个人工具

“UbuntuHelp:NFSv4Howto”的版本间的差异

来自Ubuntu中文

跳转至: 导航, 搜索
第1行: 第1行:
 
{{From|https://help.ubuntu.com/community/NFSv4Howto}}
 
{{From|https://help.ubuntu.com/community/NFSv4Howto}}
 
{{Languages|UbuntuHelp:NFSv4Howto}}
 
{{Languages|UbuntuHelp:NFSv4Howto}}
 +
<<Include(Tag/NeedsExpansion)>>
 +
<<Include(Tag/StyleCleanup)>>
 
=== Installation ===
 
=== Installation ===
 
The required packages are different depending on if the system is a client or a server.  In this Howto, the server is the host that has the files you want to share and the client is the host that will be mounting the NFS share.
 
The required packages are different depending on if the system is a client or a server.  In this Howto, the server is the host that has the files you want to share and the client is the host that will be mounting the NFS share.
第29行: 第31行:
 
* In <code><nowiki>/etc/default/nfs-kernel-server</nowiki></code> we set:
 
* In <code><nowiki>/etc/default/nfs-kernel-server</nowiki></code> we set:
 
<pre><nowiki>
 
<pre><nowiki>
NEED_SVCGSSD=no </nowiki></pre>
+
NEED_SVCGSSD=no # no is default</nowiki></pre>
 
because we are not activating NFSv4 security this time.
 
because we are not activating NFSv4 security this time.
 
* In <code><nowiki>/etc/default/nfs-common</nowiki></code> we set:
 
* In <code><nowiki>/etc/default/nfs-common</nowiki></code> we set:
 
<pre><nowiki>
 
<pre><nowiki>
 
NEED_IDMAPD=yes
 
NEED_IDMAPD=yes
NEED_GSSD=no </nowiki></pre>
+
NEED_GSSD=no # no is default</nowiki></pre>
 
* To export our directories to a local network 192.198.1.0/24
 
* To export our directories to a local network 192.198.1.0/24
 
we add the following two lines to <code><nowiki>/etc/exports</nowiki></code>
 
we add the following two lines to <code><nowiki>/etc/exports</nowiki></code>
第41行: 第43行:
 
/export/users 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async)
 
/export/users 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async)
 
  </nowiki></pre>
 
  </nowiki></pre>
 +
* Be aware of the following points:
 +
* Setting the crossmnt option on the main psuedo mountpoint has the same effect as setting nohide on the sub-exports: It allows the client to map the sub-exports within the psuedo filesystem.  These two options are mutually exclusive.
 +
* Note that when locking down which clients can map an export by setting the IP and subnet mask, 255.255.255.0 does not work.  Either do not set any subnet or use /24 as shown.  Can someone please provide a reason for this behaviour?
 
* Restart the service
 
* Restart the service
 
<pre><nowiki>
 
<pre><nowiki>
第56行: 第61行:
 
nfs-server:/  /mnt  nfs4    _netdev,auto  0  0</nowiki></pre>
 
nfs-server:/  /mnt  nfs4    _netdev,auto  0  0</nowiki></pre>
 
where the <code><nowiki>auto</nowiki></code> option mounts on startup and the <code><nowiki>_netdev</nowiki></code> option waits until network devices are loaded.
 
where the <code><nowiki>auto</nowiki></code> option mounts on startup and the <code><nowiki>_netdev</nowiki></code> option waits until network devices are loaded.
 +
* Note regarding UID/GID permissions on NFSv4 without Kerberos
 +
They do not work.  Can someone please help investigating?  Following this guide will result in UID/GID on the export being generic despite having same UID on client and server.  Mounting same shar on NFSv3 works correctly with regards to UID/GID.  Does this need Kerberos to work fully?
 +
This is a possibly related bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500778
 +
If all directory listings show just "nobody" and "nogroup" instead of real user and group names, then you might want to '''check the Domain parameter''' set in <code><nowiki>/etc/idmapd.conf</nowiki></code>. NFSv4 client and server should be in the same domain. Other operating systems might derive the NFSv4 domain name from the domain name mentioned in /etc/resolv.conf (e.g. Solaris 10).
 
