Tuesday, February 17, 2009

How to Configure NFSv4 with kerberos in RHEL? (Part II)

Most users of Solaris and NetApp file servers might have wondered why linux alone sticks very hard to the pseudo file system in nfsv4 and why it's not possible to mount seperate nfsv4 shares as separate mounts on the client. Technically this is possible. Below steps can be followed to achieve this. Before you read this post, it is highly recommended to read this to get a basic idea on how to configure nfsv4 with kerberos in linux.

Our requirements.

On the server we want to share /home/share, /exports/public and /projects as nfsv4 shares and they need to be mounted on the client on /share, /public and /projects respectively.

Follow the below steps on the server.

- Create /home/share, /exports/public and /project directories. Use "mkdir" to do this.

- Create an nfsv4 root directory. Let define it as "/nfs" and can be created using "mkdir /nfs",

- Create /nfs/home/share, /nfs/exports/public and /nfs/projects on the server. Use "mkdir"

- Bind mount /home/share on /nfs/home/share, /exports/public on /nfs/exports/public and /projects on /nfs/projects.

# mount --bind /home/share /nfs/home/share

# mount --bind /exports/public /nfs/exports/public

# mount --bind /projects /nfs/projects

- Define /etc/exports as below.

/nfs gss/krb5p(rw,sync,fsid=0,crossmnt)
/nfs/home/share gss/krb5p(rw,sync)
/nfs/exports/public gss/krb5p(rw,sync)
/nfs/projects gss/krb5p(rw,sync)

- Restart nfs server service and rpcidmap.

- Configure the client as I explained in my previous post referenced earlier.

- Now these share can be mounted on the client using the below commands.

mount -t nfs4 server-ip:/home/share /share -o sec=krb5p
mount -t nfs4 server-ip:/exports/public /public -o sec=krb5p
mount -t nfs4 server-ip:/projects /projects -o sec=krb5p

Looks a bit convoluted? If no, you are a diligent system administrator -:)

3 comments:

Jun said...

Will you be able to mount the volumes with different security options ? such as sec=krb5 for one, and sec=krb5p for other assuming they are exported accordingly on the server side.

Jun said...

Will you be able to mount volumes with different security options from the same server ? such as one with sec=krb5 and other with sec=krb5p assuming volumes are exported accordingly on the server side.

Sadique Puthen said...

I have note tested this. You can give a try by exporting them with both options. I will check it if I get some free time next week.