"UbuntuHelp:SettingUpNFSHowTo": Difference between revisions

From Ubuntu中文

(10 intermediate revisions by 2 users not shown)
From: https://help.ubuntu.com/community/SettingUpNFSHowTo
 
Latest revision as of 00:11, 20 May 2010 (Thursday)

NFS Server

Pre-Installation Setup

None of the following pre-installation steps are strictly necessary.

User Permissions

NFS user permissions are based on user ID (UID). UIDs of any users on the client must match those on the server in order for the users to have access. The typical ways of doing this are:

  • Manual password file synchronization
  • Use of LDAP
  • Use of NIS

It's also important to note that you have to be careful on systems where the main user has root access: that user can change UIDs on the system to allow themselves access to anyone's files. This page assumes that the administrative team is the only group with root access and that they are all trusted. Anything else represents a more advanced configuration, and will not be addressed here.

Group Permissions

With NFS, a user's access to files is determined by his/her membership of groups on the client, not on the server. However, there is an important limitation: a maximum of 16 groups are passed from the client to the server, and if a user is a member of more than 16 groups on the client, some files or directories might be unexpectedly inaccessible.
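
Both prerequisites above (UIDs that agree on client and server, and no user in more than 16 groups) can be checked before anything is exported. The script below is an added example and not part of the original page; it works on passwd- and group-format text, so it can be fed copies of /etc/passwd from the client and the server. The account and group data it contains is constructed for illustration, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): audit the two NFS account
# prerequisites described above. Works on passwd/group-format text so it can
# be run against copies pulled from the client and server; the data below
# is constructed sample input, not real accounts.

# Constructed sample: same logins on both machines, but "bob" has UID 1001 on
# the client and 1500 on the server, so his NFS access would map to the
# wrong server-side account.
CLIENT_PASSWD='alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash'
SERVER_PASSWD='alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1500:1500::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash'

# Constructed sample /etc/group on the client: "dave" is listed as a member
# of 18 groups, more than the 16 the page says are passed to the server.
CLIENT_GROUP=$(
    printf 'dev:x:3000:alice,dave\n'
    i=1
    while [ "$i" -le 17 ]; do
        printf 'proj%d:x:%d:dave\n' "$i" $((3000 + i))
        i=$((i + 1))
    done
)

# uid_mismatches CLIENT_PASSWD_TEXT SERVER_PASSWD_TEXT
# Prints "login client_uid server_uid" for each login whose UID differs,
# using "-" for a side where the login does not exist. Sorted for stable output.
uid_mismatches() {
    {
        printf '%s\n' "$1" | sed 's/^/C:/'
        printf '%s\n' "$2" | sed 's/^/S:/'
    } | awk -F: '
        $1 == "C" && NF >= 4 { c[$2] = $4 }
        $1 == "S" && NF >= 4 { s[$2] = $4 }
        END {
            for (u in c) if (!(u in s)) print u, c[u], "-"
            for (u in s) if (!(u in c)) print u, "-", s[u]
            for (u in c) if ((u in s) && c[u] != s[u]) print u, c[u], s[u]
        }' | sort
}

# over_group_limit GROUP_TEXT
# Prints "login count" for each login listed as a member of more than 16
# groups in the group file (the NFSv2/v3 limit the page describes).
over_group_limit() {
    printf '%s\n' "$1" | awk -F: '
        NF >= 4 && $4 != "" {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) count[members[i]]++
        }
        END { for (u in count) if (count[u] > 16) print u, count[u] }' | sort
}

echo "UID mismatches (login client server):"
uid_mismatches "$CLIENT_PASSWD" "$SERVER_PASSWD"
echo "Users over the 16-group limit:"
over_group_limit "$CLIENT_GROUP"
```

On a real pair of machines, run uid_mismatches on the two passwd files and fix every reported login (or move to LDAP/NIS as the list above suggests) before exporting home directories; a mismatch means a user on the client reads and writes files as a different account on the server.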

Host Names

(optional if using DNS)

Add the client names and IP addresses to /etc/hosts. The real (not 127.0.0.1) IP address of the server should already be here. This ensures that NFS will still work even if DNS goes down. You could rely on DNS if you wanted, it's up to you.

NIS

(optional - perform these steps only if using NIS)

Note: This only works if using NIS. Otherwise, you can't use netgroups, and should specify individual IPs or hostnames in /etc/exports. Read the BUGS section in man netgroup.

Edit /etc/netgroup and add a line to classify your clients. (This step is not necessary, but is for convenience.)

myclients (client1,,) (client2,,)

Obviously, more clients can be added. myclients can be anything you like; this is a netgroup name.

Run this command to rebuild the YP database:

sudo make -C /var/yp

Portmap Lockdown

(optional)

Add the following line to /etc/hosts.deny:

portmap mountd nfsd statd lockd rquotad : ALL

By blocking all clients first, only clients in /etc/hosts.allow below will be allowed to access the server.

Now add the following line to /etc/hosts.allow:

portmap mountd nfsd statd lockd rquotad : list of IP addresses

In place of "list of IP addresses", list the IP addresses of the server and all clients. These have to be IP addresses because of a limitation in portmap (it doesn't like hostnames). Note that if you have NIS set up, just add these to the same line.
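
Because portmap only matches numeric addresses, a hostname that slips into the hosts.allow line silently fails to grant access, and a missing deny-all line silently grants it to everyone. The script below is an added example, not part of the original page: it checks a hosts.deny/hosts.allow pair for the two rules described above. The file contents are constructed samples and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check the TCP wrapper
# rules described above. portmap only matches numeric addresses in
# hosts.allow, so a hostname in that list silently fails to grant access.
# The file contents below are constructed samples, not the live files.

HOSTS_DENY='portmap mountd nfsd statd lockd rquotad : ALL'
HOSTS_ALLOW='# constructed sample: two numeric entries and one hostname (the hostname will not match)
portmap mountd nfsd statd lockd rquotad : 192.168.0.1 192.168.0.10 client2.lan'

# deny_all_present HOSTS_DENY_TEXT
# Prints "yes" if an uncommented rule denies portmap to ALL, otherwise "no".
deny_all_present() {
    if printf '%s\n' "$1" | grep -q '^[^#]*portmap[^:]*:[[:space:]]*ALL[[:space:]]*$'; then
        echo yes
    else
        echo no
    fi
}

# nonnumeric_clients HOSTS_ALLOW_TEXT
# Prints every client on an uncommented portmap rule that is not a
# dotted-quad IPv4 address (optionally with a /mask), i.e. entries that
# portmap cannot match.
nonnumeric_clients() {
    printf '%s\n' "$1" | awk -F: '
        /^[ \t]*#/ { next }
        $1 ~ /(^|[ \t,])portmap([ \t,]|$)/ {
            n = split($2, clients, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                if (clients[i] == "") continue
                if (clients[i] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9.]+)?$/) print clients[i]
            }
        }'
}

echo "hosts.deny blocks portmap for ALL: $(deny_all_present "$HOSTS_DENY")"
echo "hosts.allow entries portmap cannot match:"
nonnumeric_clients "$HOSTS_ALLOW"
```

Run it against the real files with deny_all_present "$(cat /etc/hosts.deny)" and nonnumeric_clients "$(cat /etc/hosts.allow)"; anything printed by the second call is a client that believes it is allowed but will be refused by portmap.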

Installation and Configuration

Install NFS Server

sudo apt-get install portmap nfs-kernel-server

Shares

Edit /etc/exports and add the shares:

/home @myclients(rw,sync,no_subtree_check)
/usr/local @myclients(rw,sync,no_subtree_check)

The above shares /home and /usr/local to all clients in the myclients netgroup.

/home 192.168.0.10(rw,sync,no_subtree_check) 192.168.0.11(rw,sync,no_subtree_check)
/usr/local 192.168.0.10(rw,sync,no_subtree_check) 192.168.0.11(rw,sync,no_subtree_check)

The above shares /home and /usr/local to two clients with fixed IP addresses. Best used only with machines that have static IP addresses.

/home 192.168.0.0/255.255.255.0(rw,sync,no_subtree_check)
/usr/local 192.168.0.0/255.255.255.0(rw,sync,no_subtree_check)

The above shares /home and /usr/local to all clients in the private network falling within the designated IP address range.

rw makes the share read/write, and sync requires the server to only reply to requests once any changes have been flushed to disk. This is the safest option (async is faster, but dangerous). It is strongly recommended that you read man exports.

After setting up /etc/exports, export the shares:

sudo exportfs -ra

You'll want to do this command whenever /etc/exports is modified.
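
Since exportfs -ra publishes whatever is in /etc/exports, it is worth reviewing the file for the options discussed above before running it. The script below is an added example and not part of the original page: it parses exports-format text and reports clients given async, entries that set neither subtree_check nor no_subtree_check (every example on this page sets it explicitly), and entries with no client or a bare "*" before the options, which export to every host that can reach the server. The sample file content is constructed, and the function name is the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): review /etc/exports for the
# options discussed above before running "exportfs -ra". The sample file
# content below is constructed; run the function on the real file with
#   exports_findings "$(cat /etc/exports)"

EXPORTS='# constructed sample /etc/exports
/home @myclients(rw,sync,no_subtree_check)
/usr/local 192.168.0.0/255.255.255.0(rw,async,no_subtree_check)
/srv/scratch (rw,sync)
/srv/data 192.168.0.10(rw,sync)'

# exports_findings EXPORTS_TEXT
# Prints one line per finding, "<path> <client> <issue>":
#   world-export             - no client or "*" before the options, so every
#                              host that can reach the server may mount it
#                              (a space between client and "(" causes this too)
#   async                    - the page calls this faster but dangerous
#   no_subtree_check-missing - neither subtree_check nor no_subtree_check set;
#                              the page's examples all set it explicitly
exports_findings() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match($i, /\(.*\)$/)) {
                    client = substr($i, 1, RSTART - 1)
                    opts = substr($i, RSTART + 1, RLENGTH - 2)
                }
                shown = (client == "") ? "(any)" : client
                if (client == "" || client == "*") print path, shown, "world-export"
                if ("," opts "," ~ /,async,/) print path, shown, "async"
                if ("," opts "," !~ /,(no_)?subtree_check,/) print path, shown, "no_subtree_check-missing"
            }
        }'
}

exports_findings "$EXPORTS"
```

The "/srv/scratch (rw,sync)" line in the sample is the classic mistake: with nothing before the parenthesised options, the share is exported read/write to the world, which is exactly what the client lists and netgroups above are meant to prevent.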

Restart Services

By default, portmap only binds to the loopback interface. To enable access to portmap from remote machines, you need to change /etc/default/portmap to get rid of either "-l" or "-i 127.0.0.1". If /etc/default/portmap was changed, portmap will need to be restarted:

sudo /etc/init.d/portmap restart

The NFS kernel server will also require a restart:

sudo /etc/init.d/nfs-kernel-server restart

Security Note

Aside from the UID issues discussed above, it should be noted that an attacker could potentially masquerade as a machine that is allowed to map the share, which allows them to create arbitrary UIDs to access your files. One potential solution to this is IPSec, see also the NFS and IPSec section below. You can set up all your domain members to talk only to each other over IPSec, which will effectively authenticate that your client is who it says it is.

IPSec works by encrypting traffic to the server with the server's key, and the server sends back all replies encrypted with the client's key. The traffic is decrypted with the respective keys. If the client doesn't have the keys that the client is supposed to have, it can't send or receive data.

An alternative to IPSec is physically separate networks. This requires a separate network switch and separate ethernet cards, and physical security of that network.

NFS Client

Installation

sudo apt-get install portmap nfs-common

Portmap Lockdown

(optional)

Add the following line to /etc/hosts.deny:

portmap : ALL

By blocking all clients first, only clients in /etc/hosts.allow below will be allowed to access the server.

Now add the following line to /etc/hosts.allow:

portmap : NFS server IP address

Where "NFS server IP address" is the IP address of the server. This must be numeric! It's the way portmap works.

Host Names

(optional if using DNS)

Add the server name to /etc/hosts. This ensures the NFS mounts will still work even if DNS goes down. You could rely on DNS if you wanted, it's up to you.

Mounts

Check to see if everything works

You should try and mount it now. The basic template you will use is:

sudo mount ServerIP:/folder/already/setup/to/be/shared /home/username/folder/in/your/local/computer

so for example:

sudo mount 192.168.1.42:/home/music /home/poningru/music

Mount at startup

NFS mounts can either be automatically mounted when accessed using autofs or can be setup with static mounts using entries in /etc/fstab.

Automounter

Install autofs:

sudo apt-get install autofs

The following configuration example sets up home directories to automount off an NFS server upon logging in. Other directories can be setup to automount upon access as well.

Add the following line to the end of /etc/auto.master:

  /home         /etc/auto.home

Now create /etc/auto.home and insert the following:

  *             solarisbox1.company.com.au,solarisbox2.company.com.au:/export/home/&

The above line automatically mounts any directory accessed at /home/[username] on the client machine from either solarisbox1.company.com.au:/export/home/[username] or solarisbox2.company.com.au:/export/home/[username].

Restart autofs to enable the configuration:

sudo /etc/init.d/autofs start

Static Mounts

Prior to setting up the mounts, make sure the directories that will act as mountpoints are already created.

In /etc/fstab, add lines for shares such as:

servername:dir /mntpoint nfs rw,hard,intr 0 0

rw mounts it read/write. Obviously, if the server is sharing it read-only, the client won't be able to mount it as anything more than that. hard mounts the share such that if the server becomes unavailable, the program will wait until it is available. The alternative is soft. intr allows you to interrupt/kill the process. Otherwise, it will ignore you. Documentation for these can be found in the "Mount options for nfs" section of man mount.

The filesystems can now be mounted with mount /mountpoint, or mount -a to mount everything that should be mounted at boot.
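
Before running mount -a, it is worth confirming that every mountpoint named in /etc/fstab already exists, as the section above requires; a static NFS mount into a missing directory fails at boot. The function below is an added example and not part of the original page: it reads fstab-format text and lists the nfs entries whose mountpoint directory is absent. The fstab lines and the temporary directory used in the demo are constructed, and the function name is the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): before "mount -a", confirm that
# every NFS mountpoint listed in fstab-format text exists as a directory.
# The fstab lines below are constructed and point at a throwaway temporary
# directory; run the function on the real file with
#   missing_mountpoints "$(cat /etc/fstab)"

# missing_mountpoints FSTAB_TEXT
# Prints the mountpoint of every nfs/nfs4 entry whose directory does not exist.
# Comment lines, blank lines and non-NFS filesystems are skipped.
missing_mountpoints() {
    printf '%s\n' "$1" | while read -r src mountpoint fstype opts dump pass; do
        case "$src" in ''|'#'*) continue ;; esac
        case "$fstype" in nfs|nfs4) ;; *) continue ;; esac
        [ -d "$mountpoint" ] || printf '%s\n' "$mountpoint"
    done
}

# Demo with constructed entries: only the first mountpoint is created, so the
# second one is reported.
DEMO_ROOT=$(mktemp -d)
mkdir "$DEMO_ROOT/music"
DEMO_FSTAB="# constructed sample fstab
192.168.1.42:/home/music $DEMO_ROOT/music nfs rw,hard,intr 0 0
192.168.1.42:/usr/local $DEMO_ROOT/local nfs rw,hard,intr 0 0
/dev/sda1 / ext4 defaults 0 1"

echo "NFS mountpoints that still need to be created:"
missing_mountpoints "$DEMO_FSTAB"
rm -rf "$DEMO_ROOT"
```

Each path it prints can be created with mkdir -p before the first mount -a; an empty result means every NFS entry has a directory to mount on.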

Notes

Minimalistic NFS Set Up

The steps above are very comprehensive. The minimum number of steps required to set up NFS are listed here: http://www.ubuntuforums.org/showthread.php?t=249889

Using Groups with NFS Shares

When using groups on NFS shares (NFSv2 or NFSv3), keep in mind that this might not work if a user is a member of more than 16 groups. This is due to limitations in the NFS protocol. You can find more information on Launchpad ("Permission denied when user belongs to group that owns group writable or setgid directories mounted via nfs", https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.20/+bug/110132) and in this article: "What's the deal on the 16 group id limitation in NFS?" (http://nfsworld.blogspot.com/2005/03/whats-deal-on-16-group-id-limitation.html)

IPSec Notes

If you're using IPSec, the default shutdown order in Breezy/Dapper causes the client to hang as it's being shut down because IPSec goes down before NFS does. To fix it, do:

sudo update-rc.d -f setkey remove
sudo update-rc.d setkey start 37 0 6 S .

A bug has been filed here: https://launchpad.net/distros/ubuntu/+source/ipsec-tools/+bug/37536

Credits

  • MatthewCaron - NFS Server, NFS Client, IPSec Notes
  • NaamanCampbell - NFS Client - Automount