* If you have a slow network connection and are not establishing mount at reboot, you can change the line in <code><nowiki>etc/fstab</nowiki></code>:
 
* If you have a slow network connection and are not establishing mount at reboot, you can change the line in <code><nowiki>etc/fstab</nowiki></code>:
 
<pre><nowiki>
 
<pre><nowiki>
第76行: 第85行:
 
The "unknown Filesystem" Error will disappear as well.
 
The "unknown Filesystem" Error will disappear as well.
 
=== NFSv4 with Kerberos ===
 
=== NFSv4 with Kerberos ===
 +
When using NFS without kerberos the security of all data in the NFS share depends on the integrity of all clients and the security of the network connections.
 +
If you use kerberos the security doesn't depend on all client machines because the server gives access '''''to users with a valid kerberos ticket only'''''. The security isn't completely delegated to the client machines (unlike without kerberos). Therefor you need a principal in your kerberos realm for each user who want's to access the NFS share. See [https://help.ubuntu.com/9.04/serverguide/C/kerberos.html] on this topic. The section "Kerberos Linux Client" applies also to Ubuntu 8.04.
 
You need a working Kerberos (MIT or Heimdal) KDC (Key Distribution Center)
 
You need a working Kerberos (MIT or Heimdal) KDC (Key Distribution Center)
 
before continuing. NFS4 and Kerberos work fine with Ubuntu 8.04; they do not seem to work with the (much) older Ubuntu 6.06, or at least I couldn't get Heimdal to work correctly.
 
before continuing. NFS4 and Kerberos work fine with Ubuntu 8.04; they do not seem to work with the (much) older Ubuntu 6.06, or at least I couldn't get Heimdal to work correctly.
第107行: 第118行:
 
and distribute the extraced keys with scp to the destination
 
and distribute the extraced keys with scp to the destination
 
You can make sure that only this entry has been created by executing "sudo klist -e -k /etc/krb5.keytab".
 
You can make sure that only this entry has been created by executing "sudo klist -e -k /etc/krb5.keytab".
===== Heimdal =====
+
===== Create nfs/ principals =====
 
Authenticate as your admin user. You can do this from any machine in your
 
Authenticate as your admin user. You can do this from any machine in your
 
kerberos-domain, as long as your kadmind is running; then add principals for your server and client machines. Replace "nfs-server.domain" with the fully qualified domain name of the machines. For example, if your server is called "snoopy" and your domain is "office.example.com", you would add a principal named "nfs/snoopy.office.example.com" for the server.
 
kerberos-domain, as long as your kadmind is running; then add principals for your server and client machines. Replace "nfs-server.domain" with the fully qualified domain name of the machines. For example, if your server is called "snoopy" and your domain is "office.example.com", you would add a principal named "nfs/snoopy.office.example.com" for the server.
 
Note: kadmin must be run with -l (locally) on the KDC if there is no kadmind.
 
Note: kadmin must be run with -l (locally) on the KDC if there is no kadmind.
 
Please be aware of https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/309738/
 
Please be aware of https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/309738/
 +
====== Heimdal ======
 
<pre><nowiki>
 
<pre><nowiki>
 
$ kinit kadmin/admin
 
$ kinit kadmin/admin
第127行: 第139行:
 
NFSclient# ktutil get nfs/nfs-client.domain
 
NFSclient# ktutil get nfs/nfs-client.domain
 
</nowiki></pre>
 
</nowiki></pre>
===== MIT =====
+
====== MIT ======
The information below is not correct. You don't need the "des-cbc-crc" anymore and copying the key with "scp" is probably not necessary. (Could anyone with MIT knowledge clear this up, please? Valentijn)
+
 
<pre><nowiki>
 
<pre><nowiki>
# kinit admin/admin
+
$ kinit admin/admin
 
+
$ kadmin -q "addprinc -randkey nfs/nfs-server.domain"
# kadmin -q "addprinc -randkey nfs/nfs-server.domain"
+
$ kadmin -q "addprinc -randkey nfs/nfs-client.domain"
# kadmin -q "ktadd -e des-cbc-crc:normal -k /root/keytab.nfs-server nfs/nfs-server.domain"
+
</nowiki></pre>
# scp -p /root/keytab.nfs-server nfs-server.domain:/etc/krb5.keytab
+
Now add these to the keytab-files on your NFS-server and client. Log in to your NFSserver (as root, because you will need to edit the /etc/krb5.keytab file) and initialize as Kerberos administrator.
 
