Managing Network File Systems in Oracle^® Solaris 11.3

NFS Commands

These commands must be run as root to be fully effective, but requests for information can be made by all users:

• automount Command

• clear_locks Command

• fsstat Command

• mount Command

• mountall Command

• nfsref Command

• sharectl Command

• share Command

• shareall Command

• showmount Command

• umount Command

• umountall Command

• unshare Command

• unshareall Command

In addition, commands associated with the FedFS service are covered in FedFS Commands.

automount Command

This command installs autofs mount points and associates the information in the automaster files with each mount point. The syntax of the command is as follows:

automount [-t duration] [-v]

–t duration

Sets the time, in seconds, that a file system is to remain mounted.

–v

Selects the verbose mode. Running this command in verbose mode enables easier troubleshooting.

If not specifically set, the value for duration is set to 5 minutes. In most circumstances, this value is good. However, on systems that have many automounted file systems, you might need to increase the duration value. In particular, if a server has many users active, checking the automounted file systems every 5 minutes can be inefficient. Checking the autofs file systems every 1800 seconds, which is 30 minutes, could be more optimal. By not unmounting the file systems every 5 minutes, /etc/mnttab can become large. To reduce the output when df checks each entry in /etc/mnttab, you can filter the output from df by using the –F option (see the df(1M) man page) or by using egrep.

You should consider that adjusting the duration also changes how quickly changes to the automounter maps are reflected. Changes cannot be seen until the file system is unmounted. Refer to Modifying the Maps for instructions on how to modify automounter maps.

You can make the same specifications with the sharectl command that you would make on the command line. However, unlike the command-line options, the SMF repository preserves your specifications, through service restarts and system reboots, as well as system upgrades. You can set the following parameters for the automount command.

timeout

Sets the duration for a file system to remain idle before the file system is unmounted. This keyword is the equivalent of the –t argument for the automount command. The default value is 600.

automount_verbose

Provides notification of autofs mounts, unmounts, and other nonessential events. This keyword is the equivalent of the –v argument for automount. The default value is FALSE.

clear_locks Command

This command enables you to remove all file, record, and share locks for an NFS client. You must be root to run this command. From an NFS server, you can clear the locks for a specific client. From an NFS client, you can clear locks for that client on a specific server. The following example would clear the locks for an NFS client named tulip on the current system.

$ clear_locks tulip

Use the –s option to specify which NFS host to clear the locks from. You must run this option from the NFS client that created the locks. In this situation, the locks from the client would be removed from an NFS server named bee.

$ clear_locks -s bee

fsstat Command

The fsstat utility enables you to monitor file system operations by file system type and by mount point. Various options enable you to customize the output:

–i

Displays statistics about the I/O operations for mount points

–n

Displays statistics about the naming operations for mount points

The following example shows output for NFS Version 3, NFS Version 4, and the root mount point.

$ fsstat nfs3 nfs4 /
  new     name   name    attr    attr   lookup   rddir   read   read   write   write
 file    remov   chng     get     set      ops     ops    ops  bytes     ops   bytes
3.81K       90  3.65K   5.89M   11.9K    35.5M   26.6K   109K   118M   35.0K   8.16G  nfs3
  759      503    457   93.6K   1.44K     454K   8.82K  65.4K   827M     292    223K  nfs4
25.2K    18.1K  1.12K   54.7M    1017     259M   1.76M  22.4M  20.1G   1.43M   3.77G  /

The following example uses the –i option to provide statistics about the I/O operations for NFS Version 3, NFS Version 4, and the root mount point.

$ fsstat -i nfs3 nfs4 /
 read    read    write   write   rddir   rddir   rwlock   rwulock
  ops   bytes      ops   bytes     ops   bytes      ops       ops
 109K    118M    35.0K   8.16G   26.6K   4.45M     170K      170K  nfs3
65.4K    827M      292    223K   8.82K   2.62M    74.1K     74.1K  nfs4
22.4M   20.1G    1.43M   3.77G   1.76M   3.29G    25.5M     25.5M  /

The following example uses the –n option to provide statistics about the naming operations for NFS Version 3, NFS Version 4, and the root mount point.

