Secure NFS

Hello friends! What is secure NFS and how do I configure it in Solaris?
What are the differences between NFSv3 and NFSv4?

mail2prabir Commented:

Please let me know the version of your Solaris system and the OS of the clients involved so I can give targeted help.

However, the differences between the two versions of NFS are as follows:

NFSv4 is a network file system. NFSv4 is the successor of NFSv3. It has been designed to work on
a LAN or over the Internet. As the Internet is a worldwide, unsecure, slow and heterogeneous
network, NFSv4 comes with several new features:

NFSv4 is not just a simple protocol evolution of NFSv3. It has been fully redesigned to overcome
the limitations of its predecessors. As a consequence it works in a different way.

1 Use of one network port
To help NFS setup for internet use, one unique network port is used on NFSv4. This predetermined
port is fixed. Default is port 2049.
a) Consequences:
Using NFS through firewalls is easier.
portmapper is no longer required.
b) Restrictions:
Some security protocols may use other ports.

2 NFSv4 virtual root directory
NFSv4 uses the virtual root directory concept. In a similar way to other commonly used Internet
protocols (ftp, http, etc.), the goal is to create a virtual root directory that provides a unique access
from the network to the exported data, i.e., exported files and directories. This technique provides a
better data control and thus enhances security.
This directory is exported by the server with the identifier fsid=0. The virtual root directory can
contain symbolic links to other system directories.

On the client side, all directories which have to be mounted are seen from the virtual root directory,
i.e., with the assumption that /nfs/root/directory/ is exported from the server as the
NFSv4 virtual root, mounting server:/ on the client side means we try to access data stored in
the server's /nfs/root/directory/ directory.
a) Consequences:
One unique virtual root directory is exported from the server with the identifier fsid=0.
Data to be exported must belong to the virtual root sub path, i.e., be a subdirectory of the
virtual root. It could be a symbolic link to system directory.
Exporting two or more NFSv4 virtual roots (i.e., exporting several directories with the
option fsid=0) will cause unexpected behaviour. Only one of these directories will be
accessible through NFSv4: the first export directory.
Clients must ask to mount directories from the virtual root.

In order to ensure a better reliability over the Internet, NFSv4 only uses TCP.
a) Consequence
UDP Protocol is not available.
b) Restrictions
RDMA (Remote Direct Memory Access) support for NFSv4 has been implemented. Support of
other protocols may be added later.

4 IPv6 Support
IPv6 protocol is supported on the client side.
a) Restrictions
Using IPv6 requires a modified kernel. IPv6 is not yet supported on the NFSv4 server side.

5 32 KB blocks
NFSv4 uses 32 KBytes pages.
a) Consequence
Better performance will be delivered when specifying a rsize and a wsize of 32 KBytes.

Default value of mount read and write is 1024 Bytes. See the section Mounting.

6 Integrated protocol
NFSv4, unlike its predecessors, brings together in the same protocol most file system management
tools. NFSv4 only requires the servers below to be launched:
rpc.nfsd  (nfs server)
rpc.idmapd (identifier server)
a) Consequence
Tools such as rpc.lockd or rpc.quotad are no longer required.
b) Restriction
rpc.mountd is still needed. This will be changed later.

7 IDMapper
In order to enhance, extend and connect the management of users to various tools (LDAP, security
protocols, etc.), NFSv4 uses an independent identifier mapper: rpc.idmapd.
a) Consequences

To match user X on the client to the user Y on the server, use /etc/idmap.conf. It is
advised to configure identifiers nobody, nfsnobody and root. A default configuration is

The idmapper can be linked to the directory LDAP and the identification server Kerberos.

To use NFSv4, the rpc.idmapd server must be configured and must run on both client and
server sides.
b) Restrictions
Idmap and LDAP matching has not been tested yet.

8 No backward compatibility
The NFSv3 and NFSv4 protocols are not compatible. An NFSv4 client cannot access an NFSv3
server, and vice versa. However, in order to simplify migrations from NFSv3 to NFSv4, both
NFSv3 and NFSv4 services are launched by the command: rpc.nfsd.
In the case of NFSv3 and NFSv4 clients simultaneously accessing the same server, one must be
aware that two different file systems are used: there is no backward support to NFSv3 by the NFSv4

my compliments to mail2prabir for exhaustive post about nfs3/4

knlsundeep (Author) Commented:
Thank you mail2prabir for your reply, the info is really helpful...
Hi there

thanks for the compliment