Setting up an NFS server: Difference between revisions
m (Arrogance moved page Setting up a nfs-server to Setting up an NFS server: spelling/grammar) |
(Added basic configuration for kerberos) |
Line 26: | Line 26: | ||
{{Cmd|rc-service netmount start}} | {{Cmd|rc-service netmount start}} | ||
= Adding Kerberos Authentication = | |||
By default, NFS security only validates the IP of the client. You can add user level authentication with a Kerberos installation ([https://pkgs.alpinelinux.org/package/edge/main/armhf/krb5 MIT KRB5] or [https://pkgs.alpinelinux.org/package/edge/main/x86/heimdal Heimdal]). It is recommended to have the same Kerberos flavor across the network as both implementations are not completely mutually compatible. | |||
== Server Configuration == | |||
Assuming you setup Kerberos in the in the network, create ticket to your NFS machine (examples are in MIT KRB5 syntax): | |||
{{Cmd| kadmin: addprinc -randkey nfs/nfs1.example.com@EXAMPLE.COM}} | |||
And add it to the machines krb5.keytab file: | |||
{{Cmd| kadmin: ktadd nfs/nfs1.example.com@EXAMPLE.COM}} | |||
If you want to use Kerberos for the user permission on the filesystem, you should enable id mapping available in NFSv4 by editing the following line in /etc/conf.d/nfs: | |||
<pre> | |||
NFS_NEEDED_SERVICES="rpc.idmapd" | |||
</pre> | |||
By default, the domain user will be mapped directly to an existing local user (or nobody). To change this behavior, edit /etc/idmapd.conf and restart rpc.idmapd. Note that by default the realm it considers is the domain from the hostname, and the user is the username under that realm. | |||
== Client Configuration == | |||
In order for the client to connect to NFS via kerberos, enable and start rpc.gssd. | |||
{{Cmd|rc-update add rpc.gssd | |||
rc-service rpc.gssd start}} | |||
And for correct id mapping (when using NFSv4), enable and start the rpc.idmapd | |||
{{Cmd|rc-update add rpc.idmapd | |||
rc-service rpc.idmapd start}} | |||
[[Category:Server]] | [[Category:Server]] |
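Review bot: in the added Server Configuration text, "create ticket to your NFS machine" does not match the command shown. addprinc -randkey creates a principal and ktadd writes its key to the keytab, so suggest "create a service principal for your NFS machine"; the same sentence also repeats "in the in the". The section also stops at id mapping and contains no step for the export itself, so a reader following it has nothing that changes the IP-only default described in its first paragraph; a short note on how an export is made to require Kerberos would close that gap.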
Revision as of 19:05, 5 July 2024
Installation
Install package:
apk add nfs-utils
Make it autostart
List the directories to export in /etc/exports, then:
rc-update add nfs
If you only need to mount an NFS share from the fstab file at boot:
rc-update add nfsmount
or
rc-update add netmount
You can check your boot services:
rc-status
Start it up now
rc-service nfs start
or, if you need to mount an NFS share from the fstab file now:
rc-service nfsmount start
or
rc-service netmount start
Adding Kerberos Authentication
By default, NFS security only validates the IP address of the client. You can add user-level authentication with a Kerberos installation (MIT KRB5 or Heimdal). It is recommended to use the same Kerberos flavor across the network, because the two implementations are not completely compatible with each other.
Server Configuration
Assuming Kerberos is already set up on the network, create a service principal for your NFS machine (examples are in MIT KRB5 syntax):
kadmin: addprinc -randkey nfs/nfs1.example.com@EXAMPLE.COM
Then add it to the machine's krb5.keytab file:
kadmin: ktadd nfs/nfs1.example.com@EXAMPLE.COM
If you want to use Kerberos identities for user permissions on the filesystem, enable the ID mapping available in NFSv4 by editing the following line in /etc/conf.d/nfs:
NFS_NEEDED_SERVICES="rpc.idmapd"
By default, the domain user is mapped directly to an existing local user (or nobody). To change this behavior, edit /etc/idmapd.conf and restart rpc.idmapd. Note that by default it takes the realm from the domain part of the hostname, and the user is the username under that realm.
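The steps above give the server a principal and keytab, but whether an export actually demands Kerberos is decided by the sec= option on its /etc/exports entry (krb5, krb5i or krb5p; without it the flavor is sys, the IP-only trust described earlier). The check below is an added example, not part of the wiki page: it flags client entries that still accept sys, using constructed sample exports and assuming one-line entries of the form path client(options).

```sh
#!/bin/sh
# Constructed sample exports(5) content; hosts and paths are made up.
sample_exports() {
    cat <<'EOF'
# path        client(options)
/srv/home     192.0.2.0/24(rw,sync,sec=krb5p)
/srv/pub      192.0.2.0/24(ro,sync) client1.example.com(rw,sec=krb5:sys)
/srv/backup   backup.example.com(rw,sync,sec=krb5i:krb5p)
EOF
}

# Read exports(5) text on stdin; print "<verdict> <path> <client> <flavors>"
# for each client entry. KRB5 = only Kerberos flavors are accepted,
# WEAK = sec=sys (IP-based trust) is still accepted for that client.
audit_exports() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }            # blank lines and comments
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^#/) break             # trailing comment
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            if (client == "") client = "*"   # bare "(opts)" applies to any host
            sec = "sys"                      # default flavor without sec=
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
            verdict = "KRB5"
            m = split(sec, f, ":")
            for (j = 1; j <= m; j++)
                if (f[j] !~ /^krb5[ip]?$/) verdict = "WEAK"
            print verdict, path, client, sec
        }
    }'
}

sample_exports | audit_exports
```

To check a real server, run `audit_exports < /etc/exports` and review every WEAK line.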
Client Configuration
In order for the client to connect to NFS via Kerberos, enable and start rpc.gssd:
rc-update add rpc.gssd
rc-service rpc.gssd start
For correct ID mapping (when using NFSv4), also enable and start rpc.idmapd:
rc-update add rpc.idmapd
rc-service rpc.idmapd start