help.ubuntu.com/ NFSv4 without Kerberos

home network setup

        --- /etc/default/nfs-kernel-server we set:
        NEED_SVCGSSD=no # no is default
        
        sudo mkdir /export
        sudo mkdir /export/home
        sudo mkdir /export/media-craig
        sudo mkdir /export/r1
        sudo mkdir /export/data
        
        sudo mount --bind /home /export/home 
        sudo mount --bind /media/craig /export/media-craig 
        sudo mount --bind /r1 /export/r1 
        sudo mount --bind /data /export/data 
        
        To save us from retyping this after every reboot we add the following line to /etc/fstab:
        --- /etc/fstab
        /home           /export/home          none    bind  0  0 
        /media/craig    /export/media-craig   none    bind  0  0 
        /r1             /export/r1            none    bind  0  0 
        /data           /export/data          none    bind  0  0 
        
        --- /etc/exports
        /export                 192.168.0.0/24(rw,fsid=0,no_subtree_check,sync)
        /export/home            192.168.0.0/24(rw,nohide,insecure,no_subtree_check,sync)
        /export/media-craig     192.168.0.0/24(rw,nohide,insecure,no_subtree_check,sync)
        /export/r1              192.168.0.0/24(rw,nohide,insecure,no_subtree_check,sync)
        /export/data            192.168.0.0/24(rw,nohide,insecure,no_subtree_check,sync)
        

Debian

debian.org 11.4. NFS File Server

NFS (Network File System) is a protocol allowing remote access to a filesystem through the network. All Unix systems can work with this protocol; when Windows systems are involved, Samba must be used instead.

NFS is a very useful tool but, historically, it has suffered from many limitations, most of which have been addressed with version 4 of the protocol. The downside is that the latest version of NFS is harder to configure when you want to make use of basic security features such as authentication and encryption since it relies on Kerberos for those parts. And without those, the NFS protocol must be restricted to a trusted local network since data goes over the network unencrypted (a sniffer can intercept it) and access rights are granted based on the client’s IP address (which can be spoofed).

11.4.2. NFS Server

The NFS server is part of the Linux kernel; in kernels provided by Debian it is built as a kernel module. If the NFS server is to be run automatically on boot, the nfs-kernel-server package should be installed; it contains the relevant start-up scripts.

The NFS server configuration file, /etc/exports, lists the directories that are made available over the network (exported). For each NFS share, only the given list of machines is granted access. More fine-grained access control can be obtained with a few options. The syntax for this file is quite simple:

        /directory/to/share machine1(option1,option2,...) machine2(...) ...
        

Note that with NFSv4, all exported directories must be part of a single hierarchy and that the root directory of that hierarchy must be exported and identified with the option fsid=0 or fsid=root.

Each machine can be identified either by its DNS name or its IP address. Whole sets of machines can also be specified using either a syntax such as *.falcot.com or an IP address range such as 192.168.0.0/255.255.255.0 or 192.168.0.0/24.

Directories are made available as read-only by default (or with the ro option). The rw option allows read-write access. NFS clients typically connect from a port restricted to root (in other words, below 1024); this restriction can be lifted by the insecure option (the secure option is implicit, but it can be made explicit if needed for clarity).

By default, the server only answers an NFS query when the current disk operation is complete (sync option); this can be disabled with the async option. Asynchronous writes increase performance a bit, but they decrease reliability since there is a data loss risk in case of the server crashing between the acknowledgment of the write and the actual write on disk. Since the default value changed recently (as compared to the historical value of NFS), an explicit setting is recommended.

In order to not give root access to the filesystem to any NFS client, all queries appearing to come from a root user are considered by the server as coming from the nobody user. This behavior corresponds to the root_squash option, and is enabled by default. The no_root_squash option, which disables this behavior, is risky and should only be used in controlled environments. The anonuid=uid and anongid=gid options allow specifying another fake user to be used instead of UID/GID 65534 (which corresponds to user nobody and group nogroup).

With NFSv4, you can add a sec option to indicate the security level that you want: sec=sys is the default with no special security features, sec=krb5 enables authentication only, sec=krb5i adds integrity protection, and sec=krb5p is the most complete level which includes privacy protection (with data encryption). For this to work you need a working Kerberos setup (that service is not covered by this book).