$ fsstat -n nfs3 nfs4 /
lookup   creat   remov  link   renam  mkdir  rmdir   rddir  symlnk  rdlnk
 35.5M   3.79K      90     2   3.64K      5      0   26.6K      11   136K  nfs3
  454K     403     503     0     101      0      0   8.82K     356  1.20K  nfs4
  259M   25.2K   18.1K   114    1017     10      2   1.76M      12  8.23M  /

For more information, see the fsstat(1M) man page.

mount Command

With this command, you can attach a named file system, either local or remote, to a specified mount point. For more information, see the mount(1M) man page. Used without arguments, mount displays a list of file systems that are currently mounted on your computer.

Each file system type included in the standard Oracle Solaris installation has specific options for the mount command. For NFS file systems options, see the mount_nfs(1M) man page. For UFS file system options, see the mount_ufs(1M) man page.

You can select a path name to mount from an NFS server by using an NFS URL instead of the standard server:/pathname syntax. See How to Mount an NFS File System by Using an NFS URL for further information.

mount Options for NFS File Systems

This section describes some of the options that can follow the –o flag when you are mounting an NFS file system. For a complete list of options, refer to the mount_nfs(1M) man page.

bg|fg

These options can be used to select the retry behavior if a mount fails. The –bg option causes the mount attempts to be run in the background. The –fg option causes the mount attempt to be run in the foreground. The default is –fg, which is the best selection for file systems that must be available because it prevents further processing until the mount is complete. –bg is a good selection for noncritical file systems because the client can do other processing while waiting for the mount request to be completed.

forcedirectio

This option improves performance of large sequential data transfers. Data is copied directly to a user buffer. No caching is performed in the kernel on the client. This option is off by default (noforcedirectio).

To permit an application to issue concurrent writes, as well as concurrent reads and writes, to a single file on the client, use the –forcedirectio mount option. This option, enables this functionality for all files within the mounted file system. You could also enable this functionality on a single file on the client by using the directio() interface. Unless this functionality has been enabled, writes to files are serialized. Also, if concurrent writes or concurrent reads and writes are occurring, then POSIX semantics are no longer being supported for that file.

For an example of how to use this option, refer to Using the mount Command.

largefiles

With this option, you can access files that are larger than 2 GB. Whether a large file can be accessed can only be controlled on the server, so this option is silently ignored on NFS Version 3 mounts. By default, all UFS file systems are mounted with –largefiles. For mounts that use the NFS Version 2 protocol, the –largefiles option causes the mount to fail with an error.

nolargefiles

This option for UFS mounts guarantees that no large files can exist on the file system. Because the existence of large files can be controlled only on the NFS server, no option for –nolargefiles exists when using NFS mounts. Attempts to NFS-mount a file system by using this option are rejected with an error.

nosuid|suid

The –nosuid option is the equivalent of specifying the –nodevices option with the –nosetuid option. When the –nodevices option is specified, the opening of device-special files on the mounted file system is disallowed. When the –nosetuid option is specified, the setuid bit and setgid bit in binary files that are located in the file system are ignored. The processes run with the privileges of the user who executes the binary file.

The –suid option is the equivalent of specifying the –devices option with the –setuid option. When the –devices option is specified, the opening of device-special files on the mounted file system is allowed. When the –setuid option is specified, the setuid bit and the setgid bit in binary files that are located in the file system are honored by the kernel.

If neither option is specified, the default option is –suid, which provides the default behavior of specifying the –devices option with the –setuid option.

The following table describes the effect of combining –nosuid or –suid with –devices or –nodevices, and –setuid or –nosetuid. Note that in each combination of options, the most restrictive option determines the behavior.

Behavior From the Combined Options Option Option Option The equivalent of –nosetuid with –nodevices –nosuid –nosetuid –nodevices The equivalent of –nosetuid with –nodevices –nosuid –nosetuid –devices The equivalent of –nosetuid with –nodevices –nosuid –setuid –nodevices The equivalent of –nosetuid with –nodevices –nosuid –setuid –devices The equivalent of –nosetuid with –nodevices –suid –nosetuid –nodevices The equivalent of –nosetuid with –devices –suid –nosetuid –devices The equivalent of –setuid with –nodevices –suid –setuid –nodevices The equivalent of –setuid with –devices –suid –setuid –devices

The –nosuid option provides additional security for NFS clients that access potentially untrusted servers. Mounting remote file systems with this option reduces the chance of privilege escalation through importing untrusted devices or importing untrusted setuid binary files. All these options are available in all Oracle Solaris file systems.

