Set up a NFS Server

Configure /etc/exports to give clients the permission to use the NFS directories.

Edit /etc/exports

For example, to allow the servers inside subnet 10.0.0.1/24 to mount the /home directory with read/write permission. Add this line to /etc/exports:

/home 10.0.0.1/24(rw)

For details of the exports functions, please refer to export manual.

Start up the NFS service

Enable nfs service on the NFS server so that the NFS service daemon automatically starts each time the server starts:

# /sbin/chkconfig nfs on

You may also manually start it

# service nfs start

Client-slide configuration

Package installation

# yum nfs-utils

Start the rpcbind service

# service rpcbind restart

You may also set it to start automatically

# chkconfig rpcbind on

Mount the NFS directory

# mount NFS_SERVER:/lhome/userdir MOUNT_POINT

where NFS_SERVER is the NFS server’s address, and MOUNT_POINT is the local mount point on the client side for the NFS directory.

You may also consider using autofs on top of NFS as described in Unified Linux Login and Home Directory Using OpenLDAP and NFS/automount.

There are seven ports need to be taken care of for NFS server.

1. rpcbind‘s listening port

rpcbind listens on TCP and UDP port 111. It is the default port number and it doesn’t require special configuration.

2. nfsd‘s listening port

nfsd listens on TCP and UDP port 2049. It is also the default port number and it doesn’t require special configuration.

3. Fix ports for RQUOTAD_PORT, MOUNTD_PORT, LOCKD_TCPPORT, LOCKD_UDPPORT and STATD_PORT

These five ports should be configured to be fixed to avoid rpcbind assign random port for it.

Uncomment or add these lines to /etc/sysconfig/nfs:

RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662

After restarting nfs and rpcbind, only these seven ports are needed for setting up NFS server.

The ports used by NFS RPC-based service can be listed by:

$ rpcinfo -p

This is a sample output of this command:

program vers proto   port
100000    2   tcp    111  portmapper
100000    2   udp    111  portmapper
100024    1   udp    662  status
100024    1   tcp    662  status
100011    1   udp    875  rquotad
100011    2   udp    875  rquotad
100011    1   tcp    875  rquotad
100011    2   tcp    875  rquotad
100003    2   udp   2049  nfs
100003    3   udp   2049  nfs
100003    4   udp   2049  nfs
100021    1   udp  32769  nlockmgr
100021    3   udp  32769  nlockmgr
100021    4   udp  32769  nlockmgr
100021    1   tcp  32803  nlockmgr
100021    3   tcp  32803  nlockmgr
100021    4   tcp  32803  nlockmgr
100003    2   tcp   2049  nfs
100003    3   tcp   2049  nfs
100003    4   tcp   2049  nfs
100005    1   udp    892  mountd
100005    1   tcp    892  mountd
100005    2   udp    892  mountd
100005    2   tcp    892  mountd
100005    3   udp    892  mountd
100005    3   tcp    892  mountd

We can configure the firewall to only allow connections to these ports to enhance security. Please note that NFS is not secure enough and it need other mechanisms if you want to set up a SECURE NFS server.

Sample configuration files

Here is my configuration files for NFS:

/etc/sysconfig/nfs :

