| |||||||||
|
NFS4 Version 3.2 Distribution - june_2002_rel
This work was done as part of the NFS Version 4 Open Source Reference Implementation project. This release includes preliminary support for acl's and for kerberos authentication, and is in the form of a patch against the linux 2.4.18 kernel, with cryptoapi and acl patches already applied.
Features of this release:
- Implements rpcsec_gss security using Kerberos V5 mutual authentication with no data integrity nor privacy. (Note that this is no longer a separate patch.)
- Implements nfsv4 acl capability using the Andreas Grünbacher's linux implementation of the Posix acl interface.
- Kerberos V5 data integrity and privacy
- rpcsec_gss security for NFSv3.
- NFSv4 patches for the 2.5 kernel.
Development status
This is new code, and we expect bugs. We hope that the general Linux community will participate in bug fixes and code development.
Look for notice of a bug database. For now, bug reports (for which we would be grateful) can be sent by email.
Developers can have read access to our cvs tree , and we will accept patches against the cvs tree code.
ACL status: The ACL code does not yet support default and directory/inherited ACLs properly. This will be added soon.
Download and Install
These instructions assume a Redhat 7.2 distribution. Users of other distributions may need to adapt the instructions to their system. A few brief notes on using nfsv4 on Debian are included at the end of this page.
- Download the stock 2.4.18 kernel source tree.
- Apply the extended attributes patch, linux-2.4.18ea-0.8.26.diff.gz.
(Note: all patches can be applied by, e.g.,
zcat linux-2.4.18ea-0.8.26.diff.gz | patch -p1
executed in the top-level directory of the kernel source tree.) - Apply the acl patch, linux-2.4.18acl-0.8.26.diff.gz.
- Apply the crypto patch, patch-int-2.4.18.2.gz.
- Apply the following patches in order:
- 3.2
- 3.2-update-1 (released June 13)
- 3.2-update-2 (released July 1)
- Configure your kernel (using "make xconfig" or whatever you prefer).
In "Code maturity level options", select "Prompt for development and/or incomplete code/drivers"
Set the following options in filesystems:
Set "POSIX Access Control Lists" to "y" Set "Ext2 extended user attributes" to "y" Set "Ext2 extended attribute block sharing" to "y" Set "Ext2 extended attributes" to "y" Set "Ext2 POSIX Access Control Lists" to "y"(Also set the corresponding options for Ext3 if you'd like.) Set the following options in File systems/Network File Systems:Set "NFS file system support" to "n" Set "NFS server support" to "n" Set "NFSv4 file system support" to "m" Set "NFSv4 server support" to "m" Set "RPCSEC_GSS support" to "m".Set the following options in Cryptography support:Set "CryptoAPI Support" to "m" Set "Crypto Ciphers" to "m" Set "DES cipher" to "m" Set "Digest algorithms" to "m" Set "MD5 digest" to "m"The resulting /usr/src/linux/.config should look like this:# # Code maturity level options # CONFIG_EXPERIMENTAL=y .... # File systems # CONFIG_FS_POSIX_ACL=y # CONFIG_QUOTA is not set .... CONFIG_EXT2_FS=y CONFIG_EXT2_FS_XATTR=y CONFIG_EXT2_FS_XATTR_SHARING=y CONFIG_EXT2_FS_XATTR_USER=y CONFIG_EXT2_FS_POSIX_ACL=y CONFIG_FS_MBCACHE=y # CONFIG_SYSV_FS is not set # CONFIG_UDF_FS is not set # CONFIG_UDF_RW is not set # CONFIG_UFS_FS is not set # CONFIG_UFS_FS_WRITE is not set .... # Cryptography support (CryptoAPI) # CONFIG_CRYPTO=m CONFIG_CIPHERS=m # CONFIG_CIPHER_AES is not set # CONFIG_CIPHER_TWOFISH is not set # CONFIG_CIPHER_MARS is not set # CONFIG_CIPHER_RC6 is not set # CONFIG_CIPHER_SERPENT is not set # CONFIG_CIPHER_DFC is not set # CONFIG_CIPHER_CAST5 is not set CONFIG_CIPHER_DES=m # CONFIG_CIPHER_DES_EDE3 is not set # CONFIG_CIPHER_IDEA is not set # CONFIG_CIPHER_BLOWFISH is not set # CONFIG_CIPHER_RC5 is not set # CONFIG_CIPHER_BLOWFISH_OLD is not set # CONFIG_CIPHER_DUMMY is not set CONFIG_DIGESTS=m CONFIG_DIGEST_MD5=m # CONFIG_DIGEST_SHA1 is not set # CONFIG_CRYPTODEV is not set # CONFIG_CRYPTOLOOP is not set .... # Network File Systems # # CONFIG_CODA_FS is not set # CONFIG_INTERMEZZO_FS is not set # CONFIG_NFS_FS is not set # CONFIG_NFS_V3 is not set # CONFIG_ROOT_NFS is not set # CONFIG_NFSD is not set # CONFIG_NFSD_V3 is not set CONFIG_NFS4_FS=m CONFIG_NFSD4=m # CONFIG_LOCKD is not set CONFIG_NFS4=m CONFIG_SUNRPC=m CONFIG_SUNRPC_GSS=m - Compile and install the kernel and modules, update your bootloader as necessary, and reboot.
