Worksheet for gathering NFS configuration information

The NFS configuration worksheet enables you to collect the required information to set up NFS access for clients.

You should complete one or both sections of the worksheet depending on the decision you made about where to provision storage: Configure NFS access to an SVM if you are creating a new SVM, and Adding storage capacity to an NFS-enabled SVM if you are adding a volume or qtree to an SVM that already serves NFS.

See the command man pages for details about the parameters.

Configure NFS access to an SVM

Parameters for creating an SVM

You supply these values with the vserver create command if you are creating a new SVM.

Field Description Your value

-vserver

A name you supply for the new SVM that is either a fully qualified domain name (FQDN) or follows another convention that enforces unique SVM names across a cluster.

-aggregate

The name of an aggregate in the cluster with sufficient space for new NFS storage capacity.

-rootvolume

A unique name you supply for the SVM root volume.

-rootvolume-security-style

Use the UNIX security style for the SVM.

unix

-language

Use the default language setting in this workflow.

C.UTF-8

-ipspace

The IPspace in which the SVM resides. IPspaces are distinct IP address spaces in which storage virtual machines (SVMs) reside.

Parameters for creating an NFS server

You supply these values with the vserver nfs create command when you create a new NFS server and specify supported NFS versions.

If you are enabling NFSv4 or later, you should use LDAP for improved security: NFSv4 identifies owners as user@domain names rather than numeric IDs, so the SVM and its clients need a shared, authoritative source for those mappings.

Field Description Your value

-v3, -v4.0, -v4.1, -v4.1-pnfs

Enable NFS versions as needed.

Note

NFSv4.2 (option -v4.2) is also supported in ONTAP 9.8 and later when v4.1 is enabled.

-v4-id-domain

ID mapping domain name.

-v4-numeric-ids

Support for numeric owner IDs (enabled or disabled).

Parameters for creating a LIF

You supply these values with the network interface create command when you are creating LIFs.

If you are using Kerberos, you should enable Kerberos on multiple LIFs.

Field Description Your value

-lif

A name you supply for the new LIF.

-role

Use the data LIF role in this workflow.

data

-data-protocol

Use only the NFS protocol in this workflow.

nfs

-home-node

The node to which the LIF returns when the network interface revert command is run on the LIF.

-home-port

The port or interface group to which the LIF returns when the network interface revert command is run on the LIF.

-address

The IPv4 or IPv6 address on the cluster that will be used for data access by the new LIF.

-netmask

The network mask for the LIF (the default gateway is configured separately as a route, not with this parameter).

-subnet-name

The name of a subnet (a pool of IP addresses) defined on the cluster. Used instead of -address and -netmask to assign the address and netmask automatically; specify one form or the other, not both.

-firewall-policy

Use the default data firewall policy in this workflow.

data

Parameters for DNS host name resolution

You supply these values with the vserver services name-service dns create command when you are configuring DNS.

Field Description Your value

-domains

Up to five DNS domain names.

-name-servers

Up to three DNS name server IP addresses.
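The four parameter tables above describe one procedure: create the SVM, enable the NFS versions, create the data LIF, and configure DNS. The following Python script is an added example, not NetApp code or an ONTAP tool. It takes a filled-in worksheet, applies the constraints this page states (UNIX root-volume security style, v4.2 only with v4.1, either -address/-netmask or -subnet-name, the DNS limits of five domains and three name servers) and renders the create commands in dependency order. The SVM, aggregate, node, port and addresses are constructed placeholders.

```python
"""Render the 'Configure NFS access to an SVM' worksheet as ONTAP commands.

Added example (not NetApp code): it applies the constraints stated on this
page to a filled-in worksheet, then emits the four create commands in
dependency order. All values below are constructed placeholders.
"""

# Constructed worksheet: hypothetical SVM, aggregate, node, port and addresses.
WORKSHEET = {
    "svm": {"vserver": "svm_nfs1.example.com", "aggregate": "aggr1",
            "rootvolume": "svm_nfs1_root", "rootvolume-security-style": "unix",
            "language": "C.UTF-8", "ipspace": "Default"},
    "nfs": {"v3": "enabled", "v4.0": "enabled", "v4.1": "enabled",
            "v4.1-pnfs": "disabled", "v4.2": "enabled",
            "v4-id-domain": "example.com", "v4-numeric-ids": "disabled"},
    "lif": {"lif": "svm_nfs1_data1", "role": "data", "data-protocol": "nfs",
            "home-node": "node1", "home-port": "e0c",
            "address": "192.0.2.10", "netmask": "255.255.255.0",
            "firewall-policy": "data"},
    "dns": {"domains": ["example.com", "corp.example.com"],
            "name-servers": ["192.0.2.53", "192.0.2.54"]},
}

V4_VERSIONS = ("v4.0", "v4.1", "v4.1-pnfs", "v4.2")


def render(command, params):
    """Join a command name and its -key value pairs into one clustershell line."""
    parts = [command]
    for key, value in params.items():
        if isinstance(value, (list, tuple)):
            value = ",".join(value)          # multi-valued fields are comma-separated
        parts.append(f"-{key} {value}")
    return " ".join(parts)


def check(ws):
    """Return the constraints stated on this page that the worksheet violates."""
    svm, nfs, lif, dns = ws["svm"], ws["nfs"], ws["lif"], ws["dns"]
    problems = []
    if svm.get("rootvolume-security-style") != "unix":
        problems.append("rootvolume-security-style must be unix in this workflow")
    if not any(nfs.get(v) == "enabled" for v in ("v3",) + V4_VERSIONS):
        problems.append("no NFS version is enabled")
    if nfs.get("v4.2") == "enabled" and nfs.get("v4.1") != "enabled":
        problems.append("v4.2 requires v4.1 to be enabled (ONTAP 9.8 and later)")
    if any(nfs.get(v) == "enabled" for v in V4_VERSIONS) and not nfs.get("v4-id-domain"):
        problems.append("NFSv4 is enabled but -v4-id-domain is empty; owner names will not map consistently")
    static = {"address", "netmask"} & set(lif)
    if bool(static) == ("subnet-name" in lif):
        problems.append("give the LIF either -address and -netmask or -subnet-name")
    elif static and len(static) != 2:
        problems.append("-address and -netmask must be supplied together")
    if lif.get("data-protocol") != "nfs":
        problems.append("data-protocol must be nfs in this workflow")
    if not 1 <= len(dns["domains"]) <= 5:
        problems.append("DNS accepts one to five domain names")
    if not 1 <= len(dns["name-servers"]) <= 3:
        problems.append("DNS accepts one to three name-server addresses")
    return problems


def commands(ws):
    """Emit the create commands, refusing to render an inconsistent worksheet."""
    problems = check(ws)
    if problems:
        raise ValueError("; ".join(problems))
    svm_name = ws["svm"]["vserver"]
    return [
        render("vserver create", ws["svm"]),
        render("vserver nfs create", {"vserver": svm_name, **ws["nfs"]}),
        render("network interface create", {"vserver": svm_name, **ws["lif"]}),
        render("vserver services name-service dns create",
               {"vserver": svm_name, **ws["dns"]}),
    ]


if __name__ == "__main__":
    print("\n".join(commands(WORKSHEET)))
```

Run the script to print the four commands; change a value (for example enable v4.2 while v4.1 is disabled, or add -subnet-name alongside -address) and commands() refuses to render rather than emitting a sequence that ONTAP would reject halfway through.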

Name service information

Parameters for creating local users

You supply these values if you are creating local users by using the vserver services name-service unix-user create command. If you are configuring local users by loading a file containing UNIX users from a uniform resource identifier (URI), you do not need to specify these values manually.

User name (-user)   User ID (-id)   Group ID (-primary-gid)   Full name (-full-name)
Example: johnm      123             100                       John Miller
1
2
3
…
n

Parameters for creating local groups

You supply these values if you are creating local groups by using the vserver services name-service unix-group create command. If you are configuring local groups by loading a file containing UNIX groups from a URI, you do not need to specify these values manually.

Group name (-name)     Group ID (-id)
Example: Engineering   100
1
2
3
…
n

Parameters for NIS

You supply these values with the vserver services name-service nis-domain create command.

Note

Starting in ONTAP 9.2, the field -nis-servers replaces the field -servers. This new field can take either a hostname or an IP address for the NIS server.

Field Description Your value

-domain

The NIS domain that the SVM will use for name lookups.

-active

The active NIS domain server.

true or false

-servers

ONTAP 9.0 and 9.1: One or more IP addresses of NIS servers used by the NIS domain configuration.

-nis-servers

ONTAP 9.2 and later: A comma-separated list of IP addresses and hostnames for the NIS servers used by the domain configuration.

Parameters for LDAP

You supply these values with the vserver services name-service ldap client create command.

If you enable TLS (-use-start-tls), you will also need the root CA certificate, as a .pem file, that issued the LDAP server's certificate, so that the SVM can validate the server.

Note

Starting in ONTAP 9.2, the field -ldap-servers replaces the field -servers. This new field can take either a hostname or an IP address for the LDAP server.

Field Description Your value

-vserver

The name of the SVM for which you want to create an LDAP client configuration.

-client-config

The name you assign for the new LDAP client configuration.

-servers

ONTAP 9.0, 9.1: One or more LDAP servers by IP address in a comma-separated list.

-ldap-servers

ONTAP 9.2: A comma-separated list of IP addresses and hostnames for the LDAP servers.

-query-timeout

Use the default 3 seconds for this workflow.

3

-min-bind-level

The minimum bind authentication level (anonymous, simple or sasl). The default is anonymous. Must be set to sasl if signing and sealing is configured. A simple bind sends the bind password in cleartext unless the session is protected by TLS.

-preferred-ad-servers

One or more preferred Active Directory servers by IP address in a comma-delimited list.

-ad-domain

The Active Directory domain.

-schema

The schema template to use. You can use a default or custom schema.

-port

Use the default LDAP server port 389 for this workflow.

389

-bind-dn

The Bind user distinguished name.

-base-dn

The base distinguished name. The default is "" (root).

-base-scope

Use the default base search scope subtree for this workflow (the other values are base and onelevel).

subtree

-session-security

Enables LDAP signing or signing and sealing. The default is none.

-use-start-tls

Enables LDAP over TLS (START TLS negotiated on the LDAP port). The default is false. Without either this or -session-security seal, lookups travel in cleartext.
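The LDAP table above contains the two settings that decide whether directory traffic is protected (-session-security and -use-start-tls) and the one dependency between fields that ONTAP enforces (-min-bind-level must be sasl when signing or sealing is on). The following Python script is an added example, not NetApp code: it checks a worksheet against those rules and the 9.2 rename of -servers to -ldap-servers, warns when a configuration would send the bind password or lookups in cleartext, and renders the ldap client create command. It embeds a weak configuration and its hardened counterpart as constructed input; the "ca-cert-pem" field is a worksheet-only placeholder for the certificate file, not an ONTAP parameter, and all names and addresses are made up.

```python
"""Check an LDAP client worksheet and render the ldap client create command.

Added example, not NetApp code. It encodes rules stated on this page
(min-bind-level must be sasl with signing/sealing, -servers became
-ldap-servers in ONTAP 9.2, TLS needs the issuing CA certificate) plus a
practitioner check for cleartext binds and lookups. All names and
addresses are constructed; "ca-cert-pem" is a worksheet-only placeholder.
"""

VALID_SCOPES = ("base", "onelevel", "subtree")
VALID_SESSION_SECURITY = ("none", "sign", "seal")
VALID_BIND_LEVELS = ("anonymous", "simple", "sasl")

# Constructed: a cleartext simple-bind configuration and its hardened counterpart.
WEAK = {
    "vserver": "svm_nfs1", "client-config": "ldap_weak",
    "ldap-servers": ["192.0.2.20"], "schema": "AD-IDMU", "port": 389,
    "query-timeout": 3, "min-bind-level": "simple",
    "bind-dn": "CN=svc-ontap,OU=Service,DC=example,DC=com",
    "base-dn": "DC=example,DC=com", "base-scope": "subtree",
    "session-security": "none", "use-start-tls": False,
}
HARDENED = {**WEAK, "client-config": "ldap_sealed",
            "min-bind-level": "sasl", "session-security": "seal"}


def check(cfg, ontap_version=(9, 2)):
    """Return (errors, warnings) for one LDAP client worksheet."""
    errors, warnings = [], []
    if cfg.get("base-scope") not in VALID_SCOPES:
        errors.append(f"base-scope must be one of {VALID_SCOPES}")
    if cfg.get("session-security") not in VALID_SESSION_SECURITY:
        errors.append(f"session-security must be one of {VALID_SESSION_SECURITY}")
    if cfg.get("min-bind-level") not in VALID_BIND_LEVELS:
        errors.append(f"min-bind-level must be one of {VALID_BIND_LEVELS}")
    if cfg.get("session-security") in ("sign", "seal") and cfg.get("min-bind-level") != "sasl":
        errors.append("min-bind-level must be sasl when signing or sealing is configured")
    # The server list parameter was renamed in ONTAP 9.2.
    server_key = "ldap-servers" if ontap_version >= (9, 2) else "servers"
    if not cfg.get(server_key) and not cfg.get("ad-domain"):
        errors.append(f"supply -{server_key} (or -ad-domain) for this ONTAP version")
    if cfg.get("use-start-tls") and not cfg.get("ca-cert-pem"):
        errors.append("use-start-tls needs the root CA certificate (.pem) that issued the server certificate")
    # Practitioner checks: what crosses the wire unprotected?
    if cfg.get("min-bind-level") == "simple" and not cfg.get("use-start-tls"):
        warnings.append("simple bind without TLS sends the bind password in cleartext")
    if cfg.get("session-security") != "seal" and not cfg.get("use-start-tls"):
        warnings.append("lookups are not encrypted: set -session-security seal or -use-start-tls true")
    return errors, warnings


def ldap_client_command(cfg, ontap_version=(9, 2)):
    """Render vserver services name-service ldap client create for a checked worksheet."""
    errors, _ = check(cfg, ontap_version)
    if errors:
        raise ValueError("; ".join(errors))
    parts = ["vserver services name-service ldap client create"]
    for key, value in cfg.items():
        if key == "ca-cert-pem":
            continue                        # installed on the SVM separately, not a client option
        if isinstance(value, list):
            value = ",".join(value)
        elif isinstance(value, bool):
            value = "true" if value else "false"
        parts.append(f"-{key} {value}")
    return " ".join(parts)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        errors, warnings = check(cfg)
        print(name, "errors:", errors, "warnings:", warnings)
        print(ldap_client_command(cfg))
```

The weak configuration renders without errors, because ONTAP accepts it, but carries two warnings; the hardened one (sasl plus seal) renders clean. Downgrading the hardened entry to min-bind-level simple while keeping seal is rejected outright, which mirrors the dependency described in the -min-bind-level row.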

Parameters for Kerberos authentication

You supply these values with the vserver nfs kerberos realm create command. Some of the values will differ depending on whether you use Microsoft Active Directory as a Key Distribution Center (KDC) server, or MIT or other UNIX KDC server.

Field Description Your value

-vserver

The SVM that will communicate with the KDC.

-realm

The Kerberos realm.

-clock-skew

Permitted clock skew between clients and servers.

-kdc-ip

KDC IP address.

-kdc-port

KDC port number.

-adserver-name

Microsoft KDC only: AD server name.

-adserver-ip

Microsoft KDC only: AD server IP address.

-adminserver-ip

UNIX KDC only: Admin server IP address.

-adminserver-port

UNIX KDC only: Admin server port number.

-passwordserver-ip

UNIX KDC only: Password server IP address.

-passwordserver-port

UNIX KDC only: Password server port.

-kdc-vendor

KDC vendor.

{ Microsoft | Other }

-comment

Any desired comments.

You supply these values with the vserver nfs kerberos interface enable command.

Field Description Your value

-vserver

The name of the SVM for which you want to create a Kerberos configuration.

-lif

The data LIF on which you will enable Kerberos. You can enable Kerberos on multiple LIFs.

-spn

The Service Principal Name (SPN) for the NFS service, in the form nfs/<host FQDN>@<REALM>.

-permitted-enc-types

The permitted encryption types for Kerberos over NFS; aes-256 is recommended, depending on client capabilities. Leave the legacy DES types disabled unless a client cannot do better; DES is cryptographically weak.

-admin-username

The KDC administrator credentials used to retrieve the SPN secret key directly from the KDC. A password is required.

-keytab-uri

The keytab file from the KDC containing the SPN key if you do not have KDC administrator credentials.

-ou

The organizational unit (OU) under which the Microsoft Active Directory server account will be created when you enable Kerberos using a realm for Microsoft KDC.
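The two Kerberos tables above split into a realm definition whose required fields depend on -kdc-vendor, and a per-LIF enable step that needs the SPN, the encryption types and one of two ways to obtain the key. The following Python script is an added example, not NetApp code: it checks a worksheet for the vendor-specific fields this page lists (AD server fields for Microsoft, admin and password server fields for a UNIX KDC), requires the SPN to be nfs/<host FQDN>@<REALM> for the configured realm, insists on exactly one of -admin-username or -keytab-uri, refuses the DES types, and renders the realm create command followed by one interface enable per LIF. The realm, hosts, addresses, OU and keytab URI are constructed.

```python
"""Check a Kerberos worksheet and render realm create / interface enable.

Added example, not NetApp code. It applies the vendor-specific field split
this page describes, checks the SPN form and realm, requires exactly one
key source per LIF and rejects the legacy DES encryption types. All hosts,
addresses, realm names and URIs are constructed.
"""
import re

WEAK_ENC_TYPES = {"des", "des3"}
MICROSOFT_FIELDS = ("adserver-name", "adserver-ip")
UNIX_FIELDS = ("adminserver-ip", "adminserver-port",
               "passwordserver-ip", "passwordserver-port")
SPN_RE = re.compile(r"^nfs/(?P<host>[a-z0-9.-]+)@(?P<realm>[A-Z0-9.-]+)$")

# Constructed: an Active Directory realm and two data LIFs to enable it on.
REALM = {
    "vserver": "svm_nfs1", "realm": "EXAMPLE.COM", "clock-skew": 5,
    "kdc-ip": "192.0.2.30", "kdc-port": 88, "kdc-vendor": "Microsoft",
    "adserver-name": "dc1.example.com", "adserver-ip": "192.0.2.30",
    "comment": "NFS Kerberos realm",
}
LIFS = [
    {"lif": "svm_nfs1_data1", "spn": "nfs/nfs1.example.com@EXAMPLE.COM",
     "permitted-enc-types": ["aes-256", "aes-128"],
     "admin-username": "svc-krb-admin", "ou": "OU=Storage,DC=example,DC=com"},
    {"lif": "svm_nfs1_data2", "spn": "nfs/nfs1.example.com@EXAMPLE.COM",
     "permitted-enc-types": ["aes-256", "aes-128"],
     "keytab-uri": "ftp://files.example.com/nfs1.keytab"},
]


def check_realm(realm):
    """Errors for the realm create worksheet, by KDC vendor."""
    vendor = realm.get("kdc-vendor")
    if vendor == "Microsoft":
        required, forbidden = MICROSOFT_FIELDS, UNIX_FIELDS
    elif vendor == "Other":
        required, forbidden = UNIX_FIELDS, MICROSOFT_FIELDS
    else:
        return ["kdc-vendor must be Microsoft or Other"]
    errors = [f"-{f} is required for kdc-vendor {vendor}" for f in required if f not in realm]
    errors += [f"-{f} does not apply to kdc-vendor {vendor}" for f in forbidden if f in realm]
    if realm.get("realm", "") != realm.get("realm", "").upper():
        errors.append("realm must be upper case (Kerberos realm names are case-sensitive)")
    return errors


def check_interface(realm, lif):
    """Errors for one interface enable worksheet row against its realm."""
    errors = []
    match = SPN_RE.match(lif.get("spn", ""))
    if not match:
        errors.append("spn must be nfs/<host FQDN>@<REALM>")
    elif match.group("realm") != realm["realm"]:
        errors.append(f"spn realm {match.group('realm')} differs from realm {realm['realm']}")
    enc_types = set(lif.get("permitted-enc-types", []))
    if not enc_types:
        errors.append("permitted-enc-types is empty")
    if enc_types & WEAK_ENC_TYPES:
        errors.append(f"weak encryption types enabled: {sorted(enc_types & WEAK_ENC_TYPES)}")
    if ("admin-username" in lif) == ("keytab-uri" in lif):
        errors.append("supply exactly one of -admin-username or -keytab-uri")
    if "ou" in lif and realm.get("kdc-vendor") != "Microsoft":
        errors.append("-ou applies only to a Microsoft KDC realm")
    return errors


def _render(command, params):
    """Join a command and its -key value pairs; quote values containing spaces."""
    parts = [command]
    for key, value in params.items():
        value = ",".join(value) if isinstance(value, list) else str(value)
        if " " in value:
            value = f'"{value}"'
        parts.append(f"-{key} {value}")
    return " ".join(parts)


def kerberos_commands(realm, lifs):
    """Realm create followed by one interface enable per LIF, after all checks pass."""
    errors = check_realm(realm)
    for lif in lifs:
        errors += check_interface(realm, lif)
    if errors:
        raise ValueError("; ".join(errors))
    cmds = [_render("vserver nfs kerberos realm create", realm)]
    for lif in lifs:   # the page recommends enabling Kerberos on more than one LIF
        cmds.append(_render("vserver nfs kerberos interface enable",
                            {"vserver": realm["vserver"], **lif}))
    return cmds


if __name__ == "__main__":
    print("\n".join(kerberos_commands(REALM, LIFS)))
```

Switching -kdc-vendor to Other on the same worksheet fails for two reasons at once: the UNIX admin and password server fields are missing, and the AD server fields are present but do not apply. The two LIF rows show both key sources (an admin account that pulls the key from the KDC, and a pre-exported keytab).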

Adding storage capacity to an NFS-enabled SVM

Parameters for creating export policies and rules

You supply these values with the vserver export-policy create command.

Field Description Your value

-vserver

The name of the SVM that will host the new volume.

-policyname

A name you supply for a new export policy.

You supply these values for each rule with the vserver export-policy rule create command.

Field Description Your value

-clientmatch

Client match specification.

-ruleindex

Position of export rule in the list of rules.

-protocol

Use NFS in this workflow.

nfs

-rorule

Authentication method for read-only access.

-rwrule

Authentication method for read-write access.

-superuser

Authentication method for superuser access.

-anon

User ID to which anonymous users are mapped.

You must create one or more rules for each export policy. Rules are evaluated in -ruleindex order and the first rule whose -clientmatch matches the client is applied, so place specific rules ahead of broad ones.

-ruleindex   -clientmatch                       -rorule   -rwrule   -superuser   -anon
Example      0.0.0.0/0,@rootaccess_netgroup     any       krb5      sys          65534
1
2
3
…
n

Note that the example row matches every IPv4 client (0.0.0.0/0) and -rorule any grants read-only access under any security flavor, including unauthenticated (AUTH_NONE) requests mapped to the -anon user, while -superuser sys gives root on any sys-authenticated client root access. Narrow -clientmatch to the networks or netgroups that need access and prefer krb5, krb5i or krb5p unless a broad read-only export is intended.
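The rule table above is where most NFS exposure is decided, and the decision depends on rule order as well as on each row's flavors. The following Python script is an added example, not NetApp code: it audits a list of worksheet rows for a catch-all -clientmatch combined with the any or none flavors, -superuser sys or any, an -anon value that maps anonymous users to a real account, duplicate indexes and rules shadowed by an earlier catch-all, and then renders the policy create and rule create commands. The page's example row and a tighter counterpart are embedded as constructed input; the SVM, policy name and network are made up.

```python
"""Audit export-policy rules from the worksheet and render the create commands.

Added example, not NetApp code. ONTAP applies the first rule (in -ruleindex
order) whose -clientmatch matches the client, so ordering is part of the
access decision. The rule sets below are constructed: the page's example
row and a tighter alternative.
"""

CATCH_ALL = {"0.0.0.0/0", "0/0", "::/0"}
UNAUTHENTICATED = {"any", "none"}      # "any" includes AUTH_NONE, mapped to -anon

PAGE_EXAMPLE = [
    {"ruleindex": 1, "clientmatch": "0.0.0.0/0,@rootaccess_netgroup",
     "rorule": "any", "rwrule": "krb5", "superuser": "sys", "anon": 65534},
]
TIGHTER = [
    {"ruleindex": 1, "clientmatch": "@rootaccess_netgroup",
     "rorule": "krb5p", "rwrule": "krb5p", "superuser": "krb5p", "anon": 65534},
    {"ruleindex": 2, "clientmatch": "192.0.2.0/24",
     "rorule": "krb5", "rwrule": "krb5", "superuser": "none", "anon": 65534},
]


def audit(rules):
    """Return human-readable findings for a list of rule dicts (empty = clean)."""
    findings = []
    seen = set()
    catch_all_index = None
    for rule in sorted(rules, key=lambda r: r["ruleindex"]):
        idx = rule["ruleindex"]
        if idx in seen:
            findings.append(f"rule {idx}: duplicate ruleindex")
        seen.add(idx)
        if catch_all_index is not None:
            findings.append(f"rule {idx}: never reached, rule {catch_all_index} already matches every client")
        matches = {m.strip() for m in rule["clientmatch"].split(",")}
        broad = bool(matches & CATCH_ALL)
        if broad and rule["rorule"] in UNAUTHENTICATED:
            findings.append(f"rule {idx}: read access for every client without authentication")
        if broad and rule["rwrule"] in UNAUTHENTICATED:
            findings.append(f"rule {idx}: write access for every client without authentication")
        if rule["superuser"] in ("sys", "any"):
            findings.append(f"rule {idx}: root on any matching client keeps root (superuser {rule['superuser']}); prefer a krb5 flavor or none")
        if rule["anon"] != 65534:
            findings.append(f"rule {idx}: anonymous users map to uid {rule['anon']} instead of nobody (65534)")
        if broad:
            catch_all_index = idx
    return findings


def rule_commands(vserver, policy, rules):
    """Policy create followed by one rule create per row, in index order."""
    cmds = [f"vserver export-policy create -vserver {vserver} -policyname {policy}"]
    for rule in sorted(rules, key=lambda r: r["ruleindex"]):
        cmds.append(
            f"vserver export-policy rule create -vserver {vserver} -policyname {policy} "
            f"-ruleindex {rule['ruleindex']} -clientmatch {rule['clientmatch']} -protocol nfs "
            f"-rorule {rule['rorule']} -rwrule {rule['rwrule']} "
            f"-superuser {rule['superuser']} -anon {rule['anon']}")
    return cmds


if __name__ == "__main__":
    for name, rules in (("page example", PAGE_EXAMPLE), ("tighter", TIGHTER)):
        print(name, "findings:", audit(rules) or "none")
        print("\n".join(rule_commands("svm_nfs1", "nfs_default", rules)))
```

Concatenating the page's example row ahead of the tighter rules shows the ordering problem directly: the 0.0.0.0/0 rule at index 1 answers for every IPv4 client, so the netgroup and subnet rules behind it are never consulted.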

Parameters for creating a volume

You supply these values with the volume create command if you are creating a volume instead of a qtree.

Field Description Your value

-vserver

The name of a new or existing SVM that will host the new volume.

-volume

A unique descriptive name you supply for the new volume.

-aggregate

The name of an aggregate in the cluster with sufficient space for the new NFS volume.

-size

An integer you supply for the size of the new volume.

-user

Name or ID of the user that is set as the owner of the volume’s root.

-group

Name or ID of the group that is set as the owner of the volume’s root.

-security-style

Use the UNIX security style for this workflow.

unix

-junction-path

Location under root (/) where the new volume is to be mounted.

-export-policy

If you are planning to use an existing export policy, you can enter its name when you create the volume.

Parameters for creating a qtree

You supply these values with the volume qtree create command if you are creating a qtree instead of a volume.

Field Description Your value

-vserver

The name of the SVM on which the volume containing the qtree resides.

-volume

The name of the volume that will contain the new qtree.

-qtree

A unique descriptive name you supply for the new qtree, 64 characters or less.

-qtree-path

The qtree path argument, in the format /vol/volume_name/qtree_name, can be specified instead of specifying -volume and -qtree as separate arguments.

-unix-permissions

Optional: The UNIX permissions for the qtree.

-export-policy

If you are planning to use an existing export policy, you can enter its name when you create the qtree.