Work in progress
This site is in the process of being reviewed and updated.
Prerequisites
- Apache Directory must be configured and running as a KDC.
- Apache Directory must contain user and service principals. In particular for NFS, you must have an NFS service principal with a principal name of the form nfs/nfs1.example.com@EXAMPLE.COM.
- The NFS service principal's key must be exported and placed in the /etc/krb5.keytab file on the NFS server.
- The server must be configured to use Kerberos.
- The system clock on your server must be within the clock skew configured on the KDC. We recommend you run ntpd to ensure clock synchronization.
- The /etc/services file must list the nfs service as running on port 2049.
```
nfs             2049/tcp    nfsd    # Network File System
nfs             2049/udp    nfsd    # Network File System
```
Verify name resolution
Verify that name resolution is set up properly, either with DNS or with /etc/hosts.
```
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain localhost
10.0.0.1        nfs1.example.com nfs1
10.0.0.2        client.example.com client
```
Server Config Files
| Config File | Description |
|---|---|
| /etc/idmapd.conf | Used on the client and server. |
| /etc/gssapi_mech.conf | Used on the client and server. |
| /etc/exports | Used only on the server. |
| /etc/sysconfig/nfs | Used only on the server. |
Install NFS
```
[root@nfs1 ~]# yum install nfs-utils
```
Configure TCP Wrappers (/etc/hosts.allow) to protect the portmapper:
```
portmap : 127. : ALLOW
portmap : ALL : DENY
```
Configure /etc/sysconfig/nfs
```
# This entry should be "yes" if you are using RPCSEC_GSS_KRB5 (auth=krb5, krb5i, or krb5p)
SECURE_NFS="yes"
# This entry sets the number of NFS server processes. 8 is the default
RPCNFSDCOUNT=8
```
Make sure /etc/gssapi_mech.conf exists. It should be installed by default.
```
# library                          initialization function
# ================================ ==========================
# The MIT K5 gssapi library, use special function for initialization.
/usr/lib/libgssapi_krb5.so         mechglue_internal_krb5_init
```
Configure /etc/idmapd.conf
The id mapper daemon is required on both client and server. It maps NFSv4 user@domain strings back and forth into numeric UIDs and GIDs when necessary. The client and server must have matching domains in this configuration file:
```
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = example.com

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

[Translation]
Method = nsswitch
```
Configure services for automatic startup and shutdown
| Service | Description |
|---|---|
| portmap | Used on the client and server. |
| rpcidmapd | Used on the client and server. |
| nfs | Used only on the server. |
| rpcsvcgssd | Used only on the server, for RPCSEC_GSS. |
| rpcgssd | Used only on the client, for RPCSEC_GSS. |
Use 'chkconfig' to make sure that all of the NFS-related services start and stop automatically.
```
[root@nfs1 ~]# chkconfig rpcgssd off
[root@nfs1 ~]#
[root@nfs1 ~]# chkconfig rpcsvcgssd on
[root@nfs1 ~]# chkconfig portmap on
[root@nfs1 ~]# chkconfig rpcidmapd on
[root@nfs1 ~]# chkconfig nfslock on
[root@nfs1 ~]# chkconfig nfs on
```
Make sure all the right daemons are restarted or stopped, as appropriate.
```
[root@nfs1 ~]# service rpcgssd stop
[root@nfs1 ~]#
[root@nfs1 ~]# service rpcsvcgssd restart
[root@nfs1 ~]# service portmap restart
[root@nfs1 ~]# service rpcidmapd restart
[root@nfs1 ~]# service nfslock restart
[root@nfs1 ~]# service nfs restart
```
A note on UIDs and GIDs
Your users will need identical usernames, UIDs, group names, and GIDs on both the client and server. We recommend that you follow the trail for backing users in Apache Directory. If you are simply using local file configuration, then you must ensure yourself that the usernames, UIDs, group names, and GIDs are identical on both your client and server.
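The steps above leave several places where a small mismatch (a missing nfs entry in /etc/services, SECURE_NFS left off, a Domain that differs from the clients', or a keytab without the nfs/ service principal) silently breaks Kerberized mounts. The following preflight script is an added example, not part of the Apache Directory documentation; it checks each of those files, using constructed sample files with hypothetical values so it runs offline, and can be pointed at the real /etc files and saved klist -k output instead.

```shell
#!/bin/sh
# Preflight checks for a Kerberized NFS server. Added example, not code from
# the Apache Directory docs. Each check takes the file to inspect as an
# argument, so it runs against the real files (/etc/services,
# /etc/sysconfig/nfs, /etc/idmapd.conf, saved output of `klist -k`) or the
# constructed samples below. Each returns 0 on pass, non-zero on fail.

# /etc/services must list nfs on 2049 for both tcp and udp.
check_services() {
    grep -Eq '^nfs[[:space:]]+2049/tcp' "$1" &&
    grep -Eq '^nfs[[:space:]]+2049/udp' "$1"
}

# /etc/sysconfig/nfs must enable RPCSEC_GSS_KRB5 with SECURE_NFS="yes".
check_secure_nfs() {
    grep -Eq '^SECURE_NFS="?yes"?[[:space:]]*$' "$1"
}

# Domain in idmapd.conf must equal the domain the clients use ($2), or
# NFSv4 owners fall back to Nobody-User/Nobody-Group on the other side.
check_idmapd_domain() {
    d=$(sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$d" ] && [ "$d" = "$2" ]
}

# The keytab must hold the service principal nfs/<fqdn>@<REALM>.
# $1 is saved `klist -k /etc/krb5.keytab` output, $2 the FQDN, $3 the realm.
check_keytab_principal() {
    grep -q "[[:space:]]nfs/$2@$3\$" "$1"
}

# Constructed sample files (hypothetical values) mirroring the documented setup.
SAMPLE_DIR=$(mktemp -d)
printf 'nfs\t2049/tcp\tnfsd\nnfs\t2049/udp\tnfsd\n' > "$SAMPLE_DIR/services"
printf 'SECURE_NFS="yes"\nRPCNFSDCOUNT=8\n' > "$SAMPLE_DIR/sysconfig-nfs"
printf '[General]\nDomain = example.com\n[Mapping]\nNobody-User = nobody\n' > "$SAMPLE_DIR/idmapd.conf"
printf '[General]\nDomain = corp.example.com\n' > "$SAMPLE_DIR/idmapd-mismatch.conf"
printf 'KVNO Principal\n---- ---------\n   2 nfs/nfs1.example.com@EXAMPLE.COM\n' > "$SAMPLE_DIR/klist.out"

# Run all checks against a directory of files; exit status 1 if any failed.
run_preflight() {
    rc=0
    check_services "$1/services" && echo "PASS services" || { echo "FAIL services"; rc=1; }
    check_secure_nfs "$1/sysconfig-nfs" && echo "PASS SECURE_NFS" || { echo "FAIL SECURE_NFS"; rc=1; }
    check_idmapd_domain "$1/idmapd.conf" "$2" && echo "PASS idmapd Domain" || { echo "FAIL idmapd Domain"; rc=1; }
    check_keytab_principal "$1/klist.out" "$3" "$4" && echo "PASS keytab" || { echo "FAIL keytab"; rc=1; }
    return $rc
}

run_preflight "$SAMPLE_DIR" example.com nfs1.example.com EXAMPLE.COM
```

To run it against a real server, copy /etc/services, /etc/sysconfig/nfs and /etc/idmapd.conf into a directory with `klist -k /etc/krb5.keytab > klist.out` and pass that directory, your idmapd domain, the server FQDN and the realm to run_preflight.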
Monitoring the Server
The 'nfsstat' command can be used with the 'watch' command for a real-time view of activity.
```
[root@nfs1 ~]# watch nfsstat -r -o net
```
The following two commands show which NFS-related services are running.
```
[root@nfs1 ~]# rpcinfo -p
[root@nfs1 ~]# netstat -tunap
```