Connect to NFSServer on Linux and macOS


Introduction

The NFSServer component is compatible with any NFS client-side implementation that supports NFSv4.0. In this guide, we will show how to connect to the server-side component using an NFS client hosted on both Linux (Ubuntu 24.04) and macOS (Big Sur 11.7.10).

NFSServer Configuration

In this guide, all parties are located in the common domain example.com. The machine hosting the NFSServer component will be named nfs-server.example.com. The client-side machine will be named nfs-client.example.com.

For sections regarding Kerberos authentication, the machine hosting the KDC will be named kdc.example.com. Additionally, it is assumed the server has been set up according to the guide here.

On all systems, the hosts file (/etc/hosts) contains an entry for each machine, pointing to its IP address, so that forward name resolution works even without DNS. This matters for the Kerberos sections: service principals are tied to the fully qualified hostname, so a name that resolves differently on the client and the KDC will cause ticket requests to fail. Assuming all of the noted steps are taken care of, the NFSServer will be configured as follows:

// For system authentication sections
component.SecurityMechanism = "sys";
component.StartListening();

// For kerberos authentication sections
component.SecurityMechanism = "krb5,krb5i,krb5p";
component.KeytabFile = "C:\keytabs\server.keytab";
component.StartListening();

Linux

First, it is assumed that the relevant NFS client-side packages are installed on the system. For Ubuntu 24.04, this involves installing the nfs-common package. If the server supports Kerberos, this would also involve installing the krb5-user and sssd-krb5 packages. Kerberos mounts additionally require the rpc.gssd daemon (shipped with nfs-common, started as the rpc-gssd service) to be running on the client, since it is the process that obtains the machine credential from /etc/krb5.keytab on behalf of the kernel NFS client.

System Authentication

Connecting to the NFSServer component is straightforward with only system authentication enabled. Assuming you wish to mount the local directory /mnt/mynfs, you can simply connect to the component using the following command:

sudo mount -o 'vers=4,minorversion=0,port=2049' nfs-server.example.com:/ /mnt/mynfs

Note: This will mount the root directory on the server side. In /mnt/mynfs, you may still need to navigate to the appropriate directory for the user depending on the server's configuration of the share (if applicable). If you wish to mount a specific directory on the server-side share (e.g., /user/nfsdir), simply modify the command as follows:

sudo mount -o 'vers=4,minorversion=0,port=2049' nfs-server.example.com:/user/nfsdir /mnt/mynfs

Kerberos Authentication

Additional steps are required to connect to a server that supports Kerberos authentication. For this example, we assume the principal nfs/nfs-client.example.com (the client machine's own NFS service principal, which rpc.gssd uses as the machine credential) already exists in the KDC database (whether that is hosted on Windows or Linux). Assuming the client-side machine has installed the relevant packages and is configured to communicate with the KDC, you will need to extract the key into the local keytab:

$ sudo kadmin -p {user}/admin@EXAMPLE.COM -q "ktadd -kt /etc/krb5.keytab nfs/nfs-client.example.com@EXAMPLE.COM"
Authenticating as principal {user}/admin with password.
Password for {user}/admin@EXAMPLE.COM:
Entry for principal nfs/nfs-client.example.com@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/nfs-client.example.com@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.

The keytab file now contains the key for the client's service principal, which is what rpc.gssd presents to the server's service principal (nfs/nfs-server.example.com, hosted by the same KDC) when the mount is established. Note that ktadd generates a new random key and increments the kvno, so any other keytab that still holds the old key for this principal becomes stale; run it once per principal. You can confirm the entry with klist -k -e /etc/krb5.keytab. Because /etc/krb5.keytab is normally readable only by root, you may also need to run kinit as root to ensure that the ticket cache contains a ticket for the principal just added. For example:

kinit -kt /etc/krb5.keytab nfs/nfs-client.example.com@EXAMPLE.COM

The klist command can be used to verify the correct ticket is in use. Users who will access files on the mount need their own tickets as well (kinit as that user), since the machine credential only establishes the mount itself. After doing so, you can connect to the NFSServer component as follows:

sudo mount -o 'vers=4,minorversion=0,port=2049,sec=krb5' nfs-server.example.com:/ /mnt/mynfs

Note: The sec mount option is set to krb5 above, meaning Kerberos authenticates each RPC call but does not protect the data on the wire. You may also set this to krb5i to add integrity protection (a checksum over each RPC that detects tampering) or to krb5p to add encryption of the RPC payload (this is the most secure option, and the one to use when the network between client and server is not trusted).

Additionally, in the case of sec=krb5, the server side will need to enable both krb5 and krb5i (as in the configuration shown at the top of this guide). Even when sec=krb5 is specified, the Linux client uses krb5i for certain state-management operations, in particular when establishing the client ID at the beginning of the session, so a server that offers krb5 alone will reject those calls and the mount will fail.

macOS

NFS and Kerberos are (typically) natively supported on macOS, and this will be assumed in this example.

System Authentication

Connecting to the NFSServer component is straightforward with only system authentication enabled. Assuming you wish to mount the local directory /Volumes/mynfs, you can simply connect to the component using the following command:

sudo mount -o "vers=4.0,port=2049" nfs-server.example.com:/ /Volumes/mynfs

Note: This will mount the root directory on the server side. In /Volumes/mynfs, you may still need to navigate to the appropriate directory for the user depending on the server's configuration of the share (if applicable). If you wish to mount a specific directory on the server-side share (e.g., /user/nfsdir), simply modify the command as follows:

sudo mount -o "vers=4.0,port=2049" nfs-server.example.com:/user/nfsdir /Volumes/mynfs

Kerberos Authentication

Additional steps are required to connect to a server that supports Kerberos authentication. For this example, we assume the principal nfs/nfs-client.example.com (the client machine's own NFS service principal) already exists in the KDC database (whether that is hosted on Windows or Linux). Assuming the client-side machine is configured to communicate with the KDC, you will need to add the key to the local keytab. macOS ships the Heimdal Kerberos tools, so the ktutil syntax differs from the MIT kadmin session shown for Linux:

ktutil --keytab=/etc/krb5.keytab add -p nfs/nfs-client.example.com@EXAMPLE.COM -w {password} -e aes256-cts-hmac-sha1-96 -V 1

Unlike ktadd on Linux, this command does not contact the KDC: it derives the key locally from the password, so the password and the key version (-V) must match what the KDC holds for the principal, otherwise the server will fail to decrypt the client's tickets. The kvno command (kvno nfs/nfs-client.example.com@EXAMPLE.COM, after a successful kinit) reports the version currently in use. If you omit -w, ktutil prompts for the password, which keeps it out of your shell history. The keytab file now contains the entry needed to authenticate to the server's service principal (assuming one is hosted by the KDC). After doing so, you may need to run kinit to ensure that the ticket cache contains a ticket for the principal just added. For example:

kinit --keytab=/etc/krb5.keytab -f nfs/nfs-client.example.com@EXAMPLE.COM

The klist command can be used to verify the correct ticket is in use. After doing so, you can connect to the NFSServer component as follows:

sudo mount -o "vers=4.0,port=2049,sec=krb5" nfs-server.example.com:/ /Volumes/mynfs

Note: The sec mount option is set to krb5 above, meaning Kerberos authenticates each RPC call but does not protect the data on the wire. You may also set this to krb5i to add integrity protection or to krb5p to add encryption of the RPC payload (this is the most secure option, and the one to use when the network between client and server is not trusted).
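The Linux and macOS Kerberos sections above both boil down to the same pre-flight checks before running mount: the client's service principal must be in the keytab with a usable (AES) key, and the mount must request one of the three Kerberos flavours. The POSIX sh functions below are an added example written for this article, not part of the NFSServer product or its documentation. They operate on the text that klist -k -e prints and build the mount command for either platform without executing it; the keytab listing embedded in the script is constructed for the example, and the hostnames and paths are the ones assumed throughout this guide.

```shell
#!/bin/sh
# Added example (not NFSServer product code): pre-flight checks for a Kerberos
# NFSv4.0 mount, as plain sh functions over `klist -k -e` output.

# Constructed sample of `klist -k -e /etc/krb5.keytab` (MIT format), so the
# functions can be exercised without a real keytab. The host/ entry with a DES
# key is included deliberately to show the weak-key check rejecting it.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/nfs-client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 nfs/nfs-client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 host/nfs-client.example.com@EXAMPLE.COM (des-cbc-crc)'

# keytab_kvno LISTING PRINCIPAL
#   Prints the highest kvno recorded for PRINCIPAL; exits 1 if it is absent.
#   Compare the value against `kvno PRINCIPAL` to catch a stale keytab after
#   a ktadd re-keyed the principal.
keytab_kvno() {
  printf '%s\n' "$1" | awk -v p="$2" '
    $2 == p { found = 1; if ($1 + 0 > max) max = $1 + 0 }
    END { if (!found) exit 1; print max }'
}

# keytab_has_strong_key LISTING PRINCIPAL
#   Succeeds only if PRINCIPAL has at least one AES key. Modern rpc.gssd and
#   the Heimdal libraries on macOS refuse DES/RC4-only entries, so a principal
#   that only passes keytab_kvno may still be unusable.
keytab_has_strong_key() {
  printf '%s\n' "$1" | awk -v p="$2" '
    $2 == p && $3 ~ /^\(aes/ { ok = 1 }
    END { exit !ok }'
}

# nfs_mount_cmd OS SEC SERVER EXPORT MOUNTPOINT
#   Prints the mount command for an NFSv4.0 mount. OS is "linux" (vers=4,
#   minorversion=0 syntax) or "macos" (vers=4.0 syntax). Anything other than
#   the three Kerberos flavours is refused, so sec=sys cannot slip in on a
#   host that is supposed to use Kerberos.
nfs_mount_cmd() {
  os=$1; sec=$2; server=$3; export_path=$4; mountpoint=$5
  case "$sec" in
    krb5|krb5i|krb5p) ;;
    *) echo "refusing sec=$sec: use krb5, krb5i or krb5p (krb5p encrypts data)" >&2; return 1 ;;
  esac
  case "$os" in
    linux) vers='vers=4,minorversion=0' ;;
    macos) vers='vers=4.0' ;;
    *) echo "unknown OS: $os (expected linux or macos)" >&2; return 1 ;;
  esac
  printf "mount -o '%s,port=2049,sec=%s' %s:%s %s\n" \
    "$vers" "$sec" "$server" "$export_path" "$mountpoint"
}

# Dry run against the constructed listing. On a real client, replace the
# listing with: LISTING=$(sudo klist -k -e /etc/krb5.keytab)
principal='nfs/nfs-client.example.com@EXAMPLE.COM'
if kv=$(keytab_kvno "$SAMPLE_KEYTAB_LISTING" "$principal") \
   && keytab_has_strong_key "$SAMPLE_KEYTAB_LISTING" "$principal"; then
  echo "keytab entry for $principal present (kvno $kv)"
  nfs_mount_cmd linux krb5p nfs-server.example.com / /mnt/mynfs
  nfs_mount_cmd macos krb5p nfs-server.example.com / /Volumes/mynfs
else
  echo "keytab check failed for $principal; fix the keytab before mounting" >&2
fi
```

The printed command is intended to be reviewed and then run under sudo; the functions deliberately never call mount themselves. Pick krb5p in nfs_mount_cmd unless you have a specific reason to accept weaker protection, and remember that on Linux the server must also offer krb5i for a sec=krb5 mount to succeed.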

We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@callback.com.