-
Unpack the MIT kerberos 5.1.2.3 distribution, and apply the
mechglue_krb5.1.2.3.patch:
# cd /usr/local/src # tar -zxvf krb5-1.2.3.tar.gz # mv mechglue_krb5.1.2.3.patch /usr/local/src/krb5-1.2.3/src # cd krb5-1.2.3/src # patch -p1 -i mechglue_krb5.1.2.3.patch # ./configure --with-cc=gcc -
The configure script fails to link the mechglue makefile, so do that
manually and then build kerberos:
# cd lib/gssapi/mechglue # ln -s Makefile.static Makefile # cd /usr/local/src/krb5-1.2.3/src # make # make install (OPTIONAL)Notes: The make install is optional. Also, note that if you unpacked the krb5-1.2.3 source in a location other than /usr/local/src, then the lib/gssapi/mechglue/Makefile will need to be edited to set the BUILDTOP variable. -
Unpack the nfsv4 utilities from nfsv4_utilities.tar.gz.
# cd /usr/src # tar -zxvf nfsv4_utilities.tar.gz
2) The nfsv4_utilities includes header files from the linux main patch.
Depending on which Linux distribution you are using, you may need to make
these includes available by ONE of the two following methods:
-
Build and install the nfsv4 utilities. Note that for the rpcsec_gss to
work correctly, GSSD needs to be built with our mechglue-krb5-1.2.3 patch.
# cd nfsv4_utilities/export_parser # make # make install # cd ../rpcsec_gss # ./configure --with-krb5=/usr/local/src/krb5-1.2.3/src # make # cd gssd # install -c -m 755 gssd /usr/sbin/gssd # cd ../../mount-2.11n # make # install -c -m 755 mount /usr/sbin/mount4We recommend installing the nfsv4-enabled mount under another filename such as mount4, so as not to replace the built-in mount on your system.
# mv /usr/include/linux /usr/include/linux-
# ln -s /usr/src/linux/include/linux /usr/include/linux
---- OR ----
# cp -rp /usr/src/linux/include/linux/nfs4 /usr/include/linux/nfs4
# cp -rp /usr/src/linux/include/linux/nfs4_* /usr/include/linux
NFSv4 Configuration and Operation
Create an /etc/exports file on the server, following these directions.
Run /etc/init.d/nfs4 start on the server.
Load the appropriate modules on the client.
insmod cryptoapi
insmod sunrpc
insmod auth_rpcgss
insmod nfs4
insmod nfs4fs
Start gssd:
/usr/sbin/gssd -n &
On the client, mount a directory. For example:
/usr/sbin/mount4 -tnfs4 servername:/path/ /mnt
RPCSEC_GSS Configuration and Operation
The following instructions are only necessary if you wish to use Kerberos authentication with nfsv4.
-
Create machine credentials for both the client and the server.
For this release, this means creating a
Kerberos V5 principal/instance name of the form nfs/hostname@domain,
and either adding a key for this pricipal to an existing /etc/krb5.keytab
or creating an /etc/krb5.keytab using a random password.
Note: only the encryption type of des-cbc-crc is functional so far in the kernel, so add ONLY this type of key.
kadmin: addprinc -randkey nfs/hostname.domain kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/hostname.domain
- nfsv4_utilities/rpcsec_gss/gssd/gssd needs to be started on both client and server. If you want to see gssd output, build gssd with -DDEBUG.
RPCSEC_GSS Configuration--Server
- Create an /etc/exports file, following the directions.
-
Edit /etc/rc.d/init.d/nfs4; change this:
#/usr/sbin/gssd -n&to this:#/usr/sbin/gssd &Add the command to load the cryptoapi module prior to loading the sunrpc module.# insmod cryptoapi
-
Start the server. This will load the modules, start gssd, and
run /usr/sbin/exportfs4 to start the nfsv4 server(s). The nfs4 startup
script is installed as part of the nfsv4_utilities/export_parser installation.
# /etc/rc.d/init.d/nfs4 start
RPCSEC_GSS Configuration--Client
-
Start the GSS daemon.
# /usr/sbin/gssd & -
Load the necessary modules.
# insmod cryptoapi # insmod sunrpc # insmod auth_rpcgss # insmod nfs4 # insmod nfs4fs - Use the NFSv4-enabled mount4 to mount a directory from the server.
Using ACL's
The following instructions are only necessary if you wish to use ACL's.Download and install the following rpm's (using, e.g., rpm -ivh *):
- http://acl.bestbits.at/current/rpms/i386/libattr-2.0.8-0.i386.rpm
- http://acl.bestbits.at/current/rpms/i386/attr-2.0.8-0.i386.rpm
- http://acl.bestbits.at/current/rpms/i386/attr-devel-2.0.8-0.i386.rpm
- http://acl.bestbits.at/current/rpms/i386/libacl-2.0.11-0.i386.rpm
- http://acl.bestbits.at/current/rpms/i386/acl-2.0.11-0.i386.rpm
- http://acl.bestbits.at/current/rpms/i386/acl-devel-2.0.11-0.i386.rpm
You should now be able to list and set ACL's as in this example:
(Note that /export is exported as /nfs4 over nfsv4)motor:/# touch /nfs4/marius-foo motor:/# getfacl /nfs4/marius-foo getfacl: Removing leading '/' from absolute path names # file: nfs4/marius-foo # owner: root # group: root user::rw- group::r-- mask::rwx other::rwx motor:/# setfacl -m u:marius:rwx /nfs4/marius-foo motor:/# getfacl /nfs4/marius-foo getfacl: Removing leading '/' from absolute path names # file: nfs4/marius-foo # owner: root # group: root user::rw- user:marius:rwx group::r-- mask::rwx other::rwx motor:/# getfacl /export/marius-foo getfacl: Removing leading '/' from absolute path names # file: export/marius-foo # owner: root # group: root user::rw- user:marius:rwx group::r-- mask::rwx other::r--
Notes for Debian Users
This release has also been tested on Debian (Woody). You may need to add a group named "nobody":
addgroup --group nobody
Also, the included nfs4 init file won't work; here's one example /etc/init.d/nfs4.
 |
|
 |
