A few days gone by and I have managed to set up a NFS export that works pretty well, actually it fits the purpose and meets my needs completely. One thing I haven’t implemented yet is access to the export from WAN, but that was by far secondary. To reach there I went through some painful days of heavy reading, as I don’t like messing with things I don’t understand until I do completely and the usual procedure of trial and error.
I decided to make a new post describing the method used from start in an attempt to share the knowledge and give a helping hand to anyone that wants to achieve the same or something similar. Here is the step by step guide which I asked in a previous post and since it was not provided I decided to produce it my self. It is fairly detailed and explanatory to help all users, regardless of level of knowledge, to be able to achieve the end result.
The aim is to create a sharable network place that users can store and retrieve data and files. Access is granted for Windows and Linux users alike.
- Preparation of the location to be exported.
What is to be exported? Whether it is a folder, a hard drive or a partition on a hard drive it is good practice to define owner and group. The UID and GID of the owner comes in handy at a later point.
First run the “ls -l” command to list the directory you wish to share with permissions shown.
The output should look something like this:
drwxr-xr-x 3 root root 4096 Jan 22 10:58 netdrive
First letter “d” means directory
Next three characters are the owners permissions, “r” for read, “w” for write and “x” for execute.
Next three characters are permissions for group, “-” means that write is not permitted for the group.
Next three characters are permissions for “others”, anyone that is not the owner and does not belong to the group specified.
Next number shows how many directories exist in that directory.
Next two words are the owner and group respectively, in this case both are “root”. Reason is that I am exporting a hard drive which I partitioned, formatted and mounted with “Partitioner” in Yast2 which requires you to be a root to use. If the hard drive was mounted as a user the owner of the directory would be the username and the group would be the primary group of the user.
Next is the size of the directory or the file, the date last modified and last is its name.
Since at some point you will need to give UID and GID to clients for accessing the export its better to be other than “root”.
Using the “chown” command in a terminal, change the ownership to your username.
chown username netdrive
“ls -l” should output
drwxr-xr-x 3 username root 4096 Jan 22 10:58 netdrive
Now to change the group I had to do a little thinking. I am on a computer that multiple users access it using their own user accounts. Default group is “users” but if I wouldnt want all users to have access to the export I would need to create a group manually and add the users that I would want to have access to it. What came up at a later point is also the fact that a custom group would have to be created to all Linux computers, and add the users to that group as well. Instead I used one of the secondary groups available in Yast2. If there is no need for such strict security group “users” would suffice.
Yast->User and Group Management
Select a user and click “Edit”
Go to Details tab
In the window with the Additional Groups check the one you prefer.
Repeat for all the users you wish to have access to read, write and execute in the exported directory.
Click “Ok” for the changes to apply.
Now in terminal use the “chgrp” command to change the group to “users” if suffice or the secondary group added to users with permissions to the export if you desire so.
chgrp “group” netdrive
“ls -l” should output
drwxr-xr-x 3 username group 4096 Jan 22 10:58 netdrive
At this point users belong to the group can only read and execute as write is not permitted. In your set up it might be different, whichever the case if you desire to change permissions do so in terminal with the “chmod” command.
chmod [ugoa] +-=] [rwx] filename
First brackets are the references to the what you want to change permissions on. “u” is for user that is indicated as owner, “g” is for group of the owner, “o” is for other than the owner or the group owner belongs to and “a” is for all.
Second brackets is the operator that specifies how the permissions will change. “+” is used to add permissions, “-” is used to remove permissions and “=” is used to specify to what the permissions should change to.
In this example should you add “w” write mode for group the command is:
chmod g+w netdrive
So far the preparation for the export should be covered and everything is ready to setup the NFS server and client.
- Seting up NFS server.
There are a couple of ways to set up a NFS server. OpenSUSE with Yast makes it very easy but since there are some tweaking needed it tends to be a longer than just simple procedure so bear with me.
First you will need the nfs-client, nfs-kernel-server, yast2-nfs-client and yast2-nfs-server packages, so make sure they are installed.
Go to Yast->Software Management
Type “nfs” on the search field and click “search”. Check the packages mentioned above to install if they are not installed.
Click “Accept” to install them.
Go to Yast->Network Services and click on the “NFS Server” icon.
Under “NFS Server” click on the “Start” radio button. That starts the service and enables it to run always on system start up.
Under Firewall check the “Open Port in Firewall” to automatically set up the firewall to allow the other users on the network to see the export.
Under “Enable NFSv4” check “Enable NFSv4” and type a domain name such as “nfsServer”
Enabling GSS security casued problems for me so I left it unchecked.
On “Directories to Export” list, which should be empty if you setting up the NFSserver for the first time, appear all the directories that are exported.
To add a directory click on the “Add Directory” button. Browse to select the directory to be exported, select it and click on “Choose” button.
