Difference between revisions of "NFS Utilities"
(→Bootscript) |
(→Server Configuration: Angle brackets in the exports configuration line cause syntax errors.) |
||
(26 intermediate revisions by 4 users not shown) | |||
Line 17: | Line 17: | ||
* [[libevent]] | * [[libevent]] | ||
* [[libnfsidmap]] | * [[libnfsidmap]] | ||
+ | * [[keyutils]] | ||
=== Optional for GSS (RPC Security) Support === | === Optional for GSS (RPC Security) Support === | ||
* [[Pkg-config]] | * [[Pkg-config]] | ||
− | * | + | * [[libgssapi]] |
+ | * [[librpcsecgss]] | ||
+ | * [[MIT krb5]] | ||
* [[SPKM-3]] for Additional SPKM-3 Support | * [[SPKM-3]] for Additional SPKM-3 Support | ||
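Review bot: The GSS list now names [[libgssapi]], but the build note added further down tells the reader to append --with-gssglue and to link with -lgssglue. Use one name for the library in both places, or list the gssglue package here as well.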
Line 35: | Line 38: | ||
Install the package | Install the package | ||
− | make install | + | make install && |
+ | install -dv -m755 /var/lib/nfs/rpc_pipefs | ||
== Multilib == | == Multilib == | ||
'''''This package does not install any libraries so only one installation is needed.''''' | '''''This package does not install any libraries so only one installation is needed.''''' | ||
− | === | + | === 64Bit === |
Compile the package: | Compile the package: | ||
− | CC="gcc ${ | + | CC="gcc ${BUILD64}" PKG_CONFIG_PATH="${PKG_CONFIG_PATH64}" USE_ARCH=64 \ |
./configure --prefix=/usr --sysconfdir=/etc \ | ./configure --prefix=/usr --sysconfdir=/etc \ | ||
--disable-nfsv4 --disable-gss && | --disable-nfsv4 --disable-gss && | ||
make | make | ||
+ | |||
+ | {{note|If you choose to enable NFSv4, drop both --disable flags, and append --with-gssglue. | ||
+ | To work around some documented behaviour in libtool that will cause your build to subtly fail, prepend GSSGLUE_CFLAGS="-Wl,-lgssglue" to the start of your configure line.}} | ||
Install the package | Install the package | ||
− | make install | + | make install && |
+ | install -dv -m755 /var/lib/nfs/rpc_pipefs | ||
+ | |||
+ | = Configuring = | ||
− | + | Note if you install the nfs-server bootscript you dont need to install the nfs-client bootscript. | |
− | + | {{Note|This is a note about NFSv4 & Kerberos. | |
+ | |||
+ | Make sure that your clocks are in sync. If the time differers by more then 5 minutes, you will not authenticate even with the correct password / key. | ||
+ | |||
+ | You must also have a working DNS & Reverse DNS Zones. If your FQDN for your host resolves to 127.0.0.1 Kerberos will not work properly either.}} | ||
+ | |||
+ | If you're using nfs4 you should also have host/''<fqdn of client>''@''<REALMNAME.COM>'' in your /etc/krb5.keytab as well as nfs/''<fqdn of client>''@''<REALMNAME.COM>''. | ||
+ | |||
+ | == Client == | ||
− | + | === NFSv4 === | |
− | |||
− | |||
− | |||
− | + | Make sure that you have your Kerberos KDC setup then add a client key, then export it to a temporary keytab Each client gets its own keytab for nfs: | |
− | + | kadmin.local -q "addprinc -randkey ''<fqdn of client>''@''<REALMNAME.COM>''" | |
+ | kadmin.local -q "ktadd -e aes256-cts-hmac-sha1-96:normal -k temp.keytab nfs/''<fqdn of client>''@''<REALMNAME.COM>''" | ||
− | + | Now securely move '''''temp.keytab''''' to '''''/etc/krb5.keytab''''' on the client. Then make sure you change the permissions on the file on the target computer: | |
− | + | chmod 600 /etc/krb5.keytab | |
− | + | If you already have a krb5.keytab on the target computer you can merge the two together with the '''''ktutil''''' command. | |
− | |||
− | |||
− | |||
− | + | === Keyutils for NFSv4 === | |
− | + | Configure /etc/request-key.conf using: | |
− | + | cat >> /etc/request-key.conf << "EOF" | |
+ | create id_resolver * * /usr/sbin/nfsidmap -t 600 %k %d | ||
+ | EOF | ||
− | + | This will allow NFSv4's ID Mapping service to run. | |
=== Bootscript === | === Bootscript === | ||
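Review bot: In the added Client NFSv4 commands, addprinc creates <fqdn of client>@<REALMNAME.COM> while ktadd exports nfs/<fqdn of client>@<REALMNAME.COM>, a principal that was never created, so the export step fails as written. Give addprinc the same nfs/ prefix. The paragraph just above also asks for host/<fqdn of client> in /etc/krb5.keytab, but no step here adds it; either add the matching addprinc/ktadd pair or say where that key comes from. The sentence "temporary keytab Each client" is missing a full stop, and "differers", "then 5 minutes" and "dont" need correcting.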
Line 88: | Line 103: | ||
make install-nfs-client | make install-nfs-client | ||
+ | |||
+ | Create the default configuration file with the following command: | ||
+ | |||
+ | cat > /etc/sysconfig/nfs-client << "EOF" | ||
+ | # Begin /etc/sysconfig/nfs-client | ||
+ | |||
+ | # Change the following line to NFS4=yes if you wish to use nfs4. | ||
+ | NFS4=no | ||
+ | |||
+ | # End /etc/sysconfig/nfs-client | ||
+ | EOF | ||
=== /etc/fstab === | === /etc/fstab === | ||
Line 97: | Line 123: | ||
'''<server-name>''' in the above example is an ip address or a hostname. | '''<server-name>''' in the above example is an ip address or a hostname. | ||
+ | |||
+ | Example equivilent NFSv4 entries with the '''/home''' mount using Krb5 for security: | ||
+ | |||
+ | <server-name>:/home /home nfs4 rw,_netdev,sec=krb5,hard,intr 0 0 | ||
+ | <server-name>:/usr /usr nfs4 ro,_netdev,sec=sys,hard,intr 0 0 | ||
== Server == | == Server == | ||
− | === | + | === NFSv4 === |
+ | |||
+ | Make sure that you have your Kerberos KDC setup then add a client key, then export it to a temporary keytab: | ||
+ | |||
+ | kadmin.local -q "addprinc -randkey ''<fqdn of client>''@''<REALMNAME.COM>''" | ||
+ | kadmin.local -q "ktadd -e aes256-cts-hmac-sha1-96:normal -k temp.keytab nfs/''<fqdn of client>''@''<REALMNAME.COM>''" | ||
+ | |||
+ | Now securely move '''''temp.keytab''''' to '''''/etc/krb5.keytab''''' on the client. Then make sure you change the permissions on the file on the target computer: | ||
− | + | chmod 600 /etc/krb5.keytab | |
− | + | If you already have a krb5.keytab on the target computer you can merge the two together with the '''''ktutil''''' command. | |
=== Bootscript === | === Bootscript === | ||
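Review bot: The new Server NFSv4 text is the client section pasted unchanged: it still says "add a client key", uses <fqdn of client> in both kadmin.local lines and moves the keytab "on the client". Reword it for the server's own FQDN and keytab, and fix the addprinc line, which again omits the nfs/ prefix that ktadd expects. "equivilent" in the fstab paragraph should be "equivalent".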
Line 112: | Line 150: | ||
make install-nfs-server | make install-nfs-server | ||
− | + | Create the default configuration file with the following command: | |
cat > /etc/sysconfig/nfs-server << "EOF" | cat > /etc/sysconfig/nfs-server << "EOF" | ||
+ | # Begin /etc/sysconfig/nfs-server | ||
+ | |||
+ | # Change the following line to NFS4=yes if you wish to use nfs4. | ||
+ | NFS4=no | ||
+ | |||
PORT="2049" | PORT="2049" | ||
PROCESSES="8" | PROCESSES="8" | ||
QUOTAS="no" | QUOTAS="no" | ||
KILLDELAY="10" | KILLDELAY="10" | ||
+ | |||
+ | # End /etc/sysconfig/nfs-server | ||
EOF | EOF | ||
+ | |||
+ | === Server Configuration === | ||
+ | |||
+ | '''/etc/exports''' contains the exported directories on NFS servers. The "NFS HowTo", http://nfs.sourceforge.net/nfs-howto/. contains information on how to configure the servers and clients. For example, for sharing the '''/home''' directory over the local network, the following line may be added: | ||
+ | |||
+ | /home 192.168.0.0/255.255.255.0(rw,subtree_check,anonuid=99,anongid=99) | ||
+ | |||
+ | [[Category:Servers]] |
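Review bot: The /etc/exports example for /home sets no sec= option, while the fstab example added earlier mounts <server-name>:/home with sec=krb5. Show sec=krb5 in the export options for the NFSv4 case, or state that this line is the non-Kerberos example. anonuid=99,anongid=99 also does not match the nobody account the page creates with uid and gid 65534. The HowTo URL is followed by a stray full stop ("nfs-howto/. contains").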
Latest revision as of 14:45, 9 July 2013
Download Source: http://www.kernel.org/pub/linux/utils/nfs/nfs-utils-1.2.8.tar.bz2
Introduction to NFS Utilities
The NFS Utilities package contains the userspace server and client tools necessary to use the kernel's NFS abilities. NFS is a protocol that allows sharing file systems over the network.
Project Homepage: Unknown
Dependencies
Required
Optional for NFSv4 Support
Optional for GSS (RPC Security) Support
- Pkg-config
- libgssapi
- librpcsecgss
- MIT krb5
- SPKM-3 for Additional SPKM-3 Support
Creating the nobody/nogroup User/Group
groupadd -g 65533 nogroup &&
groupadd -g 65534 nobody &&
useradd -c "Nobody" -d /dev/null \
        -u 65534 -g nobody -s /bin/false nobody
Non-Multilib
Compile the package:
./configure --prefix=/usr --sysconfdir=/etc \
    --disable-nfsv4 --disable-gss &&
make
Install the package
make install &&
install -dv -m755 /var/lib/nfs/rpc_pipefs
Multilib
This package does not install any libraries so only one installation is needed.
64Bit
Compile the package:
CC="gcc ${BUILD64}" PKG_CONFIG_PATH="${PKG_CONFIG_PATH64}" USE_ARCH=64 \
./configure --prefix=/usr --sysconfdir=/etc \
    --disable-nfsv4 --disable-gss &&
make
Install the package
make install &&
install -dv -m755 /var/lib/nfs/rpc_pipefs
Configuring
Note: if you install the nfs-server bootscript, you don't need to install the nfs-client bootscript.
Make sure that your clocks are in sync. If the time differs by more than 5 minutes, you will not authenticate even with the correct password / key.
You must also have working DNS and reverse DNS zones. If the FQDN for your host resolves to 127.0.0.1, Kerberos will not work properly either.
If you're using nfs4, you should also have host/<fqdn of client>@<REALMNAME.COM> in your /etc/krb5.keytab as well as nfs/<fqdn of client>@<REALMNAME.COM>.
Client
NFSv4
Make sure that you have your Kerberos KDC set up, then add a client key and export it to a temporary keytab. Each client gets its own keytab for nfs:
# addprinc must create the same nfs/ principal that ktadd exports
kadmin.local -q "addprinc -randkey nfs/<fqdn of client>@<REALMNAME.COM>"
kadmin.local -q "ktadd -e aes256-cts-hmac-sha1-96:normal -k temp.keytab nfs/<fqdn of client>@<REALMNAME.COM>"
Now securely move temp.keytab to /etc/krb5.keytab on the client. Then make sure you change the permissions on the file on the target computer:
chmod 600 /etc/krb5.keytab
If you already have a krb5.keytab on the target computer you can merge the two together with the ktutil command.
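The checks below cover three of the conditions named in this section: both host/ and nfs/ principals in the keytab, an FQDN that does not resolve to loopback, and a keytab readable only by its owner. This is an added example, not part of the original page or of nfs-utils; the function names, client1.example.com, EXAMPLE.COM and the klist listing are constructed for illustration.

```sh
#!/bin/sh
# Added example: preflight checks for an NFSv4/Kerberos client.
# Each check prints nothing on success and one FAIL line per problem.

# The keytab needs both host/<fqdn>@REALM and nfs/<fqdn>@REALM.
# usage: klist -k /etc/krb5.keytab | check_principals FQDN REALM
check_principals() {
    listing=$(cat)
    for svc in host nfs; do
        printf '%s\n' "$listing" |
            awk -v p="$svc/$1@$2" '$2 == p { ok = 1 } END { exit !ok }' ||
            echo "FAIL keytab lacks $svc/$1@$2"
    done
}

# Kerberos does not work when the FQDN resolves to loopback.
# usage: check_addr FQDN ADDRESS   (ADDRESS e.g. from: getent hosts FQDN)
check_addr() {
    case $2 in
        127.*|::1) echo "FAIL $1 resolves to loopback $2" ;;
    esac
}

# The keytab holds long-term keys, so only its owner may read it.
# usage: check_mode FILE
check_mode() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || echo "FAIL $1 has mode $mode, expected -rw-------"
}

# Constructed `klist -k` listing of a keytab holding only the nfs/ key.
sample_klist() {
    cat << "EOF"
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 nfs/client1.example.com@EXAMPLE.COM
EOF
}

sample_klist | check_principals client1.example.com EXAMPLE.COM
check_addr client1.example.com 127.0.0.1
```

The sample keytab carries only the nfs/ key that the ktadd command above exports, so the run reports the missing host/ principal.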
Keyutils for NFSv4
Configure /etc/request-key.conf using:
cat >> /etc/request-key.conf << "EOF"
create id_resolver * * /usr/sbin/nfsidmap -t 600 %k %d
EOF
This will allow NFSv4's ID Mapping service to run.
Bootscript
Install the init script from the bootscripts package:
make install-nfs-client
Create the default configuration file with the following command:
cat > /etc/sysconfig/nfs-client << "EOF"
# Begin /etc/sysconfig/nfs-client

# Change the following line to NFS4=yes if you wish to use nfs4.
NFS4=no

# End /etc/sysconfig/nfs-client
EOF
/etc/fstab
Below are 2 example entries in /etc/fstab for an NFS-mounted /home and /usr.
<server-name>:/home /home nfs rw,_netdev,rsize=8192,wsize=8192 0 0
<server-name>:/usr /usr nfs ro,_netdev,rsize=8192 0 0
<server-name> in the above example is an IP address or a hostname.
Example equivalent NFSv4 entries with the /home mount using Krb5 for security:
<server-name>:/home /home nfs4 rw,_netdev,sec=krb5,hard,intr 0 0
<server-name>:/usr /usr nfs4 ro,_netdev,sec=sys,hard,intr 0 0
Server
NFSv4
Make sure that you have your Kerberos KDC set up, then add a client key and export it to a temporary keytab:
# addprinc must create the same nfs/ principal that ktadd exports
kadmin.local -q "addprinc -randkey nfs/<fqdn of client>@<REALMNAME.COM>"
kadmin.local -q "ktadd -e aes256-cts-hmac-sha1-96:normal -k temp.keytab nfs/<fqdn of client>@<REALMNAME.COM>"
Now securely move temp.keytab to /etc/krb5.keytab on the client. Then make sure you change the permissions on the file on the target computer:
chmod 600 /etc/krb5.keytab
If you already have a krb5.keytab on the target computer you can merge the two together with the ktutil command.
Bootscript
Install the init script from the bootscripts package:
make install-nfs-server
Create the default configuration file with the following command:
cat > /etc/sysconfig/nfs-server << "EOF"
# Begin /etc/sysconfig/nfs-server

# Change the following line to NFS4=yes if you wish to use nfs4.
NFS4=no

PORT="2049"
PROCESSES="8"
QUOTAS="no"
KILLDELAY="10"

# End /etc/sysconfig/nfs-server
EOF
Server Configuration
/etc/exports contains the exported directories on NFS servers. The "NFS HowTo" (http://nfs.sourceforge.net/nfs-howto/) contains information on how to configure the servers and clients. For example, to share the /home directory over the local network, the following line may be added:
/home 192.168.0.0/255.255.255.0(rw,subtree_check,anonuid=99,anongid=99)
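One way to audit an exports file for the issues this page touches on, as an added example (not part of the original page or of nfs-utils): it flags leftover angle-bracket placeholders, which the page's revision note says cause syntax errors, plus exports open to every host, no_root_squash, and entries that allow sec=sys. The finding labels and all sample lines except the page's own /home line are constructed; it assumes the exports(5) default of sec=sys when no sec= option is given.

```sh
#!/bin/sh
# Added example: audit exports(5)-style lines read from stdin.
# Finding labels (SYNTAX, WORLD-RW, ROOT, AUTH_SYS) are made up for this example.
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        sub(/#.*/, "")                      # drop trailing comments
        path = $1
        if ($0 ~ /[<>]/) {                  # placeholder never replaced
            print "SYNTAX", path, "angle-bracket placeholder"
            next
        }
        last = (NF < 2) ? 2 : NF            # a bare path exports to every host
        for (i = 2; i <= last; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            if (client == "") client = "*"  # "(opts)" alone means every host
            o = "," opts ","
            if (client == "*" && o ~ /,rw,/) print "WORLD-RW", path, client
            if (o ~ /,no_root_squash,/)      print "ROOT", path, client
            # No sec= means sec=sys: the server trusts client-supplied UIDs.
            if (o !~ /,sec=/ || o ~ /,sec=[^,]*sys/) print "AUTH_SYS", path, client
        }
    }'
}

# Constructed sample; the first line is the example from this page.
sample_exports() {
    cat << "EOF"
/home 192.168.0.0/255.255.255.0(rw,subtree_check,anonuid=99,anongid=99)
/srv/krb 192.168.0.0/24(rw,sec=krb5p,subtree_check)
/pub (rw,no_root_squash)
/tmpl <client>(ro)
EOF
}

sample_exports | audit_exports
```

To check a live server, run `audit_exports < /etc/exports`; the page's /home line is reported as AUTH_SYS because it names no Kerberos flavour.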