18 Introducing Network File System (NFS)

NFS protocol is a widely used file system protocol to access storage across network.


Oracle objects exported through OFS server can be accessed by NFS clients by mounting them on the client machines


18.1 Prerequisites to Access Storage Through NFS Server

The prerequisites to access storage through NFS server are as follows:

  • DBFS file system must be created before using OFS.

  • You should be able to mount the file systems exported by the database.

  • NFS server must be configured with KERNEL module.


    The KERNEL module is supported through FUSE driver for Linux.

18.2 NFS Security

Starting from Oracle Database 12c Release 2 (, OFS will use the OS authentication model to authorize NFS client users. If the user is accessing a local node (where the Oracle instance is running), the access to each file in the file system is controlled through Unix Access Control List set for each object. On Linux, OFS uses FUSE to receive file system requests from the OS kernel or NFS client. This requires user_allow_other parameter to be set in /etc/fuse.conf configuration file if an OS user other than the root user and oracle user need to access the file system.


Users can also be configured with an Oracle password to log into Oracle client tools like SQL* Plus to execute SQL's.

If the network is not secure, the customer is advised to setup Kerberos to authenticate the user using OS NFS.


  • The Kerberos authentication is available from NFS version 4 onwards. If the OFS is exported via NFS version 3, the authentication is performed using AUTH_SYS.

  • For local node, the authentication is performed using AUTH_SYS irrespective of how the OFS is exported (NFS version 3 or NFS version 4).

This section contains the following topic:

18.2.1 Kerberos

Kerberos is the widely used security mechanism that provides all three flavors of security:

  • Authentication

  • Integrity check

  • Privacy

Kerberos uses encryption technology, Key Distribution Center(KDC), and an arbitrator to perform secure authentication on open networks. Kerberos Infrastructure consists of Kerberos software, secured authentication servers, centralized account and password store, and systems configured to authenticate through the Kerberos protocol. The OS NFS server handles the complete authentication and integrity checks by using kerberos principal name as the user name. Once the authentication is performed, the requests passed to the Oracle kernel are handled based on the user name passed through the VFS I/O request.

Topics: Configuring Kerberos Server in Linux

The steps to configure Kerberos server in a Linux system is as follows:

  1. Install Kerberos software in the Linux system.

  2. Check if the daemons are running using the following commands.
    # /sbin/chkconfig krb5kdc on
    # /sbin/chkconfig kadmin on
  3. If the daemons are not running use the following commands to start the daemons manually:
    # /etc/rc.d/init.d/krb5kdc start
    # /etc/rc.d/init.d/kadmin start
  4. Add user principal using the kadmin.local command.

    kadmin.local: addprinc <scott>