Special:Badtitle/NS100:NFSv4Howto: difference between revisions
第15行: | 第15行: | ||
real directories are mounted with the <code><nowiki>--bind</nowiki></code> option. [http://www.citi.umich.edu/projects/nfsv4/linux/using-nfsv4.html Here] is some additional information | real directories are mounted with the <code><nowiki>--bind</nowiki></code> option. [http://www.citi.umich.edu/projects/nfsv4/linux/using-nfsv4.html Here] is some additional information | ||
regarding this fact. | regarding this fact. | ||
* | * Let's say we want to export our users' home directories in <code><nowiki>/home/users</nowiki></code>. First | ||
we create the export | we create the export filesystem: | ||
<pre><nowiki> | <pre><nowiki> | ||
# mkdir /export | # mkdir /export | ||
第51行: | 第51行: | ||
<pre><nowiki> | <pre><nowiki> | ||
# mount -t nfs4 -o proto=tcp,port=2049 nfs-server:/users /home/users</nowiki></pre> | # mount -t nfs4 -o proto=tcp,port=2049 nfs-server:/users /home/users</nowiki></pre> | ||
* To save us from retyping this after every reboot we add the following | |||
line to <code><nowiki>/etc/fstab</nowiki></code>: | |||
<pre><nowiki> | |||
nfs-server:/ /mnt nfs4 _netdev,auto 0 0</nowiki></pre> | |||
where the <code><nowiki>auto</nowiki></code> option mounts on startup and the <code><nowiki>_netdev</nowiki></code> option waits until network devices are loaded. | |||
* If you have a slow network connection and are not establishing mount at reboot, you can change the line in <code><nowiki>etc/fstab</nowiki></code>: | |||
<pre><nowiki> | |||
nfs-server:/ /mnt nfs4 noauto 0 0</nowiki></pre> | |||
and execute this mount after a short pause once all devices are loaded. Add the following lines to <code><nowiki>/etc/rc.local</nowiki></code> | |||
<pre><nowiki> | |||
# sleep 5 | |||
# mount /mnt</nowiki></pre> | |||
* If you experience Problems like this: | * If you experience Problems like this: | ||
<pre><nowiki> | <pre><nowiki> | ||
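Review bot: the two lines added for /etc/rc.local, `# sleep 5` and `# mount /mnt`, keep the `#` that the rest of this page uses as the root prompt; inside rc.local a leading `#` starts a comment, so neither command would run at boot. They should go in as `sleep 5` and `mount /mnt`. In the same bullet, `etc/fstab` is missing its leading slash.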
第62行: | 第74行: | ||
<pre><nowiki> | <pre><nowiki> | ||
# /etc/init.d/nfs-common restart</nowiki></pre> | # /etc/init.d/nfs-common restart</nowiki></pre> | ||
The "unknown Filesystem" Error | The "unknown Filesystem" Error will disappear as well. | ||
=== NFSv4 with Kerberos === | === NFSv4 with Kerberos === | ||
You need a working Kerberos (MIT or Heimdal) KDC (Key Distribution Center) | You need a working Kerberos (MIT or Heimdal) KDC (Key Distribution Center) | ||
before continuing. | before continuing. NFS4 and Kerberos work fine with Ubuntu 8.04; they do not seem to work with the (much) older Ubuntu 6.06, or at least I couldn't get Heimdal to work correctly. | ||
Please note, that we have three different entities: the Kerberos-server; the NFS-server and the NFS-client. Your Kerberos-server (or KDC) and NFS-server could be the same machine, but they could also very well be separate entities. We will use separate "prompts" to distinguish, i.e. if you see | |||
<pre><nowiki> | |||
KDC$ echo "hello" | |||
''des-cbc-crc'' | </nowiki></pre> | ||
... this means you need to type echo "hello" on the KDC. | |||
Please note that you can now (with Ubuntu 8.04 and later) use any encryption type you want, there is no more need to extract only ''des-cbc-crc'', as most sites suggest. See [http://mailman.mit.edu/pipermail/kerberos/2008-May/013698.html this mailinglist message]. | |||
===== MIT ===== | |||
* On the nfs-server and nfs-client you need at least the ''krb5-user'' | * On the nfs-server and nfs-client you need at least the ''krb5-user'' | ||
and optional ''libpam-krb5'' if you wish to authenticate against krb5. | and optional ''libpam-krb5'' if you wish to authenticate against krb5. | ||
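Review bot: the new paragraph saying any encryption type can be used and that des-cbc-crc no longer needs to be extracted does not say which kernel and nfs-utils versions this was verified on, and the Heimdal keytab listings added later in this same revision still show des-cbc-crc keys. State the precondition (which component must support the stronger types, and from which release) so a reader on an older kernel can tell whether the advice applies to them or whether the DES key is still needed as a fallback.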
第76行: | 第90行: | ||
# apt-get install krb5-user | # apt-get install krb5-user | ||
# apt-get install libpam-krb5 </nowiki></pre> | # apt-get install libpam-krb5 </nowiki></pre> | ||
* | ===== Heimdal ===== | ||
* On the nfs-server and nfs-client you need ''heimdal-clients'' | |||
and optional ''libpam-krb5'' if you wish to authenticate against krb5. | |||
<pre><nowiki> | <pre><nowiki> | ||
# apt-get install heimdal-clients | |||
# apt-get install libpam-krb5 </nowiki></pre> | |||
* You need the gss kernel modules on nfs-servers and nfs-clients. | * You need the gss kernel modules on nfs-servers and nfs-clients. | ||
<pre><nowiki> | <pre><nowiki> | ||
# modprobe rpcsec_gss_krb5 </nowiki></pre> | # modprobe rpcsec_gss_krb5 </nowiki></pre> | ||
Add ''rpcsec_gss_krb5'' to ''/etc/modules'' to have it loaded | Add ''rpcsec_gss_krb5'' to ''/etc/modules'' to have it loaded | ||
automatically. | automatically. (I'm pretty sure they're loaded automatically though). | ||
==== Create and distribute credentials ==== | ==== Create and distribute credentials ==== | ||
NFSv4 needs machine credentials for the server and every client, which wants | NFSv4 needs machine credentials for the server and every client, which wants | ||
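Review bot: the sentence appended at the end, `(I'm pretty sure they're loaded automatically though)`, undercuts the instruction just before it to add rpcsec_gss_krb5 to /etc/modules. Either check whether the module is autoloaded on the supported releases and keep only the outcome, or keep the /etc/modules step as the safe default and drop the hedge.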
第91行: | 第106行: | ||
Create the credentials for the nfs-server and all nfs-clients on the Kerberos KDC | Create the credentials for the nfs-server and all nfs-clients on the Kerberos KDC | ||
and distribute the extraced keys with scp to the destination | and distribute the extraced keys with scp to the destination | ||
You can make sure that only this entry has been created by executing "sudo klist -e -k /etc/krb5.keytab". | |||
===== Heimdal ===== | ===== Heimdal ===== | ||
Authenticate as your admin user. You can do this from any machine in your | |||
kerberos-domain, as long as your kadmind is running; then add principals for your server and client machines. Replace "nfs-server.domain" with the fully qualified domain name of the machines. For example, if your server is called "snoopy" and your domain is "office.example.com", you would add a principal named "nfs/snoopy.office.example.com" for the server. | |||
Note: kadmin must be run with -l (locally) on the KDC if there is no kadmind. | |||
Please be aware of https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/309738/ | |||
<pre><nowiki> | |||
$ kinit kadmin/admin | |||
$ kadmin add -r nfs/nfs-server.domain | |||
$ kadmin add -r nfs/nfs-client.domain | |||
</nowiki></pre> | |||
Now add these to the keytab-files on your NFS-server and client. Log in to your NFSserver (as root, because you will need to edit the /etc/krb5.keytab file) and initialize as Kerberos administrator. If your domain is fully kerberized, logging in as root will automatically give you the right access, in which case you don't need to use "kinit" anymore. | |||
<pre><nowiki> | |||
NFSserver# kinit kadmin/admin | |||
NFSserver# ktutil get nfs/nfs-server.domain | |||
</nowiki></pre> | |||
And add it to the client's keytab file: | |||
<pre><nowiki> | <pre><nowiki> | ||
# kinit kadmin/admin | NFSclient# kinit kadmin/admin | ||
NFSclient# ktutil get nfs/nfs-client.domain | |||
</nowiki></pre> | |||
# ktutil | |||
===== MIT ===== | ===== MIT ===== | ||
The information below is not correct. You don't need the "des-cbc-crc" anymore and copying the key with "scp" is probably not necessary. (Could anyone with MIT knowledge clear this up, please? Valentijn) | |||
<pre><nowiki> | <pre><nowiki> | ||
# kinit admin/admin | # kinit admin/admin | ||
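Review bot: the MIT subsection keeps its old commands and only gains a note saying they are wrong (`The information below is not correct...`); a reader on the MIT path still runs `ktadd -e des-cbc-crc:normal` and then `scp -p /root/keytab.nfs-server nfs-server.domain:/etc/krb5.keytab`, which replaces whatever keytab the target host already has instead of merging into it. Either update the MIT commands to match the new Heimdal text (extract into the keytab on the target host, no enctype restriction) or remove the section until someone can verify it. Also, the `klist -e -k` sentence is inserted directly after `distribute the extraced keys with scp to the destination` with no full stop, and `extraced` is a typo.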
第118行: | 第141行: | ||
# kdestroy </nowiki></pre> | # kdestroy </nowiki></pre> | ||
==== NFSv4 Server ==== | ==== NFSv4 Server with Kerberos ==== | ||
* Check your machine credentials in ''/etc/krb5.keytab'' | * Check your machine credentials in ''/etc/krb5.keytab''. Use "ktutil" (MIT) or "ktutil list" (Heimdal) | ||
<pre><nowiki> | MIT: <pre><nowiki> | ||
# ktutil | # ktutil | ||
ktutil: rkt /etc/krb5.keytab | ktutil: rkt /etc/krb5.keytab | ||
ktutil: list | ktutil: list | ||
slot KVNO Principal | slot KVNO Principal | ||
第128行: | 第151行: | ||
1 2 nfs/nfs-server.domain@DOMAIN | 1 2 nfs/nfs-server.domain@DOMAIN | ||
</nowiki></pre> | </nowiki></pre> | ||
Heimdal: <pre><nowiki> | |||
# ktutil list | |||
FILE:/etc/krb5.keytab: | |||
Vno Type Principal | |||
6 des-cbc-md5 nfs/[email protected] | |||
6 des-cbc-md4 nfs/[email protected] | |||
6 des-cbc-crc nfs/[email protected] | |||
6 aes256-cts-hmac-sha1-96 nfs/[email protected] | |||
6 des3-cbc-sha1 nfs/[email protected] | |||
6 arcfour-hmac-md5 nfs/[email protected] | |||
</nowiki></pre> etcetera (I removed the krb4 entries as you probably won't use them anyway). | |||
MIT extra information: | |||
<pre><nowiki> | <pre><nowiki> | ||
# sudo klist -e -k /etc/krb5.keytab | # sudo klist -e -k /etc/krb5.keytab | ||
Keytab name: FILE:/etc/krb5.keytab | Keytab name: FILE:/etc/krb5.keytab | ||
KVNO Principal | KVNO Principal | ||
---- -------------------------------------------------------------------------- | ---- -------------------------------------------------------------------------- | ||
1 nfs/nfs-server.domain@DOMAIN (DES cbc mode with CRC-32) | 1 nfs/nfs-server.domain@DOMAIN (DES cbc mode with CRC-32) | ||
</nowiki></pre> | </nowiki></pre> | ||
* In <code><nowiki>/etc/default/nfs-kernel-server</nowiki></code> we set: | * In <code><nowiki>/etc/default/nfs-kernel-server</nowiki></code> we set: | ||
<pre><nowiki> | <pre><nowiki> | ||
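Review bot: the principals in the added Heimdal `ktutil list` output read `nfs/[email protected]`, which looks like an address-obfuscation artifact rather than what ktutil prints; the MIT listing beside it uses `nfs/nfs-server.domain@DOMAIN`, so the Heimdal block should use the same placeholder. The listing also keeps des-cbc-md5, des-cbc-md4, des-cbc-crc and arcfour-hmac-md5 keys next to aes256-cts-hmac-sha1-96; since the text above now says DES is no longer required, say whether those weak entries can be left out when the principal is created.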
第164行: | 第198行: | ||
<pre><nowiki> | <pre><nowiki> | ||
# exportfs -v </nowiki></pre> | # exportfs -v </nowiki></pre> | ||
==== NFSv4 Client ==== | ==== NFSv4 Client with Kerberos ==== | ||
* Check your machine credentials in ''/etc/krb5.keytab'' | * Check your machine credentials in ''/etc/krb5.keytab'' | ||
<pre><nowiki> | MIT: <pre><nowiki> | ||
# ktutil | # ktutil | ||
ktutil: rkt /etc/krb5.keytab | ktutil: rkt /etc/krb5.keytab | ||
ktutil: list | ktutil: list | ||
slot KVNO Principal | slot KVNO Principal | ||
---- ---- --------------------------------------------------------------------- | ---- ---- --------------------------------------------------------------------- | ||
1 2 nfs/nfs-client.domain@DOMAIN | 1 2 nfs/nfs-client.domain@DOMAIN | ||
</nowiki></pre> | |||
Heimdal: <pre><nowiki> | |||
# ktutil list | |||
FILE:/etc/krb5.keytab: | |||
Vno Type Principal | |||
6 des-cbc-md5 nfs/[email protected] | |||
6 des-cbc-md4 nfs/[email protected] | |||
6 des-cbc-crc nfs/[email protected] | |||
6 aes256-cts-hmac-sha1-96 nfs/[email protected] | |||
6 des3-cbc-sha1 nfs/[email protected] | |||
6 arcfour-hmac-md5 nfs/[email protected] | |||
</nowiki></pre> | </nowiki></pre> | ||
* In <code><nowiki>/etc/default/nfs-common</nowiki></code> we set: | * In <code><nowiki>/etc/default/nfs-common</nowiki></code> we set: | ||
第180行: | 第227行: | ||
* We can ''secure'' mount the complete export tree with: | * We can ''secure'' mount the complete export tree with: | ||
<pre><nowiki> | <pre><nowiki> | ||
# mount -t nfs4 -o sec=krb5 | # mount -t nfs4 -o sec=krb5 nfs-server:/ /mnt</nowiki></pre> | ||
* We can also ''secure'' mount an exported ''subtree'' with: | * We can also ''secure'' mount an exported ''subtree'' with: | ||
<pre><nowiki> | <pre><nowiki> | ||
# mount -t nfs4 -o sec=krb5 | # mount -t nfs4 -o sec=krb5 nfs-server:/users /home/users</nowiki></pre> | ||
=== Troubleshooting === | === Troubleshooting === | ||
First, take care of proper logging - by default almost nothing is logged. | First, take care of proper logging - by default almost nothing is logged. | ||
e.g. to enable 3rd level verbose logging for rpc.gssd, append the following to <code><nowiki>/etc/default/nfs-common</nowiki></code>: | e.g. to enable 3rd level verbose logging for rpc.gssd, append the following to <code><nowiki>/etc/default/nfs-common</nowiki></code>: | ||
<pre><nowiki> | <pre><nowiki> | ||
RPCGSSDOPTS="-vvv | RPCGSSDOPTS="-vvv" | ||
</nowiki></pre> | </nowiki></pre> | ||
After restarting nfs-common (<code><nowiki>/etc/init.d/nfs-common restart</nowiki></code>) check that the daemon has received new arguments: | After restarting nfs-common (<code><nowiki>/etc/init.d/nfs-common restart</nowiki></code>) check that the daemon has received new arguments: | ||
<pre><nowiki> | <pre><nowiki> | ||
ps xuwa | grep grep rpc.gssd | ps xuwa | grep grep rpc.gssd | ||
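Review bot: the completed mount lines use `sec=krb5`, which authenticates the RPC calls but leaves file data unsigned and unencrypted on the wire; since both bullets call this a ''secure'' mount, name the `krb5i` (integrity) and `krb5p` (privacy) flavors as the stronger options, and note that the server export has to allow the matching flavor (a `gss/krb5i` or `gss/krb5p` entry in /etc/exports) for such a mount to succeed.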
第201行: | 第248行: | ||
For the server, you can e.g. raise rpc.svcgssd log level in <code><nowiki>/etc/default/nfs-kernel-server</nowiki></code>: | For the server, you can e.g. raise rpc.svcgssd log level in <code><nowiki>/etc/default/nfs-kernel-server</nowiki></code>: | ||
<pre><nowiki> | <pre><nowiki> | ||
RPCSVCGSSDOPTS="-vvv | RPCSVCGSSDOPTS="-vvv" | ||
</nowiki></pre> | </nowiki></pre> | ||
Browse the <code><nowiki>/etc/init.d/nfs-*</nowiki></code> init scripts to see other variables that you can set in <code><nowiki>/etc/defaults</nowiki></code>. | Browse the <code><nowiki>/etc/init.d/nfs-*</nowiki></code> init scripts to see other variables that you can set in <code><nowiki>/etc/defaults</nowiki></code>. | ||
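Review bot: the quoting fix for RPCSVCGSSDOPTS is correct; the unchanged context line in this hunk still says `/etc/defaults`, whereas the variables belong in `/etc/default`, as the earlier lines of the same section show.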
第214行: | 第261行: | ||
* [http://www.citi.umich.edu/projects/nfsv4/linux Umich CITI intructions] | * [http://www.citi.umich.edu/projects/nfsv4/linux Umich CITI intructions] | ||
* [http://www.vanemery.com/Linux/NFSv4/NFSv4-no-rpcsec.html Learning NFSv4 with Fedora Core 2] | * [http://www.vanemery.com/Linux/NFSv4/NFSv4-no-rpcsec.html Learning NFSv4 with Fedora Core 2] | ||
[[category: | [[category:CategoryCleanup]] [[category:CategoryNetworking]] | ||
[[category:UbuntuHelp]] | [[category:UbuntuHelp]] |
Revision as of 18:12, 12 May 2009 (Tue)
Source: https://help.ubuntu.com/community/NFSv4Howto
=== Installation ===
The required packages differ depending on whether the system is a client or a server. In this Howto, the server is the host that has the files you want to share and the client is the host that will mount the NFS share.
* NFSv4 client
<pre><nowiki>
# apt-get install nfs-common</nowiki></pre>
* NFSv4 server
<pre><nowiki>
# apt-get install nfs-kernel-server</nowiki></pre>
After installing nfs-kernel-server you may see it fail to start because <code><nowiki>/etc/exports</nowiki></code> has no entries yet. Remember to restart the service when you have finished configuring it.
=== NFSv4 without Kerberos ===
==== NFSv4 Server ====
NFSv4 exports live in a single pseudo filesystem, into which the real directories are mounted with the <code><nowiki>--bind</nowiki></code> option. [http://www.citi.umich.edu/projects/nfsv4/linux/using-nfsv4.html Here] is some additional information regarding this.
* Let's say we want to export our users' home directories in <code><nowiki>/home/users</nowiki></code>. First we create the export filesystem:
<pre><nowiki>
# mkdir /export
# mkdir /export/users</nowiki></pre>
and mount the real users directory with:
<pre><nowiki>
# mount --bind /home/users /export/users</nowiki></pre>
To save us from retyping this after every reboot we add the following line to <code><nowiki>/etc/fstab</nowiki></code>:
<pre><nowiki>
/home/users    /export/users   none    bind  0  0</nowiki></pre>
* In <code><nowiki>/etc/default/nfs-kernel-server</nowiki></code> we set:
<pre><nowiki>
NEED_SVCGSSD=no</nowiki></pre>
because we are not activating NFSv4 security this time.
* In <code><nowiki>/etc/default/nfs-common</nowiki></code> we set:
<pre><nowiki>
NEED_IDMAPD=yes
NEED_GSSD=no</nowiki></pre>
* To export our directories to the local network 192.168.1.0/24 we add the following two lines to <code><nowiki>/etc/exports</nowiki></code>:
<pre><nowiki>
/export       192.168.1.0/24(rw,fsid=0,insecure,no_subtree_check,async)
/export/users 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async)</nowiki></pre>
* Restart the service:
<pre><nowiki>
# /etc/init.d/nfs-kernel-server restart</nowiki></pre>
==== NFSv4 Client ====
* On the client we can mount the complete export tree with one command:
<pre><nowiki>
# mount -t nfs4 -o proto=tcp,port=2049 nfs-server:/ /mnt</nowiki></pre>
* We can also mount an exported subtree with:
<pre><nowiki>
# mount -t nfs4 -o proto=tcp,port=2049 nfs-server:/users /home/users</nowiki></pre>
* To save us from retyping this after every reboot we add the following line to <code><nowiki>/etc/fstab</nowiki></code>:
<pre><nowiki>
nfs-server:/   /mnt   nfs4    _netdev,auto  0  0</nowiki></pre>
where the <code><nowiki>auto</nowiki></code> option mounts on startup and the <code><nowiki>_netdev</nowiki></code> option waits until network devices are loaded.
* If you have a slow network connection and do not want the mount established at boot, you can change the line in <code><nowiki>/etc/fstab</nowiki></code> to:
<pre><nowiki>
nfs-server:/   /mnt   nfs4    noauto  0  0</nowiki></pre>
and perform the mount after a short pause once all devices are loaded, by adding the following lines to <code><nowiki>/etc/rc.local</nowiki></code> (as plain commands; a leading <code><nowiki>#</nowiki></code> would turn them into comments):
<pre><nowiki>
sleep 5
mount /mnt</nowiki></pre>
* If you experience problems like this:
<pre><nowiki>
Warning: rpc.idmapd appears not to be running.
         All uids will be mapped to the nobody uid.
mount: unknown filesystem type 'nfs4'</nowiki></pre>
then you need to set in <code><nowiki>/etc/default/nfs-common</nowiki></code>:
<pre><nowiki>
NEED_IDMAPD=yes</nowiki></pre>
and restart nfs-common:
<pre><nowiki>
# /etc/init.d/nfs-common restart</nowiki></pre>
The "unknown filesystem" error will disappear as well.
=== NFSv4 with Kerberos ===
You need a working Kerberos (MIT or Heimdal) KDC (Key Distribution Center) before continuing. NFS4 and Kerberos work fine with Ubuntu 8.04; they do not seem to work with the (much) older Ubuntu 6.06, or at least I couldn't get Heimdal to work correctly.

Please note that we have three different entities: the Kerberos server (KDC), the NFS server and the NFS client. Your Kerberos server and NFS server could be the same machine, but they could also very well be separate hosts. We will use separate prompts to distinguish them, i.e. if you see
<pre><nowiki>
KDC$ echo "hello"</nowiki></pre>
this means you need to type <code><nowiki>echo "hello"</nowiki></code> on the KDC.

Please note that you can now (with Ubuntu 8.04 and later) use any encryption type you want; there is no longer any need to extract only ''des-cbc-crc'', as most sites suggest. See [http://mailman.mit.edu/pipermail/kerberos/2008-May/013698.html this mailing list message].
===== MIT =====
* On the nfs-server and nfs-client you need at least ''krb5-user'', and optionally ''libpam-krb5'' if you wish to authenticate against krb5.
<pre><nowiki>
# apt-get install krb5-user
# apt-get install libpam-krb5</nowiki></pre>
===== Heimdal =====
* On the nfs-server and nfs-client you need ''heimdal-clients'', and optionally ''libpam-krb5'' if you wish to authenticate against krb5.
<pre><nowiki>
# apt-get install heimdal-clients
# apt-get install libpam-krb5</nowiki></pre>
* You need the gss kernel modules on nfs-servers and nfs-clients:
<pre><nowiki>
# modprobe rpcsec_gss_krb5</nowiki></pre>
Add ''rpcsec_gss_krb5'' to ''/etc/modules'' to have it loaded automatically. (I'm pretty sure they're loaded automatically though).
==== Create and distribute credentials ====
NFSv4 needs machine credentials for the server and for every client that wants to use the NFSv4 security features. Create the credentials for the nfs-server and all nfs-clients on the Kerberos KDC and distribute the extracted keys with scp to the destination. You can make sure that only this entry has been created by executing <code><nowiki>sudo klist -e -k /etc/krb5.keytab</nowiki></code>.
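The keytab check mentioned above, as an added example that is not part of the original howto: a POSIX shell function, check_nfs_keytab (my own name), that reads the text printed by "klist -e -k /etc/krb5.keytab" (MIT) or "ktutil list" (Heimdal) on standard input, confirms that the expected nfs/FQDN@REALM principal is present, warns when the keys it finds are only of the weak DES or RC4 (arcfour) types, and lists any other principals stored in the same file. The two listings embedded in the script (mit_sample and heimdal_sample, also my names) are constructed from the listing formats shown on this page; the hostnames nfs-server.domain and nfs-client.domain, the realm DOMAIN and the key version numbers are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original howto: check a keytab listing for the
# machine's nfs/ service principal. Reads the text printed by
# "klist -e -k /etc/krb5.keytab" (MIT) or "ktutil list" (Heimdal) on stdin.
#
# check_nfs_keytab FQDN REALM < listing
#   prints one line per finding; exit 0 when nfs/FQDN@REALM is present with at
#   least one key in a non-DES, non-RC4 type, exit 1 otherwise.
check_nfs_keytab() {
    awk -v want="nfs/$1@$2" '
        /^Keytab name:/ || /^FILE:/ || /^----/ { next }   # listing headers
        $1 == "KVNO" { mode = "mit"; next }               # MIT klist header line
        $1 == "Vno"  { mode = "heimdal"; next }           # Heimdal ktutil header line
        NF < 2 { next }
        {
            if (mode == "heimdal") { princ = $3; enc = $2 }
            else {
                princ = $2; enc = ""
                i = index($0, "(")                        # "(DES cbc mode ...)" from -e
                if (i) { enc = substr($0, i + 1); sub(/\)[ \t]*$/, "", enc) }
            }
            if (princ != want) { extra[princ]++; next }
            found++
            if (enc == "") unknown++
            else if (tolower(enc) ~ /^des |^des-|arcfour|rc4/) weak++
            else strong++
        }
        END {
            rc = 0
            if (!found) { print "MISSING: " want; rc = 1 }
            else if (!strong && !unknown) { print "WEAK-ONLY: " want " has only DES/RC4 keys"; rc = 1 }
            if (weak) print "NOTE: " weak " weak DES/RC4 key(s) for " want
            for (p in extra) print "EXTRA: " p " (the howto expects only the nfs/ entry here)"
            exit rc
        }'
}

# Constructed sample listings (placeholder hostnames, realm and key versions),
# in the formats this howto shows for MIT and Heimdal.
mit_sample() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/nfs-server.domain@DOMAIN (DES cbc mode with CRC-32)
   1 nfs/nfs-server.domain@DOMAIN (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/nfs-server.domain@DOMAIN (AES-256 CTS mode with 96-bit SHA-1 HMAC)
EOF
}
heimdal_sample() {
    cat <<'EOF'
FILE:/etc/krb5.keytab:
Vno  Type                     Principal
  6  des-cbc-crc              nfs/nfs-client.domain@DOMAIN
  6  aes256-cts-hmac-sha1-96  nfs/nfs-client.domain@DOMAIN
  6  arcfour-hmac-md5         nfs/nfs-client.domain@DOMAIN
EOF
}

# Demo: status 0 = usable keytab (notes may still print), 1 = needs attention.
mit_sample     | check_nfs_keytab nfs-server.domain DOMAIN || echo "status $?"
heimdal_sample | check_nfs_keytab nfs-client.domain DOMAIN || echo "status $?"
mit_sample     | check_nfs_keytab nfs-client.domain DOMAIN || echo "status $?"
```

On a real host run it as <code><nowiki>klist -e -k /etc/krb5.keytab | check_nfs_keytab $(hostname -f) YOUR.REALM</nowiki></code> (or the Heimdal equivalent with ktutil list); a non-zero exit means the principal is missing or only has DES/RC4 keys, which is exactly the state that produces the "unknown" or failed krb5 mounts discussed later on this page.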
===== Heimdal =====
Authenticate as your admin user. You can do this from any machine in your Kerberos domain, as long as your kadmind is running; then add principals for your server and client machines. Replace "nfs-server.domain" with the fully qualified domain name of the machines. For example, if your server is called "snoopy" and your domain is "office.example.com", you would add a principal named "nfs/snoopy.office.example.com" for the server.

Note: kadmin must be run with -l (locally) on the KDC if there is no kadmind. Please be aware of https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/309738/
<pre><nowiki>
$ kinit kadmin/admin
$ kadmin add -r nfs/nfs-server.domain
$ kadmin add -r nfs/nfs-client.domain</nowiki></pre>
Now add these to the keytab files on your NFS server and client. Log in to your NFS server (as root, because you will need to edit the /etc/krb5.keytab file) and initialize as Kerberos administrator. If your domain is fully kerberized, logging in as root will automatically give you the right access, in which case you don't need to use "kinit" anymore.
<pre><nowiki>
NFSserver# kinit kadmin/admin
NFSserver# ktutil get nfs/nfs-server.domain</nowiki></pre>
And add it to the client's keytab file:
<pre><nowiki>
NFSclient# kinit kadmin/admin
NFSclient# ktutil get nfs/nfs-client.domain</nowiki></pre>
===== MIT =====
The information below is not correct. You don't need the "des-cbc-crc" anymore and copying the key with "scp" is probably not necessary. (Could anyone with MIT knowledge clear this up, please? Valentijn)
<pre><nowiki>
# kinit admin/admin
# kadmin -q "addprinc -randkey nfs/nfs-server.domain"
# kadmin -q "ktadd -e des-cbc-crc:normal -k /root/keytab.nfs-server nfs/nfs-server.domain"
# scp -p /root/keytab.nfs-server nfs-server.domain:/etc/krb5.keytab
# kadmin -q "addprinc -randkey nfs/nfs-client.domain"
# kadmin -q "ktadd -e des-cbc-crc:normal -k /root/keytab.nfs-client nfs/nfs-client.domain"
# scp -p /root/keytab.nfs-client nfs-client.domain:/etc/krb5.keytab
# kdestroy</nowiki></pre>
==== NFSv4 Server with Kerberos ====
* Check your machine credentials in ''/etc/krb5.keytab''. Use "ktutil" (MIT) or "ktutil list" (Heimdal).
MIT:
<pre><nowiki>
# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 nfs/nfs-server.domain@DOMAIN</nowiki></pre>
Heimdal:
<pre><nowiki>
# ktutil list
FILE:/etc/krb5.keytab:
Vno  Type                     Principal
  6  des-cbc-md5              nfs/nfs-server.domain@DOMAIN
  6  des-cbc-md4              nfs/nfs-server.domain@DOMAIN
  6  des-cbc-crc              nfs/nfs-server.domain@DOMAIN
  6  aes256-cts-hmac-sha1-96  nfs/nfs-server.domain@DOMAIN
  6  des3-cbc-sha1            nfs/nfs-server.domain@DOMAIN
  6  arcfour-hmac-md5         nfs/nfs-server.domain@DOMAIN</nowiki></pre>
etcetera (I removed the krb4 entries as you probably won't use them anyway).

MIT extra information:
<pre><nowiki>
# sudo klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/nfs-server.domain@DOMAIN (DES cbc mode with CRC-32)</nowiki></pre>
* In <code><nowiki>/etc/default/nfs-kernel-server</nowiki></code> we set:
<pre><nowiki>
NEED_SVCGSSD=yes</nowiki></pre>
* In <code><nowiki>/etc/default/nfs-common</nowiki></code> we set:
<pre><nowiki>
NEED_IDMAPD=yes</nowiki></pre>
* To export the directories from the example above to the local network 192.168.1.0/24 and additionally to Kerberos-authenticated (gss/krb5) clients, we add the following lines to <code><nowiki>/etc/exports</nowiki></code>:
<pre><nowiki>
/export       192.168.1.0/24(rw,fsid=0,insecure, \
                  no_subtree_check,async,anonuid=65534,anongid=65534)
/export       gss/krb5(rw,fsid=0,insecure, \
                  no_subtree_check,async,anonuid=65534,anongid=65534)
/export/users 192.168.1.0/24(rw,nohide,insecure, \
                  no_subtree_check,async,anonuid=65534,anongid=65534)
/export/users gss/krb5(rw,nohide,insecure, \
                  no_subtree_check,async,anonuid=65534,anongid=65534)</nowiki></pre>
Please note that you can restrict the allowed hosts only for the plain (non-Kerberos) authentication flavor. The gss/krb5 exports are reachable from anywhere unless you add firewall rules. To export only with secure authentication flavors, do not include a host(...) line in /etc/exports.

To display your exports, enter:
<pre><nowiki>
# exportfs -v</nowiki></pre>
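An added example, not part of the original howto, that covers both /etc/exports fragments on this page (the plain one in the "NFSv4 without Kerberos" section and the gss/krb5 one just above): a POSIX shell audit, audit_exports (my own name), that parses exports syntax from standard input, joins the backslash-continued lines the way this page writes them, and prints for every export and client entry the security flavor (sec=sys for a host or network entry, the Kerberos flavor for a gss/... pseudo-client or a sec= option), the rw/ro mode and the options worth a second look: insecure, no_root_squash, an AUTH_SYS entry open to any host, and whether exactly one fsid=0 root exists. The sample exports text (exports_sample, also my name) is constructed from the Kerberos example above; the network 192.168.1.0/24 is the page's placeholder.

```shell
#!/bin/sh
# Added example, not part of the original howto: audit an /etc/exports file for
# the points this page raises. Reads exports syntax on stdin and prints one
# line per export/client entry; exit 1 when a finding needs attention.
audit_exports() {
    awk '
        # Join backslash-continued lines the way the howto writes them.
        /\\[ \t]*$/ { sub(/[ \t]*\\[ \t]*$/, ""); if (buf != "") sub(/^[ \t]+/, ""); buf = buf $0; next }
        { if (buf != "") sub(/^[ \t]+/, ""); line = buf $0; buf = "" }
        line ~ /^[ \t]*(#|$)/ { next }                     # comments and blank lines
        {
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t]+/)
            path = f[1]
            for (i = 2; i <= n; i++) {
                spec = f[i]; opts = ""
                p = index(spec, "(")                       # client(options)
                if (p) { opts = substr(spec, p + 1); sub(/\)$/, "", opts); spec = substr(spec, 1, p - 1) }
                if (spec == "") spec = "*"                 # a bare "(options)" means every host
                sec = "sys"                                # AUTH_SYS unless told otherwise
                if (spec ~ /^gss\//) sec = substr(spec, 5) # gss/krb5 pseudo-client form
                if (match(opts, /(^|,)sec=[^,]*/)) {       # newer sec= export option
                    sec = substr(opts, RSTART, RLENGTH); sub(/.*sec=/, "", sec)
                }
                out = path " " spec " sec=" sec " " ((opts ~ /(^|,)rw(,|$)/) ? "rw" : "ro")
                if (opts ~ /(^|,)fsid=0(,|$)/) roots[path] = 1
                if (opts ~ /(^|,)insecure(,|$)/) out = out " [insecure: non-privileged source ports accepted]"
                if (opts ~ /(^|,)no_root_squash(,|$)/) { out = out " [FINDING: no_root_squash]"; bad++ }
                if (sec == "sys" && spec ~ /^[*?]/) { out = out " [FINDING: AUTH_SYS open to any host]"; bad++ }
                if (spec ~ /^gss\//) out = out " [note: gss entry, host restriction does not apply]"
                print out
            }
        }
        END {
            nroots = 0
            for (r in roots) nroots++
            if (nroots != 1) { print "FINDING: NFSv4 needs exactly one fsid=0 root, found " nroots; bad++ }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample in the shape of this howto's Kerberos exports (placeholder network).
exports_sample() {
    cat <<'EOF'
/export       192.168.1.0/24(rw,fsid=0,insecure, \
                  no_subtree_check,async,anonuid=65534,anongid=65534)
/export       gss/krb5(rw,fsid=0,insecure, \
                  no_subtree_check,async,anonuid=65534,anongid=65534)
/export/users 192.168.1.0/24(rw,nohide,insecure, \
                  no_subtree_check,async,anonuid=65534,anongid=65534)
/export/users gss/krb5(rw,nohide,insecure, \
                  no_subtree_check,async,anonuid=65534,anongid=65534)
EOF
}

# Demo: the howto's exports pass; a world-open, root-unsquashed export does not.
exports_sample | audit_exports || echo "status $?"
printf '/export *(rw,no_root_squash)\n' | audit_exports || echo "status $?"
```

On a server run <code><nowiki>audit_exports < /etc/exports</nowiki></code>; the gss lines are reported with a note rather than a finding because, as the paragraph above says, their reach is governed by Kerberos and your firewall rules, not by the host field.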
==== NFSv4 Client with Kerberos ====
* Check your machine credentials in ''/etc/krb5.keytab''.
MIT:
<pre><nowiki>
# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 nfs/nfs-client.domain@DOMAIN</nowiki></pre>
Heimdal:
<pre><nowiki>
# ktutil list
FILE:/etc/krb5.keytab:
Vno  Type                     Principal
  6  des-cbc-md5              nfs/nfs-client.domain@DOMAIN
  6  des-cbc-md4              nfs/nfs-client.domain@DOMAIN
  6  des-cbc-crc              nfs/nfs-client.domain@DOMAIN
  6  aes256-cts-hmac-sha1-96  nfs/nfs-client.domain@DOMAIN
  6  des3-cbc-sha1            nfs/nfs-client.domain@DOMAIN
  6  arcfour-hmac-md5         nfs/nfs-client.domain@DOMAIN</nowiki></pre>
* In <code><nowiki>/etc/default/nfs-common</nowiki></code> we set:
<pre><nowiki>
NEED_IDMAPD=yes
NEED_GSSD=yes</nowiki></pre>
* We can ''secure'' mount the complete export tree with:
<pre><nowiki>
# mount -t nfs4 -o sec=krb5 nfs-server:/ /mnt</nowiki></pre>
* We can also ''secure'' mount an exported ''subtree'' with:
<pre><nowiki>
# mount -t nfs4 -o sec=krb5 nfs-server:/users /home/users</nowiki></pre>
=== Troubleshooting ===
First, take care of proper logging; by default almost nothing is logged. For example, to enable third-level verbose logging for rpc.gssd, append the following to <code><nowiki>/etc/default/nfs-common</nowiki></code>:
<pre><nowiki>
RPCGSSDOPTS="-vvv"</nowiki></pre>
After restarting nfs-common (<code><nowiki>/etc/init.d/nfs-common restart</nowiki></code>) check that the daemon has received the new arguments:
<pre><nowiki>
ps xuwa | grep rpc.gssd | grep -v grep
root      9857  0.0  0.4   2496  1220 ?        Ss   02:17   0:00 /usr/sbin/rpc.gssd -vvv</nowiki></pre>
Then look for its log output in daemon.log:
<pre><nowiki>
tail -f /var/log/daemon.log</nowiki></pre>
For the server, you can likewise raise the rpc.svcgssd log level in <code><nowiki>/etc/default/nfs-kernel-server</nowiki></code>:
<pre><nowiki>
RPCSVCGSSDOPTS="-vvv"</nowiki></pre>
Browse the <code><nowiki>/etc/init.d/nfs-*</nowiki></code> init scripts to see other variables that you can set in <code><nowiki>/etc/default</nowiki></code>.

If using Kerberos, enable logging in <code><nowiki>/etc/krb5.conf</nowiki></code>:
<pre><nowiki>
[logging]
        kdc = SYSLOG:INFO:DAEMON
        admin_server = SYSLOG:INFO:DAEMON
        default = SYSLOG:INFO:DAEMON</nowiki></pre>