Line 5: |
Line 5: |
| ==Security and NFS== | | ==Security and NFS== |
| Something Interesting that will scare you http://www.tldp.org/HOWTO/NFS-HOWTO/security.html | | Something Interesting that will scare you http://www.tldp.org/HOWTO/NFS-HOWTO/security.html |
| + | |
| + | |
| ==Installation== | | ==Installation== |
− | ===for sme8=== | + | ===For SME8=== |
| 1. Install the smeserver-nfs contrib like this: | | 1. Install the smeserver-nfs contrib like this: |
| | | |
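Review bot: the "Security and NFS" section kept as context at the top of this hunk is still only a bare URL introduced by "Something Interesting that will scare you", which tells the reader nothing about the risk. Since this edit already tidies the layout around it, replace that line with one sentence saying what the linked NFS-HOWTO security chapter covers, and give the link a title using the wiki's external link syntax.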
Line 45: |
Line 47: |
| | | |
| | | |
− | ==== Couple of notes whilst installing on SME8..... ==== | + | ===== Couple of notes whilst installing on SME8..... ===== |
− | | |
− | | |
| DB options as follows - status disabled by default : | | DB options as follows - status disabled by default : |
| | | |
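Review bot: the SME8 notes heading is demoted to level 5 (=====), but its sibling "==== Couple of notes whilst installing on SME9..... ====" further down the page stays at level 4, so the two parallel sections end up at different depths. Use the same level for both, and drop the trailing dots from the title while it is being touched.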
Line 78: |
Line 78: |
| | | |
| However, I don't think this starts/restarts portmap, hence the reboot on install which should not really be necessary. | | However, I don't think this starts/restarts portmap, hence the reboot on install which should not really be necessary. |
− | ===for sme9=== | + | |
| + | |
| + | ===For SME9=== |
| It is for really soon --[[User:Stephdl|Stephdl]] ([[User talk:Stephdl|talk]]) 00:18, 7 December 2014 (CET) | | It is for really soon --[[User:Stephdl|Stephdl]] ([[User talk:Stephdl|talk]]) 00:18, 7 December 2014 (CET) |
| Remember to first configure the required [[stephdl]] repository, then issue the following command on the SME Server shell: | | Remember to first configure the required [[stephdl]] repository, then issue the following command on the SME Server shell: |
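Review bot: under the new "For SME9" heading, the signed remark "It is for really soon --[[User:Stephdl|Stephdl]] ... 7 December 2014" is kept although the very next line already gives the SME9 installation instructions. It reads as a talk-page comment and contradicts what follows, so remove it or move it to the talk page.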
Line 93: |
Line 95: |
| | | |
| | | |
− | ====Usage====
| + | ==Usage== |
| * Each IP needs to be allowed if you want write permissions. For read only permissions, you can open the share to all defined local network in the server-manager | | * Each IP needs to be allowed if you want write permissions. For read only permissions, you can open the share to all defined local network in the server-manager |
| * The NFS share works with Ibays whose the system of permissions are Group based and inherited from the ibay panel. Therefore for changing write/read and group permissions you can do it in the NFS Ibay panel. You have at the top of the NFS panel boxes on the state of permissions and the group ownership. | | * The NFS share works with Ibays whose the system of permissions are Group based and inherited from the ibay panel. Therefore for changing write/read and group permissions you can do it in the NFS Ibay panel. You have at the top of the NFS panel boxes on the state of permissions and the group ownership. |
| * NFS works with UID and GID, the user id and group id of the client system are sent in each RPC call, and the permissions these IDs have on the file being accessed are checked on the server. For this to work, the UID and GIDs must be the same on the server and the clients. | | * NFS works with UID and GID, the user id and group id of the client system are sent in each RPC call, and the permissions these IDs have on the file being accessed are checked on the server. For this to work, the UID and GIDs must be the same on the server and the clients. |
| + | |
| + | |
| =====Read permissions===== | | =====Read permissions===== |
| - you can easily allow the share in read permission for the local network and for all defined IP (go to the NFS ibay panel and set the User access to write=group, read=everyone, enabled the share, and allow IP(s) or the local network in the nfs panel) | | - you can easily allow the share in read permission for the local network and for all defined IP (go to the NFS ibay panel and set the User access to write=group, read=everyone, enabled the share, and allow IP(s) or the local network in the nfs panel) |
| + | |
| | | |
| =====Write and read permission for group===== | | =====Write and read permission for group===== |
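Review bot: promoting "Usage" from ==== to == leaves its subsections "=====Read permissions=====" and "=====Write and read permission for group=====" at level 5, so the outline jumps from level 2 straight to level 5. Promote them to === so the table of contents nests correctly.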
Line 116: |
Line 121: |
| | | |
| {{Warning box|IF the option no_root_squash is set, the root and all sudoers of every allowed servers to the nfs share are able to write without controls in the ibay.}} | | {{Warning box|IF the option no_root_squash is set, the root and all sudoers of every allowed servers to the nfs share are able to write without controls in the ibay.}} |
| + | |
| | | |
| ====UID/GID==== | | ====UID/GID==== |
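Review bot: the warning box kept as context in this hunk is the page's only statement about no_root_squash, and its wording is hard to parse ("IF the option ...", "every allowed servers to the nfs share"). While adding spacing here, reword it, for example: "If the option no_root_squash is set, root and all sudoers on every server allowed to use the NFS share can write to the ibay without any controls."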
Line 131: |
Line 137: |
| usermod -a -G '''GROUP_NAME_OR_GID''' USER_NAME | | usermod -a -G '''GROUP_NAME_OR_GID''' USER_NAME |
| | | |
− | ====Manual Settings for specific Needs====
| |
| | | |
| + | ====Manual Settings for specific needs==== |
| Nfs offers a lot of parameters and you may need some specific settings that it would be difficult or dangerous to let them in all hands. So for some cases you can enable by db command your nfs shares | | Nfs offers a lot of parameters and you may need some specific settings that it would be difficult or dangerous to let them in all hands. So for some cases you can enable by db command your nfs shares |
| | | |
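Review bot: the renamed heading "Manual Settings for specific needs" lowercases only the last word. Use "Manual settings for specific needs" so it matches the sentence case of the other headings renamed in this edit, such as "Exported folders overview", and write "NFS" rather than "Nfs" in the paragraph that follows.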
Line 160: |
Line 166: |
| and | | and |
| less /etc/exports | | less /etc/exports |
| + | |
| | | |
| ====Common Mount permission options==== | | ====Common Mount permission options==== |
Line 169: |
Line 176: |
| root_squash Prevents root users | | root_squash Prevents root users |
| no_root_squash Allow root users | | no_root_squash Allow root users |
| + | |
| | | |
| ==== Couple of notes whilst installing on SME9..... ==== | | ==== Couple of notes whilst installing on SME9..... ==== |
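Review bot: the option list kept as context describes root_squash as "Prevents root users" and no_root_squash as "Allow root users" without saying what is prevented or allowed. Complete both descriptions so they agree with the warning box on this page, which says that with no_root_squash the root user and sudoers of allowed servers can write to the ibay without controls.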
Line 200: |
Line 208: |
| signal-event nfs-update | | signal-event nfs-update |
| | | |
− | ==see exported folders== | + | |
− | You can have a look on all exported folders and see for which ip/network they are allowed. | + | ==Exported folders overview== |
| + | You can have an overview of all exported folders and see for which ip/network they are allowed. |
| # showmount -e | | # showmount -e |
| Export list for hpcompact: | | Export list for hpcompact: |
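Review bot: the rewritten sentence "You can have an overview of all exported folders and see for which ip/network they are allowed." still has lowercase "ip" and an awkward construction. Something like "To list all exported folders and the IP addresses or networks allowed to access them:" reads better directly above the showmount -e command.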
Line 210: |
Line 219: |
| | | |
| | | |
− | ==find connected clients== | + | ==Show connected clients== |
| netstat -an | grep nfs.server.ip:port | | netstat -an | grep nfs.server.ip:port |
| * for example if you nfs server IP is 192.168.12.125 | | * for example if you nfs server IP is 192.168.12.125 |
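Review bot: the context line "for example if you nfs server IP is 192.168.12.125" has a typo ("you" should be "your") that this edit could fix along with the heading. The command above it uses the unmarked placeholder "nfs.server.ip:port"; the sample output further down shows 192.168.12.125:2049, so the example would be clearer if it showed the command with those same values.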
Line 216: |
Line 225: |
| tcp 0 0 192.168.12.125:2049 192.168.12.25:850 ESTABLISHED | | tcp 0 0 192.168.12.125:2049 192.168.12.25:850 ESTABLISHED |
| | | |
− | ==client side== | + | |
| + | ==Linux Client== |
| * nfs-utils | | * nfs-utils |
| yum install nfs-utils | | yum install nfs-utils |
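Review bot: the new heading "Linux Client" uses title case, while the other headings renamed in this edit ("Exported folders overview", "Show connected clients") use sentence case. Make it "Linux client" for consistency.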