public

This option forces the use of the public file handle when contacting the NFS server. If the public file handle is supported by the server, the mounting operation is faster because the MOUNT protocol is not used. Also, because the MOUNT protocol is not used, the public option allows mounting to occur through a firewall.

rw|ro

The –rw and –ro options indicate whether a file system is to be mounted read-write or read-only. The default is read-write, which is the appropriate option for remote home directories, mail-spooling directories, or other file systems that need to be changed by users. The read-only option is appropriate for directories that should not be changed by users. For example, shared copies of the man pages should not be writable by users.

sec=mode

You can use this option to specify the authentication mechanism to be used during the mount transaction. The available values for mode are:

• krb5 for Kerberos Version 5 authentication service

• krb5i for Kerberos Version 5 with integrity

• krb5p for Kerberos Version 5 with privacy

• none for no authentication

• dh for Diffie-Hellman (DH) authentication

• sys for standard UNIX authentication

The modes are also defined in /etc/nfssec.conf.

soft|hard

An NFS file system that is mounted with the –soft option returns an error if the server does not respond. The –hard option causes the mount to continue to retry until the server responds. The default is –hard, which should be used for most file systems. Applications frequently do not check return values from –soft-mounted file systems, which can make the application fail or can lead to corrupted files. If the application does check the return values, routing problems and other conditions can still confuse the application or lead to file corruption. In most situations, the –soft option should not be used. If a file system is mounted by using the –hard option and becomes unavailable, an application that uses this file system hangs until the file system becomes available.

Using the mount Command

The following examples show different scenario:

• In NFS Version 2 or NFS Version 3, both of the following commands mount an NFS file system from the server bee read-only.

  $ mount -F nfs -r bee:/export/share/man /usr/man

  $ mount -F nfs -o ro bee:/export/share/man /usr/man

  In NFS Version 4, the following command line would accomplish the same mount.

  $ mount -F nfs -o vers=4 -r bee:/export/share/man /usr/man

• In NFS Version 2 or NFS Version 3, the –O option in the following command forces the man pages from the server bee to be mounted on the local system even if /usr/man has already been mounted.

  $ mount -F nfs -O bee:/export/share/man /usr/man

  In NFS Version 4, the following command would accomplish the same mount:

  $ mount -F nfs -o vers=4 -O bee:/export/share/man /usr/man

• In NFS Version 2 or NFS Version 3, the following command uses client failover.

  $ mount -F nfs -r bee,wasp:/export/share/man /usr/man

  In NFS Version 4, the following command uses client failover.

  $ mount -F nfs -o vers=4 -r bee,wasp:/export/share/man /usr/man

  ---

  Note -  When used from the command line, the listed servers must support the same version of the NFS protocol. Do not use both NFS Version 2 and NFS Version 3 servers when running mount from the command line. You can use both servers with autofs because autofs automatically selects the best subset of NFS Version 2 or NFS Version 3 servers.

  ---

• The following example shows how to use an NFS URL with the mount command in NFS Version 2 or NFS Version 3.

  $ mount -F nfs nfs://bee//export/share/man /usr/man

  The following example shows how to use an NFS URL with the mount command in NFS Version 4.

  $ mount -F nfs -o vers=4 nfs://bee//export/share/man /usr/man

• The following example shows how to use the quota mount option to enable the user to check the file system disk quota and usage.

  $ mount -F nfs -o quota bee:/export/share/man /usr/man

• The following example shows how to use the –forcedirectio mount option to enable the client to permit concurrent writes, as well as concurrent reads and writes, to a file.

  $ mount -F nfs -o forcedirectio bee:/home/somebody /mnt

  In this example, the command mounts an NFS file system from the server bee and enables concurrent reads and writes for each file in the directory /mnt. When support for concurrent reads and writes is enabled, the following occurs.

  • The client permits applications to write to a file in parallel.

  • Caching is disabled on the client. Consequently, data from reads and writes is kept on the server. More explicitly, because the client does not cache the data that is read or written, any data that the application does not already have cached for itself is read from the server. The client's operating system does not have a copy of this data. Normally, the NFS client caches data in the kernel for applications to use.

    Because caching is disabled on the client, the read-ahead and write-behind processes are disabled. A read-ahead process occurs when the kernel anticipates the data that an application might request next. The kernel then starts the process of gathering that data in advance. The kernel's goal is to have the data ready before the application makes a request for the data.

    The client uses the write-behind process to increase write throughput. Instead of immediately starting an I/O operation every time an application writes data to a file, the data is cached in memory. Later, the data is written to the disk.

