Exporting filesystems to remote host using NFSv4.

User mapping

This section should be apply on server side as well as on the client side.

With NFSv4 user are identified as user@domain and not anymore with there numerical identifier, an external process (nfsuserd on FreeBSD or nfsidmap on Linux) will perform this mapping:

rc.conf
1
2

nfsuserd_enable="YES"
nfsuserd_flags="-domain example.com"

If nfsuserd is not able to map the user to the uid:gid using the resolution mechanisms defined in /etc/nsswitch.conf, then the numerical value supposed to map to nobody:nogroup will be used, but be careful as not everyone agree on this numerical value (32767, 65534, …)

Server

The server is started at boot-time with (it is also necessary to have a user mapping running):

rc.conf
1
2

nfs_server_enable="YES"
nfsv4_server_enable="YES"

The root of the NFS tree must be specified with the V4: prefix in the exports file (this entry doesn’t export file systems):

exports
1

V4: /

File systems are next exported using entries in exports as it is done with previous version of NFS.

If a ZFS file system is to be exported by NFS, this can be done automatically by using the sharenfs property, for example:

1
2

zfs set sharenfs=on tank/home
zfs set sharenfs="-ro -maproot=root -network 134.214.146.0/24" tank/src

Delegation

Allows the server to issue Open Delegations to clients.

sysctl.conf
1
2
3

# To be enabled only if: - NFSv4-only server
#                        - files are not accessed locally
vfs.nfsd.issue_delegations=1

This can only be enabled when the file systems being exported to NFSv4 clients are not being accessed locally on the server and, if being accessed via NFS Version 2 or 3 clients, these clients cannot be using the Network Lock Manager.

Client

Once a user mapping has been applied, you only need to call the mount command to attach the remote file system:

Mount NFS remote file system
1

mount_nfs -onfsv4 nfs-server.example.com:/exported/fs /mountpoint

If nfsuserd is not able to map the user to the uid:gid using the resolution mechanisms defined in /etc/nsswitch.conf, then the numerical value supposed to map to nobody:nogroup will be used, but be careful as not everyone agree on this numerical value (32767, 65534, …)

Delegation

rc.conf
1

nfscbd_enable="YES"

If accessing NFSv4 behind a NAT, the gateway must allow the port forwarding to the NFS server, and the gateway IP address and port must be specified as the callback address:

sysctl.conf
1
2

# Example with gateway using 192.168.1.5:7745
vfs.nfs.callback_addr=192.168.1.5.30.65

For NFSv4.1 the above is note necessary as it use the the same TCP connection as the mount for the callback.