Chapter 3.  NFS

Table of Contents

Installing the server
The NFS client
Security

Procedure 3.1.  Installing and configuring an NFSv4 server

  1. Mapping userIDs

    For the UIDs of the files on your NFS server to be shown correctly, you must configure the NFS server to map them using idmapd, which is configured in one of the steps below to use libnss. If getent passwd joeuser shows some output on the NFS server, then you're all set. If not, make it work first; how to do that is outside the scope of this document.

  2. Something to serve

    Note

    In this step we create and mount a filesystem that we are going to serve over NFS. It isn't necessary to serve an entire FS, you can serve a directory just as well. If you already have something to serve, you can skip this step.

    We are going to serve what is now mounted under /srv, but from a different mount point:


    apprentice@nfs-server:~$ df -h|grep srv
    /dev/mapper/nfs-server-lvsrv
                          2.4G   68M  2.2G   3% /srv


    This little script makes the changes in my case:

    apt-get install xfsprogs                                          # 1
    umount /srv/                                                      # 2
    mkfs.xfs -f /dev/mapper/nfs-server-lvsrv                          # 3
    mkdir /lwphome                                                    # 4
    sed -i 's%/srv%/lwphome%' /etc/fstab                              # 5
    sed -i '/lwphome/ s%ext3%xfs%' /etc/fstab                         # 5
    sed -i '/lwphome/ s%defaults%defaults,uquota,pquota%' /etc/fstab  # 5
    mount -a                                                          # 6
    chmod 1777 /lwphome/                                              # 7

    1. Install xfsprogs
    2. Unmount the existing fs from the old mount point
    3. Put an XFS filesystem on the underlying block device
    4. Create a new mount point
    5. In /etc/fstab, replace the line

       /dev/mapper/machine.domain.com-lvsrv /srv            ext3    defaults        0       2

       with this one:

       /dev/mapper/machine.domain.com-lvsrv /lwphome            xfs    defaults,uquota,pquota        0       2

    6. Mount all filesystems, including the newly created one
    7. Put mode 1777 on the mounted FS: for this first setup we want anyone to be able to write files there, as far as filesystem permissions are concerned.

    If it ran correctly, we now have /lwphome mounted, like this:

    apprentice@nfs-server:~$ mount|grep lwphome
    /dev/mapper/nfs-server-lvsrv on /lwphome type xfs (rw,uquota,pquota)
    apprentice@nfs-server:~$

  3. Preparing the NFS server as a Kerberos client

    The NFS server will speak Kerberos to the Kerberos server. We use the same preseeding as on the Kerberos server, and install the Heimdal clients (but not the KDC of course):

    apprentice@nfs-server:~$ cat <<EOF > debconf-kerberos-settings
    # Kerberos servers for your realm:
    krb5-config krb5-config/kerberos_servers string krbserver.mydomain.com
    # Default Kerberos version 5 realm:
    krb5-config krb5-config/default_realm string MYDOMAIN.COM
    # Local realm name:
    heimdal-kdc heimdal/realm string MYDOMAIN.COM
    # Administrative server for your Kerberos realm:
    krb5-config krb5-config/admin_server string krbserver.mydomain.com
    # Does DNS contain pointers to your realm's Kerberos Servers?
    krb5-config krb5-config/dns_for_default boolean false
    # Add locations of default Kerberos servers to /etc/krb5.conf?
    krb5-config krb5-config/add_servers boolean true
    EOF
    apprentice@nfs-server:~$ sudo debconf-set-selections < debconf-kerberos-settings
    apprentice@nfs-server:~$ sudo apt-get install -y heimdal-clients
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following extra packages will be installed:
      krb5-config libasn1-8-heimdal libdb4.7 libgssapi2-heimdal libhdb9-heimdal libheimntlm0-heimdal libhesiod0 libhx509-4-heimdal libkadm5clnt7-heimdal
      libkadm5srv8-heimdal libkafs0-heimdal libkrb5-25-heimdal libotp0-heimdal libroken18-heimdal libsl0-heimdal libwind0-heimdal
    Suggested packages:
      heimdal-docs heimdal-kcm
    The following NEW packages will be installed:
      heimdal-clients krb5-config libasn1-8-heimdal libdb4.7 libgssapi2-heimdal libhdb9-heimdal libheimntlm0-heimdal libhesiod0 libhx509-4-heimdal libkadm5clnt7-heimdal
      libkadm5srv8-heimdal libkafs0-heimdal libkrb5-25-heimdal libotp0-heimdal libroken18-heimdal libsl0-heimdal libwind0-heimdal
    0 upgraded, 17 newly installed, 0 to remove and 0 not upgraded.
    Need to get 2,168kB of archives.
    After this operation, 6,246kB of additional disk space will be used.
    Get:1 http://mirror.mydomain.com/ubuntu/ lucid/main krb5-config 2.2 [23.0kB]
    <snip>
    Setting up heimdal-clients (1.2.e1.dfsg.1-1ubuntu1) ...
    update-alternatives: using /usr/bin/krsh to provide /usr/bin/rsh (rsh) in auto mode.
    update-alternatives: using /usr/bin/krcp to provide /usr/bin/rcp (rcp) in auto mode.
    update-alternatives: using /usr/bin/kpagsh to provide /usr/bin/pagsh (pagsh) in auto mode.

    Processing triggers for libc-bin ...
    ldconfig deferred processing now taking place
    apprentice@nfs-server:~$ 


  4. Installing the NFS packages

  5. Creating a Kerberos principal for the NFS service

    Kerberos is a protocol for mutual authentication: the NFS user authenticates herself to the NFS service, but the NFS service also authenticates itself to the user. The NFS service therefore needs to have a principal, which is named nfs/nfs-server@REALM by convention and by the NFS server code. (Actually, there is a short list <ToDo: find url of docs > of principals the NFS server tries to get credentials for, any of which may be used.)

    1. We run kadmin as root, because the ordinary user doesn't have permission to write /etc/krb5.keytab.

    Note

    If you didn't succeed in getting kadmind to work on the Kerberos server, you can run kadmin -l on the Kerberos server instead, write to a different keytab, and copy that to the NFS server.

  6. Configuring the NFS service

    In /etc/default/nfs-common, we put:

    #<snip>
    # Do you want to start the statd daemon? It is not needed for NFSv4.
    NEED_STATD=no
    
    STATDOPTS=
    
    # Do you want to start the idmapd daemon? It is only needed for NFSv4.
    NEED_IDMAPD=yes
    
    # Do you want to start the gssd daemon? It is required for Kerberos mounts.
    NEED_GSSD=yes

    ... in /etc/default/nfs-kernel-server, we have:

    # Number of servers to start up
    RPCNFSDCOUNT=8
    
    # Runtime priority of server (see nice(1))
    RPCNFSDPRIORITY=0
    
    # Options for rpc.mountd.
    # If you have a port-based firewall, you might want to set up
    # a fixed port here using the --port option. For more information,
    # see rpc.mountd(8) or http://wiki.debian.org/?SecuringNFS
    RPCMOUNTDOPTS=
    
    # Do you want to start the svcgssd daemon? It is only required for Kerberos
    # exports. Valid alternatives are "yes" and "no"; the default is "no".
    NEED_SVCGSSD=yes
    
    # Options for rpc.svcgssd.
    RPCSVCGSSDOPTS=-vvv

    ... and in /etc/exports, we share /lwphome (specify your own IP range here, if any):

    /lwphome           192.168.0.0/16(rw,sync,root_squash,subtree_check,sec=krb5p,fsid=0)

    ... and we edit /etc/krb5.conf to work around gssd bugs 575895 and 512110 by allowing weak crypto:

    [libdefaults]
    <snip>
    #       default_tgs_enctypes = des3-hmac-sha1
    #       default_tkt_enctypes = des3-hmac-sha1
    #       permitted_enctypes = des3-hmac-sha1
    
    # 
    allow_weak_crypto = true
    
    # The following libdefaults parameters are only for Heimdal Kerberos.
    <snip>

    And in /etc/idmapd.conf:

    [General]
    
    Verbosity = 0
    Pipefs-Directory = /var/lib/nfs/rpc_pipefs
    Domain = rug.nl
    Local-Realms = TEST.MYDOMAIN.COM
    
    [Mapping]
    
    Nobody-User = nobody
    Nobody-Group = nogroup
    
    [Translation]
    
    Method = nsswitch

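    The export line above is the one place where the Kerberos security flavor and root squashing are decided, so it is worth checking mechanically. The following script is an added example, not part of this guide: it lints /etc/exports entries for the options this chapter relies on (sec=krb5p, no no_root_squash, no wildcard client) and runs on a constructed sample that pairs the chapter's export with two weaker ones. It assumes the one-client-per-line "path client(options)" layout used on this page.

```shell
# Added example, not part of the guide: lint /etc/exports entries for the
# options this chapter relies on. Assumes "path client(options)", one client
# per line. Findings go to stderr; the count of bad entries goes to stdout.
note() { echo "$*" >&2; }

lint_export_line() {
    set -f                       # no globbing: a client spec may literally be "*"
    set -- $1                    # split "path client(opts)" on whitespace
    set +f
    path=$1 spec=$2 rc=0
    case $spec in
        *\(*) client=${spec%%\(*}; opts=${spec#*\(}; opts=${opts%\)} ;;
        *)    client=$spec; opts= ;;
    esac
    case ",$opts," in
        *,sec=krb5p,*) ;;        # authentication, integrity and encryption
        *,sec=krb5i,*|*,sec=krb5,*)
            note "WARN $path: sec=krb5/krb5i do not encrypt NFS traffic, prefer krb5p"; rc=1 ;;
        *)  note "FAIL $path: no sec=krb5* flavor, falls back to AUTH_SYS (client UIDs trusted)"; rc=1 ;;
    esac
    case ",$opts," in
        *,no_root_squash,*) note "FAIL $path: no_root_squash lets client root act as server root"; rc=1 ;;
    esac
    case ",$opts," in
        *,insecure,*) note "WARN $path: insecure accepts requests from unprivileged source ports"; rc=1 ;;
    esac
    case $client in
        ''|'*') note "FAIL $path: exported to every host"; rc=1 ;;
    esac
    return $rc
}

# Read an exports file on stdin, skip comments and blank lines, print how
# many entries had findings.
lint_exports() {
    bad=0
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        lint_export_line "$line" || bad=$((bad + 1))
    done
    echo "$bad"
}

# Constructed sample: the export from this chapter plus two weaker entries.
SAMPLE_EXPORTS='# constructed sample, not a real /etc/exports
/lwphome   192.168.0.0/16(rw,sync,root_squash,subtree_check,sec=krb5p,fsid=0)
/lwphome   192.168.0.0/16(rw,sync,sec=krb5)
/scratch   *(rw,no_root_squash)'

printf '%s\n' "$SAMPLE_EXPORTS" | lint_exports
```

    Run it against the real file with `lint_exports < /etc/exports` after sourcing the script; a non-zero count means at least one export needs attention.
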
  7. Restarting the NFS services



    user@nfs-server:~$ sudo /etc/init.d/nfs-kernel-server restart
    Stopping NFS kernel daemon: mountd svcgssd nfsd.
    Unexporting directories for NFS kernel daemon....
    Exporting directories for NFS kernel daemon....
    Starting NFS kernel daemon: nfsd svcgssd mountd.
    user@nfs-server:~$ sudo /etc/init.d/nfs-common restart
    Stopping NFS common utilities: gssd idmapd.
    Starting NFS common utilities: idmapd gssd.
    user@nfs-server:~$