Secure NFS

Posted on 2009-04-24
Last Modified: 2013-12-02
Hello friends! What is Secure NFS and how do I configure it in Solaris?
What are the differences between NFSv3 and NFSv4?

Question by:knlsundeep

    Accepted Solution


    Please tell us the version of your Solaris system and the OS of the clients involved, so that you can get targeted help.

    however, the difference between both versions of NFS is as follows:

    NFSv4 is a network file system and the successor of NFSv3. It has been designed to work on
    a LAN or over the Internet. As the Internet is a worldwide, insecure, slow and heterogeneous
    network, NFSv4 comes with several new features.

    NFSv4 is not just a simple protocol evolution of NFSv3. It has been fully redesigned to overcome
    the limitations of its predecessors. As a consequence, it works in a different way.

    1 Use of one network port
    To ease NFS setup for Internet use, NFSv4 uses a single network port. This predetermined
    port is fixed; the default is port 2049.
    a) Consequences:
    Using NFS through firewalls is easier.
    The portmapper is no longer required.
    b) Restrictions:
    Some security protocols may use other ports.

    2 NFSv4 virtual root directory
    NFSv4 uses the virtual root directory concept. In a similar way to other commonly used Internet
    protocols (ftp, http, etc.), the goal is to create a virtual root directory that provides a unique access
    from the network to the exported data, i.e., exported files and directories. This technique provides
    better data control and thus enhances security.
    This directory is exported by the server with the identifier fsid=0. The virtual root directory can
    contain symbolic links to other system directories.

    On the client side, all directories which have to be mounted are seen from the virtual root directory,
    i.e., assuming that /nfs/root/directory/ is exported from the server as the
    NFSv4 virtual root, mounting server:/ on the client side means we try to access data stored in
    the server's /nfs/root/directory/ directory.
    a) Consequences:
    One unique virtual root directory is exported from the server with the identifier fsid=0.
    Data to be exported must belong to the virtual root sub path, i.e., be a subdirectory of the
    virtual root. It could be a symbolic link to a system directory.
    Exporting two or more NFSv4 virtual roots (i.e., exporting several directories with the
    option fsid=0) will cause unexpected behaviour. Only one of these directories will be
    accessible through NFSv4: the first exported directory.
    Clients must ask to mount directories from the virtual root.

    3 TCP / UDP
    In order to ensure better reliability over the Internet, NFSv4 only uses TCP.
    a) Consequence:
    The UDP protocol is not available.
    b) Restrictions:
    RDMA (Remote Direct Memory Access) support for NFSv4 has been implemented. Support for
    other protocols may be added later.

    4 IPv6 Support
    The IPv6 protocol is supported on the client side.
    a) Restrictions:
    Using IPv6 requires a modified kernel. IPv6 is not yet supported on the NFSv4 server side.

    5 32 KB blocks
    NFSv4 uses 32 KByte pages.
    a) Consequence:
    Better performance will be delivered when specifying an rsize and a wsize of 32 KBytes.

    The default value of the mount read and write size is 1024 bytes. See the section Mounting.

    6 Integrated protocol
    NFSv4, unlike its predecessors, brings together in the same protocol most file system management
    tools. NFSv4 only requires the servers below to be launched:
    rpc.nfsd (NFS server)
    rpc.idmapd (identifier server)
    a) Consequence:
    Tools such as rpc.lockd or rpc.quotad are no longer required.
    b) Restriction:
    rpc.mountd is still needed. This will be changed later.

    7 IDMapper
    In order to enhance, extend and connect the management of users to various tools (LDAP, security
    protocols, etc.), NFSv4 uses an independent identifier mapper: rpc.idmapd.
    a) Consequences:
    To match user X on the client to user Y on the server, use /etc/idmap.conf. It is
    advised to configure the identifiers nobody, nfsnobody and root. A default configuration is
    The idmapper can be linked to the LDAP directory and the Kerberos identification server.
    To use NFSv4, the rpc.idmapd server must be configured and must run on both the client and
    the server side.
    b) Restrictions:
    Idmap and LDAP matching has not been tested yet.

    8 No backward compatibility
    The NFSv3 and NFSv4 protocols are not compatible. An NFSv4 client cannot access an NFSv3
    server, and vice versa. However, in order to simplify migrations from NFSv3 to NFSv4, both
    the NFSv3 and NFSv4 services are launched by the command rpc.nfsd.
    In the case of NFSv3 and NFSv4 clients simultaneously accessing the same server, one must be
    aware that two different file systems are used: there is no backward support to NFSv3 by the NFSv4
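The virtual-root and export-option points in the answer above can be checked mechanically before a server goes live. The shell script below is an added example, not part of the original post or of any NFS implementation. It lints a Linux-style /etc/exports (the exportfs syntax the answer's fsid=0 and rpc.idmapd details refer to; Solaris configures shares with share(1M) instead) for three things the answer warns about or implies: more than one fsid=0 root, exports that are not below that root and so are unreachable over NFSv4, and options that weaken a share (no_root_squash, insecure, or only AUTH_SYS because no Kerberos sec= flavour is set). Both sample exports files are constructed for the demonstration; the paths, networks and client lists are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: lint a Linux-style /etc/exports
# for the NFSv4 pitfalls discussed above. Assumes the exportfs(8) line format
# "path client(opt,opt) client(opt,opt)"; both sample files are constructed.

# Constructed sample with the problems the answer warns about.
write_sample_exports() {
  cat > "$1" <<'EOF'
# constructed sample, not a real server's configuration
/export          192.168.1.0/24(rw,sync,fsid=0,sec=krb5p)
/export/home     192.168.1.0/24(rw,sync,sec=krb5p)
/srv/scratch     192.168.1.0/24(rw,sync,fsid=0,no_root_squash)
/export/public   *(ro,insecure)
EOF
}

# Constructed hardened counterpart: one fsid=0 root, everything below it,
# Kerberos flavours everywhere, root squashed, no world-readable share.
write_hardened_exports() {
  cat > "$1" <<'EOF'
/export          192.168.1.0/24(rw,sync,fsid=0,sec=krb5p,root_squash)
/export/home     192.168.1.0/24(rw,sync,sec=krb5p,root_squash)
/export/public   192.168.1.0/24(ro,sync,sec=krb5,root_squash)
EOF
}

# Flatten the file to one "path client option" triple per line, in file order.
_export_options() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        if (match($i, /\(.*\)/)) {
          client = substr($i, 1, RSTART - 1)
          opts = substr($i, RSTART + 1, RLENGTH - 2)
        }
        n = split(opts, o, ",")
        if (n == 0) print path, client, "-"
        for (j = 1; j <= n; j++) print path, client, o[j]
      }
    }' "$1"
}

# Number of distinct exports marked fsid=0 or fsid=root; NFSv4 needs exactly one.
count_fsid0_roots() {
  _export_options "$1" | awk '
    ($3 == "fsid=0" || $3 == "fsid=root") && !($1 in r) { r[$1] = 1; n++ }
    END { print n + 0 }'
}

# The first fsid=0 export: per the answer, the only root clients actually reach.
first_fsid0_root() {
  _export_options "$1" | awk '
    ($3 == "fsid=0" || $3 == "fsid=root") && !found { print $1; found = 1 }'
}

# Exports not below the virtual root, hence invisible to NFSv4 clients.
exports_outside_root() {
  root=$(first_fsid0_root "$1")
  [ -n "$root" ] || return 0
  _export_options "$1" | awk -v root="$root" '
    !($1 in seen) {
      seen[$1] = 1
      if (root == "/" || $1 == root || index($1, root "/") == 1) next
      print $1
    }'
}

# Options that weaken an export: root not squashed, privileged-port check off,
# or only AUTH_SYS (client-asserted uid; the default when no sec= is given).
weak_options() {
  _export_options "$1" | awk '
    $3 == "no_root_squash" || $3 == "insecure" { print $1, $2, $3 }
    $3 ~ /^sec=/ { strong[$1 SUBSEP $2] = ($3 != "sec=sys") }
    { key[$1 SUBSEP $2] = $1 " " $2 }
    END { for (k in key) if (!strong[k]) print key[k], "sec=sys(AUTH_SYS)" }' | sort
}

# Print all findings; return 0 only when there are none.
lint_exports() {
  status=0
  roots=$(count_fsid0_roots "$1")
  if [ "$roots" -ne 1 ]; then
    echo "WARN: $roots exports carry fsid=0; NFSv4 needs exactly one virtual root"
    status=1
  fi
  for p in $(exports_outside_root "$1"); do
    echo "WARN: $p is not below the fsid=0 root and is unreachable over NFSv4"
    status=1
  done
  weak_options "$1" | while read -r path client opt; do
    echo "WARN: $path ($client): $opt"
  done
  [ -z "$(weak_options "$1")" ] || status=1
  return $status
}

# Stand-alone run: the weak sample reports findings, the hardened one is clean.
demo=$(mktemp)
write_sample_exports "$demo"
if lint_exports "$demo"; then echo "weak sample: clean"; else echo "weak sample: findings above"; fi
write_hardened_exports "$demo"
if lint_exports "$demo"; then echo "hardened sample: clean"; fi
rm -f "$demo"
```

Run it against a real file with `lint_exports /etc/exports` after sourcing the script. The second fsid=0 entry is reported twice on purpose: once as a duplicate root and once as unreachable, because only the first fsid=0 export is served as the NFSv4 root. The AUTH_SYS finding is the security-relevant one for "secure NFS": without a Kerberos flavour the server trusts whatever uid the client sends, and idmapd only maps names, it does not authenticate them.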

    Expert Comment

    My compliments to mail2prabir for the exhaustive post about NFSv3/NFSv4.

    Author Comment

    Thank you mail2prabir for your reply, the info is really helpful...

    Expert Comment

    Hi there

    thanks for the compliment
