Debian / Ubuntu Linux: Setup NFSv4 File Server
How do I install and configure NFS version 4 server under Debian or Ubuntu Linux server operating systems using host-based authentication?
You need to install the following packages in Debian / Ubuntu Linux server:
- nfs-kernel-server: Linux kernel NFS version 3 and 4 server.
- portmap: RPC port mapper.
- nfs-common: NFS support files common to client and server. It also includes the following libraries:
  - liblockfile1 - NFS-safe locking library, includes dotlockfile program.
  - libnfsidmap2 - An nfs idmapping library.
Step #1: Install NFSv4 Server
Open a command-line terminal (select Applications > Accessories > Terminal), and then type the following commands. You can also log in using the ssh command. Switch to the root user by typing su - and entering the root password when prompted. Enter the command apt-get update && apt-get upgrade to tell apt to refresh its package information by querying the configured repositories and then upgrade the whole system:
# apt-get update && apt-get upgrade
Type the following command to install NFSv4 server package, enter:
# apt-get install nfs-kernel-server portmap nfs-common
Step #2: Configure Portmap
Edit /etc/default/portmap, enter:
# vi /etc/default/portmap
Make sure OPTIONS are set as follows, so that it can accept network connections from your LAN:
OPTIONS=""
Save and close the file. Edit /etc/hosts.allow and add the list of hosts (IP address or subnet) that are allowed to access the system using portmap, enter:
# vi /etc/hosts.allow
In this example allow 192.168.1.0/24 to access the portmap:
portmap: 192.168.1.
Save and close the file. TCP Wrapper is a host-based networking ACL system, used to filter network access to Internet and/or LAN based systems. A host that matches no rule in either /etc/hosts.allow or /etc/hosts.deny is granted access, so the entry above only restricts portmap when /etc/hosts.deny denies the other hosts.
Step #3: Configure idmapd
The rpc.idmapd is the NFSv4 ID <-> name mapping daemon. It provides functionality to the NFSv4 kernel client and server, to which it communicates via upcalls, by translating user and group IDs to names, and vice versa. Edit /etc/default/nfs-common, enter:
# vi /etc/default/nfs-common
Start the idmapd daemon, as it is needed for NFSv4:
NEED_IDMAPD=YES
Save and close the file. The default /etc/idmapd.conf file is as follows:
# cat /etc/idmapd.conf
Sample outputs:
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = localdomain
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
I'm going to use the defaults. But, you can configure the mapping as per your setup. See idmapd.conf(5) man page for more info.
Step #4: Configure NFS
First, create a directory using the mkdir command, enter:
# mkdir /exports
Edit /etc/exports file and set the access control list for filesystems which are exported to NFS clients, enter:
# vi /etc/exports
Append the following configuration:
/exports 192.168.1.0/255.255.255.0(rw,no_root_squash,no_subtree_check,crossmnt,fsid=0)
Save and close the file. Where,
- /exports: /exports is a directory and it is set as the explicit export root of your pseudo filesystem. You can mount other volumes under that using the mount command. See below for more information.
- 192.168.1.0/255.255.255.0: You are exporting directories to all hosts on the IP subnetwork 192.168.1.0/24 simultaneously. Only clients in 192.168.1.0/24 are allowed to access our NFSv4 server.
- rw: Allow both read and write requests on this NFS volume.
- no_root_squash: Turn off root squashing, so requests from uid 0 on a client are not mapped to the anonymous user and root on any allowed client acts as root on the exported files. This option is mainly useful for diskless clients.
- no_subtree_check: This option disables subtree checking, which has mild security implications. A home directory filesystem, which is normally exported at the root and may see lots of file renames, should be exported with subtree checking disabled.
- crossmnt: This option is similar to nohide but it makes it possible for clients to move from the filesystem marked with crossmnt to exported filesystems mounted on it. Thus when a child filesystem "B" is mounted on a parent "A", setting crossmnt on "A" has the same effect as setting "nohide" on B.
- fsid=0: The NFS server needs to be able to identify each filesystem that it exports. For an NFSv4 server, there is a distinguished filesystem which is the root of all exported filesystems. This is specified with fsid=root or fsid=0, both of which mean exactly the same thing.
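An added example, not part of the original tutorial: a small Python check that parses /etc/exports entries and reports the options discussed above that weaken host-based access control. The function name audit_exports, the "<defaults>" label and the sample paths other than /exports are assumptions made for illustration.

```python
import re
import shlex

# exports(5) options that weaken host-based access control, and why.
RISKY_OPTIONS = {
    "no_root_squash": "uid 0 on the client acts as root on the export",
    "insecure": "requests from unprivileged source ports are accepted",
}
CLIENT_RE = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^()]*)\))?$")


def audit_exports(text):
    """Return (path, client, option, reason) findings for /etc/exports text."""
    findings = []
    # A trailing backslash continues an entry on the next line.
    for line in text.replace("\\\n", " ").splitlines():
        tokens = shlex.split(line, comments=True)  # also drops '#' comments
        if len(tokens) < 2:
            continue  # blank or comment-only line, or no client list to check
        path = tokens[0]
        for spec in tokens[1:]:
            if spec.startswith("-"):  # "-opt,opt": defaults for later clients
                host, optstr = "<defaults>", spec[1:]
            else:
                m = CLIENT_RE.match(spec)
                if m is None:
                    findings.append((path, spec, None, "unparseable client"))
                    continue
                # "(rw)" with no host name in front applies to every host.
                host, optstr = m.group("host") or "*", m.group("opts") or ""
            opts = {o.strip() for o in optstr.split(",") if o.strip()}
            for opt in sorted(opts.intersection(RISKY_OPTIONS)):
                findings.append((path, host, opt, RISKY_OPTIONS[opt]))
            if host == "*" and "rw" in opts:
                findings.append((path, host, "rw", "writable by any host"))
    return findings


# Constructed sample: line 1 is the tutorial's export entry; the other two
# entries and their paths are hypothetical.
SAMPLE = """\
/exports 192.168.1.0/255.255.255.0(rw,no_root_squash,no_subtree_check,crossmnt,fsid=0)
/exports/usr 192.168.1.0/255.255.255.0(ro,root_squash,no_subtree_check)  # squashed
/srv/scratch (rw,no_subtree_check)
"""

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE):
        print(finding)
```

Run against the tutorial's entry, the check reports no_root_squash for the 192.168.1.0/255.255.255.0 client; the same entry with root_squash produces no finding.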
A Note About /exports Pseudo File System
The /exports directory acts as the root of the pseudo file system for the export. You need to mount all the required filesystems under this directory. For example, you can share the /home, /sales, /usr directories under /exports as follows using the mkdir command:
# cd /exports
# mkdir {home,sales,data,usr}
You can now bind the directories using the mount command as follows:
# cd /exports
# mount --bind /home home
# mount --bind /usr usr
# mount --bind /data data
# mount --bind /sales sales
Update /etc/fstab to automatically bind the file system, enter:
# vi /etc/fstab
Update file as follows:
/home /exports/home none bind
/usr /exports/usr none bind
/data /exports/data none bind
/sales /exports/sales none bind
Save and close the file. Make sure all services are running:
# /etc/init.d/portmap restart
# /etc/init.d/nfs-common restart
# /etc/init.d/nfs-kernel-server restart
Step #5: Client Configuration
You need to install nfs-common and portmap packages on the client computer running Debian or Ubuntu Linux desktop:
# apt-get install nfs-common portmap
Make sure those two services are running:
# /etc/init.d/nfs-common start
# /etc/init.d/portmap start
How Do I See Exported Directories From The Client Computer?
Type the following commands:
$ showmount -e 192.168.1.10
$ showmount -e server2
Where, 192.168.1.10 is NFSv4 server IP address.
How Do I Mount the Directories From The Client Computer?
Type the following command, enter:
# mkdir /data
To mount the entire /exports, enter:
# mount.nfs4 192.168.1.10:/ /data
Only mount /exports/data, enter:
# mount.nfs4 192.168.1.10:/data /data
I suggest passing the following options to the mount command:
# mount.nfs4 192.168.1.10:/ /nfs -o soft,intr,rsize=8192,wsize=8192
See mount.nfs4 man page for more information.
How Do I Mount Directories Automatically Using /etc/fstab File?
You can mount NFS file systems using /etc/fstab, enter:
# vi /etc/fstab
Append the entry:
192.168.1.10:/data /data nfs4 soft,intr,rsize=8192,wsize=8192
Save and close the file.
Kerberos Based Authentication
If you do not wish to use host-based authentication, you can use Kerberos-based authentication instead. In the next part of the series I will talk about Kerberos-based authentication for NFSv4 client and server running under Debian operating systems.