# Define which protocol versions mountd
# will advertise. The values are "no" or "yes"
# with yes being the default
#MOUNTD_NFS_V1="no"
MOUNTD_NFS_V2="no"
MOUNTD_NFS_V3="no"
#
#
# Path to remote quota server. See rquotad(8)
#RQUOTAD="/usr/sbin/rpc.rquotad"
#RQUOTAD=no
# Port rquotad should listen on.
RQUOTAD_PORT=875
# Optinal options passed to rquotad
#RPCRQUOTADOPTS=""
#
# Optional arguments passed to in-kernel lockd
#LOCKDARG=
# TCP port rpc.lockd should listen on.
LOCKD_TCPPORT=32803
# UDP port rpc.lockd should listen on.
LOCKD_UDPPORT=32769
#
#
# Optional arguments passed to rpc.nfsd. See rpc.nfsd(8)
# Turn off v2 and v3 protocol support
#RPCNFSDARGS="-N 2 -N 3"
# Turn off v4 protocol support
#supportRPCNFSDARGS="-N 4"
# Number of nfs server processes to be started.
# The default is 8.
#RPCNFSDCOUNT=8
# Stop the nfsd module from being pre-loaded
#NFSD_MODULE="noload"
#
#
# Optional arguments passed to rpc.mountd. See rpc.mountd(8)
#RPCMOUNTDOPTS=""
# Port rpc.mountd should listen on.
MOUNTD_PORT=892
#
#
# Optional arguments passed to rpc.statd. See rpc.statd(8)
#STATDARG=""
# Port rpc.statd should listen on.
STATD_PORT=662
# Outgoing port statd should used. The default is port
# is random
#STATD_OUTGOING_PORT=2020
# Specify callout program
#STATD_HA_CALLOUT="/usr/local/bin/foo"
#
#
# Optional arguments passed to rpc.idmapd. See rpc.idmapd(8)
#RPCIDMAPDARGS=""
#
# Set to turn on Secure NFS mounts.
#SECURE_NFS="yes"
# Optional arguments passed to rpc.gssd. See rpc.gssd(8)
#RPCGSSDARGS="-vvv"
# Optional arguments passed to rpc.svcgssd. See rpc.svcgssd(8)
#RPCSVCGSSDARGS="-vvv"
# Don't load security modules in to the kernel
#SECURE_NFS_MODS="noload"
#
# Don't load sunrpc module.
#RPCMTAB="noload"
#

/etc/exports :

/lhome 10.0.0.1/24(rw)
/lhome 10.0.1.1/24(rw)
/lhome 143.89.135.171(rw)

Update history:
Jul. 27, 2010. Add RQUOTAD_PORT.
Sep. 11, 2010. Add sample configuration files.

A little trick is required for setting NFS server on top of /dev/shm. If we add a normal entry in /etc/export and them run

# exportfs -a

exportfs will give us a warning like this: exportfs: Warning: /dev/shm requires fsid= for NFS export

When we try to mount this NFS server, we may get a error message from mount: mount.nfs: access denied by server while mounting nfsserver:/dev/shm

How to solve this problem? Just add option fsid=1 to /dev/shm entry in /etc/exports:

/dev/shm 10.0.0.1/24(rw,fsid=1,sync)

Then nfsserver:/dev/shm can be mounted in 10.0.0.1/24.

0. System environment

This solution is tested on Fedora 12 systems. This method should work on later versions of Fedora, such as Fedora 13, Fedora 14, Fedora 15 … This solution is also tested on CentOS.

LDAP and NFS server:
IP: 10.0.0.2
OS: Fedora 12 x86_64
ldap base dn: “dc=lgcpu1″

Clients:
IP: 10.0.0.1/24
OS: Fedora 12 x86_64

1. LDAP server

Package installation:

# yum install openldap-servers
# /sbin/chkconfig ldap on
# /sbin/service ldap start

 Add or edit these configurations:

Edit /etc/openldap/slapd.conf. Add or edit:

include 	/etc/openldap/schema/redhat/autofs.schema

#########################################################
# ldbm and/or bdb database definitions
#########################################################

database	bdb
suffix		"dc=lgcpu1"
checkpoint      1024 15
rootdn		"cn=Manager,dc=lgcpu1"

rootpw		{crypt}x

# Access Control
access to attrs=userPassword
  by self                               write
  by anonymous                          auth
  by dn="cn=manager,dc=lgcpu1"  write
  by *                                  compare
access to *
  by self                               write
  by dn="cn=manager,dc=lgcpu1"  write
  by *                                  read

How to get the rootpw:

perl -e "print crypt('passwd', 'salt_string',);"

Add top.ldif

top.ldif:

dn: dc=lgcpu1
objectclass: dcObject
objectclass: organization
o: lgcpu1 group
dc: lgcpu1

dn: cn=manager,dc=lgcpu1
objectclass: organizationalRole
cn: manager

dn: ou=people,dc=lgcpu1
ou: people
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: lgcpu1

dn: ou=contacts,ou=people,dc=lgcpu1
ou: contacts
ou: people
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: lgcpu1

dn: ou=group,dc=lgcpu1
ou: group
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: lgcpu1

Add top.ldif to ldap server:

$ ldapadd -x -D 'cn=manager,dc=lgcpu1' -W -f top.ldif

Then search all the content in the ldap server by:

ldapsearch -x -D 'cn=manager,dc=lgcpu1' -W

If the previous work is correctly processed. ldapsearch will print out all the content in ldap database.

