How to Build an Ubuntu 11.10 SBS (Small Business Server)

Part 5: NFS

This section will help you configure NFS; using Kerberos to secure it.

The first step is to install the following NFS packages:

sudo apt-get install nfs-kernel-server nfs-common

NFSv4 uses a pseudo filesystem by mounting the real directories you want to export under an export folder using the -bind mount option. We need to create this folder system as follows:

sudo mkdir /export
sudo mkdir /export/home

In order to mount /home under /export/home each time the system boots, we need to modify /etc/fstab by adding the following line to the bottom of the file:

/home    /export/home   none    bind  0  0

This will take care of mounting the directories next time he server reboots, but for now we can manually mount it using:

sudo mount /export/home

Next we’re going to tell NFS what it should export by configuring the /etc/exports file like so:

/export *(rw,fsid=0,crossmnt,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)
/export/home *(rw,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)

Now we have to tell NFS to use Kerberos first by setting the following options in /etc/default/nfs-common:

NEED_STATD=
STATDOPTS=
NEED_IDMAPD=yes
NEED_GSSD=yes

Then by setting the following options in /etc/default/nfs-kernel-server:

RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS=--manage-gids
NEED_SVCGSSD=yes
RPCSVCGSSDOPTS=

/etc/idmapd.conf needs to configured with the correct domain name for user/group name mappings:

[General]

Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = danbishop.org

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

Next we need to create Kerberos principals for the NFS server.

sudo kadmin.local -q "addprinc -randkey nfs/neo.danbishop.org"
sudo kadmin.local -q "ktadd nfs/neo.danbishop.org"

sudo kadmin.local is used here as you need sudo privileges to write to /etc/krb5.keytab.

Finally, a small change is needed to enable weak encryption (the only type currently supported by NFS in Ubuntu) in Kerberos. This is done by editing /etc/krb5.conf and adding the following to the [libdefaults] section:

allow_weak_crypto = true