Secure NFS

Posted on 2009-04-24
Medium Priority
Last Modified: 2013-12-02
Hello friends! What is secure NFS and how do I configure it in Solaris?
What are the differences between NFS3 and NFS4?

Question by: knlsundeep

Accepted Solution

mail2prabir earned 200 total points
ID: 24231018

Please inform the version of your Solaris system and the OS of the clients involved so you can get targeted help.

However, the difference between the two versions of NFS is as follows:

NFSv4 is a network file system. NFSv4 is the successor of NFSv3. It has been designed to work on
a LAN or over the Internet. As the Internet is a worldwide, insecure, slow and heterogeneous
network, NFSv4 comes with several new features.

NFSv4 is not just a simple protocol evolution of NFSv3. It has been fully redesigned to overcome
the limitations of its predecessors. As a consequence, it works in a different way.

1 Use of one network port
To help NFS setup for Internet use, one unique network port is used by NFSv4. This predetermined
port is fixed; the default is port 2049.
a) Consequences:
Using NFS through firewalls is easier.
portmapper is no longer required.
b) Restrictions:
Some security protocols may use other ports.

2 NFSv4 virtual root directory
NFSv4 uses the virtual root directory concept. In a similar way to other commonly used Internet
protocols (ftp, http, etc.), the goal is to create a virtual root directory that provides a unique access
from the network to the exported data, i.e., exported files and directories. This technique provides
better data control and thus enhances security.
This directory is exported by the server with the identifier fsid=0. The virtual root directory can
contain symbolic links to other system directories.

On the client side, all directories which have to be mounted are seen from the virtual root directory,
i.e., with the assumption that /nfs/root/directory/ is exported from the server as the
NFSv4 virtual root, mounting server:/ on the client side means we try to access data stored in
the server's /nfs/root/directory/ directory.
a) Consequences:
One unique virtual root directory is exported from the server with the identifier fsid=0.
Data to be exported must belong to the virtual root sub path, i.e., be a subdirectory of the
virtual root. It could be a symbolic link to a system directory.
Exporting two or more NFSv4 virtual roots (i.e., exporting several directories with the
option fsid=0) will cause unexpected behaviour. Only one of these directories will be
accessible through NFSv4: the first exported directory.
Clients must ask to mount directories from the virtual root.

In order to ensure a better reliability over the Internet, NFSv4 only uses TCP.
a) Consequence
UDP Protocol is not available.
b) Restrictions
RDMA (Remote Direct Memory Access) support for NFSv4 has been implemented. Support of
other protocols may be added later.

4 IPv6 Support
The IPv6 protocol is supported on the client side.
a) Restrictions
Using IPv6 requires a modified kernel. IPv6 is not yet supported on the NFSv4 server side.

5 32 KB blocks
NFSv4 uses 32 KByte pages.
a) Consequence
Better performance will be delivered when specifying an rsize and a wsize of 32 KBytes.

The default value of mount read and write size is 1024 Bytes. See the section Mounting.

6 Integrated protocol
NFSv4, unlike its predecessors, brings together in the same protocol most file system management
tools. NFSv4 only requires the servers below to be launched:
rpc.nfsd (nfs server)
rpc.idmapd (identifier server)
a) Consequence
Tools such as rpc.lockd or rpc.quotad are no longer required.
b) Restriction
rpc.mountd is still needed. This will be changed later.

7 IDMapper
In order to enhance, extend and connect the management of users to various tools (LDAP, security
protocols, etc.), NFSv4 uses an independent identifier mapper: rpc.idmapd.
a) Consequences

To match user X on the client to the user Y on the server, use /etc/idmap.conf. It is
advised to configure the identifiers nobody, nfsnobody and root. A default configuration is

The idmapper can be linked to the LDAP directory and the Kerberos identification server.

To use NFSv4, the rpc.idmapd server must be configured and must run on both the client and
server sides.
b) Restrictions
Idmap and LDAP matching has not been tested yet.

8 No backward compatibility
The NFSv3 and NFSv4 protocols are not compatible. An NFSv4 client cannot access an NFSv3
server, and vice versa. However, in order to simplify migrations from NFSv3 to NFSv4, both
NFSv3 and NFSv4 services are launched by the command rpc.nfsd.
In the case of NFSv3 and NFSv4 clients simultaneously accessing the same server, one must be
aware that two different file systems are used: there is no backward support to NFSv3 by the NFSv4
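The virtual-root rules above (exactly one export carrying fsid=0, with every other export a subdirectory of it) are easy to get wrong in a server's exports file, and the answer notes that a second fsid=0 silently loses all but the first. The following is an added example, not part of the original answer and not a tool from any NFS distribution: a POSIX shell check over a constructed Linux-style /etc/exports file. The sample file, its paths and the 192.0.2.0/24 client range are made up for illustration; the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample exports file (Linux-style syntax): two fsid=0 entries and
# one path outside the virtual root, so the checks below have something to find.
SAMPLE_EXPORTS=$(cat <<'EOF'
# NFSv4 virtual root: exactly one export may carry fsid=0
/srv/nfs4          192.0.2.0/24(ro,sync,fsid=0,crossmnt,no_subtree_check)
/srv/nfs4/projects 192.0.2.0/24(rw,sync,no_subtree_check)
/srv/nfs4/home     192.0.2.0/24(rw,sync,no_subtree_check)
# Mistake: a second fsid=0 makes the virtual root ambiguous
/export/other      192.0.2.0/24(rw,sync,fsid=0,no_subtree_check)
# Mistake: not below the virtual root, so invisible to clients mounting server:/
/data/scratch      192.0.2.0/24(rw,sync,no_subtree_check)
EOF
)
EXPORTS_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_EXPORTS" > "$EXPORTS_FILE"

# Print the export entries of FILE with comment and blank lines removed.
export_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# Print how many entries carry the fsid=0 option (the NFSv4 virtual root).
# The option is matched as a whole token so that e.g. fsid=0123 is not counted.
count_fsid0() {
    export_entries "$1" | grep -Ec '[(,]fsid=0[,)]' || true
}

# Print the path of the first fsid=0 entry: per the answer above, the only one
# an NFSv4 client will actually reach.
pseudo_root() {
    export_entries "$1" | grep -E '[(,]fsid=0[,)]' | awk 'NR == 1 { print $1 }'
}

# Print every exported path that is neither the virtual root nor beneath it.
# A root of "/" contains everything, so nothing is reported in that case.
exports_outside_root() {
    root=$(pseudo_root "$1")
    [ -n "$root" ] || return 0
    export_entries "$1" | awk -v root="$root" '
        $1 != root && root != "/" && index($1, root "/") != 1 { print $1 }'
}

# Overall check: exactly one fsid=0 entry and everything else beneath it.
# Returns 0 when the file is consistent, 1 otherwise, printing each finding.
check_exports() {
    status=0
    n=$(count_fsid0 "$1")
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one fsid=0 entry, found $n"
        status=1
    fi
    for p in $(exports_outside_root "$1"); do
        echo "export $p lies outside the virtual root $(pseudo_root "$1")"
        status=1
    done
    return $status
}

# Run the check on the constructed sample; it reports both mistakes.
check_exports "$EXPORTS_FILE" || echo "exports file needs attention"
```

Run it against a real server's exports file by replacing EXPORTS_FILE with that path; an exit status of 1 means the virtual-root layout should be fixed before NFSv4 clients are pointed at server:/.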

Expert Comment

ID: 24231456
My compliments to mail2prabir for the exhaustive post about NFS3/4.

Author Comment

ID: 24232038
Thank you mail2prabir for your reply, the info is really helpful...

Expert Comment

ID: 24235945
Hi there

thanks for the compliment
