Setting up an NFS server: Difference between revisions

From Alpine Linux
(Added export information)
(idmapd is replaced by nfsidmap)
Line 47: Line 47:
{{Cmd|exports -afv}}
{{Cmd|exports -afv}}


If you want to use Kerberos for the user permission on the filesystem, you should enable id mapping available in NFSv4 by editing the following line in /etc/conf.d/nfs:
User id mapping is managed by nfsidmap.
<pre>
NFS_NEEDED_SERVICES="rpc.idmapd"
</pre>
 
By default, the domain user will be mapped directly to an existing local user (or nobody). To change this behavior, edit /etc/idmapd.conf and restart rpc.idmapd. Note that by default the realm it considers is the domain from the hostname, and the user is the username under that realm.


== Client Configuration ==
== Client Configuration ==
Line 60: Line 55:
rc-service rpc.gssd start}}
rc-service rpc.gssd start}}


And for correct id mapping (when using NFSv4), enable and start the rpc.idmapd
{{Cmd|rc-update add rpc.idmapd
rc-service rpc.idmapd start}}


[[Category:Server]]
[[Category:Server]]

Revision as of 20:48, 5 July 2024

Installation

Install package:

apk add nfs-utils

Make it autostart

Export dirs in /etc/exports, then

rc-update add nfs

If you need just to mount nfs share from fstab file at booting of the system

rc-update add nfsmount

or

rc-update add netmount

You can check your boot services:

rc-status

Start it up now

rc-service nfs start

or if you need to mount nfs share from fstab file now

rc-service nfsmount start

or

rc-service netmount start

Adding Kerberos Authentication

By default, NFS security only validates the IP of the client. You can add user level authentication with a Kerberos installation (MIT KRB5 or Heimdal). It is recommended to have the same Kerberos flavor across the network as both implementations are not completely mutually compatible.

Server Configuration

Assuming you setup Kerberos in the in the network, create ticket to your NFS machine (examples are in MIT KRB5 syntax):

kadmin: addprinc -randkey nfs/nfs1.example.com@EXAMPLE.COM

And add it to the machines krb5.keytab file:

kadmin: ktadd nfs/nfs1.example.com@EXAMPLE.COM

Then, edit your /etc/exports, and add sec=krb5 (only authentication), sec=krb5i (also hmac signing) or sec=krb5p (also encryption). For example:

/data      10.10.10.0/24(rw,nohide,no_subtree_check,sec=krb5p,no_root_squash)

After editing /etc/exports, reload your setting

exports -afv

User id mapping is managed by nfsidmap.

Client Configuration

In order for the client to connect to NFS via kerberos, enable and start rpc.gssd.

rc-update add rpc.gssd rc-service rpc.gssd start