    Potentially, the write-behind process permits the data to be written in larger chunks or to be written asynchronously from the application. Typically, the result of using larger chunks is increased throughput. Asynchronous writes permit overlap between application processing and I/O processing. Also, asynchronous writes permit the storage subsystem to optimize the I/O by providing a better sequencing of the I/O. Synchronous writes force a sequence of I/O on the storage subsystem that might not be optimal.

  • Significant performance degradation can occur if the application is not prepared to handle the semantics of data that is not being cached. Multithreaded applications avoid this problem.

  ---

  Note -  If support for concurrent writes is not enabled, all write requests are serialized. When a write request is in progress, a second write request has to wait for the first write request to be completed before proceeding.

  ---

• The following example shows how to use the mount command with no arguments to display file systems that are mounted on a client.

  $ mount
  / on /dev/dsk/c0t3d0s0 read/write/setuid on Wed Apr 7 13:20:47 2004
  /usr on /dev/dsk/c0t3d0s6 read/write/setuid on Wed Apr 7 13:20:47 20041995
  /proc on /proc read/write/setuid on Wed Apr 7 13:20:47 2004
  /dev/fd on fd read/write/setuid on Wed Apr 7 13:20:47 2004
  /tmp on swap read/write on Wed Apr 7 13:20:51 2004
  /opt on /dev/dsk/c0t3d0s5 setuid/read/write on Wed Apr 7 13:20:51 20041995
  /home/kathys on bee:/export/home/bee7/kathys              
    intr/noquota/nosuid/remote on Wed Apr 24 13:22:13 2004

umount Command

The umount command enables you to remove a remote file system that is currently mounted. You can use the following options with the umount command:

–V

Enables testing

–a

Unmounts several file systems at one time. If mount-points are included with the –a option, those file systems are unmounted. If no mount points are included, an attempt is made to unmount all file systems that are listed in /etc/mnttab except for the "required" file systems, such as /, /usr, /var, /proc, /dev/fd, and /tmp. Because the file system is already mounted and should have an entry in /etc/mnttab, you do not need to include a flag for the file system type.

–f

Forces a busy file system to be unmounted. You can use this option to unhang a client that is hung while trying to mount an unmountable file system.

Example 8  Unmounting a File System

The following example unmounts a file system that is mounted on /usr/man:

$ umount /usr/man

Example 9  Using Options with umount

The following example displays the results of running umount –a -V:

$ umount -a -V
umount /home/kathys
umount /opt
umount /home
umount /net

Note that this command does not actually unmount the file systems.

mountall Command

Use the mountall command to mount all file systems or a specific group of file systems that are listed in a file system table. The command provides the following options:

–F FSType

Selects the file system type to be accessed

–r

Selects all the remote file systems that are listed in a file system table

–l

Selects all the local file systems

Because all file systems that are labeled as NFS file system type are remote file systems, some of these options are redundant. For more information, see the mountall(1M) man page.

The following two examples of user input are equivalent:

$ mountall -F nfs

$ mountall -F nfs -r

umountall Command

Use the umountall command to unmount a group of file systems. You can use the following options with the umountall command:

–k

Runs the fuser –k mount-point command to kill any processes that are associated with the mount-point

–s

Indicates that unmount is not to be performed in parallel

–l

Specifies that only local file systems are to be used

–r

Specifies that only remote file systems are to be used

–h host

Specifies that all file systems from the named host should be unmounted. You cannot combine the –h option with –l or –r.

The following example unmounts all file systems that are mounted from remote hosts:

$ umountall -r

The following example unmounts all file systems that are currently mounted from the server bee:

$ umountall -h bee

sharectl Command

This release includes the sharectl utility, which is an administrative tool that enables you to configure and manage file-sharing protocols such as NFS. You can use this command to do the following:

• Set client and server operational properties

• Display property values for a specific protocol

• Obtain the status of a protocol

The sharectl utility uses the following syntax:

$ sharectl subcommand [option] [protocol]

The sharectl utility supports the following subcommands:

set

Defines the properties for a file-sharing protocol. For a list of properties and property values, see the parameters described in the nfs(4) man page.

get

Displays the properties and property values for the specified protocol.

status

Displays whether the specified protocol is enabled or disabled. If no protocol is specified, the status of all file-sharing protocols is displayed.

