Nfs – Samba sharing an NFS mount point

file-sharingnfssamba

I'm sorry if this is a repeat post, seems my first attempt failed…

A little context first.

Firstly, I have inherited one of the classic networks from hell. Amongst a number of other things, I discovered that the majority of the clients data, including a heap of compliance data, is currently stored on one up USB drives being shared via Samba to the rest of the clients (and not being backed up).

To help me sleep at night, I've thrown together a linux files server with two raid 5 arrays to put this data on, and to avoid having to remap all of the client machines thought it should be OK to unmount the USB disks, after rsyncing the data to the file serve, and nfs mounting the new mount points in their place.

This seemed to work Ok with some quick testing, however, today I discovered that my users are having terribly trouble opening files across this arrangement with the file transfer rate being very very slow.

I don't see any problem with direct nfs mounting of the disks (from my linux box) but via the samba shares it is totally unusable.

I did use the default setting in both export and mount points no will play tonight with some of the options I have found on google, but am thinking I'll have to roll back for tomorrow at least.

Should I be able to do this? I can't see why not, as I'd guess it would be the sort of thing that would be done for a NAS system anyway.

Any advice? Please?

Best Answer

nfs mount option nolock worked for me.

edit: you can add the 'nolock' to mount options in fstab, or 'mount -o nolock,remount /mount_path' to mount it on demand. I had an issue with samba creating a mount on an nfs volume and it created infinite open connections until I added this mount option.

Related Solutions

Samba mount isn’t following a symlink

smbfs is the old kernel smb implementation which is no longer actively supported. It's been replaced with the cifs kernel module instead. So try mounting it with type cifs instead of smbfs.

Also make sure that you do not have "Unix Extensions = No" in your smb.conf as this will also disable the kernel modules ability to follow symbolic links. This value defaults to yes so if it's not in your smb.conf you should be all set here.

You may also want to store your credentials in a safer spot as anyone can read /etc/fstab.

To do this do the following as root.

cd /etc/samba/
echo username=mywindowsusername > .smbpasswd
echo password=mywindowspassword >> .smbpasswd
chmod 600 .smbpasswd

Substitute your Windows username and password in the commands. No one else except root would be able to read the contents of this file.

Then modify the line in the /etc/fstab file to look like this:

//servername/sharename /mountdirectory cifs credentials=/etc/samba/.smbpasswd 0 0

Iptables – NFS client mount fails behind firewall

There are settings in sysctl that defines NFS port ranges available for connections.

sunrpc.max_resvport = 1023

sunrpc.min_resvport = 650

These settings define the highest and lowest ports to use for making RPC connections (NFS)

You can open these ports or define a different range depending on your system. You will get denies if it tries to use a port that is blocked either by a firewall or another service using that port.

Edit:

You can also increase / decrease this range. I have a server that had 460 NFS mounts defined in fstab and it would fail after 372 or so. And when I would manually mount one of the failed ones it would mount it but unmount one of the working mounts. I increased this range by 150 and they all mounted. This is not the best way to do it. automounter comes to mind but, it works.

To make the modification you will edit your /etc/sysctl.conf add a line like:

sunrpc.min_resvport = 900

To make the change permanent if you need to change them. Remember if you go above 1024 that those are "unprivileged" ports and normal system users will have access to them vs. - 1024.

Edit 2:

In your NFS mount command can you add the following.

proto=tcp - forces the mount to use TCP/IP

public - bypasses portmapper completely and contacts NFS server on port 2049 unless otherwise specified

So, mount nfs.test.com:/export /test

becomes

mount -o proto=tcp ,public nfs.test.com:/export /test

EDIT 3

OK - here we go!!! root@pressyrluck # ./nowhammies > /dev/please

This information was lifted copied swiped borrowed from Sourceforge NFS

Some of the daemons involved in sharing data via nfs are already bound to a port. portmap is always on port 111 tcp and udp. nfsd is always on port 2049 TCP and UDP (however, as of kernel 2.4.17, NFS over TCP is considered experimental and is not for use on production machines).

The other daemons, statd, mountd, lockd, and rquotad, will normally move around to the first available port they are informed of by the portmapper.

To force statd to bind to a particular port, use the -p portnum option. To force statd to respond on a particular port, additionally use the -o portnum option when starting it.

To force mountd to bind to a particular port use the -p portnum option.

For example, to have statd broadcast of port 32765 and listen on port 32766, and mountd listen on port 32767, you would type:

# statd -p 32765 -o 32766
# mountd -p 3276

lockd is started by the kernel when it is needed. Therefore you need to pass module options (if you have it built as a module) or kernel options to force lockd to listen and respond only on certain ports.

If you are using loadable modules and you would like to specify these options in your /etc/modules.conf file add a line like this to the file:

options lockd nlm_udpport=32768 nlm_tcpport=32768

For the sake of this discussion lets describe a network and setup a firewall to protect our nfs server. Our nfs server is 192.168.0.42 our client is 192.168.0.45 only. As in the example above, statd has been started so that it only binds to port 32765 for incoming requests and it must answer on port 32766. mountd is forced to bind to port 32767. lockd's module parameters have been set to bind to 32768. nfsd is, of course, on port 2049 and the portmapper is on port 111.

We are not using quotas.

iptables -A INPUT -f -j ACCEPT -s 192.168.0.45
iptables -A INPUT -s 192.168.0.45 -d 0/0 32765:32768 -p 6 -j ACCEPT
iptables -A INPUT -s 192.168.0.45 -d 0/0 32765:32768 -p 17 -j ACCEPT
iptables -A INPUT -s 192.168.0.45 -d 0/0 2049 -p 17 -j ACCEPT
iptables -A INPUT -s 192.168.0.45 -d 0/0 2049 -p 6 -j ACCEPT
iptables -A INPUT -s 192.168.0.45 -d 0/0 111 -p 6 -j ACCEPT
iptables -A INPUT -s 192.168.0.45 -d 0/0 111 -p 17 -j ACCEPT
iptables -A INPUT -s 0/0 -d 0/0 -p 6 -j DENY --syn --log-level 5
iptables -A INPUT -s 0/0 -d 0/0 -p 17 -j DENY --log-level 5

The first line says to accept all packet fragments (except the first packet fragment which will be treated as a normal packet). In theory no packet will pass through until it is reassembled, and it won't be reassembled unless the first packet fragment is passed. Of course there are attacks that can be generated by overloading a machine with packet fragments. But NFS won't work correctly unless you let fragments through. See Section 7, “Troubleshooting” for details.

The other lines allow specific connections from any port on our client host to the specific ports we have made available on our server. This means that if, say, 192.158.0.46 attempts to contact the NFS server it will not be able to mount or see what mounts are available.

With the new port pinning capabilities it is obviously much easier to control what hosts are allowed to mount your NFS shares. It is worth mentioning that NFS is not an encrypted protocol and anyone on the same physical network could sniff the traffic and reassemble the information being passed back and forth.

Best Answer

Related Solutions

Samba mount isn’t following a symlink

Iptables – NFS client mount fails behind firewall

Related Topic