Wednesday, October 10, 2007

Implementing NFS

NFS client and server support is actually built into the Linux kernel. The NFS server application is named rpc.nfsd and the client is rpc.mountd. There is also a quota support application named rpc.rquotad. These NFS daemons are normally started at boot time from the script /etc/rc.d/init.d/nfs. Most Linux implementations include this NFS support by default.

The NFS script only operates if the /etc/exports file exists and is not empty (zero length). The /etc/exports

NFS Server Support

Dynamic sharing of directories is done by rpc.nfsd using the exportfs program that changes the /etc/exports file. The following is an example using exportfs:

exportfs clientDomainName:/a/path/name/on/the/server
exportfs -o rw :/a/path/name/on/the/server

The first exports the directory /a/path/name/on/the/server to a specified client. In this case the domain name is clientDomainName*.foo.com. This could also be an IP address or an IP address and subnet mask. NIS group names can also be used. The directory is exported as read-only when no options are specified.

The second instance of exportfs exports the same directory but allows the world to access it. The exportfs supports a number of options. In this case, the command allows read-write access.

The exportfs program is also used to remove an export. This is done using the -u option as shown below:

exportfs -u clientDomainName:/a/path/name/on/the/server

The /etc/exports file is used to define exported NFS directories when NFS is started. Each line in the file defines the directory to be exported and how the directory can be accessed. The following is a sample /etc/exports file:

/home/guest     (ro)
/pub *.local.dom(rw) (ro)

The first allows any user read-only access to the /home/guest directory. The second allows read-write access to computers with a domain name of local.dom and read-only access to everyone else.

-----------------------------------------------------------------------------------------------

The following methods can be used to specify host names:

  • single host — Where one particular host is specified with a fully qualified domain name, hostname, or IP address.

  • wildcards — Where a * or ? character is used to take into account a grouping of fully qualified domain names that match a particular string of letters. Wildcards should not be used with IP addresses; however, it is possible for them to work accidentally if reverse DNS lookups fail.

    Be careful when using wildcards with fully qualified domain names, as they tend to be more exact than expected. For example, the use of *.example.com as a wildcard allows sales.example.com to access an exported file system, but not bob.sales.example.com. To match both possibilities both *.example.com and *.*.example.com must be specified.

  • IP networks — Allows the matching of hosts based on their IP addresses within a larger network. For example, 192.168.0.0/28 allows the first 16 IP addresses, from 192.168.0.0 to 192.168.0.15, to access the exported file system, but not 192.168.0.16 and higher.

  • netgroups — Permits an NIS netgroup name, written as @, to be used. This effectively puts the NIS server in charge of access control for this exported file system, where users can be added and removed from an NIS group without affecting /etc/exports.

--------------------------------------------------------------------------------------------

NFS export Options :

  • ro — Mounts of the exported file system are read-only. Remote hosts are not able to make changes to the data shared on the file system. To allow hosts to make changes to the file system, the read/write (rw) option must be specified.

  • wdelay — Causes the NFS server to delay writing to the disk if it suspects another write request is imminent. This can improve performance by reducing the number of times the disk must be accessed by separate write commands, reducing write overhead. The no_wdelay option turns off this feature, but is only available when using the sync option.

  • root_squash — Prevents root users connected remotely from having root privileges and assigns them the user ID for the user nfsnobody. This effectively "squashes" the power of the remote root user to the lowest local user, preventing unauthorized alteration of files on the remote server. Alternatively, the no_root_squash option turns off root squashing. To squash every remote user, including root, use the all_squash option. To specify the user and group IDs to use with remote users from a particular host, use the anonuid and anongid options, respectively. In this case, a special user account can be created for remote NFS users to share and specify (anonuid=,anongid=), where is the user ID number and is the group ID number.
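To make the host-matching rules and the export options above concrete, here is an added example (not code from the original post) that parses an /etc/exports file, decides which entry applies to a given client, and flags the entries a reviewer would question. It goes slightly beyond the post's sample file by handling all four host forms on one line. The sample exports text and the netgroup table are constructed; a real netgroup lookup would come from the NIS server.

```python
"""Evaluate /etc/exports access for a given client using the matching rules
described above: single host, wildcards (where * and ? do not cross a dot),
IP networks, netgroups and the bare "(opts)" form that applies to everyone.
Added example, not code from the original post. The sample exports text and
the netgroup table are constructed; a real netgroup lookup would go to NIS."""
import ipaddress
import re

# Constructed sample, modelled on the post's own /etc/exports example with
# extra lines so that each host form is exercised.
SAMPLE_EXPORTS = """\
# comment lines and blank lines are ignored
/home/guest     (ro)
/pub *.local.dom(rw) (ro)
/srv/build 192.168.0.0/28(rw,sync,root_squash) @admins(rw,no_root_squash)
/srv/scratch *(rw,no_root_squash)
"""

# Hypothetical netgroup membership standing in for the NIS netgroup map.
NETGROUPS = {"admins": {"ops1.example.com", "ops2.example.com"}}

TOKEN = re.compile(r"([^()]*)(?:\((.*)\))?")


def parse_exports(text):
    """Return [(path, [(host_spec, {option: value_or_True}), ...]), ...]."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        specs = []
        for tok in fields[1:]:
            m = TOKEN.fullmatch(tok)
            if m is None:
                raise ValueError(f"malformed export entry: {tok!r}")
            host = m.group(1) or "*"          # "(ro)" with no host means every client
            opts = {}
            for opt in filter(None, (m.group(2) or "").split(",")):
                key, _, value = opt.partition("=")
                opts[key] = value or True     # anonuid=99 keeps its value
            specs.append((host, opts))
        exports.append((fields[0], specs))
    return exports


def wildcard_match(pattern, hostname):
    """NFS-style wildcard: * and ? never match a dot, so *.example.com
    matches sales.example.com but not bob.sales.example.com."""
    regex = "".join("[^.]*" if c == "*" else "[^.]" if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, hostname, re.IGNORECASE) is not None


def host_matches(spec, hostname, ip, netgroups=NETGROUPS):
    """Does one host specification cover this client?"""
    if spec == "*":
        return True
    if spec.startswith("@"):                          # NIS netgroup
        return hostname in netgroups.get(spec[1:], set())
    if "/" in spec:                                   # IP network, CIDR or netmask
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    if "*" in spec or "?" in spec:                    # FQDN wildcard
        return wildcard_match(spec, hostname)
    return spec.lower() == hostname.lower() or spec == ip   # single host


def access_for(exports, path, hostname, ip):
    """Options of the first entry for `path` that matches the client, else None
    (first match wins, so the order of entries on a line matters)."""
    for export_path, specs in exports:
        if export_path != path:
            continue
        for host, opts in specs:
            if host_matches(host, hostname, ip):
                return opts
    return None


def effective(opts):
    """Summarise an option dict with the defaults the post describes:
    read-only unless rw is given, remote root squashed unless no_root_squash."""
    return {
        "mode": "rw" if opts.get("rw") else "ro",
        "root_squash": "no_root_squash" not in opts,
        "anonuid": opts.get("anonuid"),
        "anongid": opts.get("anongid"),
    }


def risky_entries(exports):
    """Entries a reviewer should question: root not squashed, or world-writable."""
    findings = []
    for path, specs in exports:
        for host, opts in specs:
            if "no_root_squash" in opts:
                findings.append((path, host, "no_root_squash"))
            if host == "*" and opts.get("rw"):
                findings.append((path, host, "world-writable"))
    return findings
```

Running `risky_entries(parse_exports(SAMPLE_EXPORTS))` reports the `/srv/scratch` line twice (root not squashed and writable by any host) and the `@admins` entry once; `access_for` on `/srv/build` confirms that 192.168.0.15 is covered by the /28 while 192.168.0.16 is not, exactly as the IP-network bullet states.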


The exportfs Command

Every file system being exported to remote users via NFS, as well as the access level for those file systems, is listed in the /etc/exports file. When the nfs service starts, the /usr/sbin/exportfs command launches and reads this file, passes control to rpc.mountd (if NFSv2 or NFSv3) for the actual mounting process, then to rpc.nfsd where the file systems are then available to remote users.

When issued manually, the /usr/sbin/exportfs command allows the root user to selectively export or unexport directories without restarting the NFS service. When given the proper options, the /usr/sbin/exportfs command writes the exported file systems to /var/lib/nfs/xtab. Since rpc.mountd refers to the xtab file when deciding access privileges to a file system, changes to the list of exported file systems take effect immediately.

The following is a list of commonly used options available for /usr/sbin/exportfs:

  • -r — Causes all directories listed in /etc/exports to be exported by constructing a new export list in /var/lib/nfs/xtab. This option effectively refreshes the export list with any changes that have been made to /etc/exports.

  • -a — Causes all directories to be exported or unexported, depending on what other options are passed to /usr/sbin/exportfs. If no other options are specified, /usr/sbin/exportfs exports all file systems specified in /etc/exports.

  • -o file-systems — Specifies directories to be exported that are not listed in /etc/exports. Replace file-systems with additional file systems to be exported. These file systems must be formatted in the same way they are specified in /etc/exports. Refer to Section 9.3.1 The /etc/exports Configuration File for more information on /etc/exports syntax. This option is often used to test an exported file system before adding it permanently to the list of file systems to be exported.

  • -i — Ignores /etc/exports; only options given from the command line are used to define exported file systems.

  • -u — Unexports all shared directories. The command /usr/sbin/exportfs -ua suspends NFS file sharing while keeping all NFS daemons up. To re-enable NFS sharing, type exportfs -r.

  • -v — Verbose operation, where the file systems being exported or unexported are displayed in greater detail when the exportfs command is executed.

If no options are passed to the /usr/sbin/exportfs command, it displays a list of currently exported file systems.

For more information about the /usr/sbin/exportfs command, refer to the exportfs man page.



NIS - Client and Server Configuration


Network Information Service (NIS) is the traditional directory service on *nix platforms. The setup of NIS is relatively simple when compared to other directory services like LDAP. NIS stores administrative files like /etc/passwd, /etc/hosts and so on in Berkeley DB files. This data is made available over the network to all the clients that are connected to the NIS domain.

Drawback: The network connection is not encrypted and all transactions, including passwords, are sent in clear text.

Configuring an NIS Server
  • Make sure the following packages are installed in your machine:
    ypserv : Contains the NIS server daemon (ypserv) and the NIS password daemon (yppasswdd).
    portmap : mandatory
    The yppasswdd daemon enables the NIS server to change the NIS database and password database information, at the client's request. In order to change your NIS password, the yppasswdd daemon must be running on the master server. From the client, one must use yppasswd to update a password within the NIS domain.

  • Insert the following line in the /etc/sysconfig/network file:
    NISDOMAIN=mynisdomain

  • Specify the networks you wish NIS to recognize in /var/yp/securenets .
    Eg:
    # Permit access to localhost:
    host 127.0.0.1

    #Permit access to xyz.com network:
    255.255.255.0 192.168.0.0

  • Insert the following lines in the /var/yp/Makefile :
    NOPUSH=true # Only if you have only a master NIS server else if you have even one slave server, set it to false
    MERGE_GROUP=false # If you have any group passwords in /etc/gshadow that need to be merged into the NIS group map, set it to true.
    MERGE_PASSWD=false # Set to true if you want to merge encrypted passwords from /etc/shadow into the NIS passwd map.

    Uncomment the following line :
    all: passwd group hosts netid ...

  • If you have slave NIS servers then enter their names in /var/yp/ypservers .

  • Finally run the following command:
    # /usr/lib/yp/ypinit -m
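The /var/yp/securenets step above is the only access control ypserv applies at the network level, so it is worth being able to read the file mechanically. The following is an added example (not code from the original post) that parses the two rule forms shown, `host <address>` and `<netmask> <network>`, answers whether a client address is covered, and flags a rule whose netmask admits every address. The sample file content is constructed after the post's own two-line example.

```python
"""Parse /var/yp/securenets and decide whether a client address is covered by
one of its rules. Added example, not code from the original post; the sample
file content is constructed after the post's own example."""
import ipaddress

# Constructed sample: the two rules from the post.
SAMPLE_SECURENETS = """\
# Permit access to localhost:
host 127.0.0.1

# Permit access to the 192.168.0.0/24 network:
255.255.255.0 192.168.0.0
"""


def parse_securenets(text):
    """Each rule is either 'host <address>' or '<netmask> <network>'.
    Returns a list of ip_network objects, one per rule."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed securenets line: {raw!r}")
        first, second = parts
        if first == "host":
            rules.append(ipaddress.ip_network(second))            # single /32 address
        else:
            # netmask comes first, network second; ipaddress accepts dotted masks
            rules.append(ipaddress.ip_network(f"{second}/{first}", strict=False))
    return rules


def permitted(rules, client_ip):
    """True when at least one rule covers the client address."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in rules)


def overly_broad(rules):
    """Rules that admit every address (a 0.0.0.0 netmask), which defeats the file."""
    return [net for net in rules if net.prefixlen == 0]
```

With the sample above, 127.0.0.1 and any 192.168.0.x address are covered and 10.0.0.1 is not; feeding a line such as `0.0.0.0 0.0.0.0` makes `overly_broad` return that rule.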

Configuring a slave NIS server
  • Install ypserv package on the slave server.
  • Make sure you have the name of the slave server listed in /var/yp/ypservers on the master server.
  • Now issue the command :
    # /usr/lib/yp/ypinit -s masterserver
  • Make sure the NOPUSH value in the /var/yp/Makefile on the master server is set to "false". Then when the master server's databases are updated, a call to the yppush executable will be made. yppush is responsible for transferring the updated contents from the master to the slaves. Only transfers within the same domain are made with yppush.
  • Lastly start ypserv and yppasswdd daemons
    # service ypserv start
    # service yppasswdd start

Configuring an NIS client
  • Make sure the following packages are installed on your machine:
    ypbind - NIS client daemon
    authconfig - used for automatic configuration of NIS client.
    yp-tools: Contains utilities like ypcat, yppasswd, ypwhich and so on used for viewing and modifying the user account details within the NIS server.
    portmap (mandatory)
  • There are two methods to configure an NIS client.
    • Method 1: Manual method
      • Enter the following line in the /etc/sysconfig/network file:
        NISDOMAIN=mynisdomain
      • Append the following line in /etc/yp.conf :
        domain mynisdomain server 192.168.0.1 # replace this with your NIS server address.
      • Make sure the following lines contain 'nis' as an option in the file /etc/nsswitch.conf file:
        passwd: files nis
        shadow: files nis
        group: files nis
        hosts: files nis dns
        networks: files nis
        protocols: files nis
        publickey: nisplus
        automount: files nis
        netgroup: files nis
        aliases: files nisplus
      • Finally restart ypbind and portmap.
    • Method 2: Run authconfig and follow directions.
  • To check if you have successfully configured the NIS client, execute the following:
    # ypcat passwd
    The output will be the contents of the /etc/passwd file residing on the NIS server having user IDs greater than or equal to 500.
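Because the passwd map returned by `ypcat passwd` travels in clear text (the drawback noted above) and, with MERGE_PASSWD=true, can carry the encrypted passwords from /etc/shadow, it is worth auditing what the map actually publishes. The following is an added example (not code from the original post) that parses ypcat-style output and reports uid-0 entries, system accounts below the UID 500 cut-off, duplicate UIDs and entries whose password field holds a hash rather than a placeholder. The map text is constructed; real output comes from running ypcat on a configured client.

```python
"""Audit the passwd map a client sees via `ypcat passwd`. Added example, not
code from the original post; the map text below is constructed."""

# Constructed sample in passwd(5) format, with a few deliberate problems:
# a hash in the password field, a uid-0 entry, and two accounts sharing a uid.
SAMPLE_YPCAT_PASSWD = """\
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:$1$saltsalt$hashhashhashhashhashha:501:501:Bob:/home/bob:/bin/bash
carol:x:502:502:Carol:/home/carol:/bin/bash
svc0:x:0:0:service account:/root:/bin/bash
dave:x:502:502:Dave:/home/dave:/bin/bash
"""

PLACEHOLDERS = {"x", "*", "!", "!!"}     # values that mean "no hash published here"


def parse_passwd_map(text):
    """Split ypcat passwd output into dicts, one per account."""
    users = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"not a passwd entry: {line!r}")
        name, pw, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def audit_passwd_map(users, min_uid=500):
    """Return (account, finding) pairs for entries an NIS map should not carry."""
    findings = []
    by_uid = {}
    for u in users:
        if u["uid"] == 0:
            findings.append((u["name"], "uid 0 published in NIS map"))
        elif u["uid"] < min_uid:
            findings.append((u["name"], f"uid below {min_uid} (system account in map)"))
        if u["pw"] == "":
            findings.append((u["name"], "empty password field"))
        elif u["pw"] not in PLACEHOLDERS:
            findings.append((u["name"], "password hash published in map (sent in clear text)"))
        by_uid.setdefault(u["uid"], []).append(u["name"])
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append((",".join(names), f"duplicate uid {uid}"))
    return findings
```

On the sample, `audit_passwd_map(parse_passwd_map(SAMPLE_YPCAT_PASSWD))` reports bob's hash, the uid-0 entry and the carol/dave collision, and nothing for alice.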