Work in progress

This site is in the process of being reviewed and updated.

Prerequisites
  1. Apache Directory must be configured and running as a KDC.
  2. Apache Directory must contain user and service principals. In particular for NFS, you must have an NFS service principal with a principal name of the form nfs/nfs1.example.com@EXAMPLE.COM.
  3. The NFS service principal's key must be exported and placed in the /etc/krb5.keytab file on the NFS server.
  4. The server must be configured to use Kerberos.
  5. The system clock on your server must be within the clock skew configured on the KDC. We recommend you run NTPD to ensure clock synchronization.
  6. The /etc/services file must list the nfs service as running on port 2049:
    nfs             2049/tcp        nfsd            # Network File System
    nfs             2049/udp        nfsd            # Network File System
Verify name resolution

Verify that name resolution is setup properly, either with DNS or with /etc/hosts.

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain   localhost
10.0.0.1        nfs1.example.com        nfs1
10.0.0.2        client.example.com      client
Server Config Files

Config File             Description
----------------------  ------------------------------
/etc/idmapd.conf        Used on the client and server.
/etc/gssapi_mech.conf   Used on the client and server.
/etc/exports            Used only on the server.
/etc/sysconfig/nfs      Used only on the server.

Install NFS
[root@nfs1 ~]# yum install nfs-utils
Configure TCP Wrappers (/etc/hosts.allow) to protect the Portmapper:
portmap : 127. : ALLOW
portmap : ALL : DENY
Configure /etc/sysconfig/nfs
# This entry should be "yes" if you are using RPCSEC_GSS_KRB5 (auth=krb5,krb5i, or krb5p)
SECURE_NFS="yes"
# This entry sets the number of NFS server processes.  8 is the default
RPCNFSDCOUNT=8
Make sure /etc/gssapi_mech.conf exists. It should be installed by default.
# library                               initialization function
# ================================      ==========================
# The MIT K5 gssapi library, use special function for initialization.
/usr/lib/libgssapi_krb5.so     mechglue_internal_krb5_init
Configure /etc/idmapd.conf

The id mapper daemon is required on both client and server. It maps NFSv4 username@domain user strings back and forth into numeric UIDs and GIDs when necessary. The client and server must have matching domains in this configuration file:

[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = example.com

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

[Translation]
Method = nsswitch
Configure services for automatic startup and shutdown

Service      Description
-----------  ------------------------------------------
portmap      Used on the client and server.
rpcidmapd    Used on the client and server.
nfs          Used only on the server.
rpcsvcgssd   Used only on the server, for RPCSEC_GSS.
rpcgssd      Used only on the client, for RPCSEC_GSS.

Use 'chkconfig' to make sure that all of the NFS-related services start and stop automatically. rpcgssd is the client-side daemon, so it is switched off on the server:

[root@nfs1 ~]# chkconfig rpcgssd off
[root@nfs1 ~]# chkconfig rpcsvcgssd on
[root@nfs1 ~]# chkconfig portmap on
[root@nfs1 ~]# chkconfig rpcidmapd on
[root@nfs1 ~]# chkconfig nfslock on
[root@nfs1 ~]# chkconfig nfs on

Make sure all the right daemons are restarted or stopped, as appropriate.

[root@nfs1 ~]# service rpcgssd stop
[root@nfs1 ~]# service rpcsvcgssd restart
[root@nfs1 ~]# service portmap restart
[root@nfs1 ~]# service rpcidmapd restart
[root@nfs1 ~]# service nfslock restart
[root@nfs1 ~]# service nfs restart
A note on UIDs and GIDs

Your users will need identical usernames, UIDs, group names, and GIDs on both the client and server. We recommend that you follow the Trail for backing users in Apache Directory. If you are simply using local file configuration, you must ensure that the usernames, UIDs, group names, and GIDs are identical on both your client and server.

Monitoring the Server

The 'nfsstat' command can be used with the 'watch' command for a real-time view of activity.

[root@nfs1 ~]# watch nfsstat -r -o net

The following two commands can tell you what NFS-related services are running.

[root@nfs1 ~]# rpcinfo -p
[root@nfs1 ~]# netstat -tunap
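As an added example (not part of this page or of Apache Directory), the following Python pre-flight checker tests several of the prerequisites and config files above: the nfs entries in /etc/services, SECURE_NFS in /etc/sysconfig/nfs, matching idmapd Domain on client and server, the nfs/ service principal in the keytab, and the portmap catch-all in /etc/hosts.allow. It takes file contents and the output of 'klist -k' as text, so the constructed samples at the bottom run offline; the sample values and the function names are assumptions.

```python
"""Offline pre-flight checks for the Kerberized NFS prerequisites on this page.
Inputs are the text of config files or command output; see the constructed samples."""
import re

def check_services(services_text):
    # Prerequisite 6: nfs must be listed on 2049 for both tcp and udp.
    found = set(re.findall(r"^nfs\s+2049/(tcp|udp)\b", services_text, re.M))
    return [f"/etc/services: nfs 2049/{p} missing" for p in ("tcp", "udp") if p not in found]

def check_sysconfig(text):
    # SECURE_NFS="yes" is what starts rpc.svcgssd for auth=krb5/krb5i/krb5p.
    m = re.search(r'^SECURE_NFS="?([^"\n]*)"?', text, re.M)
    return [] if m and m.group(1) == "yes" else ['/etc/sysconfig/nfs: SECURE_NFS is not "yes"']

def check_idmapd_domain(server_conf, client_conf):
    # Client and server must agree on Domain, or NFSv4 owners fall back to Nobody-User.
    def domain(t):
        m = re.search(r"^Domain\s*=\s*(\S+)", t, re.M)
        return m.group(1).lower() if m else None
    s, c = domain(server_conf), domain(client_conf)
    return [] if s and s == c else [f"idmapd.conf Domain mismatch: server={s} client={c}"]

def check_keytab(klist_output, fqdn, realm):
    # Prerequisite 3: 'klist -k /etc/krb5.keytab' must show the nfs/<host>@REALM key.
    want = f"nfs/{fqdn}@{realm}"
    return [] if want in klist_output else [f"/etc/krb5.keytab: no key for {want}"]

def check_hosts_allow(text):
    # TCP wrappers: portmap needs a final 'ALL : DENY' so only listed hosts are served
    # (simple three-field 'daemon : client : action' rules only).
    rules = [tuple(p.strip() for p in line.split(":"))
             for line in text.splitlines() if line.strip() and not line.startswith("#")]
    if not any(r[0] == "portmap" and r[1:] == ("ALL", "DENY") for r in rules):
        return ["/etc/hosts.allow: portmap has no 'ALL : DENY' catch-all"]
    return []

def run_checks(services, sysconfig, idmapd_server, idmapd_client, klist, hosts_allow,
               fqdn="nfs1.example.com", realm="EXAMPLE.COM"):
    # Returns a list of findings; an empty list means every check passed.
    return (check_services(services) + check_sysconfig(sysconfig)
            + check_idmapd_domain(idmapd_server, idmapd_client)
            + check_keytab(klist, fqdn, realm) + check_hosts_allow(hosts_allow))

# Constructed samples mirroring the files shown on this page (not captured from a real host).
SERVICES = "nfs  2049/tcp  nfsd  # Network File System\nnfs  2049/udp  nfsd\n"
SYSCONFIG = 'SECURE_NFS="yes"\nRPCNFSDCOUNT=8\n'
IDMAPD = "[General]\nDomain = example.com\n[Mapping]\nNobody-User = nobody\n"
KLIST = "Keytab name: FILE:/etc/krb5.keytab\nKVNO Principal\n   2 nfs/nfs1.example.com@EXAMPLE.COM\n"
HOSTS_ALLOW = "portmap : 127. : ALLOW\nportmap : ALL : DENY\n"
```

Calling run_checks(SERVICES, SYSCONFIG, IDMAPD, IDMAPD, KLIST, HOSTS_ALLOW) on the samples returns an empty list; feed it the real files to get a list of what still needs fixing before the first mount.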