View source for "UbuntuHelp:NFSv4Howto"
{{From|https://help.ubuntu.com/community/NFSv4Howto}}
{{Languages|UbuntuHelp:NFSv4Howto}}

=== Installation ===
The required packages differ depending on whether the system is a client or a server. In this Howto, the server is the host that has the files you want to share and the client is the host that will be mounting the NFS share.
* NFSv4 client
<pre><nowiki>
# apt-get install nfs-common
</nowiki></pre>
* NFSv4 server
<pre><nowiki>
# apt-get install nfs-kernel-server
</nowiki></pre>
After you finish installing nfs-kernel-server, it may fail to start because of missing entries in /etc/exports. Remember to restart the service when you finish configuring.

=== NFSv4 without Kerberos ===
==== NFSv4 Server ====
NFSv4 exports exist in a single ''pseudo filesystem'', where the real directories are mounted with the <code><nowiki>--bind</nowiki></code> option. [http://www.citi.umich.edu/projects/nfsv4/linux/using-nfsv4.html Here] is some additional information regarding this fact.
* Let's say we want to export our user home directories in <code><nowiki>/home/users</nowiki></code>. First we create the export filesystem:
<pre><nowiki>
# mkdir /export
# mkdir /export/users
</nowiki></pre>
and mount the real users directory with:
<pre><nowiki>
# mount --bind /home/users /export/users
</nowiki></pre>
To save us from retyping this after every reboot, we add the following line to <code><nowiki>/etc/fstab</nowiki></code>:
<pre><nowiki>
/home/users    /export/users   none    bind  0  0
</nowiki></pre>
* In <code><nowiki>/etc/default/nfs-kernel-server</nowiki></code> we set:
<pre><nowiki>
NEED_SVCGSSD=no
</nowiki></pre>
because we are not activating NFSv4 security this time.
* In <code><nowiki>/etc/default/nfs-common</nowiki></code> we set:
<pre><nowiki>
NEED_IDMAPD=yes
NEED_GSSD=no
</nowiki></pre>
* To export our directories to a local network 192.168.1.0/24 we add the following two lines to <code><nowiki>/etc/exports</nowiki></code>:
<pre><nowiki>
/export       192.168.1.0/24(rw,fsid=0,insecure,no_subtree_check,async)
/export/users 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async)
</nowiki></pre>
* Restart the service:
<pre><nowiki>
# /etc/init.d/nfs-kernel-server restart
</nowiki></pre>

==== NFSv4 Client ====
* On the client we can mount the complete export tree with one command:
<pre><nowiki>
# mount -t nfs4 -o proto=tcp,port=2049 nfs-server:/ /mnt
</nowiki></pre>
* We can also mount an exported ''subtree'' with:
<pre><nowiki>
# mount -t nfs4 -o proto=tcp,port=2049 nfs-server:/users /home/users
</nowiki></pre>
* If you experience problems like this:
<pre><nowiki>
Warning: rpc.idmapd appears not to be running.
         All uids will be mapped to the nobody uid.
mount: unknown filesystem type 'nfs4'
</nowiki></pre>
then you need to set in <code><nowiki>/etc/default/nfs-common</nowiki></code>:
<pre><nowiki>
NEED_IDMAPD=yes
</nowiki></pre>
and restart nfs-common:
<pre><nowiki>
# /etc/init.d/nfs-common restart
</nowiki></pre>
The "unknown filesystem" error is misleading and will disappear as well.

=== NFSv4 with Kerberos ===
You need a working Kerberos (MIT or Heimdal) KDC (Key Distribution Center) before continuing. On the nfs-server and nfs-clients you must use MIT krb5 for now. When extracting the key to a keytab file and when configuring krb5 in ''/etc/krb5.conf'' it is necessary to specify ''des-cbc-crc'' because only this type of encryption is supported by the kernel at the moment.
* On the nfs-server and nfs-client you need at least ''krb5-user'' and, optionally, ''libpam-krb5'' if you wish to authenticate against krb5.
<pre><nowiki>
# apt-get install krb5-user
# apt-get install libpam-krb5
</nowiki></pre>
* Specify ''des-cbc-crc'' in ''/etc/krb5.conf'' on nfs-servers and nfs-clients.
<pre><nowiki>
[libdefaults]
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
</nowiki></pre>
* You need the gss kernel modules on nfs-servers and nfs-clients.
<pre><nowiki>
# modprobe rpcsec_gss_krb5
</nowiki></pre>
Add ''rpcsec_gss_krb5'' to ''/etc/modules'' to have it loaded automatically.

==== Create and distribute credentials ====
NFSv4 needs machine credentials for the server and for every client that wants to use the NFSv4 security features.

Create the credentials for the nfs-server and all nfs-clients on the Kerberos KDC and distribute the extracted keys with scp to the destination.

You have to make sure that you use "-e des-cbc-crc", as it will not work if the keytab contains any entries other than the one for exactly this encryption algorithm. You can make sure that only this entry has been created by executing "sudo klist -e -k /etc/krb5.keytab".
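The single-entry check described above can be scripted. This is an added example, not part of the original howto: <code>check_nfs_keytab</code> is a hypothetical helper that reads <code>klist -e -k</code> output on stdin, and both sample listings are constructed. The enctype is a parameter because single DES is a weak cipher and newer kernels and Kerberos releases accept stronger types.

```shell
# check_nfs_keytab [ENCTYPE]  (hypothetical helper, added example)
# Reads `klist -e -k` output on stdin. Succeeds only if the keytab holds
# exactly one entry, it belongs to an nfs/ principal, and klist describes
# its enctype as ENCTYPE (default: the description shown on this page).
check_nfs_keytab() {
    want=${1:-"DES cbc mode with CRC-32"}
    awk -v want="($want)" '
        # Entry lines start with the numeric KVNO; header lines do not.
        /^[ \t]*[0-9]+[ \t]/ {
            total++
            if ($2 ~ /^nfs\// && index($0, want) > 0) good++
            else printf "unexpected entry: %s\n", $0
        }
        END {
            if (total == 1 && good == 1) { print "OK: single nfs/ key " want; exit 0 }
            printf "FAIL: %d entries, %d matching %s\n", total, good, want
            exit 1
        }'
}

# Constructed sample: the one-entry keytab this page asks for.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/nfs-server.domain@DOMAIN (DES cbc mode with CRC-32)'

# Constructed sample: a second key of another enctype, which this page
# says prevents the setup from working.
SAMPLE_KLIST_BAD="$SAMPLE_KLIST
   1 nfs/nfs-server.domain@DOMAIN (Triple DES cbc mode with HMAC/sha1)"

printf '%s\n' "$SAMPLE_KLIST" | check_nfs_keytab
```

On a real host the input would come from <code>klist -e -k /etc/krb5.keytab | check_nfs_keytab</code>.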
===== Heimdal =====
<pre><nowiki>
# kinit kadmin/admin
# kadmin add -r nfs/nfs-server.domain
# ktutil -k ~/keytab.nfs-server get -e des-cbc-crc nfs/nfs-server.domain
# scp -p ~/keytab.nfs-server nfs-server:/etc/krb5.keytab
# kadmin add -r nfs/nfs-client.domain
# ktutil -k ~/keytab.nfs-client get -e des-cbc-crc nfs/nfs-client.domain
# scp -p ~/keytab.nfs-client nfs-client:/etc/krb5.keytab
# kdestroy
</nowiki></pre>

===== MIT =====
<pre><nowiki>
# kinit admin/admin
# kadmin -q "addprinc -randkey nfs/nfs-server.domain"
# kadmin -q "ktadd -e des-cbc-crc:normal -k /root/keytab.nfs-server nfs/nfs-server.domain"
# scp -p /root/keytab.nfs-server nfs-server.domain:/etc/krb5.keytab
# kadmin -q "addprinc -randkey nfs/nfs-client.domain"
# kadmin -q "ktadd -e des-cbc-crc:normal -k /root/keytab.nfs-client nfs/nfs-client.domain"
# scp -p /root/keytab.nfs-client nfs-client.domain:/etc/krb5.keytab
# kdestroy
</nowiki></pre>

==== NFSv4 Server ====
* Check your machine credentials in ''/etc/krb5.keytab'':
<pre><nowiki>
# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 nfs/nfs-server.domain@DOMAIN
</nowiki></pre>
or even better:
<pre><nowiki>
# sudo klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/nfs-server.domain@DOMAIN (DES cbc mode with CRC-32)
</nowiki></pre>
and make sure there is only ONE entry for your nfs server with the options <code><nowiki>DES cbc mode with CRC-32</nowiki></code> as seen above. It will not work if there is another entry for Triple DES or other encryption algorithms.
* In <code><nowiki>/etc/default/nfs-kernel-server</nowiki></code> we set:
<pre><nowiki>
NEED_SVCGSSD=yes
</nowiki></pre>
* In <code><nowiki>/etc/default/nfs-common</nowiki></code> we set:
<pre><nowiki>
NEED_IDMAPD=yes
</nowiki></pre>
* To export our directories from the example above to a local network 192.168.1.0/24 and additionally with the gss/krb5 flavor, we add the following lines to <code><nowiki>/etc/exports</nowiki></code>:
<pre><nowiki>
/export       192.168.1.0/24(rw,fsid=0,insecure, \
    no_subtree_check,async,anonuid=65534,anongid=65534)
/export       gss/krb5(rw,fsid=0,insecure, \
    no_subtree_check,async,anonuid=65534,anongid=65534)
/export/users 192.168.1.0/24(rw,nohide,insecure, \
    no_subtree_check,async,anonuid=65534,anongid=65534)
/export/users gss/krb5(rw,nohide,insecure, \
    no_subtree_check,async,anonuid=65534,anongid=65534)
</nowiki></pre>
Please note that you can specify allowed hosts only in the ''any authentication'' flavor. gss/krb5 flavours are accessible from anywhere if you do not use additional firewall rules.
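An added example (not part of the original howto) that audits an exports file for the distinction made in the note above: which entries are reachable by host or network alone and which require gss/krb5. <code>audit_exports</code> is a hypothetical helper that assumes this page's <code>gss/krb5</code> client syntax and does not interpret a <code>sec=</code> option; the sample input is the exports file shown above.

```shell
# audit_exports  (hypothetical helper, added example)
# Reads an exports(5) file on stdin and prints, per client entry:
#   PATH CLIENT AUTH [options worth reviewing]
# AUTH is KRB5 for gss/ clients, AUTH_SYS for host or network clients.
# Returns 1 if any AUTH_SYS entry exists, 0 if every entry is gss/ only.
audit_exports() {
    awk '
        { sub(/#.*/, "") }                                  # drop comments
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; next }  # continuation
        {
            line = buf $0; buf = ""
            gsub(/,[ \t]+/, ",", line)      # re-join option lists split by "\"
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t]+/)
            for (i = 2; i <= n; i++) {
                if (f[i] == "") continue
                client = f[i]; opts = ""
                p = index(f[i], "(")
                if (p > 0) {
                    client = substr(f[i], 1, p - 1)
                    opts = substr(f[i], p + 1)
                    sub(/\)$/, "", opts)
                }
                auth = (client ~ /^gss\//) ? "KRB5" : "AUTH_SYS"
                if (auth == "AUTH_SYS") weak++
                notes = ""
                # insecure: requests from unprivileged source ports accepted
                if (("," opts ",") ~ /,insecure,/) notes = notes " insecure"
                # async: server may reply before data is on stable storage
                if (("," opts ",") ~ /,async,/) notes = notes " async"
                if (notes != "") notes = " [" substr(notes, 2) "]"
                printf "%s %s %s%s\n", f[1], client, auth, notes
            }
        }
        END { exit (weak > 0) }'
}

# Sample input: the /etc/exports content from this page.
SAMPLE_EXPORTS=$(cat <<'EOF'
/export       192.168.1.0/24(rw,fsid=0,insecure, \
    no_subtree_check,async,anonuid=65534,anongid=65534)
/export       gss/krb5(rw,fsid=0,insecure, \
    no_subtree_check,async,anonuid=65534,anongid=65534)
/export/users 192.168.1.0/24(rw,nohide,insecure, \
    no_subtree_check,async,anonuid=65534,anongid=65534)
/export/users gss/krb5(rw,nohide,insecure, \
    no_subtree_check,async,anonuid=65534,anongid=65534)
EOF
)
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports || true
```

A non-zero return means at least one export can still be mounted without Kerberos credentials.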
To export only with secure authentication flavors, do not include a ''host(...)'' line in ''/etc/exports''.

To display your exports enter:
<pre><nowiki>
# exportfs -v
</nowiki></pre>

==== NFSv4 Client ====
* Check your machine credentials in ''/etc/krb5.keytab'':
<pre><nowiki>
# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 nfs/nfs-client.domain@DOMAIN
</nowiki></pre>
* In <code><nowiki>/etc/default/nfs-common</nowiki></code> we set:
<pre><nowiki>
NEED_IDMAPD=yes
NEED_GSSD=yes
</nowiki></pre>
* We can ''secure'' mount the complete export tree with:
<pre><nowiki>
# mount -t nfs4 -o sec=krb5,proto=tcp,port=2049 nfs-server:/ /mnt
</nowiki></pre>
* We can also ''secure'' mount an exported ''subtree'' with:
<pre><nowiki>
# mount -t nfs4 -o sec=krb5,proto=tcp,port=2049 nfs-server:/users /home/users
</nowiki></pre>

=== Troubleshooting ===
First, take care of proper logging: by default almost nothing is logged.

For example, to enable third-level verbose logging for rpc.gssd, append the following to <code><nowiki>/etc/default/nfs-common</nowiki></code>:
<pre><nowiki>
RPCGSSDOPTS="-vvv -rrr"
</nowiki></pre>
After restarting nfs-common (<code><nowiki>/etc/init.d/nfs-common restart</nowiki></code>), check that the daemon has received the new arguments:
<pre><nowiki>
ps xuwa | grep rpc.gssd
root      9857  0.0  0.4   2496  1220 ?        Ss   02:17   0:00 /usr/sbin/rpc.gssd -vvv
</nowiki></pre>
Then look for its log output in daemon.log:
<pre><nowiki>
tail -f /var/log/daemon.log
</nowiki></pre>
For the server, you can, for example, raise the rpc.svcgssd log level in <code><nowiki>/etc/default/nfs-kernel-server</nowiki></code>:
<pre><nowiki>
RPCSVCGSSDOPTS="-vvv -rrr"
</nowiki></pre>
Browse the <code><nowiki>/etc/init.d/nfs-*</nowiki></code> init scripts to see other variables that you can set in <code><nowiki>/etc/default</nowiki></code>.
If using Kerberos, enable logging in <code><nowiki>/etc/krb5.conf</nowiki></code>:
<pre><nowiki>
[logging]
kdc          = SYSLOG:INFO:DAEMON
admin_server = SYSLOG:INFO:DAEMON
default      = SYSLOG:INFO:DAEMON
</nowiki></pre>

=== Links ===
* [http://www.citi.umich.edu/projects/nfsv4/linux Umich CITI instructions]
* [http://www.vanemery.com/Linux/NFSv4/NFSv4-no-rpcsec.html Learning NFSv4 with Fedora Core 2]

[[category:CategoryDocumentation]] [[category:CategoryCleanup]] [[category:UbuntuHelp]]