For more information about the sharectl utility, see the following:

• sharectl(1M) man page

• set Subcommand

• get Subcommand

• status Subcommand

set Subcommand

The set subcommand, which defines the properties for a file-sharing protocol, supports the following options:

–h

Provides an online-help description

–p

Defines a property for the protocol

The set subcommand uses the following syntax:

$ sharectl set [-h] [-p property=value] protocol

You must have root privileges to use the set subcommand.

You do not need to repeat this command for each additional property value. You can use the –p option multiple times to define multiple properties in the same command.

The following example sets the minimum version of the NFS protocol for the client to 3:

$ sharectl set -p client_versmin=3 nfs

The following example shows how to require clients to use reserved ports for NFS calls for all file systems shared with AUTH_SYS:

$ sharectl set -p resvport=on nfs

get Subcommand

The get subcommand, which displays the properties and property values for the specified protocol, supports the following options:

–h

Provides an online-help description.

–p

Identifies the property value for the specified property. If the –p option is not used, all property values are displayed.

The get subcommand uses the following syntax:

$ sharectl get [-h] [-p property] protocol

You must have root privileges to use the get subcommand.

The following example uses servers, which is the property that enables you to specify the maximum number of concurrent NFS requests:

$ sharectl get -p servers nfs
servers=1024

In the following example, because the –p option is not used, all property values are displayed:

$ sharectl get nfs
servers=1024
listen_backlog=32
protocol=ALL
servers=32
lockd_listen_backlog=32
lockd_servers=20
lockd_retransmit_timeout=5
grace_period=90
nfsmapid_domain=example.com
server_versmin=2
server_versmax=4
client_versmin=2
client_versmax=4
server_delegation=on
max_connections=-1
device=

status Subcommand

The status subcommand displays whether the specified protocol is enabled or disabled. It supports the –h option, which provides an online-help description.

The status subcommand uses the following syntax:

$ sharectl status [-h] [protocol]

The following example shows the status of the NFS protocol:

$ sharectl status nfs
nfs	   enabled

share Command

Use the share command to make a local file system on an NFS server available for mounting. You can also use the share command to display a list of the file systems on your system that are currently shared. The NFS server must be running for the share command to work.

The objects that can be shared include any directory tree. However, each file system hierarchy is limited by the disk slice or partition that the file system is located on.

A file system cannot be shared if that file system is part of a larger file system that is already being shared. For example, if /usr and /usr/local are on one disk slice, /usr can be shared or /usr/local can be shared. However, if both directories need to be shared with different share options, /usr/local must be moved to a separate disk slice.

You can gain access to a file system that is read-only shared through the file handle of a file system that is read-write shared. However, the two file systems have to be on the same disk slice. To create a more secure situation, place those file systems that need to be read-write on a separate partition or separate disk slice from the file systems that you need to share as read-only.

share Options

Some of the options that you can include with the –o flag are as follows:

rw|ro

The pathname file system is shared read-write or read-only for all clients.

rw=access-list

The file system is shared read-write for the clients that are listed only. All other requests are denied. See Setting Access Lists With the share Command for more information. You can use this option to override an –ro option.

NFS-Specific share Options

The options that you can use with NFS file systems include the following:

aclok

This option enables an NFS server that supports the NFS Version 2 protocol to be configured to do access control for NFS Version 2 clients. Without this option, all clients are given minimal access. With this option, the clients have maximal access. For instance, on file systems that are shared with the aclok option, if anyone has read permissions, everyone does. However, without this option, you can deny access to a client who should have access permissions. A decision to permit too much access or too little access depends on the security systems already in place. See Using Access Control Lists to Protect UFS Files in Securing Files and Verifying File Integrity in Oracle Solaris 11.3 for more information about access control lists (ACLs).

---

Note -  To use ACLs, ensure that clients and servers run software that supports the NFS Version 3 and NFS_ACL protocols. If the software only supports the NFS Version 3 protocol, clients obtain correct access but cannot manipulate the ACLs. If the software supports the NFS_ACL protocol, the clients obtain correct access and can manipulate the ACLs.

