This needs to be written. It needs to be simple. Links:
* http://www.linux.org/docs/ldp/howto/NFS-HOWTO/server.html
* http://tldp.org/HOWTO/NFS-HOWTO/index.html
My attempt at satisfying the above.
I don't like the existing pages: ["NFSClientHowTo"] (only covers autofs, which I think should be a separate sub-topic), ["NFSServerHowTo"] (because it misses some very important parts) and EtcHostsAllowAndEtcHostsDeny (because it's overly complicated - it should be part of the server HowTo). They leave too much out for my taste. So, this is my take on it. I leave it to the community to decide which one they like better (comments welcome). If someone wants to combine them, this is fine too.
NFS Server Config
[mailto:matt@mattcaron.net Matthew Caron]
Important Note 1: NFS's user permissions scheme is based on UID. This means that the UIDs of any users on the client must match those on the server in order for those users to have access. The typical ways of doing this are:
* Manual password file synchronization
* Use of NIS (see the ["SettingUpNISHowTo"] wiki page)
* Use of LDAP
It's also important to note that you have to be VERY careful on systems where the main user has root access - that user can change UIDs on the system to give themselves access to anyone's files. This page assumes that the administrative team is the only group with root access and that they are all trusted. Anything else represents a more advanced configuration, and will not be addressed here.
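An added check for the UID requirement above (this is an added example, not part of the original HowTo): it compares the server's passwd file with a client's and reports both a user name that carries different UIDs and a UID that belongs to different user names, the second being the case where one person silently gets another's files. The two passwd files are constructed samples standing in for the real /etc/passwd on each host.

```shell
#!/bin/sh
# Added example (not part of the original HowTo): flag users whose UID
# differs between the server's and a client's /etc/passwd, since NFS
# decides access purely by numeric UID. The two passwd files below are
# constructed samples standing in for the real /etc/passwd on each host.
SERVER_PASSWD=$(mktemp)
CLIENT_PASSWD=$(mktemp)
trap 'rm -f "$SERVER_PASSWD" "$CLIENT_PASSWD"' EXIT
cat > "$SERVER_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
matt:x:1000:1000:Matthew:/home/matt:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
EOF
cat > "$CLIENT_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
matt:x:1000:1000:Matthew:/home/matt:/bin/bash
alice:x:1003:1003:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
EOF

# uid_mismatches SERVER_PASSWD CLIENT_PASSWD
# Prints one line per inconsistency: a user name mapped to different UIDs,
# or a UID owned by different user names, on the two hosts. Returns 0 when
# the files agree and 1 when any mismatch was printed.
uid_mismatches() {
    awk -F: '
        # First file: remember the server mapping in both directions.
        NR == FNR { uid_of[$1] = $3; name_of[$3] = $1; next }
        # Second file: same name, different UID -> that user gets the
        # wrong files (or none) on the server.
        ($1 in uid_of) && uid_of[$1] != $3 {
            printf "%s: uid %s on server, %s on client\n", $1, uid_of[$1], $3
            found = 1
        }
        # Same UID, different name -> this client user can read and write
        # the server files of somebody else.
        ($3 in name_of) && name_of[$3] != $1 {
            printf "uid %s: %s on server, %s on client\n", $3, name_of[$3], $1
            found = 1
        }
        END { exit found + 0 }
    ' "$1" "$2"
}

uid_mismatches "$SERVER_PASSWD" "$CLIENT_PASSWD" || echo "UID mismatch(es) found; fix before exporting" >&2
```

Run it with the real files (the server's /etc/passwd and a copy of each client's) before exporting anything; a clean run prints nothing and exits 0.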
Important Note 2: As of February, 2004, NFS is broken in current Ubuntu 4.10 (Warty) kernels 2.6.8.1-5 (see [https://bugzilla.ubuntu.com/show_bug.cgi?id=6749 Bug 6749] for progress). I'm using linux-image-2.6.8.1-4-cpu and linux-restricted-modules-2.6.8.1-4-cpu (where cpu is my cpu version) and they seem to be working just fine.
UPDATE 3/23/05: The 2.6.8.1-5 kernel released on 3/17/05 (why they didn't roll the version, I have no idea) seems to fix this. I've been running it for a week without issue.
It's also recommended to read the security note at the bottom.
1. (Warty Only) Edit /etc/default/portmap and comment out the ARGS="-i 127.0.0.1" line. Note that this is already done if you're running the machine as an NIS server.
2. Add the client names and IP addresses to /etc/hosts. The server's IP should already be here. I do not mean 127.0.0.1, I mean the real IP available to the world. This ensures that NFS will still work even if DNS goes down. You could rely on DNS if you wanted, it's up to you.
3. Edit /etc/netgroup and add a line to classify your clients. (This step is not necessary, but is convenient.)
myclients (client1,,) (client2,,)
Obviously, more clients can be added. myclients can be anything you like; this is a netgroup name.
4. Run this command to rebuild the YP database:
sudo make -C /var/yp
5. Add the following line to /etc/hosts.allow:
portmap mountd nfsd statd lockd : list of IP addresses
Where the "list of IP addresses" string is, you need to make a list of IP addresses that consists of the server and all clients. These have to be IP addresses because of a limitation in portmap (it doesn't like hostnames). Note that if you have NIS set up, just add these to the same line.
6. Install the services:
sudo apt-get install portmap nfs-common nfs-kernel-server
7. Edit /etc/exports and add the shares:
/home @myclients(rw,sync)
/usr/local @myclients(rw,sync)
The above shares /home and /usr/local to all the clients in myclients. Clients prefixed with an @ are netgroups. Individual clients may be specified as well, and different options may be used for each client. rw makes the share read/write, and sync requires the server to reply to requests only once any changes have been flushed to disk. This is the safest option (async is faster, but dangerous). It is strongly recommended that you read man exports. It's not very long and is very useful.
8. Export the shares:
sudo exportfs -ra
You'll want to run this command whenever you change /etc/exports.
9. If you edited /etc/default/portmap, then you'll need to restart portmap:
sudo /etc/init.d/portmap restart
10. And you'll need to restart the kernel server:
sudo /etc/init.d/nfs-kernel-server restart
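Steps 2, 3 and 5 above hang together: the netgroup names the clients, /etc/hosts gives their addresses, and hosts.allow must list those addresses numerically because portmap won't take hostnames. The following script (an added example, not part of the original HowTo) builds the step 5 line from the other two files and refuses to emit it if any client name is missing from the hosts file. The hosts and netgroup files in it are constructed samples.

```shell
#!/bin/sh
# Added example (not part of the original HowTo): build the step 5 hosts.allow
# line from the step 3 netgroup and the step 2 /etc/hosts entries, so only the
# numeric addresses portmap needs end up in it. Both files are constructed samples.
HOSTS=$(mktemp)
NETGROUP=$(mktemp)
trap 'rm -f "$HOSTS" "$NETGROUP"' EXIT
cat > "$HOSTS" <<'EOF'
127.0.0.1   localhost
192.0.2.10  nfsserver
192.0.2.21  client1
192.0.2.22  client2
EOF
cat > "$NETGROUP" <<'EOF'
myclients (client1,,) (client2,,)
EOF

# netgroup_hosts NETGROUP_FILE GROUP: host names of each (host,user,domain)
# triple on the GROUP line.
netgroup_hosts() {
    awk -v g="$2" '$1 == g {
        for (i = 2; i <= NF; i++) {
            h = $i; sub(/^\(/, "", h); sub(/,.*$/, "", h)
            if (h != "") print h
        }
    }' "$1"
}

# host_ip HOSTS_FILE NAME: the address the hosts file gives NAME (first match).
host_ip() {
    awk -v n="$2" '$1 !~ /^#/ {
        for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit }
    }' "$1"
}

# hosts_allow_line HOSTS_FILE NETGROUP_FILE GROUP SERVER
# Prints the line to add to /etc/hosts.allow, listing the server first and
# then every client in the netgroup. Fails (status 1, nothing printed) if any
# name has no entry in the hosts file, rather than emitting a hostname.
hosts_allow_line() {
    ips=""
    for h in "$4" $(netgroup_hosts "$2" "$3"); do
        ip=$(host_ip "$1" "$h")
        [ -n "$ip" ] || { echo "no address for $h in $1" >&2; return 1; }
        ips="$ips $ip"
    done
    echo "portmap mountd nfsd statd lockd :$ips"
}
hosts_allow_line "$HOSTS" "$NETGROUP" myclients nfsserver
```

With the real files, call it as hosts_allow_line /etc/hosts /etc/netgroup myclients yourservername and paste the printed line into /etc/hosts.allow.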
Security Note: Aside from the UID issues discussed above, one should be aware that an attacker could potentially masquerade as a machine that is allowed to mount the share, which allows them to create arbitrary UIDs to access your files. One potential solution to this is the same one I employ for NIS - IPSec (see the ["IPSecHowTo"]). You can set up all your domain members to talk only to each other over IPSec, which effectively authenticates that your client is who it says it is. How? Well, it encrypts traffic to the server with the server's key, and the server sends back all replies encrypted with the client's key. The traffic is decrypted with the respective keys. So, if a machine doesn't have the keys that the client is supposed to have, it can't send or receive data. Provided the file containing the keys is reasonably secret (only readable by root), you can't get the keys unless you compromise the client. And, if you compromise the client, you can twiddle UIDs anyway, so the attacker has got you.
NFS Client Config
[mailto:matt@mattcaron.net Matthew Caron]
1. Install portmap
sudo apt-get install portmap
It is probably a good idea to then add a portmap line to /etc/hosts.allow for security reasons:
portmap : NFS server IP address
Where "NFS server IP address" is the IP address of the server. This must be numeric! It's the way portmap works. I will revise this more permanently once Hoary is released.
2. Add the server name to /etc/hosts. Once again, you don't strictly need to do this, but it's a good idea in case DNS goes down.
3. In /etc/fstab, add lines for shares such as:
servername:dir /mntpoint nfs rw,hard,intr 0 0
The rw mounts it read/write. Obviously, if the server is sharing it read only, the client won't be able to mount it as anything more than that. The hard mounts the share such that if the server becomes unavailable, the program will wait until it is available. The alternative is soft. intr allows you to interrupt/kill the process. Otherwise, it will ignore you. Documentation for these can be found in the Mount options for nfs section of man mount.
4. Make sure to create the mount point directories!!!
5. You can now mount the filesystems with mount /mountpoint, or just do a mount -a to mount everything that should be automounted.
Using NFS and IPSec
If you use NFS with IPSec, you will probably hit a problem while rebooting/halting your computer. NFS shares are unmounted after IPSec is stopped, so you may get a long timeout resulting in the error message Cannot MOUNTPROG RPC (tcp): RPC: Remote system error - Connection timed out. To avoid this, there is a little hack:
1. Create the file /etc/init.d/umountnfs_hack:
sudo gedit /etc/init.d/umountnfs_hack
2. Copy the following lines and save the file:
#!/bin/sh
#
# Unmount NFS shares before stopping IPSec
#
. /lib/lsb/init-functions
log_begin_msg "Unmounting NFS shares..."
umount -a -t nfs,nfs4
log_end_msg $?
3. Allow execution:
sudo chmod +x /etc/init.d/umountnfs_hack
4. Add the execution of this script in runlevel 0 and 6 before IPSec:
sudo update-rc.d umountnfs_hack stop 19 0 . stop 19 6 .
That's all.
UPDATE 03/30/05:
[mailto:svmaris@madline.net Stephan van Maris]
Since portmap is not installed on Hoary by default (I'm not sure about Warty), it should be noted that mounting remote NFS shares without portmap running can take up to five minutes to complete. So be sure you 'apt-get install portmap' if you will be mounting NFS shares on a regular basis.