
Projects: NFS Version 4 Open Source Reference Implementation

NFS4 Version 3.2 Distribution - june_2002_rel

This work was done as part of the NFS Version 4 Open Source Reference Implementation project. This release includes preliminary support for ACLs and for Kerberos authentication, and is in the form of a patch against the Linux 2.4.18 kernel, with cryptoapi and acl patches already applied.

Features of this release:

  • Implements rpcsec_gss security using Kerberos V5 mutual authentication, with neither data integrity nor privacy. (Note that this is no longer a separate patch.)
  • Implements NFSv4 ACL capability using Andreas Grünbacher's Linux implementation of the POSIX ACL interface.

Coming down the pipeline:

  • Kerberos V5 data integrity and privacy
  • rpcsec_gss security for NFSv3.
  • NFSv4 patches for the 2.5 kernel.

Development status

This is new code, and we expect bugs. We hope that the general Linux community will participate in bug fixes and code development.

Look for notice of a bug database. For now, bug reports (for which we would be grateful) can be sent by email.

Developers can have read access to our CVS tree, and we will accept patches against the CVS tree code.

ACL status: The ACL code does not yet support default and directory/inherited ACLs properly. This will be added soon.

Download and Install

These instructions assume a Redhat 7.2 distribution. Users of other distributions may need to adapt the instructions to their system. A few brief notes on using nfsv4 on Debian are included at the end of this page.

  1. Download the stock 2.4.18 kernel source tree.
  2. Apply the extended attributes patch, linux-2.4.18ea-0.8.26.diff.gz. (Note: all patches can be applied by, e.g.,
    zcat linux-2.4.18ea-0.8.26.diff.gz | patch -p1
    executed in the top-level directory of the kernel source tree.)
  3. Apply the acl patch, linux-2.4.18acl-0.8.26.diff.gz.
  4. Apply the crypto patch, patch-int-
  5. Apply the following patches in order:
  6. Configure your kernel (using "make xconfig" or whatever you prefer).

    In "Code maturity level options", select "Prompt for development and/or incomplete code/drivers"

    Set the following options in filesystems:

          Set "POSIX Access Control Lists" to "y"
          Set "Ext2 extended user attributes" to "y"
          Set "Ext2 extended attribute block sharing" to "y"
          Set "Ext2 extended attributes" to "y"
          Set "Ext2 POSIX Access Control Lists" to "y"
    (Also set the corresponding options for Ext3 if you'd like.)
    Set the following options in File systems/Network File Systems:
          Set "NFS file system support"  to "n"
          Set "NFS server support" to "n"
          Set "NFSv4 file system support" to "m"
          Set "NFSv4 server support" to "m"
          Set "RPCSEC_GSS support" to "m".
    Set the following options in Cryptography support:
          Set "CryptoAPI Support" to "m"
          Set "Crypto Ciphers" to "m"
          Set "DES cipher" to "m"
          Set "Digest algorithms" to "m"
          Set "MD5 digest" to "m"
    The resulting /usr/src/linux/.config should look like this:
          # Code maturity level options
          # File systems
          # CONFIG_QUOTA is not set
          # CONFIG_SYSV_FS is not set
          # CONFIG_UDF_FS is not set
          # CONFIG_UDF_RW is not set
          # CONFIG_UFS_FS is not set
          # CONFIG_UFS_FS_WRITE is not set
          # Cryptography support (CryptoAPI)
          # CONFIG_CIPHER_AES is not set
          # CONFIG_CIPHER_TWOFISH is not set
          # CONFIG_CIPHER_MARS is not set
          # CONFIG_CIPHER_RC6 is not set
          # CONFIG_CIPHER_SERPENT is not set
          # CONFIG_CIPHER_DFC is not set
          # CONFIG_CIPHER_CAST5 is not set
          # CONFIG_CIPHER_DES_EDE3 is not set
          # CONFIG_CIPHER_IDEA is not set
          # CONFIG_CIPHER_BLOWFISH is not set
          # CONFIG_CIPHER_RC5 is not set
          # CONFIG_CIPHER_BLOWFISH_OLD is not set
          # CONFIG_CIPHER_DUMMY is not set
          # CONFIG_DIGEST_SHA1 is not set
          # CONFIG_CRYPTODEV is not set
          # CONFIG_CRYPTOLOOP is not set
          # Network File Systems
          # CONFIG_CODA_FS is not set
          # CONFIG_INTERMEZZO_FS is not set
          # CONFIG_NFS_FS is not set
          # CONFIG_NFS_V3 is not set
          # CONFIG_ROOT_NFS is not set
          # CONFIG_NFSD is not set
          # CONFIG_NFSD_V3 is not set
          # CONFIG_LOCKD is not set
  7. Compile and install the kernel and modules, update your bootloader as necessary, and reboot.
  8. Unpack the MIT kerberos distribution, and apply the mechglue_krb5.1.2.3.patch:
          # cd /usr/local/src
          # tar -zxvf krb5-1.2.3.tar.gz
          # mv mechglue_krb5.1.2.3.patch /usr/local/src/krb5-1.2.3/src
          # cd krb5-1.2.3/src
          # patch -p1 -i mechglue_krb5.1.2.3.patch
          # ./configure  --with-cc=gcc 
  9. The configure script fails to link the mechglue makefile, so do that manually and then build kerberos:
          # cd lib/gssapi/mechglue
          # ln -s Makefile.static Makefile
          # cd /usr/local/src/krb5-1.2.3/src
          # make 
          # make install (OPTIONAL)
    Notes: The make install is optional. Also, note that if you unpacked the krb5-1.2.3 source in a location other than /usr/local/src, then the lib/gssapi/mechglue/Makefile will need to be edited to set the BUILDTOP variable.
  10. Unpack the nfsv4 utilities from nfsv4_utilities.tar.gz.
          # cd /usr/src
          # tar -zxvf nfsv4_utilities.tar.gz
  11. The nfsv4_utilities includes header files from the Linux main patch. Depending on which Linux distribution you are using, you may need to make these includes available by ONE of the two following methods:
         # mv /usr/include/linux /usr/include/linux-
         # ln -s /usr/src/linux/include/linux /usr/include/linux
          ---- OR ----
         # cp -rp /usr/src/linux/include/linux/nfs4 /usr/include/linux/nfs4
         # cp -rp /usr/src/linux/include/linux/nfs4_* /usr/include/linux
  12. Build and install the nfsv4 utilities. Note that for rpcsec_gss to work correctly, GSSD needs to be built with our mechglue-krb5-1.2.3 patch.
          # cd nfsv4_utilities/export_parser
          # make
          # make install
          # cd ../rpcsec_gss
          # ./configure --with-krb5=/usr/local/src/krb5-1.2.3/src
          # make
          # cd gssd
          # install -c -m 755 gssd /usr/sbin/gssd
          # cd ../../mount-2.11n
          # make
          # install -c -m 755 mount /usr/sbin/mount4
    We recommend installing the nfsv4-enabled mount under another filename such as mount4, so as not to replace the built-in mount on your system.

NFSv4 Configuration and Operation

Create an /etc/exports file on the server, following these directions.

Run /etc/init.d/nfs4 start on the server.

Load the appropriate modules on the client.

      insmod cryptoapi
      insmod sunrpc
      insmod auth_rpcgss
      insmod nfs4
      insmod nfs4fs

Start gssd:

      /usr/sbin/gssd -n &

On the client, mount a directory. For example:

      /usr/sbin/mount4 -tnfs4 servername:/path/ /mnt

RPCSEC_GSS Configuration and Operation

The following instructions are only necessary if you wish to use Kerberos authentication with nfsv4.

  1. Create machine credentials for both the client and the server. For this release, this means creating a Kerberos V5 principal/instance name of the form nfs/hostname@domain, and either adding a key for this principal to an existing /etc/krb5.keytab or creating an /etc/krb5.keytab using a random password.

    Note: only the encryption type of des-cbc-crc is functional so far in the kernel, so add ONLY this type of key.

    kadmin: addprinc -randkey nfs/hostname.domain
    kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/hostname.domain
  2. nfsv4_utilities/rpcsec_gss/gssd/gssd needs to be started on both client and server. If you want to see gssd output, build gssd with -DDEBUG.
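
A check for the note in step 1 that only des-cbc-crc keys should be added, written here as an added example that is not part of the NFSv4 distribution or its tools: the function reads `klist -k -e` output and reports whether the nfs/hostname principal is present and carries only that enctype. The hostnames, realm and sample listings are constructed, and the enctype labels it matches are assumptions about klist's output format.

```shell
#!/bin/sh
# Added example (not from the NFSv4 distribution): audit `klist -k -e` output
# for the nfs/<host> machine principal described in step 1.
# Assumption: each entry line is "<kvno> <principal> (<enctype>)", with the
# enctype shown as "des-cbc-crc" or the long label "DES cbc mode with CRC-32".

# check_nfs_keytab HOST   (klist output on stdin)
# Prints OK, MISSING, or BAD:<enctype>[,<enctype>...]
check_nfs_keytab() {
    awk -v want="nfs/$1@" '
        $1 ~ /^[0-9]+$/ && index($2, want) == 1 {
            seen = 1
            enc = "unknown"                  # listing made without -e
            if ($0 ~ /\(.*\)[ \t]*$/) {
                enc = $0
                sub(/^[^(]*\(/, "", enc)     # strip up to the opening paren
                sub(/\)[ \t]*$/, "", enc)    # strip the closing paren
            }
            if (enc != "des-cbc-crc" && enc != "DES cbc mode with CRC-32")
                bad = bad (bad == "" ? "" : ",") enc
        }
        END {
            if (!seen)          print "MISSING"
            else if (bad != "") print "BAD:" bad
            else                print "OK"
        }'
}

# Constructed sample listings (hostnames and realm are placeholders).
SAMPLE_GOOD='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   3 nfs/client.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)'

SAMPLE_MIXED='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   3 nfs/client.example.com@EXAMPLE.COM (des-cbc-crc)
   3 nfs/client.example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 host/client.example.com@EXAMPLE.COM (des3-cbc-sha1)'

printf '%s\n' "$SAMPLE_GOOD"  | check_nfs_keytab client.example.com
printf '%s\n' "$SAMPLE_MIXED" | check_nfs_keytab client.example.com
printf '%s\n' "$SAMPLE_GOOD"  | check_nfs_keytab server.example.com
```

On a real host, pipe `klist -k -e /etc/krb5.keytab` into `check_nfs_keytab` with the machine's fully qualified hostname. des-cbc-crc is single DES, which RFC 6649 later deprecated, so this check reflects the constraint of this release only.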

RPCSEC_GSS Configuration--Server

  1. Create an /etc/exports file, following the directions.
  2. Edit /etc/rc.d/init.d/nfs4; change this:
          #/usr/sbin/gssd -n&
    to this:
          #/usr/sbin/gssd &
    Add the command to load the cryptoapi module prior to loading the sunrpc module.
     # insmod cryptoapi
  3. Start the server. This will load the modules, start gssd, and run /usr/sbin/exportfs4 to start the nfsv4 server(s). The nfs4 startup script is installed as part of the nfsv4_utilities/export_parser installation.
     # /etc/rc.d/init.d/nfs4 start

RPCSEC_GSS Configuration--Client

  1. Start the GSS daemon.
          # /usr/sbin/gssd &
  2. Load the necessary modules.
          # insmod cryptoapi
          # insmod sunrpc
          # insmod auth_rpcgss
          # insmod nfs4
          # insmod nfs4fs
  3. Use the NFSv4-enabled mount4 to mount a directory from the server.

Using ACL's

The following instructions are only necessary if you wish to use ACL's.

Download and install the following rpm's (using, e.g., rpm -ivh *):

Upgrade your fileutils package with the following rpm (using, e.g., rpm -Uvh fileutils-4.1.8acl-65.5.i386.rpm).

You should now be able to list and set ACL's as in this example:

(Note that /export is exported as /nfs4 over nfsv4)
   motor:/# touch /nfs4/marius-foo
   motor:/# getfacl /nfs4/marius-foo
   getfacl: Removing leading '/' from absolute path names
   # file: nfs4/marius-foo
   # owner: root
   # group: root 

   motor:/# setfacl -m u:marius:rwx /nfs4/marius-foo
   motor:/# getfacl /nfs4/marius-foo
   getfacl: Removing leading '/' from absolute path names
   # file: nfs4/marius-foo
   # owner: root
   # group: root

   motor:/# getfacl /export/marius-foo
   getfacl: Removing leading '/' from absolute path names
   # file: export/marius-foo
   # owner: root
   # group: root

Notes for Debian Users

This release has also been tested on Debian (Woody). You may need to add a group named "nobody":

  addgroup --group nobody

Also, the included nfs4 init file won't work; here's one example /etc/init.d/nfs4.
Copyright © 1996-2013
The Regents of the University of Michigan