Sun Microsystems, Inc.

Setting Up NFS Services

This section describes some of the tasks necessary to initialize or use NFS services.

Table 15-3 NFS Services Task Map

| Task | Description | For Instructions |
|---|---|---|
| Start the NFS server | Steps to start the NFS service, if it has not been started automatically. | "How to Start the NFS Services" |
| Stop the NFS server | Steps to stop the NFS service. Normally the service should not need to be stopped. | "How to Stop the NFS Services" |
| Start the automounter | Steps to start the automounter. This procedure is required when some of the automounter maps are changed. | "How to Start the Automounter" |
| Stop the automounter | Steps to stop the automounter. This procedure is required when some of the automounter maps are changed. | "How to Stop the Automounter" |

How to Start the NFS Services

  1. Become superuser or assume an equivalent role.

    For information about roles, see "Using Privileged Applications" in System Administration Guide: Security Services.

  2. Enable the NFS service daemons.

    Type the following command:

    # /etc/init.d/nfs.server start

    This command starts the daemons if an entry is in /etc/dfs/dfstab.

How to Stop the NFS Services

  1. Become superuser or assume an equivalent role.

    For information about roles, see "Using Privileged Applications" in System Administration Guide: Security Services.

  2. Disable the NFS service daemons.

    Type the following command:

    # /etc/init.d/nfs.server stop

How to Start the Automounter

  1. Become superuser or assume an equivalent role.

    For information about roles, see "Using Privileged Applications" in System Administration Guide: Security Services.

  2. Enable the autofs daemon.

    Type the following command:

    # /etc/init.d/autofs start

How to Stop the Automounter

  1. Become superuser or assume an equivalent role.

    For information about roles, see "Using Privileged Applications" in System Administration Guide: Security Services.

  2. Disable the autofs daemon.

    Type the following command:

    # /etc/init.d/autofs stop

Administering the Secure NFS System

To use the Secure NFS system, all the computers you are responsible for must have a domain name. A domain is an administrative entity, typically consisting of several computers, that is part of a larger network. If you are running a name service, you should also establish the name service for the domain. See System Administration Guide: Naming and Directory Services (FNS and NIS+).

You can configure the Secure NFS environment to use Diffie-Hellman authentication. "Using Authentication Services (Tasks)" in System Administration Guide: Security Services discusses this authentication service.

Kerberos V5 authentication is also supported by the NFS service. "Introduction to SEAM" in System Administration Guide: Security Services discusses the Kerberos service.

How to Set Up a Secure NFS Environment With DH Authentication

  1. Assign your domain a domain name, and make the domain name known to each computer in the domain.

    See the System Administration Guide: Naming and Directory Services (FNS and NIS+) if you are using NIS+ as your name service.

  2. Establish public keys and secret keys for your clients' users by using the newkey or nisaddcred command. Have each user establish his or her own secure RPC password by using the chkey command.


    Note - For information about these commands, see the newkey(1M), the nisaddcred(1M), and the chkey(1) man pages.


    When public keys and secret keys have been generated, the public keys and encrypted secret keys are stored in the publickey database.

  3. Verify that the name service is responding.

    If you are running NIS+, type the following:

    # nisping -u
    Last updates for directory eng.acme.com. :
    Master server is eng-master.acme.com.
            Last update occurred at Mon Jun  5 11:16:10 1995
    
    Replica server is eng1-replica-replica-58.acme.com.
            Last Update seen was Mon Jun  5 11:16:10 1995

    If you are running NIS, verify that the ypbind daemon is running.

  4. Verify that the keyserv daemon (the key server) is running.

    Type the following command.

    # ps -ef | grep keyserv
    root    100     1  16    Apr 11 ?      0:00 /usr/sbin/keyserv
    root   2215  2211   5  09:57:28 pts/0  0:00 grep keyserv

    If the daemon isn't running, start the key server by typing the following:

    # /usr/sbin/keyserv

  5. Decrypt and store the secret key.

    Usually, the login password is identical to the network password. In this situation, keylogin is not required. If the passwords are different, the users have to log in and then run keylogin. You still need to use the keylogin -r command as root to store the decrypted secret key in /etc/.rootkey.


    Note - You need to run keylogin -r if the root secret key changes or /etc/.rootkey is lost.


  6. Update mount options for the file system.

    Edit the /etc/dfs/dfstab file and add the sec=dh option to the appropriate entries (for Diffie-Hellman authentication).

    share -F nfs -o sec=dh /export/home

    See the dfstab(4) man page for a description of /etc/dfs/dfstab.

  7. Update the automounter maps for the file system.

    Edit the auto_master data to include sec=dh as a mount option in the appropriate entries (for Diffie-Hellman authentication):

    /home	auto_home	-nosuid,sec=dh

    Note - Releases through Solaris 2.5 have a limitation. If a client does not mount as secure a file system that is shared as secure, users have access as user nobody, rather than as themselves. With version 2 on later releases, the NFS server refuses access if the security modes do not match, unless -sec=none is included on the share command line. With version 3, the mode is inherited from the NFS server, so clients do not need to specify sec=dh. The users have access to the files as themselves.


    When you reinstall, move, or upgrade a computer, remember to save /etc/.rootkey if you do not establish new keys or change them for root. If you do delete /etc/.rootkey, you can always type the following:

    # keylogin -r
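
A read-only check for steps 6 and 7 above, written as an added example that is not part of the original Sun documentation: it reports NFS shares in a dfstab-style file and entries in an auto_master-style file whose options do not list sec=dh, or whose sec= list allows none. The function names, the sample file contents, and the treatment of share lines without -F as NFS are assumptions of this example; only the dh and none modes are examined.

```shell
# Added example: audit the sec=dh settings from steps 6 and 7.
# sec_state(opts) classifies a comma-separated option string as
#   ok (sec= lists dh), no-dh (it does not), none (a sec= list allows none).
SEC_AWK='
function sec_state(opts,   n, o, i, m, k, j, dh, none) {
    sub(/^-/, "", opts)                  # map options start with "-"
    n = split(opts, o, ",")
    for (i = 1; i <= n; i++)
        if (o[i] ~ /^sec=/) {
            k = split(substr(o[i], 5), m, ":")
            for (j = 1; j <= k; j++) {
                if (m[j] == "dh") dh = 1
                if (m[j] == "none") none = 1
            }
        }
    return none ? "none" : (dh ? "ok" : "no-dh")
}'

# audit_dfstab FILE: print "<state> <pathname>" for each NFS share not "ok".
audit_dfstab() {
    awk "$SEC_AWK"'
    { sub(/#.*/, ""); gsub(/-d +"[^"]*"/, "") }  # drop comments, descriptions
    $1 == "share" {
        fstype = "nfs"; opts = ""; path = ""     # assumption: no -F means nfs
        for (i = 2; i <= NF; i++) {
            if ($i == "-F") fstype = $(++i)
            else if ($i == "-o") opts = $(++i)
            else path = $i
        }
        s = sec_state(opts)
        if (fstype == "nfs" && s != "ok") print s, path
    }' "$1"
}

# audit_auto_master FILE: same check on the options field of each map entry.
audit_auto_master() {
    awk "$SEC_AWK"'
    { sub(/#.*/, "") }
    $1 ~ /^\// { s = sec_state($3); if (s != "ok") print s, $1 }' "$1"
}

# Constructed sample input, not taken from a real system.
demo() {
    d=$(mktemp -d) || return 1
    printf "%s\n" "share -F nfs -o sec=dh /export/home" \
        "share -F nfs -o rw /export/tools" \
        "share -F nfs -o sec=dh:none -d \"scratch\" /export/tmp" > "$d/dfstab"
    printf "%s\n" "/home auto_home -nosuid,sec=dh" "/proj auto_proj -nosuid" > "$d/am"
    audit_dfstab "$d/dfstab"; audit_auto_master "$d/am"; rm -rf "$d"
}
demo
```

On a live system the two functions would be pointed at /etc/dfs/dfstab and the local auto_master map; an empty result means every entry lists sec=dh and none allows sec=none.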
 
 
 