Prerequisites

  1. The client must be configured to use Kerberos.
  2. The system clock on your client must be within the clock skew configured on the KDC. We recommend you run NTPD to ensure clock synchronization.
  3. The /etc/services file must list the nfs service as running on port 2049.

    nfs             2049/tcp        nfsd            # Network File System
    nfs             2049/udp        nfsd            # Network File System

Verify name resolution

Verify that name resolution is set up properly, either with DNS or with /etc/hosts.

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain   localhost
10.0.0.1        nfs1.example.com        nfs1
10.0.0.2        client.example.com      client

Client Config Files

Config File             Description
/etc/idmapd.conf        Used on the client and server.
/etc/gssapi_mech.conf   Used on the client and server.
/etc/fstab              Used only on the client.
/etc/auto.master        Used only on the client.

Install NFS

[root@client ~]# yum install nfs-utils

Configure TCP Wrappers (/etc/hosts.allow) to protect the portmapper, allowing only loopback connections:

portmap : 127. : ALLOW
portmap : ALL : DENY

Make sure /etc/gssapi_mech.conf exists. It should be installed by default.

# library                               initialization function
# ================================      ==========================
# The MIT K5 gssapi library, use special function for initialization.
/usr/lib/libgssapi_krb5.so     mechglue_internal_krb5_init

Configure /etc/idmapd.conf

The client configuration should match the server configuration:

[General]

Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = example.com

[Mapping]

Nobody-User = nobody
Nobody-Group = nobody

[Translation]
Method = nsswitch

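The prerequisites, the hosts.allow rules and the requirement that client and server idmapd.conf agree on Domain can all be verified before mounting. The following pre-flight script is an added example, not part of the original page; the check functions, the constructed sample files in the demo and the placeholder domain example.org are assumptions, and each check reads the live system file when no path is given.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight checks for the client
# prerequisites above; each check takes a file path (default: the live system file).

# /etc/services must list nfs on 2049 for both tcp and udp.
check_nfs_services() {
    f=${1:-/etc/services}
    for proto in tcp udp; do
        grep -Eq "^nfs[[:space:]]+2049/$proto([[:space:]]|$)" "$f" || return 1
    done
    return 0
}

# Print the Domain value from an idmapd.conf with surrounding whitespace removed.
idmapd_domain() {
    sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*//p' "${1:-/etc/idmapd.conf}" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Client and server idmapd.conf must agree on Domain; if they do not, owner
# strings from the server fall back to the Nobody-User/Nobody-Group mapping.
check_idmapd_match() {
    c=$(idmapd_domain "$1")
    s=$(idmapd_domain "$2")
    [ -n "$c" ] && [ "$c" = "$s" ]
}

# hosts.allow must allow portmap only from loopback and deny everything else.
check_portmap_wrappers() {
    f=${1:-/etc/hosts.allow}
    grep -Eq '^portmap[[:space:]]*:[[:space:]]*127\.[[:space:]]*:[[:space:]]*ALLOW' "$f" &&
        grep -Eq '^portmap[[:space:]]*:[[:space:]]*ALL[[:space:]]*:[[:space:]]*DENY' "$f"
}

# Run the checks against constructed files (not the live system configuration).
demo() {
    d=$(mktemp -d)
    printf 'nfs\t2049/tcp\tnfsd\nnfs\t2049/udp\tnfsd\n' > "$d/services"
    printf '[General]\nDomain = example.com\n' > "$d/idmapd.client"
    printf '[General]\nDomain = example.org\n' > "$d/idmapd.server"
    printf 'portmap : 127. : ALLOW\nportmap : ALL : DENY\n' > "$d/hosts.allow"
    check_nfs_services "$d/services" && echo "services: ok" || echo "services: nfs/2049 missing"
    check_idmapd_match "$d/idmapd.client" "$d/idmapd.server" &&
        echo "idmapd Domain: match" || echo "idmapd Domain: MISMATCH"
    check_portmap_wrappers "$d/hosts.allow" && echo "portmap: restricted" || echo "portmap: open"
    rm -rf "$d"
}

demo
```

Running the demo reports a Domain mismatch on purpose, since the constructed server file uses a different domain; on a real client, call the check functions with no arguments to test the live files.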
Configure services for automatic startup and shutdown

Service       Description
portmap       Used on the client and server.
rpcidmapd     Used on the client and server.
nfs           Used only on the server.
rpcsvcgssd    Used only on the server, for RPCSEC_GSS.
rpcgssd       Used only on the client, for RPCSEC_GSS.

Use 'chkconfig' to make sure that all of the NFS-related services start and stop automatically.

[root@client ~]# chkconfig nfslock off
[root@client ~]# chkconfig nfs off
[root@client ~]# chkconfig rpcsvcgssd off
[root@client ~]#
[root@client ~]# chkconfig rpcgssd on
[root@client ~]# chkconfig portmap on
[root@client ~]# chkconfig rpcidmapd on

Make sure all the right daemons are restarted or stopped, as appropriate.

[root@client ~]# service nfslock stop
[root@client ~]# service nfs stop
[root@client ~]# service rpcsvcgssd stop
[root@client ~]#
[root@client ~]# service rpcgssd restart
[root@client ~]# service portmap restart
[root@client ~]# service rpcidmapd restart

A note on UIDs and GIDs

Your users will need identical usernames, UIDs, groupnames, and GIDs on both the client and server. We recommend that you follow the Trail for backing users in Apache Directory. If you are simply using local file configuration, then you will need to ensure that the usernames, UIDs, groupnames, and GIDs are identical on both your client and server.

Monitoring the Client

Each NFSv4 client opens one connection on TCP port 2049. You can use the following command during testing.

[root@client ~]# netstat -tn