Oracle® ZFS Storage Appliance Administration Guide, Release OS8.7.0


Updated: July 2017

NFS Protocol

NFS Protocol Properties

Each share has protocol-specific properties that define the behavior of different protocols for that share. These properties can be defined for each share or inherited from a share's project. The following table shows NFS protocol properties and possible values.

Table 115  NFS Protocol Properties

  Share mode
    CLI value(s): off/rw/ro
    Property type: Inherited
    Description: Determines whether the share is available for reading only, for reading and writing, or neither. See Share and Project Protocols.

  Disable setuid/setgid file creation
    CLI value(s): nosuid
    Property type: Inherited
    Description: If selected, clients will not be able to create files with the setuid (S_ISUID) and setgid (S_ISGID) bits set, nor enable these bits on existing files via the chmod(2) system call.

  Prevent clients from mounting subdirectories
    CLI value(s): nosub
    Property type: Inherited
    Description: If selected, clients will be prevented from directly mounting subdirectories. They will be forced to mount the root of the share. Note: This only applies to the NFSv2 and NFSv3 protocols, not to NFSv4.0 or NFSv4.1.

  Anonymous user mapping
    CLI value(s): anon
    Property type: Inherited
    Description: Unless the "root" option is in effect for a particular client, the root user on that client is treated as an unknown user, and all attempts by that user to access the sharer's files will be treated as attempts by a user with this uid. The file's access bits and ACLs will then be evaluated normally.

  Character set
    CLI value(s): See Character Set Encodings for possible values.
    Property type: Inherited
    Description: Sets the character set default for all clients.

  Security mode
    CLI value(s): sec= (see Security Modes for a list of possible values)
    Property type: Inherited
    Description: Sets the security mode for all clients.

  Enforce reserved ports for system authentication
    CLI value(s): resvport
    Property type: Inherited
    Description: When set on a share or project in conjunction with the system authentication security mode, requires NFS clients to use low-numbered ("reserved") TCP ports. Some NFS clients, such as Oracle Solaris and Linux, use low-numbered TCP ports by default. Other clients, such as Windows, may require configuration.

NFS Share Mode Exceptions

Exceptions to the global sharing mode may be defined for clients or collections of clients by setting client-specific share modes or exceptions. To restrict access to certain clients, set the global sharing mode to none and increasingly grant access to smaller and smaller groups. For example, you could create a share with the global sharing mode set to none, which denies access to all clients, and then grant read-only access to a subset of the clients. Further, you could grant read/write access to an even smaller subset of the clients and, finally, only trusted hosts might have read/write and root-enabled access.

Client-specific share modes take precedence over the global share mode. A client is granted access according to the client-specific share mode that is specified in an exception. In the absence of exceptions, the client is granted access according to the global share mode.

Table 116  Client Types

  Host (FQDN) or Netgroup
    CLI prefix: none
    Description: A single client whose IP address resolves to the specified fully qualified name, or a netgroup containing fully qualified names to which a client's IP address resolves.
    Example: caji.sf.example.com

  DNS Domain
    CLI prefix: .
    Description: All clients whose IP addresses resolve to a fully qualified name ending in this suffix.
    Example: sf.example.com

  IPv4 Subnet
    CLI prefix: @
    Description: All clients whose IP addresses are within the specified IPv4 subnet, expressed in CIDR notation.
    Example: 192.0.2.254/22

  IPv6 Subnet
    CLI prefix: @
    Description: All clients whose IP addresses are within the specified IPv6 subnet, expressed in CIDR notation.
    Example: 2001:db8:410:d43::/64

For each client or collection of clients, you specify whether the client has read-only or read-write access to the share. If you are setting an NFS exception, you also specify whether the client has root user privileges or is treated as a user without root access.

Managing Netgroups

Netgroups can be used to control access for NFS exports. However, managing netgroups can be complex. Consider using IP subnet rules or DNS domain rules instead.

If netgroups are used, they will be resolved from NIS or LDAP, depending on which service is enabled. If LDAP is used, each netgroup must be located at the default location, ou=Netgroup,(Base DN), and must use the standard schema.

The username component of a netgroup entry typically has no effect on NFS; only the hostname is significant. Hostnames contained in netgroups must be canonical and, if resolved using DNS, fully qualified. That is, the NFS subsystem will attempt to verify that the IP address of the requesting client resolves to a canonical hostname that matches either the specified FQDN, or one of the members of one of the specified netgroups. This match must be exact, including any domain components; otherwise, the exception will not match and the next exception will be tried. For more information on hostname resolution, see DNS.

As of the 2013.1.0 software release, UNIX client users may belong to a maximum of 1024 groups without any performance degradation. Prior releases supported up to 16 groups per UNIX client user.

NFS Share Modes and Exception Options

In the CLI, all NFS share modes and exceptions are specified using a single options string for the sharenfs property. This string is a comma-separated list of values. It should begin with one of ro, rw, on, or off, as an analogue to the global share modes described for the BUI.

Table 117  NFS Share Mode Values (BUI and CLI)

  BUI share mode: None
    CLI value: off
      Description: Share mode is disabled.
      Example: sharesmb=off
    CLI value: on
      Description: The share name is the dataset name and is available for reading and writing or reading only if the rw or ro NFS exceptions are defined. For all other clients, share mode is disabled.
      Example: sharesmb="on,ro=sf.example.com"
    CLI value: <resource name>
      Description: The share name is the resource name and is available for reading and writing or reading only if the rw or ro NFS exceptions are defined. For all other clients, share mode is disabled.
      Example: sharesmb="myshare,ro=sf.example.com"

  BUI share mode: Read/write
    CLI value: on
      Description: The share name is the dataset name and is available for reading and writing for all clients if there are no NFS exceptions.
      Example: sharesmb=on
    CLI value: rw
      Description: The share name is the dataset name and is available for reading and writing for all clients except those for which the ro exception is defined.
      Example: sharesmb=rw or sharesmb="rw,ro=sf.example.com"
    CLI value: <resource name>
      Description: The share name is the resource name and is available for reading and writing for all clients if there are no NFS exceptions.
      Example: sharesmb=myshare
    CLI value: <resource name>,rw
      Description: The share name is the resource name and is available for reading and writing for all clients except those for which the ro exception is defined. NFS exceptions may or may not be defined.
      Example: sharesmb="myshare,rw" or sharesmb="myshare,rw,ro=sf.example.com"

  BUI share mode: Read only
    CLI value: ro
      Description: The share name is the dataset name and is available for reading only for all hosts except those for which the rw exception is defined.
      Example: sharesmb="ro,rw=sf.example.com"
    CLI value: <resource name>,ro
      Description: The share name is the resource name and is available for reading only for all clients except those for which the rw exception is defined. NFS exceptions may or may not be defined.
      Example: sharesmb="myshare,ro" or sharesmb="myshare,ro,rw=sf.example.com"

The following example sets the share mode for all clients to read-only. The root users on all clients will access the files on the share as if they were the generic "nobody" user.

set sharenfs=ro

Either or both of the nosuid and anon options can also be appended. Therefore, to define the mapping of all unknown users to the uid 153762, you might specify the following:

set sharenfs="ro,anon=153762"

Note -  CLI property values that contain the "=" character must be quoted.

Additional NFS exceptions can be specified by appending text of the form "option=collection", where "option" is one of ro, rw, or root, defining the type of access to be granted to the client collection. The collection is specified by the prefix character from the Client Types table and either a DNS hostname/domain name or CIDR network number. For example, to grant read-write access to all hosts in the sf.example.com domain and root access to those in the 192.168.44.0/24 network, you might use:

set sharenfs="ro,anon=153762,rw=.sf.example.com,root=@192.168.44.0/24"

Note -  This example only applies to NFS exceptions.

Netgroup names can be used anywhere an individual fully qualified hostname can be used. For example, you can permit read-write access to the "engineering" netgroup as follows:

set sharenfs="ro,rw=engineering"
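The following Python is an added illustration, not appliance code, of how the share-mode exceptions in this section resolve for a given client: the sharenfs options string is split into its global mode, flags and option=collection exceptions; each collection is matched with the Client Types prefixes (bare FQDN or netgroup name, "." for a DNS domain suffix, "@" for an IPv4 or IPv6 CIDR subnet); and a matching exception takes precedence over the global mode, with the root user mapped to the anon uid unless a root= exception matches. The netgroup membership map is a constructed stand-in for what the appliance resolves from NIS or LDAP, and exceptions are tried in order with the first matching ro/rw exception deciding access.

```python
import ipaddress

GLOBAL_MODES = ("ro", "rw", "on", "off")    # global share modes (Table 117)
ACCESS_OPTS = ("ro", "rw", "root")          # exception options that take a client collection

def parse_sharenfs(opts):
    """Split a sharenfs options string into (global_mode, flags, [(option, collection)])."""
    mode, flags, exceptions = None, {}, []
    for item in opts.split(","):
        key, _, value = item.partition("=")
        if key in GLOBAL_MODES and not value:
            mode = key                       # bare ro/rw/on/off: the global share mode
        elif key in ACCESS_OPTS:
            exceptions.append((key, value))  # e.g. ("root", "@192.168.44.0/24")
        else:
            flags[key] = value               # nosuid, anon=<uid>, sec=<mode>, resvport, ...
    if mode is None:
        raise ValueError("options string must contain one of ro, rw, on or off")
    return mode, flags, exceptions

def matches(collection, client_ip, client_fqdn, netgroups):
    """True if the client falls in a collection, using the Table 116 prefixes."""
    fqdn = client_fqdn.lower()
    if collection.startswith("@"):           # IPv4 or IPv6 subnet in CIDR notation
        net = ipaddress.ip_network(collection[1:], strict=False)
        return ipaddress.ip_address(client_ip) in net
    if collection.startswith("."):           # DNS domain: the FQDN must end in this suffix
        return fqdn.endswith(collection.lower())
    # Bare name: exact canonical FQDN, or a netgroup whose members are canonical FQDNs
    return fqdn == collection.lower() or fqdn in netgroups.get(collection, ())

def effective_access(opts, client_ip, client_fqdn, netgroups=None):
    """Return (access, root_allowed, anon_uid) for one client against one share."""
    mode, flags, exceptions = parse_sharenfs(opts)
    access, root = None, False
    for opt, coll in exceptions:             # tried in order; the first ro/rw hit wins
        if not matches(coll, client_ip, client_fqdn, netgroups or {}):
            continue
        if opt == "root":
            root = True
        elif access is None:
            access = opt
    if access is None:                       # no exception matched: fall back to the global mode
        if mode == "on":                     # Table 117: rw for all only when no ro/rw exceptions
            access = "rw" if all(o == "root" for o, _ in exceptions) else "none"
        else:
            access = "none" if mode == "off" else mode
    # root stays mapped to the anonymous uid ("nobody" by default) unless a root= exception hit
    return access, root and access != "none", flags.get("anon", "nobody")
```

The `strict=False` on the subnet parse matters because the Client Types example 192.0.2.254/22 is a host address inside the prefix, not the network address itself.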

NFS Protocol Character Set Encodings

Normally, the character set encoding used for filenames is unspecified. The NFSv3 and NFSv2 protocols do not specify the character set. NFSv4.0 and NFSv4.1 are supposed to use UTF-8, but not all clients do, and this restriction is not enforced by the server. If the UTF-8 only option is disabled for a share, these filenames are written verbatim to the filesystem without any knowledge of their encoding. This means that they can only be interpreted by clients using the same encoding. SMB, however, requires filenames to be stored as UTF-8 so that they can be interpreted on the server side. This makes it impossible to support arbitrary client encodings while still permitting access over SMB.

In order to support such configurations, the character set encoding can be set share-wide or on a per-client basis. The following character set encodings are supported:

cp932
euc-tw
iso8859-7
koi8-r
euc-cn
iso8859-1
iso8859-8
shift_jis
euc-jp
iso8859-2
iso8859-9
euc-jpms
iso8859-5
iso8859-13
euc-kr
iso8859-6
iso8859-15

The default behavior is to leave the character set encoding unspecified (pass-through). The BUI allows the character set to be chosen through the standard exception list mechanism. In the CLI, each character set itself becomes an option with one or more hosts, with '*' indicating the share-wide setting. For example, the following command shares the filesystem with 'euc-kr' as the default encoding:

hostname:shares default> set sharenfs="rw,euc-kr=*"

The following command uses the default encoding for all clients except 'host1' and 'host2', which will use 'euc-kr' and 'euc-jp', respectively:

hostname:shares default> set sharenfs="rw,euc-kr=host1.domain.com,euc-jp=host2.domain.com"

The format of the host lists follows that of other CLI NFS options.

Note that some NFS clients do not correctly support alternate locales; consult your NFS client documentation for details.

NFS Protocol Security Modes

Security modes are set on a per-share basis. The following list describes the Kerberos security settings:

  • krb5 - End-user authentication through Kerberos V5

  • krb5i - krb5 plus integrity protection (data packets are tamper proof)

  • krb5p - krb5i plus privacy protection (data packets are tamper proof and encrypted)

Security modes are specified by appending text in the form "option=mode" where option is sec and mode is the security setting. For example:

hostname:shares default> set sharenfs="sec=krb5"

Note -  CLI property values that contain the "=" character must be quoted.

Combinations of Kerberos types can be specified in the security mode setting. The combination security modes let clients mount with any Kerberos type listed, as shown in the following table.

Table 118  Combinations of Kerberos types

  Setting            Description
  sys                System Authentication
  krb5               Kerberos v5 only - Clients must mount using this flavor.
  krb5:krb5i         Kerberos v5, with integrity - Clients may mount using any flavor listed.
  krb5i              Kerberos v5 integrity only - Clients must mount using this flavor.
  krb5:krb5i:krb5p   Kerberos v5, with integrity or privacy - Clients may mount using any flavor listed.
  krb5p              Kerberos v5 privacy only - Clients may mount using this flavor.

Reserved Ports

To set reserved ports for system authentication, use resvport as shown in this example:

set sharenfs="sec=sys,rw,resvport"

Note that resvport can only be used with the system authentication security mode sec=sys.