Add users and groups from local configuration:

Copy passwd shadow group from /etc/ to some tmp location
Edit them and only keep the normal users, that means no system users.

$ vim /usr/share/openldap/migration/migrate_common.ph

Edit these values:

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "cse.ust.hk";

# Default base
$DEFAULT_BASE = "dc=lgcpu1";

Then add the encryped password from shadow file to userPassword like this:

$ /usr/share/openldap/migration/migrate_passwd.pl ./passwd > people.ldif

The password is in this format:

userPassword: {crypt}$1$Zlkjsdf...

Then add people.ldif to ldap server

$ /usr/share/openldap/migration/migrate_group.ph ./group > group.ldif

Then add group.ldif to ldap server

Add auto.master.ldif

dn: ou=auto.master,dc=lgcpu1
objectClass: top
objectClass: automountMap
ou: auto.master

dn: cn=/home,ou=auto.master,dc=lgcpu1
objectClass: automount
automountInformation: ldap:ou=auto.home,dc=lgcpu1
cn: /home

dn: cn=/share,ou=auto.master,dc=lgcpu1
objectClass: automount
automountInformation: ldap:ou=auto.misc, dc=lgcpu1
cn: /share

add auto.master.ldif

Add auto.home.ldif

Add for every users

add auto.home.ldif

auto.misc.ldif

Add for some common share directories

dn: ou=auto.misc,dc=lgcpu1
objectClass: top
objectClass: automountMap
ou: auto.misc

add auto.misc.ldif

2. NFS server

Please refer to How to Set Up and Configure NFS Server and Clients for how to set up a NFS server.

Edit /etc/exports

Allow the servers inside subnet 10.0.0.1/24 to mount the /home directory with read/write permission. Add this line to /etc/exports:

/home 10.0.0.1/24(rw)

Start up service

Enable nfs service on the NFS server so that the service automatically starts each time the server starts:

# /sbin/chkconfig nfs on

You may also manually start it

# service nfs start

3. Client configuration

3.1 Packages installation

# yum install nss_ldap autofs nfs-utils
# chkconfig autofs on
# service rpcbind restart
# service autofs restart

3.2 Configuration

# authconfig-tui

Select like this:

|  User Information        Authentication                         │
│  [ ] Cache Information   [*] Use MD5 Passwords                  │
│  [ ] Use Hesiod          [*] Use Shadow Passwords               │
│  [*] Use LDAP            [*] Use LDAP Authentication            │
│  [ ] Use NIS             [ ] Use Kerberos                       │
│  [ ] Use Winbind         [ ] Use Fingerprint reader             │
│                          [ ] Use Winbind Authentication         │
│                          [*] Local authorization is sufficient  │

In next step:

│          [ ] Use TLS                              │
│  Server: ldap://10.0.0.2/________________________ │
│ Base DN: dc=lgcpu1_______________________________ │

3.3 Delete old user entries in:

/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow

4. add individual person

Add people.sample.ldif to ldap

dn: uid=sample,ou=People,dc=lgcpu1
uid: sample
cn: sample
sn: sample
mail: sample@cse.ust.hk
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$encryped password here
loginShell: /bin/bash
uidNumber: 507
gidNumber: 507
homeDirectory: /home/sample

Add group.sample.ldif to ldap

dn: cn=sample,ou=Group,dc=lgcpu1
objectClass: posixGroup
objectClass: top
cn: sample
userPassword: {crypt}x
gidNumber: 507

Addauto.home.sample.ldif to ldap

dn: cn=sample,ou=auto.home,dc=lgcpu1
objectClass: automount
automountInformation: 10.0.0.2:/home/sample
cn: sample

Delete old entries in:

/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow

Create home directory on NFS server:

# mkdir /home/sample
# cp /etc/skel/.[a-z]* /home/sample/
# chown -R 507: /home/sample/