Procedure 3.1. Installing and configuring an NFSv4 server
Mapping userIDs
If the UIDs of the files on your NFS server are going to be shown correctly, you must configure the NFS server to map them using idmapd, which is configured in one of the steps below to use libnss.
If getent passwd joeuser shows some output on the NFS server, then you're all set.
If not, make it work first.
How to do that is outside of the scope of this document.
Something to serve
Note
In this step we create and mount a filesystem that we are going to serve over NFS. It isn't necessary to serve an entire FS; you can serve a directory just as well. If you already have something to serve, you can skip this step.
We are going to serve what is now mounted under /srv, but from a different mount point:
apprentice@nfs-server:~$ df -h|grep srv
/dev/mapper/nfs-server-lvsrv
2.4G 68M 2.2G 3% /srv
This little script makes the changes in my case:
apt-get install xfsprogs                  # Install xfsprogs
umount /srv/                              # Unmount the existing fs from the old mount point
mkfs.xfs -f /dev/mapper/nfs-server-lvsrv  # Put an XFS filesystem on the underlying block device
mkdir /lwphome                            # Create a new mount point
# In /etc/fstab, replace this line:
#   /dev/mapper/machine.domain.com-lvsrv /srv ext3 defaults 0 2
# with this one:
#   /dev/mapper/machine.domain.com-lvsrv /lwphome xfs defaults,uquota,pquota 0 2
sed -i 's%/srv%/lwphome%' /etc/fstab
sed -i '/lwphome/ s%ext3%xfs%' /etc/fstab
sed -i '/lwphome/ s%defaults%defaults,uquota,pquota%' /etc/fstab
mount -a                                  # Mount all filesystems, including the newly created one
# Put mode 1777 on the mounted FS: for the first setup we want anyone to be able
# to write files there, as far as the FS is ruling permissions...
chmod 1777 /lwphome/
If it ran correctly, we now have /lwphome mounted, like this:
apprentice@nfs-server:~$ mount|grep lwphome
/dev/mapper/nfs-server-lvsrv on /lwphome type xfs (rw,uquota,pquota)
apprentice@nfs-server:~$
Preparing the NFS server as a Kerberos client
The NFS server will speak Kerberos to the Kerberos server. We use the same preseeding as on the Kerberos server, and install the Heimdal clients (but not the KDC of course):
apprentice@nfs-server:~$ cat <<EOF > debconf-kerberos-settings
# Kerberos servers for your realm:
krb5-config krb5-config/kerberos_servers string krbserver.mydomain.com
# Default Kerberos version 5 realm:
krb5-config krb5-config/default_realm string MYDOMAIN.COM
# Local realm name:
heimdal-kdc heimdal/realm string MYDOMAIN.COM
# Administrative server for your Kerberos realm:
krb5-config krb5-config/admin_server string krbserver.mydomain.com
# Does DNS contain pointers to your realm's Kerberos Servers?
krb5-config krb5-config/dns_for_default boolean false
# Add locations of default Kerberos servers to /etc/krb5.conf?
krb5-config krb5-config/add_servers boolean true
EOF
apprentice@nfs-server:~$ sudo debconf-set-selections < debconf-kerberos-settings
apprentice@nfs-server:~$ sudo apt-get install -y heimdal-clients
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
krb5-config libasn1-8-heimdal libdb4.7 libgssapi2-heimdal libhdb9-heimdal libheimntlm0-heimdal libhesiod0 libhx509-4-heimdal libkadm5clnt7-heimdal
libkadm5srv8-heimdal libkafs0-heimdal libkrb5-25-heimdal libotp0-heimdal libroken18-heimdal libsl0-heimdal libwind0-heimdal
Suggested packages:
heimdal-docs heimdal-kcm
The following NEW packages will be installed:
heimdal-clients krb5-config libasn1-8-heimdal libdb4.7 libgssapi2-heimdal libhdb9-heimdal libheimntlm0-heimdal libhesiod0 libhx509-4-heimdal libkadm5clnt7-heimdal
libkadm5srv8-heimdal libkafs0-heimdal libkrb5-25-heimdal libotp0-heimdal libroken18-heimdal libsl0-heimdal libwind0-heimdal
0 upgraded, 17 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,168kB of archives.
After this operation, 6,246kB of additional disk space will be used.
Get:1 http://mirror.mydomain.com/ubuntu/ lucid/main krb5-config 2.2 [23.0kB]
<snip>
Setting up heimdal-clients (1.2.e1.dfsg.1-1ubuntu1) ...
update-alternatives: using /usr/bin/krsh to provide /usr/bin/rsh (rsh) in auto mode.
update-alternatives: using /usr/bin/krcp to provide /usr/bin/rcp (rcp) in auto mode.
update-alternatives: using /usr/bin/kpagsh to provide /usr/bin/pagsh (pagsh) in auto mode.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
apprentice@nfs-server:~$
Installing the NFS packages
apprentice@nfs-server:~$ sudo apt-get install -y nfs-kernel-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
nfs-kernel-server
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 162kB of archives.
After this operation, 319kB of additional disk space will be used.
Get:1 http://mirror.mydomain.com lenny/main nfs-kernel-server 1:1.1.2-6lenny1 [162kB]
Fetched 162kB in 0s (13.9MB/s)
Selecting previously deselected package nfs-kernel-server.
(Reading database ... 23720 files and directories currently installed.)
Unpacking nfs-kernel-server (from .../nfs-kernel-server_1%3a1.1.2-6lenny1_amd64.deb) ...
Processing triggers for man-db ...
Setting up nfs-kernel-server (1:1.1.2-6lenny1) ...
Creating config file /etc/exports with new version
Creating config file /etc/default/nfs-kernel-server with new version
Starting NFS common utilities: statd.
Exporting directories for NFS kernel daemon....
Starting NFS kernel daemon: nfsd mountd.
apprentice@nfs-server:~$
Creating a Kerberos principal for the NFS service
Kerberos is a protocol for mutual authentication.
So the NFS user should authenticate herself to the NFS service, but the NFS service should also authenticate itself to the user.
The NFS service therefore needs to have a principal, which is named “nfs/nfs-server@REALM” by convention and by NFS server code.
(Actually, there is a short list <ToDo: find url of docs > of principals the NFS server tries to get credentials for, any of which may be used.)
apprentice@nfs-server:~$ sudo kadmin -p apprentice/admin@MYDOMAIN.COM
kadmin> add -r nfs/nfs-server.mydomain.com@MYDOMAIN.COM
apprentice/admin@MYDOMAIN.COM's Password:
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
kadmin> ext_keytab -k /etc/krb5.keytab nfs/nfs-server.mydomain.com@MYDOMAIN.COM
kadmin> quit
apprentice@nfs-server:~$
Note
If you didn't succeed in getting the
Configuring the NFS service
In /etc/default/nfs-common, we put:
#<snip>
# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=no
STATDOPTS=
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes
... in /etc/default/nfs-kernel-server, we have:
# Number of servers to start up
RPCNFSDCOUNT=8
# Runtime priority of server (see nice(1))
RPCNFSDPRIORITY=0
# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information,
# see rpc.mountd(8) or http://wiki.debian.org/?SecuringNFS
RPCMOUNTDOPTS=
# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD=yes
# Options for rpc.svcgssd.
RPCSVCGSSDOPTS=-vvv
... and in /etc/exports, we share /lwphome (you want to specify your own IP range here, if any):
/lwphome 192.168.0.0/16(rw,sync,root_squash,subtree_check,sec=krb5p,fsid=0)
... and we edit /etc/krb5.conf to work around bugs 575895 and 512110 in gssd:
[libdefaults]
<snip>
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# allow_weak_crypto = true
# The following libdefaults parameters are only for Heimdal Kerberos.
<snip>
And in /etc/idmapd.conf:
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = rug.nl
Local-Realms = TEST.MYDOMAIN.COM

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = nsswitch
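Before restarting the services it is worth checking that the four files above really say what you think they say: an export without sec=krb5* silently falls back to AUTH_SYS, NEED_GSSD/NEED_SVCGSSD set to "no" means the Kerberos daemons never start, and an idmapd Domain that differs from the clients' makes every file show up as the Nobody-User. The following audit script is an added example, not part of the original procedure or of the nfs-utils package; the function names (get_var, check_nfs_defaults, check_exports, idmap_domain) are my own, and it writes constructed sample files (copied from the settings in this step, plus two deliberately weak counter-examples) to a temporary directory so it can run offline. On a real server, point the functions at /etc/default/nfs-common, /etc/default/nfs-kernel-server, /etc/exports and /etc/idmapd.conf instead.

```shell
#!/bin/sh
# Added audit example (not from the original procedure): checks that the files
# written in the "Configuring the NFS service" step carry the settings that
# make the export Kerberos-only, and reports export entries that would still
# accept sys authentication or remote root.

TMPD=$(mktemp -d)

# --- constructed samples, copied from the settings shown in this step ---
cat > "$TMPD/nfs-common" <<'EOF'
NEED_STATD=no
STATDOPTS=
NEED_IDMAPD=yes
NEED_GSSD=yes
EOF
cat > "$TMPD/nfs-kernel-server" <<'EOF'
RPCNFSDCOUNT=8
NEED_SVCGSSD="yes"
RPCSVCGSSDOPTS=-vvv
EOF
cat > "$TMPD/exports" <<'EOF'
/lwphome 192.168.0.0/16(rw,sync,root_squash,subtree_check,sec=krb5p,fsid=0)
EOF
cat > "$TMPD/idmapd.conf" <<'EOF'
[General]
Domain = rug.nl
[Translation]
Method = nsswitch
EOF
# constructed counter-examples: gssd switched off, and an export that still
# accepts sys authentication and does not squash root
cat > "$TMPD/nfs-common-weak" <<'EOF'
NEED_IDMAPD=yes
NEED_GSSD=no
EOF
cat > "$TMPD/exports-weak" <<'EOF'
# comment lines and blank lines are skipped

/export 192.168.0.0/16(rw,sync,no_root_squash,sec=sys)
/data   10.0.0.0/8(ro,sec=krb5i)
EOF

# get_var FILE NAME: value of the last uncommented NAME=value line, quotes stripped
get_var() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# check_nfs_defaults COMMON SERVER: returns 0 only when gssd, idmapd and
# svcgssd are all enabled; prints the missing setting otherwise
check_nfs_defaults() {
    rc=0
    [ "$(get_var "$1" NEED_GSSD)" = yes ]    || { echo "NEED_GSSD is not yes in $1"; rc=1; }
    [ "$(get_var "$1" NEED_IDMAPD)" = yes ]  || { echo "NEED_IDMAPD is not yes in $1"; rc=1; }
    [ "$(get_var "$2" NEED_SVCGSSD)" = yes ] || { echo "NEED_SVCGSSD is not yes in $2"; rc=1; }
    return $rc
}

# check_exports FILE: prints one WEAK line per client entry that lacks
# sec=krb5/krb5i/krb5p or carries no_root_squash; prints nothing when every
# entry is Kerberos-only
check_exports() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r path clients; do
        for c in $clients; do
            # option list is the text between the parentheses of "client(opts)"
            opts=$(printf '%s' "$c" | sed -n 's/^[^(]*(\(.*\))$/\1/p')
            case ",$opts," in
                *,sec=krb5*) ;;
                *) echo "WEAK: $path $c does not require Kerberos (no sec=krb5*)" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "WEAK: $path $c does not squash remote root" ;;
            esac
        done
    done
}

# idmap_domain FILE: the Domain value from idmapd.conf; it must be identical
# on every client, otherwise owners are shown as the Nobody-User
idmap_domain() {
    sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# stand-alone run: report on the samples
if check_nfs_defaults "$TMPD/nfs-common" "$TMPD/nfs-kernel-server"; then
    echo "defaults: OK"
fi
check_nfs_defaults "$TMPD/nfs-common-weak" "$TMPD/nfs-kernel-server" || echo "weak defaults: flagged"
check_exports "$TMPD/exports"
check_exports "$TMPD/exports-weak"
echo "idmapd domain: $(idmap_domain "$TMPD/idmapd.conf")"
```

The exports check accepts sec=krb5, krb5i and krb5p alike, since all three require a Kerberos ticket; only krb5p also encrypts the data, which is why the export above uses it. An entry such as sec=sys:krb5p is flagged on purpose: listing sys first means an unauthenticated client is still accepted.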
Restarting the NFS services
user@nfs-server:~$ sudo /etc/init.d/nfs-kernel-server restart
Stopping NFS kernel daemon: mountd svcgssd nfsd.
Unexporting directories for NFS kernel daemon....
Exporting directories for NFS kernel daemon....
Starting NFS kernel daemon: nfsd svcgssd mountd.
user@nfs-server:~$ sudo /etc/init.d/nfs-common restart
Stopping NFS common utilities: gssd idmapd.
Starting NFS common utilities: idmapd gssd.
user@nfs-server:~$