+
<pre><nowiki>
# kadmin -q "addprinc -randkey nfs/nfs-client.domain"
+
NFSserver# kadmin -p admin/admin -q "ktadd nfs/nfs-server.domain"
# kadmin -q "ktadd -e des-cbc-crc:normal -k /root/keytab.nfs-client nfs/nfs-client.domain"
+
</nowiki></pre>
# scp -p /root/keytab.nfs-client nfs-client.domain:/etc/krb5.keytab
+
And add it to the client's keytab file:
 
+
<pre><nowiki>
# kdestroy </nowiki></pre>
+
NFSclient# kadmin -p admin/admin -q "ktadd nfs/nfs-client.domain"
 +
</nowiki></pre>
 
==== NFSv4 Server with Kerberos ====
 
==== NFSv4 Server with Kerberos ====
 
* Check your machine credentials in ''/etc/krb5.keytab''. Use "ktutil" (MIT) or "ktutil list" (Heimdal)
 
* Check your machine credentials in ''/etc/krb5.keytab''. Use "ktutil" (MIT) or "ktutil list" (Heimdal)
第191行: 第203行:
 
Please note that you can specify allowed hosts only in
 
Please note that you can specify allowed hosts only in
 
the ''any authentication'' flavor. gss/krb5 flavours
 
the ''any authentication'' flavor. gss/krb5 flavours
are accessible from anywhere, if do not use an additional
+
are accessible from anywhere, if you do not use additional
 
firewall rules.
 
firewall rules.
 
To export only with secure authentication flavors do
 
To export only with secure authentication flavors do
 
not include a ''host(...)'' line in ''/etc/exports''
 
not include a ''host(...)'' line in ''/etc/exports''
 +
The gss/krb5 flavours are:
 +
* krb5: users are authenticated
 +
* krb5i: this includes krb5. Additionaly data integrity is provided.
 +
* krb5p: this includes krb5i. Additionaly privacy is provided.
 
To display your exports enter:
 
To display your exports enter:
 
<pre><nowiki>
 
<pre><nowiki>
第257行: 第273行:
 
     admin_server = SYSLOG:INFO:DAEMON
 
     admin_server = SYSLOG:INFO:DAEMON
 
     default = SYSLOG:INFO:DAEMON
 
     default = SYSLOG:INFO:DAEMON
 +
</nowiki></pre>
 +
It's possible to increase verbosity in <code><nowiki>/etc/idmapd.conf</nowiki></code> .
 +
It can be useful to study the sources for better understandig error messages:
 +
<pre><nowiki>
 +
apt-get source nfs-common nfs-kernel-server libgssapi2-heimdal librpcsecgss3 libnfsidmap2
 
</nowiki></pre>
 
</nowiki></pre>
 
=== Links ===
 
=== Links ===
 
* [http://www.citi.umich.edu/projects/nfsv4/linux Umich CITI intructions]
 
* [http://www.citi.umich.edu/projects/nfsv4/linux Umich CITI intructions]
 
* [http://www.vanemery.com/Linux/NFSv4/NFSv4-no-rpcsec.html Learning NFSv4 with Fedora Core 2]
 
* [http://www.vanemery.com/Linux/NFSv4/NFSv4-no-rpcsec.html Learning NFSv4 with Fedora Core 2]
[[category:CategoryCleanup]] [[category:CategoryNetworking]]
+
[[category:CategoryNetworking]]
  
 
[[category:UbuntuHelp]]
 
[[category:UbuntuHelp]]

2009年11月17日 (二) 20:13的版本

Geographylogo.png 文章出处: 

https://help.ubuntu.com/community/NFSv4Howto

Geographylogo.png 点击翻译: 

English

请不要直接编辑翻译本页,本页将定期与来源同步。

<<Include(Tag/NeedsExpansion)>> <<Include(Tag/StyleCleanup)>>

Installation

The required packages are different depending on if the system is a client or a server. In this Howto, the server is the host that has the files you want to share and the client is the host that will be mounting the NFS share.