---

anon=uid

You use anon to select the user ID of unauthenticated users. If you set anon to -1, the server denies access to unauthenticated users. Because granting root access by setting anon=0 allows unauthenticated users to have root access, use the root option instead.

index=filename

When a user accesses an NFS URL, the index=filename option forces the HTML file to load instead of displaying a list of the directory. This option mimics the action of current browsers if an index.html file is found in the directory that the HTTP URL is accessing. This option is the equivalent of setting the DirectoryIndex option for httpd. For instance, suppose that share command reports the following:

export_web /export/web   nfs sec=sys,public,index=index.html,ro

These URLs then display the same information:

nfs://server/dir
nfs://server/dir/index.html
nfs://server//export/web/dir
nfs://server//export/web/dir/index.html
http://server/dir
http://server/dir/index.html

log=tag

This option specifies the tag in /etc/nfs/nfslog.conf that contains the NFS server logging configuration information for a file system. This option must be selected to enable NFS server logging.

nosuid

This option signals that all attempts to enable the setuid or setgid mode should be ignored. NFS clients cannot create files with the setuid or setgid bits on.

public

The public option has been added to the share command to enable WebNFS browsing. Only one file system on a server can be shared with this option.

root=access-list

The server gives root access to the hosts in the list. By default, the server does not give root access to any remote hosts. If the selected security mode is anything other than sec=sys, you can only include client host names in the list. See Setting Access Lists With the share Command for more information.

---

Caution  -  Granting root access to other hosts has wide security implications. Use the –root= option with extreme caution.

---

root=client-name

The client-name value is used with AUTH_SYS authentication to check the client's IP address against a list of addresses provided by exportfs(1B). If a match is found, root access is given to the file systems being shared.

root=hostname

For secure NFS modes such as AUTH_SYS or RPCSEC_GSS, the server checks the clients' principal names against a list of host-based principal names that are derived from an access list. The generic syntax for the client's principal name is root@hostname. For Kerberos V, the syntax is root/hostname.fully.qualified@REALM. When you use the hostname value, the clients on the access list must have the credentials for a principal name. For Kerberos V, the client must have a valid keytab entry for its root/hostname.fully.qualified@REALM principal name. For more information, see Configuring Kerberos Clients in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.3.

sec=mode[:mode]

This option sets the security modes that are needed to obtain access to the file system. By default, the security mode is UNIX authentication. You can specify multiple modes, but use each security mode only once per command line. Each sec= option applies to any subsequent rw, ro, rw=, ro=, root=, and window= options until another sec= is encountered. The use of –sec=none maps all users to user nobody.

window=value

value selects the maximum lifetime in seconds of a credential on the NFS server. The default value is 30000 seconds or 8.3 hours.

resvport

This option enforces the use of reserved port for individual file systems.

The following example shows how to require the client to use reserved port for an NFS share that is shared with AUTH_SYS:

$ share -F NFS -o resvport=on /usr/src

Setting Access Lists With the share Command

The access list that you provide with the share command can include a domain name, a subnet number, or an entry to deny access, as well as the standard –ro=, –rw=, or –root= options. These extensions should simplify file access control on a single server without having to change the namespace or maintain long lists of clients.

The following example provides read-only access for most systems but allows read-write access for rose and lilac:

$ share -F nfs -o ro,rw=rose:lilac /usr/src

The following example assigns read-only access to any host in the eng netgroup. The client rose is specifically given read-write access.

$ share -F nfs -o ro=eng,rw=rose /usr/src

To share one file system with multiple clients, you must type all options on the same line. If you issue multiple invocations of the share command on the same object, only the last command that is run is applied. The following example enables read-write access to three client systems, but only rose and tulip are given access to the file system as root.

$ share -F nfs -o rw=rose:lilac:tulip,root=rose:tulip /usr/src

When sharing a file system that uses multiple authentication mechanisms, ensure that you include the –ro, –ro=, –rw, –rw=, –root, and –window options after the correct security modes. In this example, UNIX authentication is selected for all hosts in the netgroup that is named eng. These hosts can mount the file system only in read-only mode. The hosts tulip and lilac can mount the file system read-write if these hosts use Diffie-Hellman authentication. With these options, tulip and lilac can mount the file system read-only even if these hosts are not using DH authentication. However, the host names must be listed in the eng netgroup.

$ share -F nfs -o sec=dh,rw=tulip:lilac,sec=sys,ro=eng /usr/src

Even though UNIX authentication is the default security mode, UNIX authentication is not included if the –sec option is used. Therefore, you must include a –sec=sys option if UNIX authentication is to be used with any other authentication mechanism.

