Special:Badtitle/NS100:NFSv4Howto: Difference between revisions
m No edit summary |
m No edit summary |
||
Line 122: | Line 122: | ||
1 2 nfs/nfs-server.domain@DOMAIN | 1 2 nfs/nfs-server.domain@DOMAIN | ||
</nowiki></pre> | </nowiki></pre> | ||
or even better: | |||
<pre><nowiki># sudo klist -e -k /etc/krb5.keytab | |||
Keytab name: FILE:/etc/krb5.keytab | |||
KVNO Principal | |||
---- -------------------------------------------------------------------------- | |||
1 nfs/nfs-server.domain@DOMAIN (DES cbc mode with CRC-32) | |||
</nowiki></pre> | |||
and make sure there is only ONE entry for your nfs server with the options <code><nowiki>DES cbc mode with CRC-32</nowiki></code> as seen above. It will not work if there is another entry for Triple DES or other encryption algorithms. | |||
* In <code><nowiki>/etc/default/nfs-kernel-server</nowiki></code> we set: | * In <code><nowiki>/etc/default/nfs-kernel-server</nowiki></code> we set: | ||
<pre><nowiki> | <pre><nowiki> |
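Review bot: the closing sentence of the added text ("make sure there is only ONE entry ...") tells the reader the setup fails when the keytab also holds a Triple DES or other entry, but gives no step for the case where klist shows one; add how to get back to a single entry, for example by regenerating the keytab with only the des-cbc-crc key. The sample command is also shown at a `#` root prompt and prefixed with `sudo`; keep one or the other.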
Revision as of 19:14, 9 May 2008 (Fri)
Source: https://help.ubuntu.com/community/NFSv4Howto
Installation
The required packages differ depending on whether the system is a client or a server. In this Howto, the server is the host that has the files you want to share and the client is the host that will be mounting the NFS share.
- NFSv4 client
# apt-get install nfs-common
- NFSv4 server
# apt-get install nfs-kernel-server
After you finish installing nfs-kernel-server, it might fail to start because /etc/exports has no entries yet. Remember to restart the service when you finish configuring.
NFSv4 without Kerberos
NFSv4 Server
NFSv4 exports exist in a single pseudo filesystem, where the real directories are mounted with the --bind option. Here is some additional information regarding this fact.
- Let's say we want to export our user homedirs in /home/users. First we create the export filesystem:
# mkdir /export
# mkdir /export/users
and mount the real users directory with:
# mount --bind /home/users /export/users
To save us from retyping this after every reboot, we add the following line to /etc/fstab:
/home/users /export/users none bind 0 0
- In /etc/default/nfs-kernel-server we set:
NEED_SVCGSSD=no
because we do not activate NFSv4 security this time.
- In /etc/default/nfs-common we set:
NEED_IDMAPD=yes
NEED_GSSD=no
- To export our directories to a local network 192.168.1.0/24 we add the following two lines to /etc/exports:
/export 192.168.1.0/24(ro,fsid=0,insecure,no_subtree_check,async)
/export/users 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async)
- Restart the service
# /etc/init.d/nfs-kernel-server restart
NFSv4 Client
- On the client we can mount the complete export tree with one command:
# mount -t nfs4 -o proto=tcp,port=2049 nfs-server:/ /mnt
- We can also mount an exported subtree with:
# mount -t nfs4 -o proto=tcp,port=2049 nfs-server:/users /home/users
- If you experience problems like this:
Warning: rpc.idmapd appears not to be running. All uids will be mapped to the nobody uid.
mount: unknown filesystem type 'nfs4'
then you need to set in /etc/default/nfs-common:
NEED_IDMAPD=yes
and restart nfs-common:
# /etc/init.d/nfs-common restart
The "unknown filesystem" error is ambiguous and will disappear as well.
NFSv4 with Kerberos
You need a working Kerberos (MIT or Heimdal) KDC (Key Distribution Center) before continuing. On the nfs-server and nfs-clients you must use MIT krb5 for now. When extracting the key to a keytab file and when configuring krb5 in /etc/krb5.conf, it is necessary to specify des-cbc-crc because only this type of encryption is supported by the kernel at the moment.
- On the nfs-server and nfs-client you need at least krb5-user and, optionally, libpam-krb5 if you wish to authenticate against krb5.
# apt-get install krb5-user
# apt-get install libpam-krb5
- Specify des-cbc-crc in /etc/krb5.conf on nfs-servers and nfs-clients.
[libdefaults]
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
- You need the gss kernel modules on nfs-servers and nfs-clients.
# modprobe rpcsec_gss_krb5
Add rpcsec_gss_krb5 to /etc/modules to have it loaded automatically.
Create and distribute credentials
NFSv4 needs machine credentials for the server and for every client that wants to use the NFSv4 security features. Create the credentials for the nfs-server and all nfs-clients on the Kerberos KDC and distribute the extracted keys with scp to the destination. You have to make sure that you use "-e des-cbc-crc", as it will not work if the keytab contains any entry besides the single one for exactly this encryption algorithm. You can make sure that only this entry has been created by executing "sudo klist -e -k /etc/krb5.keytab".
Heimdal
# kinit kadmin/admin
# kadmin add -r nfs/nfs-server.domain
# ktutil -k ~/keytab.nfs-server get -e des-cbc-crc nfs/nfs-server.domain
# scp -p ~/keytab.nfs-server nfs-server:/etc/krb5.keytab
# kadmin add -r nfs/nfs-client.domain
# ktutil -k ~/keytab.nfs-client get -e des-cbc-crc nfs/nfs-client.domain
# scp -p ~/keytab.nfs-client nfs-client:/etc/krb5.keytab
# kdestroy
MIT
# kinit admin/admin
# kadmin -q "addprinc -randkey nfs/nfs-server.domain"
# kadmin -q "ktadd -e des-cbc-crc:normal -k /root/keytab.nfs-server nfs/nfs-server.domain"
# scp -p /root/keytab.nfs-server nfs-server.domain:/etc/krb5.keytab
# kadmin -q "addprinc -randkey nfs/nfs-client.domain"
# kadmin -q "ktadd -e des-cbc-crc:normal -k /root/keytab.nfs-client nfs/nfs-client.domain"
# scp -p /root/keytab.nfs-client nfs-client.domain:/etc/krb5.keytab
# kdestroy
NFSv4 Server
- Check your machine credentials in /etc/krb5.keytab
# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 nfs/nfs-server.domain@DOMAIN
or even better:
# sudo klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/nfs-server.domain@DOMAIN (DES cbc mode with CRC-32)
and make sure there is only ONE entry for your nfs server with the options DES cbc mode with CRC-32 as seen above. It will not work if there is another entry for Triple DES or other encryption algorithms.
- In /etc/default/nfs-kernel-server we set:
NEED_SVCGSSD=yes
- In /etc/default/nfs-common we set:
NEED_IDMAPD=yes
- To export our directories from the example above to a local network 192.168.1.0/24 and addt we add the following two lines to /etc/exports
/export 192.168.1.0/24(ro,fsid=0,insecure,no_subtree_check,async,anonuid=65534,anongid=65534)
/export gss/krb5(ro,fsid=0,insecure,no_subtree_check,async,anonuid=65534,anongid=65534)
/export/users 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async,anonuid=65534,anongid=65534)
/export/users gss/krb5(rw,nohide,insecure,no_subtree_check,async,anonuid=65534,anongid=65534)
Please note that you can specify allowed hosts only for the "any" authentication flavor. Exports with the gss/krb5 flavors are accessible from anywhere unless you use additional firewall rules. To export only with secure authentication flavors, do not include a host(...) line in /etc/exports. To display your exports, enter:
# exportfs -v
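An added example (not part of the original howto): a shell function that reads an exports file and reports every client entry that can be used without Kerberos, which is what the host(...) lines above permit. The function name and finding labels are assumptions made here; it goes slightly beyond the page by also honouring the `sec=` export option described in exports(5), and the sample file is constructed from the /export/users lines above.

```sh
#!/bin/sh
# Added example: flag exports entries that are reachable without Kerberos.
# Usage: audit_exports FILE  -> one finding per line: "<path> <client> <FINDING>"
audit_exports() {
    awk '
    {
        sub(/#.*/, "")                              # strip comments
        if (sub(/\\$/, "")) { buf = buf $0; next }  # join backslash-continued lines
        $0 = buf $0; buf = ""                       # re-split the joined line into fields
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1); sub(/\)$/, "", opts)
            }
            # gss/krb5* pseudo-clients (the syntax used on this page) require Kerberos.
            krb = (client ~ /^gss\/krb5/); insecure = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "insecure") insecure = 1
                if (o[j] ~ /^sec=/) {               # sec=flavor[:flavor...]
                    krb = 1
                    m = split(substr(o[j], 5), s, ":")
                    for (k = 1; k <= m; k++) if (s[k] !~ /^krb5/) krb = 0
                }
            }
            if (!krb)             print $1, client, "NO_KERBEROS"
            # "insecure" also accepts requests from source ports above 1023.
            if (!krb && insecure) print $1, client, "UNPRIVILEGED_SOURCE_PORT"
        }
    }' "$1"
}

# Constructed sample: the two /export/users lines from the section above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/export/users 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async,anonuid=65534,anongid=65534)
/export/users gss/krb5(rw,nohide,insecure,no_subtree_check,async,anonuid=65534,anongid=65534)
EOF
audit_exports "$sample"
rm -f "$sample"
```

Only the 192.168.1.0/24 entry is reported; an exports file that produces no output offers the share through Kerberos flavors only.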
NFSv4 Client
- Check your machine credentials in /etc/krb5.keytab
# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 nfs/nfs-client.domain@DOMAIN
- In /etc/default/nfs-common we set:
NEED_IDMAPD=yes
NEED_GSSD=yes
- We can securely mount the complete export tree with:
# mount -t nfs4 -o sec=krb5,proto=tcp,port=2049 nfs-server:/ /mnt
- We can also securely mount an exported subtree with:
# mount -t nfs4 -o sec=krb5,proto=tcp,port=2049 nfs-server:/users /home/users
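An added example (not part of the original howto) that automates the keytab check described under "Create and distribute credentials" and in the server and client sections: it reads the output of `klist -e -k` and accepts the keytab only if the given principal has exactly one entry and that entry is "DES cbc mode with CRC-32". The function name is an assumption made here, and the sample output, including the Triple DES label, is constructed.

```sh
#!/bin/sh
# Added example. Usage:
#   klist -e -k /etc/krb5.keytab | check_nfs_keytab nfs/nfs-server.domain@DOMAIN
# Returns 0 only if the principal has a single entry and it is des-cbc-crc.
check_nfs_keytab() {
    awk -v want="$1" '
    # Entry lines look like: "   1 nfs/host.domain@REALM (DES cbc mode with CRC-32)"
    $1 ~ /^[0-9]+$/ && $2 == want {
        total++
        enc = $0
        sub(/^[^(]*\(/, "", enc); sub(/\)[ \t]*$/, "", enc)   # keep the text in parentheses
        if (enc == "DES cbc mode with CRC-32") des++
        else printf "unexpected enctype for %s (kvno %s): %s\n", want, $1, enc
    }
    END {
        if (total == 0) { printf "no entry for %s\n", want; exit 1 }
        if (total != 1 || des != 1) {
            printf "%d entries for %s, %d with des-cbc-crc; expected exactly 1\n", total, want, des
            exit 1
        }
        printf "OK: single des-cbc-crc entry for %s\n", want
    }'
}

# Constructed sample: the klist output from this page plus one extra entry.
sample='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/nfs-server.domain@DOMAIN (DES cbc mode with CRC-32)
   1 nfs/nfs-server.domain@DOMAIN (Triple DES cbc mode with HMAC/sha1)'
printf '%s\n' "$sample" | check_nfs_keytab nfs/nfs-server.domain@DOMAIN ||
    echo "keytab does not meet the single des-cbc-crc entry requirement"
```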
Troubleshooting
First, take care of proper logging: by default almost nothing is logged. For example, to enable third-level verbose logging for rpc.gssd, append the following to /etc/default/nfs-common:
RPCGSSDOPTS="-vvv -rrr"
After restarting nfs-common (/etc/init.d/nfs-common restart), check that the daemon has received the new arguments:
ps xuwa | grep rpc.gssd
root 9857 0.0 0.4 2496 1220 ? Ss 02:17 0:00 /usr/sbin/rpc.gssd -vvv
Then look for its log output in daemon.log:
tail -f /var/log/daemon.log
For the server, you can, for example, raise the rpc.svcgssd log level in /etc/default/nfs-kernel-server:
RPCSVCGSSDOPTS="-vvv -rrr"
Browse the /etc/init.d/nfs-* init scripts to see other variables that you can set in /etc/default.
If using Kerberos, enable logging in /etc/krb5.conf:
[logging]
kdc = SYSLOG:INFO:DAEMON
admin_server = SYSLOG:INFO:DAEMON
default = SYSLOG:INFO:DAEMON