  • NFSv4 client
# apt-get install nfs-common
  • NFSv4 server
# apt-get install nfs-kernel-server

After you finish installing nfs-kernel-server, you might see failure to start nfs-kernel-server due to missing entries in /etc/exports. Remember to restart the service when you finish configuring.

NFSv4 without Kerberos

NFSv4 Server

NFSv4 exports exist in a single pseudo filesystem, where the real directories are mounted with the --bind option. Here is some additional information regarding this fact.

  • Let's say we want to export our users' home directories in /home/users. First

we create the export filesystem: 

# mkdir /export
# mkdir /export/users

and mount the real users directory with: 

# mount --bind /home/users /export/users

To save us from retyping this after every reboot we add the following line to /etc/fstab 

/home/users    /export/users   none    bind  0  0
  • In /etc/default/nfs-kernel-server we set:
NEED_SVCGSSD=no # no is default

because we are not activating NFSv4 security this time.

  • In /etc/default/nfs-common we set:
NEED_IDMAPD=yes
NEED_GSSD=no # no is default
  • To export our directories to a local network 192.198.1.0/24

we add the following two lines to /etc/exports 

/export       192.168.1.0/24(rw,fsid=0,insecure,no_subtree_check,async)
/export/users 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async)
  • Be aware of the following points:
  • Setting the crossmnt option on the main psuedo mountpoint has the same effect as setting nohide on the sub-exports: It allows the client to map the sub-exports within the psuedo filesystem. These two options are mutually exclusive.
  • Note that when locking down which clients can map an export by setting the IP and subnet mask, 255.255.255.0 does not work. Either do not set any subnet or use /24 as shown. Can someone please provide a reason for this behaviour?
  • Restart the service
# /etc/init.d/nfs-kernel-server restart

NFSv4 Client

  • On the client we can mount the complete export tree with one command:
# mount -t nfs4 -o proto=tcp,port=2049 nfs-server:/ /mnt
  • We can also mount an exported subtree with:
# mount -t nfs4 -o proto=tcp,port=2049 nfs-server:/users /home/users
  • To save us from retyping this after every reboot we add the following

line to /etc/fstab: 

nfs-server:/   /mnt   nfs4    _netdev,auto  0  0

where the auto option mounts on startup and the _netdev option waits until network devices are loaded.

  • Note regarding UID/GID permissions on NFSv4 without Kerberos

They do not work. Can someone please help investigating? Following this guide will result in UID/GID on the export being generic despite having same UID on client and server. Mounting same shar on NFSv3 works correctly with regards to UID/GID. Does this need Kerberos to work fully? This is a possibly related bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500778 If all directory listings show just "nobody" and "nogroup" instead of real user and group names, then you might want to check the Domain parameter set in /etc/idmapd.conf. NFSv4 client and server should be in the same domain. Other operating systems might derive the NFSv4 domain name from the domain name mentioned in /etc/resolv.conf (e.g. Solaris 10).

  • If you have a slow network connection and are not establishing mount at reboot, you can change the line in etc/fstab:
nfs-server:/    /mnt   nfs4    noauto  0  0

and execute this mount after a short pause once all devices are loaded. Add the following lines to /etc/rc.local 

# sleep 5
# mount /mnt
  • If you experience Problems like this:
Warning: rpc.idmapd appears not to be running.
         All uids will be mapped to the nobody uid.
mount: unknown filesystem type 'nfs4'

then you need to set in /etc/default/nfs-common: 

NEED_IDMAPD=yes

and restart nfs-common 

# /etc/init.d/nfs-common restart

The "unknown Filesystem" Error will disappear as well.

