1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
|
NFSv4 in Debian
===============
NFSv4 support in Debian is rather new, and not fully supported yet. If you want
to experiment, make sure you have:
- a recent 2.6 kernel on both client and server; newer is better. You might
even want to use CITI's patch set from
http://www.citi.umich.edu/projects/nfsv4/linux/ on the server, and/or Trond
Myklebust's patch set from http://client.linux-nfs.org/ .
- a recent enough version of nfs-utils on both client and server (you probably
have on at least one of them, since you're reading this file!).
- enabled idmapd on both sides (see /etc/default/nfs-common).
- The following lines in /etc/services on the client (if not, you will receive
the message "broken /etc/services" when starting rpc.gssd; this will usually
only happen if you upgrade netbase without letting it replace /etc/services
with the new version):
nfs 2049/tcp # Network File System
nfs 2049/udp # Network File System
The export structure might be a bit confusing if you're already familiar with
NFSv2 or NFSv3. The biggest difference is that you will need to export an
explicit root of your pseudofilesystem, like this /etc/exports fragment:
/nfs4 hostname(rw,sync,fsid=0,crossmnt)
(It doesn't need to be named "nfs4".) Then you can mount other volumes under
that, like:
/nfs4/music hostname(rw,sync)
/nfs4/movies hostname(rw,sync)
Then your client can mount shares like this:
mount -t nfs4 server:/music /mnt/music
Since you might not have everything under one root, you might want /nfs4/* on
the server to be bind mounts, ie.:
mount --bind /srv/music /nfs4/music
or in /etc/fstab:
/srv/music /nfs4/music none bind 0 0
Note that this special export structure might be handled transparently by
rpc.mountd at some time in the future, in which case you will probably get the
traditional (NFSv3-style) behaviour if and only if you have no share with
fsid=0.
If you do not wish to use host-based authentication, you can specify "gss/krb5"
instead of a hostname to get Kerberos-based authentication instead. For this,
you will need an "nfs/hostname@REALM" entry in /etc/krb5.keytab, as well as
rpc.gssd running on both client and rpc.svcgssd on the server (enable them
manually in /etc/default/nfs-common and /etc/default/nfs-kernel-server if the
autodetection fails). On the client, you will need to add "-o sec=krb5" to
the mount call.
If you use "gss/krb5i" (and correspondingly "-o sec=krb5i" on the client), you
will also get integrity (ie. authentication), and with "gss/krb5p", you'll also
get privacy (ie. encryption). Make sure your kernel supports this; not all
kernels do.
If you receive messages on the server complaining about "client ID already in
use" when mounting from more than one client, check that you have at least
mount version 2.12r-14. Also, connecting from behind different NATs could cause
this kind of issue currently, as two or more clients would believe they had the
same IP.
-- Steinar H. Gunderson <sesse@debian.org>, Wed, 11 Oct 2006 15:18:03 +0200
|