Part 5: NFS
This section will help you configure NFS, using Kerberos to secure it.
The first step is to install the following NFS packages:
sudo apt-get install nfs-kernel-server nfs-common
NFSv4 uses a pseudo filesystem: the real directories you want to export are mounted under a single export folder using the --bind mount option. We need to create this folder structure as follows:
sudo mkdir /export
sudo mkdir /export/home
In order to mount /home under /export/home each time the system boots, we need to modify /etc/fstab by adding the following line to the bottom of the file:
/home /export/home none bind 0 0
This will take care of mounting the directories the next time the server reboots, but for now we can mount it manually using:
sudo mount /export/home
Next we’re going to tell NFS what it should export by configuring the /etc/exports file like so:
/export *(rw,fsid=0,crossmnt,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)
/export/home *(rw,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)
Now we have to tell NFS to use Kerberos, first by setting the following options in /etc/default/nfs-common:
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=yes
NEED_GSSD=yes
Then by setting the following options in /etc/default/nfs-kernel-server:
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS=--manage-gids
NEED_SVCGSSD=yes
RPCSVCGSSDOPTS=
/etc/idmapd.conf needs to be configured with the correct domain name for user/group name mappings:
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = danbishop.org
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
Next we need to create Kerberos principals for the NFS server.
sudo kadmin.local -q "addprinc -randkey nfs/neo.danbishop.org"
sudo kadmin.local -q "ktadd nfs/neo.danbishop.org"
sudo kadmin.local is used here as you need sudo privileges to write to /etc/krb5.keytab.
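Finally, a small change is needed to enable weak encryption (the only type currently supported by NFS in Ubuntu) in Kerberos. This setting re-enables single-DES and the other encryption types that MIT Kerberos disables by default, and it applies to every Kerberos application that reads this krb5.conf, not only NFS. It is done by editing /etc/krb5.conf and adding the following to the [libdefaults] section: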
allow_weak_crypto = true
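A check for the /etc/exports entries configured above, as an added example that is not part of the original guide: a small Python parser that reports which settings let a client skip encryption, connect from an unprivileged port, or mount from any host. The function names and the 192.0.2.0/24 comparison entry are constructed for illustration.

```python
import re

# Security flavours from exports(5), weakest first. "sys" trusts the UID the client sends.
STRENGTH = {"none": 0, "sys": 1, "krb5": 2, "krb5i": 3, "krb5p": 4}
ENTRY = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")  # client(opt,opt,...)

# The two entries configured on this page.
PAGE_EXPORTS = """\
/export *(rw,fsid=0,crossmnt,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)
/export/home *(rw,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)
"""
# Constructed comparison entry (documentation subnet, privacy-only flavour).
TIGHTER_EXPORTS = "/export/home 192.0.2.0/24(rw,sync,no_subtree_check,sec=krb5p)\n"


def parse_exports(text):
    """Yield (path, client, [options]) per client entry.

    Handles comments, backslash continuations and several clients per line;
    quoted paths and '-' default-option groups are not handled."""
    for raw in text.replace("\\\n", " ").splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if len(fields) < 2:
            continue
        for m in ENTRY.finditer(fields[1]):
            if m.group(0):  # skip the empty matches between entries
                opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
                yield fields[0], m.group(1) or "*", opts


def audit(text):
    """Return (path, client, finding) tuples for settings worth reviewing."""
    out = []
    for path, client, opts in parse_exports(text):
        # Any listed flavour may be used by a client; no sec= means sec=sys.
        flavours = [f for o in opts if o.startswith("sec=") for f in o[4:].split(":")] or ["sys"]
        weakest = min(flavours, key=lambda f: STRENGTH.get(f, 0))
        if weakest != "krb5p":
            out.append((path, client, f"sec={weakest} is accepted, so traffic may be unencrypted"))
        if "insecure" in opts:
            out.append((path, client, "insecure: requests from source ports above 1023 are accepted"))
        if client == "*":
            out.append((path, client, "exported to every host"))
    return out


if __name__ == "__main__":
    for finding in audit(PAGE_EXPORTS):
        print(*finding, sep="\t")
```

To run it against a live server, pass the contents of /etc/exports to audit() instead of PAGE_EXPORTS.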