NFSv4 with Kerberos

When using NFS without kerberos the security of all data in the NFS share depends on the integrity of all clients and the security of the network connections. If you use kerberos the security doesn't depend on all client machines because the server gives access to users with a valid kerberos ticket only. The security isn't completely delegated to the client machines (unlike without kerberos). Therefor you need a principal in your kerberos realm for each user who want's to access the NFS share. See [1] on this topic. The section "Kerberos Linux Client" applies also to Ubuntu 8.04. You need a working Kerberos (MIT or Heimdal) KDC (Key Distribution Center) before continuing. NFS4 and Kerberos work fine with Ubuntu 8.04; they do not seem to work with the (much) older Ubuntu 6.06, or at least I couldn't get Heimdal to work correctly. Please note, that we have three different entities: the Kerberos-server; the NFS-server and the NFS-client. Your Kerberos-server (or KDC) and NFS-server could be the same machine, but they could also very well be separate entities. We will use separate "prompts" to distinguish, i.e. if you see 

KDC$ echo "hello"

... this means you need to type echo "hello" on the KDC. Please note that you can now (with Ubuntu 8.04 and later) use any encryption type you want, there is no more need to extract only des-cbc-crc, as most sites suggest. See this mailinglist message.

MIT
  • On the nfs-server and nfs-client you need at least the krb5-user

and optional libpam-krb5 if you wish to authenticate against krb5. 

# apt-get install krb5-user
# apt-get install libpam-krb5
Heimdal
  • On the nfs-server and nfs-client you need heimdal-clients

and optional libpam-krb5 if you wish to authenticate against krb5. 

# apt-get install heimdal-clients
# apt-get install libpam-krb5
  • You need the gss kernel modules on nfs-servers and nfs-clients.
# modprobe rpcsec_gss_krb5

Add rpcsec_gss_krb5 to /etc/modules to have it loaded automatically. (I'm pretty sure they're loaded automatically though).

Create and distribute credentials

NFSv4 needs machine credentials for the server and every client, which wants to use the NFSv4 security features. Create the credentials for the nfs-server and all nfs-clients on the Kerberos KDC and distribute the extraced keys with scp to the destination You can make sure that only this entry has been created by executing "sudo klist -e -k /etc/krb5.keytab".

Create nfs/ principals

Authenticate as your admin user. You can do this from any machine in your kerberos-domain, as long as your kadmind is running; then add principals for your server and client machines. Replace "nfs-server.domain" with the fully qualified domain name of the machines. For example, if your server is called "snoopy" and your domain is "office.example.com", you would add a principal named "nfs/snoopy.office.example.com" for the server. Note: kadmin must be run with -l (locally) on the KDC if there is no kadmind. Please be aware of https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/309738/

Heimdal
$ kinit kadmin/admin
$ kadmin add -r nfs/nfs-server.domain
$ kadmin add -r nfs/nfs-client.domain

Now add these to the keytab-files on your NFS-server and client. Log in to your NFSserver (as root, because you will need to edit the /etc/krb5.keytab file) and initialize as Kerberos administrator. If your domain is fully kerberized, logging in as root will automatically give you the right access, in which case you don't need to use "kinit" anymore. 

NFSserver# kinit kadmin/admin
NFSserver# ktutil get nfs/nfs-server.domain

And add it to the client's keytab file: 

NFSclient# kinit kadmin/admin
NFSclient# ktutil get nfs/nfs-client.domain
MIT
$ kinit admin/admin
$ kadmin -q "addprinc -randkey nfs/nfs-server.domain"
$ kadmin -q "addprinc -randkey nfs/nfs-client.domain"

Now add these to the keytab-files on your NFS-server and client. Log in to your NFSserver (as root, because you will need to edit the /etc/krb5.keytab file) and initialize as Kerberos administrator. 

NFSserver# kadmin -p admin/admin -q "ktadd nfs/nfs-server.domain"

And add it to the client's keytab file: 

NFSclient# kadmin -p admin/admin -q "ktadd nfs/nfs-client.domain"

NFSv4 Server with Kerberos

  • Check your machine credentials in /etc/krb5.keytab. Use "ktutil" (MIT) or "ktutil list" (Heimdal)
MIT: 
# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 nfs/nfs-server.domain@DOMAIN
Heimdal: 
# ktutil list
FILE:/etc/krb5.keytab:

Vno  Type                     Principal
  6  des-cbc-md5              nfs/[email protected]
  6  des-cbc-md4              nfs/[email protected]
  6  des-cbc-crc              nfs/[email protected]
  6  aes256-cts-hmac-sha1-96  nfs/[email protected]
  6  des3-cbc-sha1            nfs/[email protected]
  6  arcfour-hmac-md5         nfs/[email protected]
etcetera (I removed the krb4 entries as you probably won't use them anyway).

