Posted at November 18, 2016 at 7:08 am by Jithin
NFS, the Network File System, is an internet standard protocol used by Linux, Unix, and similar operating systems as their native network file system. It is an open standard under active extension which supports native Linux permissions and file system features. Linux 7 supports NFSv4 by default, and falls back automatically to NFSv2 if that is not available. NFSv4 uses the TCP protocol to communicate with the server, while older versions of NFS may use either TCP or UDP. NFS servers export shares (directories), and NFS clients mount an exported share to a local mount point (directory). The local mount point must exist. NFS shares can be mounted in a number of ways:
1) Manually mounting an NFS share using mount command
2) Automatically mounting an NFS share at boot time using /etc/fstab
3) Mounting an NFS share on demand through a process known as automounting
Securing file access on NFS shares
NFS servers secure access to files using one of several methods: none, sys, krb5, krb5i, and krb5p. The NFS server can offer a single method or multiple methods for each exported share. NFS clients must connect to the exported share using one of the methods mandated for that share, specified with the mount option sec=method.
1) none: anonymous access to the files, writes to the server (if allowed) will be allocated UID and GID of nfsnobody.
2) sys: file access based on standard Linux file permissions for UID and GID values. If not specified, this is the default.
3) krb5: clients must prove identity using Kerberos and then standard Linux file permissions apply.
4) krb5i: adds a cryptographically strong guarantee that the data in each request has not been tampered with
5) krb5p: adds encryption to all requests between the client and the server, preventing data exposure on the network. This will have a performance impact.
NFS Configuration (Server side)
1) Install the nfs-utils package.
# yum install -y nfs-utils
2) Download the keytab from the Kerberos server to /etc/krb5.keytab
3) Enable NFS to export SELinux labels.
# vi /etc/sysconfig/nfs
Set RPCNFSDARGS="-V 4.2"
4) Start and enable the nfs-secure service.
# systemctl start nfs-secure-server
# systemctl enable nfs-secure-server
5) Add nfs to the firewall.
# firewall-cmd --permanent --add-service=nfs
# firewall-cmd --reload
6) Create a directory for share.
# mkdir /securenfs
7) Configure nfs exports.
# vi /etc/exports
Insert the following to the ‘exports’ file.
8) Re-export the export table
# exportfs -rv
9) Restart the service
# systemctl restart nfs-secure-server
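A check to run once the exports are in place, given here as an added example that is not part of the original post: it reads exports-format text and reports every client entry that still permits sec=none or sec=sys, including entries with no sec= option, which default to sys as described above. The function names, hostnames and paths are constructed for illustration, and the parser assumes one export per line with no quoted paths or line continuations.

```shell
# Added example: report exports entries that permit non-Kerberos access.
# Reads exports-format text on stdin; prints "<path> <client> <methods> <verdict>".
# Assumption: one export per line, no quoted paths, no backslash continuations.
audit_exports() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {                      # split "client(opt,opt)"
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\).*$/, "", opts)
            }
            if (client == "") client = "*"    # bare "(opts)" matches any host
            flavors = ""
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)          # collect every sec= option
                if (o[j] ~ /^sec=/)
                    flavors = flavors (flavors == "" ? "" : ":") substr(o[j], 5)
            if (flavors == "") flavors = "sys"   # no sec= given: sys is the default
            verdict = "OK"
            m = split(flavors, f, ":")        # sec= may list several methods
            for (k = 1; k <= m; k++)
                if (f[k] !~ /^krb5[ip]?$/) verdict = "WEAK"
            print path, client, flavors, verdict
        }
    }'
}

# Constructed sample input (hypothetical hosts and paths, not from the post).
sample_exports() {
    cat <<'EOF'
/securenfs   client.example.com(sec=krb5p,rw)
/projects    *.example.com(sec=krb5:krb5i:krb5p,rw)
/scratch     192.0.2.0/24(rw,sync)
/legacy      client.example.com(sec=sys:krb5p,ro) (ro)
EOF
}

sample_exports | audit_exports
```

To audit a live server, run `audit_exports < /etc/exports`; any line marked WEAK lets a client mount without proving its identity through Kerberos.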
NFS Configuration (Client side)
1) Create a mount point.
# mkdir /mnt/secureshare
2) Download the keytab from the Kerberos server to /etc/krb5.keytab. The keytab should be the same as on the server side.
3) Start and enable the nfs service.
# systemctl start nfs-secure
# systemctl enable nfs-secure
4) Add the mount to /etc/fstab.
# vi /etc/fstab
Insert the following line to the fstab.
Server:/securenfs /mnt/secureshare nfs defaults,sec=krb5p,v4.2 0 0
5) Type the below command to check if there is any error.
# mount -a
If you need any further assistance please contact our support department.