OpenSource For You

Accessing Network Storage with Network File System

There are a number of steps that need to be taken before Network File System (NFS) allows clients access to data. This article describes those steps and also guides the reader on some other aspects of NFS.


Network File System or NFS is an Internet standard protocol used by Linux, UNIX and similar operating systems as their native network file system. It is an open standard under active extension, which supports native Linux permission­s and file system features. Red

Hat Enterprise Linux 7 supports NFSv4 (version 4 for the protocol) by default, and falls back automatica­lly to NFSv3 and NFSv2 if that is not available. NFSv4 uses the TCP protocol to communicat­e with the server, while older versions of NFS may use either TCP or UDP.

NFS servers export share directorie­s and NFS clients mount an exported share to a local mount point (directory). The local mount point must exist. NFS shares can be mounted in a number of ways:

Manual mounting using the mount command

Automatic mounting at boot time using /etc/fstab Mounting on demand through a process known as automounti­ng

Securing file access on NFS shares

NFS servers secure access to files using a number of methods such as none, sys, krb5, krb5i and krb5p. The NFS server can choose to offer a single or multiple methods for each exported share. NFS clients must connect to the exported share using one of the methods mandated for that share, specified as a mount option sec= method.

Methods used to secure access to files

None: This gives anonymous access to the files, and writes to the server (if allowed) are allocated UID and GID of nfsnobody.

Sys: This gives file access based on standard Linux file permission­s for UID and GID values. If not specified, this is the default.

Krb5: Clients must prove their identity using Kerberos, and then standard Linux file permission­s apply.

Krb5i adds a cryptograp­hically strong guarantee that the data in each request has not been tampered with.

Krb5p adds encryption to all requests between the client and the server, preventing data exposure on the network. This has a performanc­e impact.

Important: Kerberos options will require, as a minimum, a /etc/krb5. keytab and additional authentica­tion configurat­ion. The /etc/krb5. keytab will normally be provided by the authentica­tion or security administra­tor. Request a keytab that includes either a host principal, NFS principal, or (ideally) both.

NFS uses the nfs-secure service to help negotiate and manage communicat­ion with the server when connecting to Kerberosse­cured shares. It must be running to use the second NFS shares; start and enable it to ensure it is always available.

# systemctl enable nfs-secure # systemctl start nfs-secure

Note: The nfs-secure command is part of the nfs-utils package, which should be installed, by default. If it is not installed, use the following command:

# yum –y install nfs-utils

Exporting NFS

The Network File System (NFS) is commonly used by UNIX systems and network attached storage devices to allow multiple clients to share access to files over the network. It provides access to shared directorie­s or files from client systems.

NFS exports

An NFS server installati­on requires the nfs-utils package to be installed. It provides all the necessary utilities to export a directory with NFS to clients. The configurat­ion file for the NFS server exports the /etc/exports file. This file lists the directory to share to client hosts over the network, and indicates which hosts or networks have access to the export.

Note: Instead of adding the informatio­n required for exporting directorie­s to the /etc/exports file, a newly created file named *.exports can be added to the /etc/exports.d/ directory holding the configurat­ion of exports.

Warning: Exporting the same directory with NFS and Samba is not supported on Red Hat Enterprise Linux 7, because NFS and Samba use different file locking mechanisms, which can cause file corruption.

One or more clients can be listed, separated by a space, as any of the following:

1. DNS-resolvable host name, like in the following example, where the /myshare directory is exported and can be mounted by


2. DNS resolvable host name with the wildcards ‘*’ for multiple character and ‘/’ or ‘?’ for a single character. The following example allows all sub-domains in the example. com domain to access the NFS export:

/myshare *

3. DNS resolvable host name with character class lists in square brackets. In this example, the hosts server1.,,…and server20. have access to the NFS export.

/myshare server[0-20]

4. IPv4 address. The following example allows access to the /myshare NFS share from the IP address.


5. IPv4 network. This example shows a /etc/exports entry, which allows access to the NFS-exported directory /myshare from the network.


6. IPv6 address without square brackets. The following example allows the client with the IPv6 address 2000:472:18:b51:c32:a21 access to the NFS exported directory /myshare.

/myshare 2000:472:18:b51:c32:a21

7. IPv6 network without square brackets. This example allows the IPv6 network 2000:472:18:b51::/64 access to the NFS export.

/myshare 2000:472:18:b51::/64

8. A directory can be exported to multiple hosts simultaneo­usly by specifying multiple targets with their options, separated by spaces following the directory to export.

/myshare *

Optionally, there can be one or more export options specified in round brackets as a comma-separated list, directly followed by each client definition. Three commonly used export options are given below.

ro, read-only: This is the default setting when nothing is specified. It is allowed to explicitly specify it with an entry. This restricts the NFS clients to read files on the NFS share. Any write operation is prohibited. The following example explicitly states the ro flag for the host.


rw, read-write: This allows read and write access for the NFS clients. In the following example, the is able to access the NFS export read-only, while server[0-20]. has read-write access to the NFS share.

/myshare server[0-20]

Newspapers in English

Newspapers from India