MIT extra information: 

# sudo klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/nfs-server.domain@DOMAIN (DES cbc mode with CRC-32)
  • In /etc/default/nfs-kernel-server we set:
NEED_SVCGSSD=yes
  • In /etc/default/nfs-common we set:
NEED_IDMAPD=yes
  • To export our directories from the example above to a

local network 192.198.1.0/24 and addt we add the following two lines to /etc/exports 

/export       192.168.1.0/24(rw,fsid=0,insecure, \
  no_subtree_check,async,anonuid=65534,anongid=65534)
/export       gss/krb5(rw,fsid=0,insecure, \
  no_subtree_check,async,anonuid=65534,anongid=65534)
/export/users 192.168.1.0/24(rw,nohide,insecure, \
  no_subtree_check,async,anonuid=65534,anongid=65534)
/export/users gss/krb5(rw,nohide,insecure, \
  no_subtree_check,async,anonuid=65534,anongid=65534)

Please note that you can specify allowed hosts only in the any authentication flavor. gss/krb5 flavours are accessible from anywhere, if you do not use additional firewall rules. To export only with secure authentication flavors do not include a host(...) line in /etc/exports The gss/krb5 flavours are:

  • krb5: users are authenticated
  • krb5i: this includes krb5. Additionaly data integrity is provided.
  • krb5p: this includes krb5i. Additionaly privacy is provided.

To display your exports enter: 

# exportfs -v

NFSv4 Client with Kerberos

  • Check your machine credentials in /etc/krb5.keytab
MIT: 
# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 nfs/nfs-client.domain@DOMAIN
Heimdal: 
# ktutil list
FILE:/etc/krb5.keytab:

Vno  Type                     Principal
  6  des-cbc-md5              nfs/[email protected]
  6  des-cbc-md4              nfs/[email protected]
  6  des-cbc-crc              nfs/[email protected]
  6  aes256-cts-hmac-sha1-96  nfs/[email protected]
  6  des3-cbc-sha1            nfs/[email protected]
  6  arcfour-hmac-md5         nfs/[email protected]
  • In /etc/default/nfs-common we set:
NEED_IDMAPD=yes
NEED_GSSD=yes
  • We can secure mount the complete export tree with:
# mount -t nfs4 -o sec=krb5 nfs-server:/ /mnt
  • We can also secure mount an exported subtree with:
# mount -t nfs4 -o sec=krb5 nfs-server:/users /home/users

Troubleshooting

First, take care of proper logging - by default almost nothing is logged. e.g. to enable 3rd level verbose logging for rpc.gssd, append the following to /etc/default/nfs-common: 

RPCGSSDOPTS="-vvv"

After restarting nfs-common (/etc/init.d/nfs-common restart) check that the daemon has received new arguments: 

ps xuwa | grep grep rpc.gssd
root      9857  0.0  0.4   2496  1220 ?        Ss   02:17   0:00 /usr/sbin/rpc.gssd -vvv

Then look for its log output in damon.log: 

tail -f /var/log/daemon.log

For the server, you can e.g. raise rpc.svcgssd log level in /etc/default/nfs-kernel-server: 

RPCSVCGSSDOPTS="-vvv"

Browse the /etc/init.d/nfs-* init scripts to see other variables that you can set in /etc/defaults. If using Kerberos, enable logging in /etc/krb5.conf: 

[logging]
     kdc = SYSLOG:INFO:DAEMON
     admin_server = SYSLOG:INFO:DAEMON
     default = SYSLOG:INFO:DAEMON

It's possible to increase verbosity in /etc/idmapd.conf . It can be useful to study the sources for better understandig error messages: 

apt-get source nfs-common nfs-kernel-server libgssapi2-heimdal librpcsecgss3 libnfsidmap2

Links

取自“https://wiki.ubuntu.org.cn/index.php?title=UbuntuHelp:NFSv4Howto&oldid=127882