroy
</nowiki></pre>
==== NFSv4 Server ====
* Check your machine credentials in ''/etc/krb5.keytab''
<pre><nowiki>
# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 nfs/nfs-server.domain@DOMAIN
</nowiki></pre>
* In <code><nowiki>/etc/default/nfs-kernel-server</nowiki></code> we set:
<pre><nowiki>
NEED_SVCGSSD=yes
</nowiki></pre>
* In <code><nowiki>/etc/default/nfs-common</nowiki></code> we set:
<pre><nowiki>
NEED_IDMAPD=yes
</nowiki></pre>
* To export our directories from the example above to a local network 192.168.1.0/24 and additionally to gss/krb5 clients, we add the following lines to <code><nowiki>/etc/exports</nowiki></code>. Each entry is written on a single line, because whitespace inside the parenthesised option list is not accepted:
<pre><nowiki>
/export       192.168.1.0/24(ro,fsid=0,insecure,no_subtree_check,async,anonuid=65534,anongid=65534)
/export       gss/krb5(ro,fsid=0,insecure,no_subtree_check,async,anonuid=65534,anongid=65534)
/export/users 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async,anonuid=65534,anongid=65534)
/export/users gss/krb5(rw,nohide,insecure,no_subtree_check,async,anonuid=65534,anongid=65534)
</nowiki></pre>
Please note that you can specify allowed hosts only in the ''any authentication'' flavor. gss/krb5 flavours are accessible from anywhere if you do not use additional firewall rules. To export only with secure authentication flavors, do not include a ''host(...)'' line in ''/etc/exports''.

To display your exports enter:
<pre><nowiki>
# exportfs -v
</nowiki></pre>
==== NFSv4 Client ====
* Check your machine credentials in ''/etc/krb5.keytab''
<pre><nowiki>
# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 nfs/nfs-client.domain@DOMAIN
</nowiki></pre>
* In <code><nowiki>/etc/default/nfs-common</nowiki></code> we set:
<pre><nowiki>
NEED_IDMAPD=yes
NEED_GSSD=yes
</nowiki></pre>
* We can ''secure'' mount the complete export tree with:
<pre><nowiki>
# mount -t nfs4 -o sec=krb5,proto=tcp,port=2049 nfs-server:/ /mnt
</nowiki></pre>
* We can also ''secure'' mount an exported ''subtree'' with:
<pre><nowiki>
# mount -t nfs4 -o sec=krb5,proto=tcp,port=2049 nfs-server:/users /home/users
</nowiki></pre>
=== Troubleshooting ===
First, take care of proper logging: by default almost nothing is logged. For example, to enable third-level verbose logging for rpc.gssd, append the following to <code><nowiki>/etc/default/nfs-common</nowiki></code>:
<pre><nowiki>
RPCGSSDOPTS=-vvv
</nowiki></pre>
After restarting nfs-common (<code><nowiki>/etc/init.d/nfs-common restart</nowiki></code>) check that the daemon has received the new arguments:
<pre><nowiki>
# ps xuwa | grep '[r]pc.gssd'
root      9857  0.0  0.4   2496  1220 ?        Ss   02:17   0:00 /usr/sbin/rpc.gssd -vvv
</nowiki></pre>
Then look for its log output in daemon.log:
<pre><nowiki>
# tail -f /var/log/daemon.log
</nowiki></pre>
For the server, you can for example raise the rpc.svcgssd log level in <code><nowiki>/etc/default/nfs-kernel-server</nowiki></code>:
<pre><nowiki>
RPCSVCGSSDOPTS=-vvv
</nowiki></pre>
Browse the <code><nowiki>/etc/init.d/nfs-*</nowiki></code> init scripts to see other variables that you can set in <code><nowiki>/etc/default</nowiki></code>.

If using Kerberos, enable logging in <code><nowiki>/etc/krb5.conf</nowiki></code>:
<pre><nowiki>
[logging]
     kdc          = SYSLOG:INFO:DAEMON
     admin_server = SYSLOG:INFO:DAEMON
     default      = SYSLOG:INFO:DAEMON
</nowiki></pre>
=== Links ===
* [http://www.citi.umich.edu/projects/nfsv4/linux Umich CITI instructions]
* [http://www.vanemery.com/Linux/NFSv4/NFSv4-no-rpcsec.html Learning NFSv4 with Fedora Core 2]
[[category:CategoryDocumentation]] [[category:CategoryCleanup]] [[category:UbuntuHelp]]
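The note in the Kerberos server section says that a ''host(...)'' entry admits clients without Kerberos while gss/krb5 entries are reachable from anywhere. The script below is an added example, not part of the original Howto or of nfs-utils: it parses exports-style text and lists, per path, the entries that still allow non-Kerberos (AUTH_SYS) access or carry the <code>insecure</code> and <code>async</code> options. <code>SAMPLE_EXPORTS</code>, the <code>/export/secure</code> path and all function names are constructed for illustration.

```python
import re

# Constructed sample: the four Kerberos-section entries from this Howto
# (anonuid/anongid omitted) plus one hypothetical Kerberos-only export.
SAMPLE_EXPORTS = """\
/export        192.168.1.0/24(ro,fsid=0,insecure,no_subtree_check,async)
/export        gss/krb5(ro,fsid=0,insecure,no_subtree_check,async)
/export/users  192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async)
/export/users  gss/krb5(rw,nohide,insecure,no_subtree_check,async)
/export/secure gss/krb5(rw,nohide,no_subtree_check,sync)  # hypothetical
"""

ENTRY = re.compile(r"([^\s()]*)\(([^)]*)\)|([^\s()]+)")

def parse_exports(text):
    """Yield (path, client, [options]); accepts client(opts), (opts), bare client."""
    text = text.replace("\\\n", " ")  # exports(5) backslash continuation
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)  # drop comment, split off path
        if len(fields) < 2:
            continue  # blank line, or a path with no client list
        path, rest = fields  # assumes paths without embedded spaces
        for m in ENTRY.finditer(rest):
            client = m.group(1) or m.group(3) or "*"  # "(opts)" alone means any host
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            yield path, client, opts

def is_krb5_only(client, opts):
    """True when the entry is reachable only with a Kerberos flavor."""
    if client.startswith("gss/krb5"):
        return True
    flavors = [f for o in opts if o.startswith("sec=") for f in o[4:].split(":")]
    return bool(flavors) and all(f.startswith("krb5") for f in flavors)

def audit(text):
    """Return sorted, de-duplicated (path, finding) tuples."""
    findings = set()
    for path, client, opts in parse_exports(text):
        if not is_krb5_only(client, opts):
            findings.add((path, "AUTH_SYS (no Kerberos) allowed for " + client))
        if "insecure" in opts:
            findings.add((path, "insecure: unprivileged source ports accepted"))
        if "async" in opts:
            findings.add((path, "async: server replies before data is on disk"))
    return sorted(findings)

if __name__ == "__main__":
    for path, finding in audit(SAMPLE_EXPORTS):
        print(f"{path:15} {finding}")
```

To check a live server, pass the contents of <code>/etc/exports</code> to <code>audit()</code> instead of the sample; a path that produces no AUTH_SYS finding is exported with Kerberos flavors only.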