Another window opens with two fields, “Host Wild Card” and “Options”.
In “Host Wild Cards” you can either enter the dns domain of the computer or computers that will access the export or enter its or their IP address. Since apparently wild card characters tend not to work too well I would advice to use the IP address. However by default the Host Wild Card value is “*” which means that anyone can access the export. If there are multiple computers form which the exports will be accessed there might be a need to add different entries in the Hosts list. Another option is to add one entry with a range of IP addresses such as: 192.168.1.2\24.
On the “Options” field appear the options that will apply for accessing the exports by default.
In the following link under “General Options” there are all the available options for exports with the default values and their alternatives. It is recommended to read them carefully if you wish to have a good understanding and then decide what fits your needs.
exports(5): NFS server export table - Linux man page
My own setup is: Options: fsid=0,crossmnt,rw,no_root_squash,sync,no_subtree_check
When you are done click “Finnish”.
Now Yast have updated the /etc/exports file according to the input you gave when setting up the NFSserver. In my first attempt I encountered a problem where the changes were not applied correctly, so I advice to open that file and double check that everything is as they should be. You can always make changes and save that file instead of running the NFSserver from Yast but Yast still is simpler.
One more security step before you are done with setting up the NFSserver.
There are two files that the server checks when it is getting a request form a computer on the network.
First checks the /etc/hosts.allow file. That file contains a list of daemons or services and the IP addresses that are allowed to have access on them. From the research I have done those services are almost always portmap, lockd, rquotad, mountd and statd.
The way to input them in the /etc/hosts.allow file is:
portmap: 192.168.1.2 , 192.168.1.3
lockd: 192.168.1.2 , 192.168.1.3
rquotad: 192.168.1.2 , 192.168.1.3
mountd: 192.168.1.2 , 192.168.1.3
statd: 192.168.1.2 , 192.168.1.3
Note that these IP addresses should be the same as the ones defined in the “Host Wild Card” field when you were setting up the NFSserver and the directories to be exported in Yast.
If the NFSserver dont find the IP of the computer that is sending the request in the /etc/hosts.allow file, it then checks the /etc/hosts.deny file. If no entry is found on either of these files then the client is allowed access. So its essential to make sure that all IPs are denied access in this case.
So the contents of /etc/hosts.deny should be:
At this point the NFSserver should be up and running.
A way to double check is to go to
Yast->System Services (Runlevel)
Click on the “Expert Mode” radio button
Scroll down to check if services “nfs” and “nfsserver” are running. If no try to start them manually and enable them form the “Set/Reset” button at the right bottom and click “Ok”.
If that wont work as it happened to me at some point, I have no solution. What I did was to solve that, as well as some other issues I had, was to reinstall openSUSE.
Another way to check, is to type “rpcinfo” in terminal. The output will list a number of services that are provided by portmapper, their versions and their availability over TCP or UDP ports.
Those services are the following with their respective file that are defined in the /etc/host.allow and /etc/host.deny files.
portmapper (portmap), nlockmgr (lockd), mountd (mountd), status (statd).
For further reading and understanding refer to the following link which was also provided by lwfinger
- Seting up the Client in openSUSE.
You will repeat this procedure for all the computers you wish to have access to the exports.
First thing to do here is disablethe SUSEfirewall2. This is only temporalily because upon setting up the client you are provided with an option to open firewall for the client, but you cant detect the exports if firewall is on.
Go to Yast->Security and Users
Click on Firewall.
Click on “Stop Firewall Now”.
If by any chance you still get the Firewall notification error just manually input the fields required.
Got to Yast->Network Services
Click on “NFS Client”.
On the “NFS Shares” tab, click on “Add”.
In the new window that appears under “NFS Server Hostname” click “Choose”.
Yast will scan the LAN for NFS servers running. Most likely in the results list there will be two entries. One is an IP address and the other in hex form. Since personally I prefer working with IP adresses, and have been so far I would go for the IP address. Both results however should point to the same NFSserver.
Under “Remote Directory” click on “Select” button.
The list should consist with the export you defined while settingup the server, in my case its “/”, that is because in the options when setting up the NFSserver I included “fsid=0” which means that all clients will see the “/netdrive” directory as “root directory”. Select it and then click “Ok”.
Click to check “NFSv4 Share”
Under “Mount Point (local)” type the location where the NFS export will be mounted, or browse to shoose a directory.
In my case its “/mnt/netdrive”
You can leave “Options” as “defaults” or change them according to your prefferences. Reffer to the links provided in the previous section.
On the “NFS Settings” tab check “Enable NFv4” and type a domain name under “NFSv4 Domain Name” such as “nfsServer”, preferably the same as was set when setting up the NFSserver.
Check “Open Port in Firewall”.
That should be it. In your file manager there should be a mount or a hard drive vissible named as the mount specified while setting up the NFSclient.
Remember to enable the firewall.