Other options are available; they are documented in the exports(5) manual page.

CAUTION First installation

The /etc/init.d/nfs-kernel-server boot script only starts the server if the /etc/exports lists one or more valid NFS shares. On initial configuration, once this file has been edited to contain valid entries, the NFS server must therefore be started with the following command:

        service nfs-kernel-server start
        

debianadmin.com Network File System (NFS) Server and Client Configuration in Debian

Installing NFS in Debian

a Debian NFS server needs

        apt-get install nfs-kernel-server nfs-common portmap
        

help.ubuntu.com/community NFSv4Howto

help.ubuntu.com NFSv4Howto#NFSv4_without_Kerberos

NFSv4 Server

NFSv4 exports exist in a single pseudo filesystem, where the real directories are mounted with the –bind option. Here is some additional information regarding this fact.

Let’s say we want to export our users’ home directories in /home/users. First we create the export filesystem:

        sudo mkdir /export
        sudo mkdir /export/users 
        

and mount the real users directory with:

        sudo mount --bind /home/users /export/users 
        

To save us from retyping this after every reboot we add the following line to /etc/fstab:

        /home/users    /export/users   none    bind  0  0 
        

In /etc/default/nfs-kernel-server we set:

        NEED_SVCGSSD=no # no is default
        

because we are not activating NFSv4 security this time.

To export our directories to a local network 192.168.1.0/24 we add the following two lines to /etc/exports

        /export       192.168.1.0/24(rw,fsid=0,no_subtree_check,sync)
        /export/users 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,sync)
        

Be aware of the following points:

1. there is no space between the IP address and the options
2. you can list more IP addresses and options; they are space separated as in:
3. /export/users 192.168.1.1(rw,no_subtree_check) 192.168.1.2(rw,no_root_squash)
4. using the insecure option allows clients such as Mac OS X to connect on ports above 1024. This option is not otherwise "insecure".
5. Setting the crossmnt option on the main psuedo mountpoint has the same effect as setting nohide on the sub-exports: It allows the client to map the sub-exports within the psuedo filesystem. These two options are mutually exclusive.
6. Note that when locking down which clients can map an export by setting the IP address, you can either specify an address range (as shown above) using a subnet mask, or you can list a single IP address followed by the options. Using a subnet mask for single client's full IP address is **not** required. Just use something like 192.168.1.123(rw). There are a couple options for specifying the subnet mask. One style is 255.255.255.0. The other style is /24 as shown. Both styles should work. The subnet mask marks which part of IP address must be evaluated.
Restart the service

        sudo service nfs-kernel-server restart
        

On ubuntu 11.04 or later you may also need to start or restart the idmapd with:

        sudo service idmapd restart
        

wiki.archlinux.org Arch NFS

wiki.archlinux.org NFS#Installation

Both client and server only require the installation of the nfs-utils package. It is highly recommended to use a time synchronization daemon to keep client/server clocks in sync. Without accurate clocks on all nodes, NFS can introduce unwanted delays.

wiki.archlinux.org NFS#Server Configuration

wiki.archlinux.org NFS#Client configuration

wiki.archlinux.org systemd-timesyncd

Start/enable systemd-timesyncd.service which is available with systemd. A simple SNTP daemon that only implements a client side, focusing only on querying time from one remote server. It should be more than appropriate for most installations. systemd-timesyncd is a daemon that has been added for synchronizing the system clock across the network. It implements an SNTP client. In contrast to NTP implementations such as chrony or the NTP reference server this only implements a client side, and does not bother with the full NTP complexity, focusing only on querying time from one remote server and synchronizing the local clock to it. Unless you intend to serve NTP to networked clients or want to connect to local hardware clocks this simple NTP client should be more than appropriate for most installations. The daemon runs with minimal privileges, and has been hooked up with networkd to only operate when network connectivity is available. The daemon saves the current clock to disk every time a new NTP sync has been acquired, and uses this to possibly correct the system clock early at bootup, in order to accommodate for systems that lack an RTC such as the Raspberry Pi and embedded devices, and make sure that time monotonically progresses on these systems, even if it is not always correct. To make use of this daemon a new system user and group "systemd-timesync" needs to be created on installation of systemd.