NFSv4 support in Debian is rather new, and not fully supported yet. If you want
to experiment, make sure you have:
- - a recent 2.6 kernel on both client and server; newer is better. You might even
- want to use CITI's patch set from http://www.citi.umich.edu/projects/nfsv4/linux/ .
+ - a recent 2.6 kernel on both client and server; newer is better. You might
+ even want to use CITI's patch set from
+ http://www.citi.umich.edu/projects/nfsv4/linux/ on the server, and/or Trond
+ Myklebust's patch set from http://client.linux-nfs.org/ .
- a recent enough version of nfs-utils on both client and server (you probably
have on at least one of them, since you're reading this file!).
- - a patched mount, which will hopefully enter the archive soon at the time of
- writing -- otherwise, you'll have to enable the patch in the Debian package
- yourself and rebuild it. (It is not enabled by default, since the current version
- of the patch breaks mounting against NFSv2-only servers, such as nfs-user-server.)
+ - enabled idmapd on both sides (see /etc/default/nfs-common).
+ - The following lines in /etc/services on the client (if not, you will receive
+ the message "broken /etc/services" when starting rpc.gssd; this will usually
+ only happen if you upgrade netbase without letting it replace /etc/services
+ with the new version):
+
+ nfs 2049/tcp # Network File System
+ nfs 2049/udp # Network File System
The export structure might be a bit confusing if you're already familiar with
-NFSv2 or NFSv3. The biggest difference is that you will need to export an explicit
-root of your pseudofilesystem, like this /etc/exports fragment:
+NFSv2 or NFSv3. The biggest difference is that you will need to export an
+explicit root of your pseudofilesystem, like this /etc/exports fragment:
/nfs4 hostname(rw,sync,fsid=0,crossmnt)
-(It doesn't need to be named "nfs4".) Then you can mount other volumes under that,
-like:
+(It doesn't need to be named "nfs4".) Then you can mount other volumes under
+that, like:
/nfs4/music hostname(rw,sync)
/nfs4/movies hostname(rw,sync)
mount -t nfs4 server:/music /mnt/music
-Since you might not have everything under one root, you might want /nfs4/* on the
-server to be bind mounts, ie.:
+Since you might not have everything under one root, you might want /nfs4/* on
+the server to be bind mounts, ie.:
mount --bind /srv/music /nfs4/music
or in /etc/fstab:
/srv/music /nfs4/music none bind 0 0
-
+
+Note that this special export structure might be handled transparently by
+rpc.mountd at some time in the future, in which case you will probably get the
+traditional (NFSv3-style) behaviour if and only if you have no share with
+fsid=0.
+
If you do not wish to use host-based authentication, you can specify "gss/krb5"
instead of a hostname to get Kerberos-based authentication instead. For this,
you will need an "nfs/hostname@REALM" entry in /etc/krb5.keytab, as well as
-rpc.gssd running on the client (enable it manually in /etc/default/nfs-common)
-and rpc.svcgssd running on the server (it should be autodetected once you put
-Kerberos mounts in /etc/exports).
+rpc.gssd running on both client and rpc.svcgssd on the server (enable them
+manually in /etc/default/nfs-common and /etc/default/nfs-kernel-server if the
+autodetection fails). On the client, you will need to add "-o sec=krb5" to
+the mount call.
+
+If you use "gss/krb5i" (and correspondingly "-o sec=krb5i" on the client), you
+will also get integrity (ie. authentication), and with "gss/krb5p", you'll also
+get privacy (ie. encryption). Make sure your kernel supports this; not all
+kernels do.
-If you use "gss/krb5i", you will also get integrity (ie. authentication), and
-with "gss/krb5p", you'll also get privacy (ie. encryption). Make sure your
-kernel supports this; not all kernels do.
+If you receive messages on the server complaining about "client ID already in
+use" when mounting from more than one client, check that you have at least
+mount version 2.12r-14. Also, connecting from behind different NATs could cause
+this kind of issue currently, as two or more clients would believe they had the
+same IP.
- -- Steinar H. Gunderson <sesse@debian.org>, Wed, 05 Apr 2006 18:09:47 +0200
+ -- Steinar H. Gunderson <sesse@debian.org>, Wed, 11 Oct 2006 15:18:03 +0200
projects / nfs-utils.git / blobdiff