You can use a DNS domain name in the access list by preceding the actual domain name with a dot. The string that follows the dot is a domain name, not a fully qualified host name. The following example allows mount access to all hosts in the eng.example.com domain:

$ share -F nfs -o ro=.:.eng.example.com /export/share/man

In this example, the single dot matches all hosts that are matched through the NIS namespace. The results that are returned from these name services do not include the domain name. The .eng.example.com entry matches all hosts that use DNS for namespace resolution. Because DNS always returns a fully qualified host name, the longer entry is required if you use a combination of DNS and the other namespaces.

You can use a subnet number in an access list by preceding the actual network number or the network name with an at (@) sign. This character differentiates the network name from a netgroup or a fully qualified host name. You must identify the subnet in either /etc/networks or in an NIS namespace. The following entries have the same effect if the 192.0.2 subnet has been identified as the eng network:

$ share -F nfs -o ro=@eng /export/share/man
$ share -F nfs -o ro=@192.0.2 /export/share/man
$ share -F nfs -o ro=@192.0.2.0 /export/share/man

The last two entries show that you do not need to include the full network address.

If the network prefix is not byte aligned, as with Classless Inter-Domain Routing (CIDR), the mask length can be explicitly specified on the command line. The mask length is defined by following either the network name or the network number with a slash and the number of significant bits in the prefix of the address. For example:

$ share -f nfs -o ro=@eng/23 /export/share/man
$ share -F nfs -o ro=@192.0.2/23 /export/share/man

In these examples, the /23 indicates that the first 23 bits in the address are to be used as the mask. For additional information about CIDR, see RFC 1519.

You can also select negative access by placing a - before the entry. Note that the entries are read from left to right. Therefore, you must place the negative access entries before the entry that the negative access entries apply to:

$ share -F nfs -o ro=-rose:.eng.example.com /export/share/man

This example would allow access to any hosts in the eng.example.com domain except the host that is named rose.

unshare Command

The unshare command enables you to make a previously available file system unavailable for mounting by clients. When you unshare an NFS file system, access from clients with existing mounts is inhibited. The file system might still be mounted on the client but the files are not accessible. The unshare command deletes the share permanently unless the –t option is used to temporarily unshare the file system.

The following example unshares the file system /usr/src:

$ unshare /usr/src

shareall Command

The shareall command enables the sharing of multiple file systems. When used with no options, the command shares all entries in the SMF repository. You can include a file name to specify the name of a file that lists share command lines.

The following example shares all file systems that are listed in a local file:

$ shareall /etc/dfs/special_dfstab

unshareall Command

The unshareall command makes all currently shared resources unavailable. The –F FSType option selects a list of file system types that are defined in /etc/dfs/fstypes. This flag enables you to choose only certain types of file systems to be unshared. The default file system type is defined in /etc/dfs/fstypes. To choose specific file systems, use the unshare command.

The following example unshares all NFS-type file systems:

$ unshareall -F nfs

showmount Command

Use the showmount command to display the following information:

• All clients that have remotely mounted file systems that are shared from an NFS server

• Only the file systems that are mounted by clients

• Shared file systems with client access information

The command syntax is as follows:

showmount [-ade] [hostname]

–a

Prints a list of all the remote mounts. Each entry includes the client name and the directory.

–d

Prints a list of the directories that are remotely mounted by clients.

–e

Prints a list of the files that are shared or are exported.

hostname

Selects the NFS server to gather the information from.

If hostname is not specified, the local host is queried.

The following example lists all clients and the local directories that the clients have mounted:

$ showmount -a bee
lilac:/export/share/man
lilac:/usr/src
rose:/usr/src
tulip:/export/share/man

The following example lists the directories that have been mounted:

$ showmount -d bee
/export/share/man
/usr/src

The following example lists file systems that have been shared:

$ showmount -e bee
/usr/src								(everyone)
/export/share/man					eng

The nfs_props/showmount_info property of the /network/nfs/server:default service controls how much information is displayed to a client by the showmount command. The default value is full. If this value is set to none then the client will see only those remote file systems on the server that the client can mount. No information about other clients is displayed. See Example 5, Restricting File System Information Displayed to Clients for an example of how to change this property.

nfsref Command

Use the nfsref command to add, delete, or list NFSv4 referrals. The command syntax is as follows:

nfsref add path location [location...]
nfsref remove path
nfsref lookup path

path

Determines the name for the reparse point.

location

Identifies one or more NFS or SMB shared file systems to be associated with the reparse point.