.\"
.\" CDDL HEADER START
.\"
.\" The contents of this file are subject to the terms of the
.\" Common Development and Distribution License (the "License").
.\" You may not use this file except in compliance with the License.
.\"
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
.\" or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions
.\" and limitations under the License.
.\"
.\" When distributing Covered Code, include this CDDL HEADER in each
.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
.\" If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying
.\" information: Portions Copyright [yyyy] [name of copyright owner]
.\"
.\" CDDL HEADER END
.\"
.\"
.\" Copyright (C) 2008, Sun Microsystems, Inc. All Rights Reserved
.\" Copyright 2014 Nexenta Systems, Inc. All rights reserved.
.\"
.Dd November 10, 2014
.Dt SHARE_NFS 1M
.Os
.Sh NAME
.Nm share_nfs
.Nd make local NFS file systems available for mounting by remote systems
.Sh SYNOPSIS
.Nm share
.Op Fl d Ar description
.Op Fl F Sy nfs
.Op Fl o Ar specific_options
.Ar pathname
.Sh DESCRIPTION
The
.Nm share
utility makes local file systems available for mounting by remote systems. It
starts the
.Xr nfsd 1M
and
.Xr mountd 1M
daemons if they are not already running.
.Pp
If no argument is specified, then
.Nm share
displays all file systems currently shared, including NFS file systems and file
systems shared through other distributed file system packages.
.Sh OPTIONS
The following options are supported:
.Bl -tag -width "indented"
.It Fl d Ar description
Provide a comment that describes the file system to be shared.
.It Fl F Sy nfs
Share NFS file system type.
.It Fl o Ar specific_options
Specify
.Ar specific_options
in a comma-separated list of keywords and attribute-value-assertions for
interpretation by the file-system-type-specific command.
If
.Ar specific_options
is not specified, then by default sharing is read-write to all clients.
.Ar specific_options
can be any combination of the following:
.Bl -tag -width "indented"
.It Sy aclok
Allows the NFS server to do access control for NFS Version 2 clients (running
SunOS 2.4 or earlier). When
.Sy aclok
is set on the server, maximal access is given to all clients. For example, with
.Sy aclok
set, if anyone has read permissions, then everyone does. If
.Sy aclok
is not set, minimal access is given to all clients.
.It Sy anon Ns = Ns Ar uid
Set
.Ar uid
to be the effective user ID of unknown users. By default, unknown users are
given the effective user ID UID_NOBODY. If uid is set to -1, access is denied.
.It Ar charset Ns = Ns Ar access_list
Where
.Ar charset
is one of: euc-cn, euc-jp, euc-jpms, euc-kr, euc-tw, iso8859-1, iso8859-2,
iso8859-5, iso8859-6, iso8859-7, iso8859-8, iso8859-9, iso8859-13, iso8859-15,
koi8-r.
.Pp
Clients that match the
.Ar access_list
for one of these properties will be assumed to be using that character set and
file and path names will be converted to UTF-8 for the server.
.It Sy gidmap Ns = Ns Ar mapping Ns Oo ~ Ns Ar mapping Oc Ns ...
Where
.Ar mapping
is:
.Oo Ar clnt Oc : Ns Oo Ar srv Oc : Ns Ar access_list
.Pp
Allows remapping the group ID (gid) in the incoming request to some other gid.
This effectively changes the identity of the user in the request to that of
some other local user.
.Pp
For clients where the gid in the incoming request is
.Ar clnt
and the client matches the
.Ar access_list Ns
, change the group ID to
.Ar srv Ns . If
.Ar clnt
is asterisk (*), all groups are mapped by this rule. If
.Ar clnt
is omitted, all unknown groups are mapped by this rule. If
.Ar srv
is set to -1, access is denied. If
.Ar srv
is omitted, the gid is mapped to UID_NOBODY.
.Pp
The particular
.Ar mapping Ns s
are separated in the
.Sy gidmap Ns =
option by tilde (~) and are evaluated in the specified order until a match is
found. Both
.Sy root Ns =
and
.Sy root_mapping Ns =
options (if specified) are evaluated before the
.Sy gidmap Ns =
option.
The
.Sy gidmap Ns =
option is skipped in the case where the client matches the
.Sy root Ns =
option.
.Pp
The
.Sy gidmap Ns =
option is evaluated before the
.Sy anon Ns =
option.
.Pp
This option is supported only for AUTH_SYS.
.It Sy index Ns = Ns Ar file
Load
.Ar file
rather than a listing of the directory containing this file when the
directory is referenced by an NFS URL.
.It Sy log Ns Oo = Ns Ar tag Oc
Enables NFS server logging for the specified file system. The optional
.Ar tag
determines the location of the related log files. The
.Ar tag
is defined in
.Pa /etc/nfs/nfslog.conf .
If no
.Ar tag
is specified, the default values associated with the global tag in
.Pa /etc/nfs/nfslog.conf
are used. Support of NFS server logging is only available for NFS Version 2 and
Version 3 requests.
.It Sy none Ns = Ns Ar access_list
Access is not allowed to any client that matches the access list. The exception
is when the access list is an asterisk (*), in which case
.Sy ro
or
.Sy rw
can override
.Sy none .
.It Sy nosub
Prevents clients from mounting subdirectories of shared directories. For
example, if
.Pa /export
is shared with the
.Sy nosub
option on server
.Qq fooey
then an NFS client cannot do:
.Bd -literal -offset indent
mount -F nfs fooey:/export/home/mnt
.Ed
.Pp
NFS Version 4 does not use the MOUNT protocol. The
.Sy nosub
option only applies to NFS Version 2 and Version 3 requests.
.It Sy nosuid
By default, clients are allowed to create files on the shared file system with
the setuid or setgid mode enabled. Specifying
.Sy nosuid
causes the server file system to silently ignore any attempt to enable the
setuid or setgid mode bits.
.It Sy public
Moves the location of the public file handle from root
.Pa ( / )
to the exported directory for WebNFS-enabled browsers and clients. This option
does not enable WebNFS service; WebNFS is always on. Only one file system per
server may use this option. Any other option, including the
.Sy ro Ns = Ns Ar list
and
.Sy rw Ns = Ns Ar list
options can be included with the
.Sy public
option.
.It Sy ro
Sharing is read-only to all clients.
.It Sy ro Ns = Ns Ar access_list
Sharing is read-only to the clients listed in
.Ar access_list ;
overrides the
.Sy rw
suboption for the clients specified. See
.Sx access_list
below.
.It Sy root Ns = Ns Ar access_list
Only root users from the hosts specified in
.Ar access_list
have root access. See
.Sx access_list
below. By default, no host has root access, so root users are mapped to an
anonymous user ID (see the
.Sy anon Ns = Ns Ar uid
option described above). Netgroups can be used if the file system shared is
using UNIX authentication (AUTH_SYS).
.It Sy root_mapping Ns = Ns Ar uid
For a client that is allowed root access, map the root UID to the specified
user id.
.It Sy rw
Sharing is read-write to all clients.
.It Sy rw Ns = Ns Ar access_list
Sharing is read-write to the clients listed in
.Ar access_list ;
overrides the
.Sy ro
suboption for the clients specified. See
.Sx access_list
below.
.It Sy sec Ns = Ns Ar mode Ns Oo : Ns Ar mode Oc Ns ...
Sharing uses one or more of the specified security modes.
The
.Ar mode
in the
.Sy sec Ns = Ns Ar mode
option must be a mode name supported on the client. If the
.Sy sec Ns =
option is not specified, the default security mode used is AUTH_SYS. Multiple
.Sy sec Ns =
options can be specified on the command line, although each mode can appear
only once. The security modes are defined in
.Xr nfssec 5 .
.Pp
Each
.Sy sec Ns =
option specifies modes that apply to any subsequent
.Sy window Ns = ,
.Sy rw ,
.Sy ro ,
.Sy rw Ns = ,
.Sy ro Ns = ,
and
.Sy root Ns =
options that are provided before another
.Sy sec Ns =
option.
Each additional
.Sy sec Ns =
resets the security mode context, so that more
.Sy window Ns = ,
.Sy rw ,
.Sy ro ,
.Sy rw Ns = ,
.Sy ro Ns = ,
and
.Sy root Ns =
options can be supplied for additional modes.
.It Sy sec Ns = Ns Sy none
If the option
.Sy sec Ns = Ns Sy none
is specified when the client uses AUTH_NONE, or if the client uses a security
mode that is not one that the file system is shared with, then the credential
of each NFS request is treated as unauthenticated. See the
.Sy anon Ns = Ns Ar uid
option for a description of how unauthenticated requests are handled.
.It Sy secure
This option has been deprecated in favor of the
.Sy sec Ns = Ns Sy dh
option.
.It Sy uidmap Ns = Ns Ar mapping Ns Oo ~ Ns Ar mapping Oc Ns ...
Where
.Ar mapping
is:
.Oo Ar clnt Oc : Ns Oo Ar srv Oc : Ns Ar access_list
.Pp
Allows remapping the user ID (uid) in the incoming request to some other uid.
This effectively changes the identity of the user in the request to that of
some other local user.
.Pp
For clients where the uid in the incoming request is
.Ar clnt
and the client matches the
.Ar access_list Ns
, change the user ID to
.Ar srv Ns . If
.Ar clnt
is asterisk (*), all users are mapped by this rule. If
.Ar clnt
is omitted, all unknown users are mapped by this rule. If
.Ar srv
is set to -1, access is denied.
If
.Ar srv
is omitted, the uid is mapped to UID_NOBODY.
.Pp
The particular
.Ar mapping Ns s
are separated in the
.Sy uidmap Ns =
option by tilde (~) and are evaluated in the specified order until a match is
found. Both
.Sy root Ns =
and
.Sy root_mapping Ns =
options (if specified) are evaluated before the
.Sy uidmap Ns =
option. The
.Sy uidmap Ns =
option is skipped in the case where the client matches the
.Sy root Ns =
option.
.Pp
The
.Sy uidmap Ns =
option is evaluated before the
.Sy anon Ns =
option.
.Pp
This option is supported only for AUTH_SYS.
.It Sy window Ns = Ns Ar value
When sharing with
.Sy sec Ns = Ns Sy dh ,
set the maximum life time (in seconds) of the RPC request's credential (in the
authentication header) that the NFS server allows. If a credential arrives with
a life time larger than what is allowed, the NFS server rejects the request. The
default value is 30000 seconds (8.3 hours).
.El
.El
.Ss access_list
The
.Ar access_list
argument is a colon-separated list whose components may be any number of the
following:
.Bl -tag -width "indented"
.It Sy hostname
The name of a host. With a server configured for DNS or LDAP naming in the
nsswitch
.Sy hosts
entry, any hostname must be represented as a fully qualified DNS or LDAP name.
.It Sy netgroup
A netgroup contains a number of hostnames. With a server configured for DNS or
LDAP naming in the nsswitch
.Sy hosts
entry, any hostname in a netgroup must be represented as a fully qualified DNS
or LDAP name.
.It Sy domain name suffix
To use domain membership the server must use DNS or LDAP to resolve hostnames to
IP addresses; that is, the
.Sy hosts
entry in the
.Pa /etc/nsswitch.conf
must specify
.Sy dns
or
.Sy ldap
ahead of
.Sy nis
or
.Sy nisplus ,
since only DNS and LDAP return the full domain name of the host. Other name
services like NIS or NIS+ cannot be used to resolve hostnames on the server
because when mapping an IP address to a hostname they do not return domain
information.
For example,
.Bd -literal -offset indent
NIS or NIS+ 172.16.45.9 --> "myhost"
.Ed
.Pp
and
.Bd -literal -offset indent
DNS or LDAP 172.16.45.9 --> "myhost.mydomain.mycompany.com"
.Ed
.Pp
The domain name suffix is distinguished from hostnames and netgroups by a
prefixed dot. For example,
.Bd -literal -offset indent
rw=.mydomain.mycompany.com
.Ed
.Pp
A single dot can be used to match a hostname with no suffix. For example,
.Bd -literal -offset indent
rw=.
.Ed
.Pp
matches
.Qq mydomain
but not
.Qq mydomain.mycompany.com .
This feature can be used to match hosts resolved through NIS and NIS+ rather
than DNS and LDAP.
.It Sy network
The network or subnet component is preceded by an at-sign (@). It can be either
a name or a dotted address. If a name, it is converted to a dotted address by
.Xr getnetbyname 3SOCKET .
For example,
.Bd -literal -offset indent
=@mynet
.Ed
.Pp
would be equivalent to:
.Bd -literal -offset indent
=@172.16 or =@172.16.0.0
.Ed
.Pp
The network prefix assumes an octet-aligned netmask determined from the zeroth
octet in the low-order part of the address up to and including the high-order
octet, if you want to specify a single IP address (see below). In the case
where network prefixes are not byte-aligned, the syntax allows a mask length to
be specified explicitly following a slash (/) delimiter. For example,
.Bd -literal -offset indent
=@theothernet/17 or =@172.16.132/22
.Ed
.Pp
where the mask is the number of leftmost contiguous significant bits in the
corresponding IP address.
.Pp
When specifying individual IP addresses, use the same @ notation described
above, without a netmask specification. For example:
.Bd -literal -offset indent
=@172.16.132.14
.Ed
.Pp
Multiple, individual IP addresses would be specified, for example, as:
.Bd -literal -offset indent
root=@172.16.132.20:@172.16.134.20
.Ed
.El
.Pp
A prefixed minus sign (-) denies access to that component of
.Ar access_list .
The list is searched sequentially until a match is found that either grants or
denies access, or until the end of the list is reached. For example, if host
.Qq terra
is in the
.Qq engineering
netgroup, then
.Bd -literal -offset indent
rw=-terra:engineering
.Ed
.Pp
denies access to
.Qq terra
but
.Bd -literal -offset indent
rw=engineering:-terra
.Ed
.Pp
grants access to
.Qq terra .
.Sh OPERANDS
The following operands are supported:
.Bl -tag -width "pathname"
.It Sy pathname
The pathname of the file system to be shared.
.El
.Sh FILES
.Bl -tag -width "/etc/nfs/nfslog.conf"
.It Pa /etc/dfs/fstypes
list of system types, NFS by default
.It Pa /etc/dfs/sharetab
system record of shared file systems
.It Pa /etc/nfs/nfslogtab
system record of logged file systems
.It Pa /etc/nfs/nfslog.conf
logging configuration file
.El
.Sh EXIT STATUS
.Ex -std
.Sh EXAMPLES
.Ss Example 1 Sharing A File System With Logging Enabled
The following example shows the
.Pa /export
file system shared with logging enabled:
.Bd -literal -offset indent
share -o log /export
.Ed
.Pp
The default global logging parameters are used since no tag identifier is
specified. The location of the log file, as well as the necessary logging work
files, is specified by the global entry in
.Pa /etc/nfs/nfslog.conf .
The
.Xr nfslogd 1M
daemon runs only if at least one file system entry in
.Pa /etc/dfs/dfstab
is shared with logging enabled upon starting or rebooting the system. Simply
sharing a file system with logging enabled from the command line does not start
the
.Xr nfslogd 1M .
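The access_list matching rules (hostname, netgroup, domain suffix, single dot, @network with octet-aligned or explicit mask, "-" denial, sequential first match) and the root=, root_mapping=, uidmap= and anon= evaluation order described above, as an added Python model that is not illumos code; NETGROUPS, NETWORKS, PASSWD and UID_NOBODY are constructed stand-ins for the name services and constants the real server consults.

```python
"""Model of share_nfs(1M) access_list matching and AUTH_SYS identity mapping.

Added illustration, not illumos code.  The name-service data below is
constructed; it stands in for DNS, netgroup(4) and getnetbyname(3SOCKET).
"""
import ipaddress

NETGROUPS = {"engineering": {"terra.eng.example.com", "luna.eng.example.com"}}
NETWORKS = {"mynet": "172.16", "theothernet": "10.8"}   # getnetbyname stand-in
PASSWD = {"root": 0, "alice": 100, "joe": 1001}           # passwd stand-in
UID_NOBODY = 60001                                        # assumed value


def network_contains(spec, ip):
    """Match an @network component (given without the '@') against an IP.

    '172.16' and '172.16.0.0' use the octet-aligned mask /16, '172.16.132.14'
    is a single host (/32), and '172.16.132/22' or 'theothernet/17' carry an
    explicit mask length after the slash."""
    addr, _, plen = spec.partition("/")
    octets = NETWORKS.get(addr, addr).split(".")
    if not plen:
        while len(octets) > 1 and octets[-1] == "0":   # trailing zero octets
            octets.pop()                                # are not significant
        plen = str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    net = ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)
    return ipaddress.ip_address(ip) in net


def component_matches(component, host, ip):
    """One access_list component: '*', @network, '.', .suffix, netgroup, host."""
    if component == "*":
        return True
    if component.startswith("@"):
        return network_contains(component[1:], ip)
    if component == ".":            # a hostname with no domain suffix
        return "." not in host
    if component.startswith("."):   # domain name suffix
        return host.endswith(component)
    if component in NETGROUPS:
        return host in NETGROUPS[component]
    return component == host


def access_list_decision(access_list, host, ip):
    """Sequential search: True = grant, False = '-' deny, None = no match."""
    for component in access_list.split(":"):
        deny = component.startswith("-")
        if component_matches(component[1:] if deny else component, host, ip):
            return not deny
    return None


def parse_mappings(spec):
    """uidmap= value: mapping[~mapping]..., each '[clnt]:[srv]:access_list'."""
    return [tuple(m.split(":", 2)) for m in spec.split("~")] if spec else []


def effective_uid(options, uid, host, ip):
    """Identity an AUTH_SYS request ends up with, in the manual's order:
    root= (then root_mapping=), then uidmap=, then anon=.
    Returns the uid, or None when access is denied."""
    if uid == 0 and "root" in options and \
            access_list_decision(options["root"], host, ip):
        return int(options.get("root_mapping", "0"))    # uidmap= is skipped
    for clnt, srv, access_list in parse_mappings(options.get("uidmap", "")):
        if clnt == "*":
            hit = True
        elif clnt == "":                                 # unknown uids only
            hit = uid not in PASSWD.values()
        else:
            hit = uid == int(clnt)
        if hit and access_list_decision(access_list, host, ip):
            if srv == "-1":
                return None
            return UID_NOBODY if srv == "" else (
                int(srv) if srv.isdigit() else PASSWD[srv])
    if uid == 0 or uid not in PASSWD.values():           # root without root=
        anon = int(options.get("anon", str(UID_NOBODY))) # access, or unknown
        return None if anon == -1 else anon
    return uid
```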
.Ss Example 2 Remap A User Coming From A Particular NFS Client
The following example remaps the user with uid
.Sy 100
at client
.Sy 10.0.0.1
to user
.Sy joe Ns :
.Bd -literal -offset indent
share -o uidmap=100:joe:@10.0.0.1 /export
.Ed
.Sh SEE ALSO
.Xr mount 1M ,
.Xr mountd 1M ,
.Xr nfsd 1M ,
.Xr nfslogd 1M ,
.Xr share 1M ,
.Xr unshare 1M ,
.Xr getnetbyname 3SOCKET ,
.Xr nfslog.conf 4 ,
.Xr netgroup 4 ,
.Xr attributes 5 ,
.Xr nfssec 5
.Sh NOTES
If the
.Sy sec Ns =
option is presented at least once, all uses of the
.Sy window Ns = ,
.Sy rw ,
.Sy ro ,
.Sy rw Ns = ,
.Sy ro Ns = ,
and
.Sy root Ns =
options must come after the first
.Sy sec Ns =
option. If the
.Sy sec Ns =
option is not presented, then
.Sy sec Ns = Ns Sy sys
is implied.
.Pp
If one or more explicit
.Sy sec Ns =
options are presented,
.Sy sys
must appear in one of the options' mode lists for access using the AUTH_SYS
security mode to be allowed. For example:
.Bd -literal -offset indent
share -F nfs /var
share -F nfs -o sec=sys /var
.Ed
.Pp
grants read-write access to any host using AUTH_SYS, but
.Bd -literal -offset indent
share -F nfs -o sec=dh /var
.Ed
.Pp
grants no access to clients that use AUTH_SYS.
.Pp
Unlike previous implementations of
.Nm ,
access checking for the
.Sy window Ns = ,
.Sy rw ,
.Sy ro ,
.Sy rw Ns = ,
and
.Sy ro Ns =
options is done per NFS request, instead of per mount request.
.Pp
Combining multiple security modes can be a security hole in situations where
the
.Sy ro Ns =
and
.Sy rw Ns =
options are used to control access to weaker security modes.
In this example,
.Bd -literal -offset indent
share -F nfs -o sec=dh,rw,sec=sys,rw=hosta /var
.Ed
.Pp
an intruder can forge the IP address for
.Qq hosta
(albeit on each NFS request) to side-step the stronger controls of AUTH_DES.
Something like:
.Bd -literal -offset indent
share -F nfs -o sec=dh,rw,sec=sys,ro /var
.Ed
.Pp
is safer, because any client (intruder or legitimate) that avoids AUTH_DES only
gets read-only access. In general, multiple security modes per share command
should only be used in situations where the clients using more secure modes get
stronger access than clients using less secure modes.
.Pp
If
.Sy rw Ns =
and
.Sy ro Ns =
options are specified in the same
.Sy sec Ns =
clause, and a client is in both lists, the order of the two options determines
the access the client gets.
If client
.Qq hosta
is in two netgroups,
.Qq group1
and
.Qq group2 ,
in this example, the client would get read-only access:
.Bd -literal -offset indent
share -F nfs -o ro=group1,rw=group2 /var
.Ed
.Pp
In this example
.Qq hosta
would get read-write access:
.Bd -literal -offset indent
share -F nfs -o rw=group2,ro=group1 /var
.Ed
.Pp
If within a
.Sy sec Ns =
clause, both the
.Sy ro
and
.Sy rw Ns =
options are specified, for compatibility, the order of the options rule is not
enforced. All hosts would get read-only access, with the exception of those in
the read-write list. Likewise, if the
.Sy ro Ns =
and
.Sy rw
options are specified, all hosts get read-write access with the exception of
those in the read-only list.
.Pp
The
.Sy ro Ns =
and
.Sy rw Ns =
options are guaranteed to work over UDP and TCP but may not work over other
transport providers.
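The sec= clause rules and the rw, ro, rw= and ro= ordering rules from the preceding NOTES paragraphs, as an added Python model that is not illumos code, together with a lint for the weaker-mode hole the sec=dh,rw,sec=sys,rw=hosta example describes; CLIENT_NAMES and STRENGTH are constructed stand-ins, and only hostname and netgroup components are resolved (network and domain-suffix components are not modelled here).

```python
"""Model of how share_nfs(1M) resolves sec= clauses and rw/ro options.

Added illustration, not illumos code.  Access-list components are resolved
by a set lookup against constructed data; @network and .domain components
are not handled by this model.
"""

# Constructed: the names each client answers to (its hostname plus the
# netgroups it belongs to), standing in for DNS and netgroup(4).
CLIENT_NAMES = {
    "hosta": {"hosta", "group1", "group2"},
    "hostb": {"hostb"},
}
# Relative strength of the flavors the manual discusses; others rank lowest.
STRENGTH = {"none": 0, "sys": 1, "dh": 2}


def parse_options(optstr):
    """Split a -o string into sec= clauses: [(modes, [(key, value), ...])].

    Without an explicit sec=, sec=sys is implied.  window=, rw, ro, rw=, ro=
    and root= must follow the first sec= when one is given."""
    clauses, modes, opts = [], None, []
    for token in filter(None, optstr.split(",")):
        key, _, value = token.partition("=")
        if key == "sec":
            if modes is not None:
                clauses.append((modes, opts))
            elif any(k in ("window", "rw", "ro", "root") for k, _ in opts):
                raise ValueError("rw/ro/root/window option before first sec=")
            modes, opts = value.split(":"), []
        else:
            opts.append((key, value if "=" in token else None))
    clauses.append((["sys"] if modes is None else modes, opts))
    return clauses


def client_matches(access_list, client):
    """Sequential first match: True = grant, False = '-' deny, None = no match."""
    for component in access_list.split(":"):
        deny = component.startswith("-")
        name = component[1:] if deny else component
        if name == "*" or name in CLIENT_NAMES[client]:
            return not deny
    return None


def clause_access(opts, client):
    """'rw', 'ro' or 'none' for one sec= clause.  Listed options (rw=, ro=)
    are tried in order and the first grant or deny wins; a bare rw or ro then
    covers everyone else whatever its position (the compatibility rule)."""
    blanket = None
    for key, value in opts:
        if key in ("rw", "ro") and value is None:
            blanket = key
    for key, value in opts:
        if key in ("rw", "ro") and value is not None:
            hit = client_matches(value, client)
            if hit is True:
                return key
            if hit is False:
                return "none"
    if blanket:
        return blanket
    listed = any(k in ("rw", "ro") for k, _ in opts)
    return "none" if listed else "rw"      # no rw/ro at all: read-write to all


def share_access(optstr, client, flavor):
    """Access a client using security flavor `flavor` gets on the share."""
    for modes, opts in parse_options(optstr):
        if flavor in modes:
            return clause_access(opts, client)
    return "none"      # flavor not shared: the request is unauthenticated


def weaker_mode_writes(optstr):
    """Lint: sec= clauses that grant writes through a flavor weaker than
    another clause on the same share, i.e. shares where an address list
    rather than the stronger flavor is what protects write access."""
    clauses = parse_options(optstr)
    strongest = max(STRENGTH.get(m, 0) for modes, _ in clauses for m in modes)
    flagged = []
    for modes, opts in clauses:
        keys = [k for k, _ in opts if k in ("rw", "ro")]
        writes = "rw" in keys or not keys       # bare/listed rw, or default rw
        if writes and max(STRENGTH.get(m, 0) for m in modes) < strongest:
            flagged.append(":".join(modes))
    return flagged
```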
641*073ec901SMarcel Telka.Pp 642*073ec901SMarcel TelkaThe 643*073ec901SMarcel Telka.Sy root Ns = 644*073ec901SMarcel Telkaoption with AUTH_SYS is guaranteed to work over UDP and TCP but may not work 645*073ec901SMarcel Telkaover other transport providers. 646*073ec901SMarcel Telka.Pp 647*073ec901SMarcel TelkaThe 648*073ec901SMarcel Telka.Sy root Ns = 649*073ec901SMarcel Telkaoption with AUTH_DES is guaranteed to work over any transport provider. 650*073ec901SMarcel Telka.Pp 651*073ec901SMarcel TelkaThere are no interactions between the 652*073ec901SMarcel Telka.Sy root Ns = 653*073ec901SMarcel Telkaoption and the 654*073ec901SMarcel Telka.Sy rw , 655*073ec901SMarcel Telka.Sy ro , 656*073ec901SMarcel Telka.Sy rw Ns = , 657*073ec901SMarcel Telkaand 658*073ec901SMarcel Telka.Sy ro Ns = 659*073ec901SMarcel Telkaoptions. Putting a host in the root list does not override the semantics of the 660*073ec901SMarcel Telkaother options. The access the host gets is the same as when the 661*073ec901SMarcel Telka.Sy root Ns = 662*073ec901SMarcel Telkaoption is absent. 
For example, the following share command denies access to 663*073ec901SMarcel Telka.Qq hostb : 664*073ec901SMarcel Telka.Bd -literal -offset indent 665*073ec901SMarcel Telkashare -F nfs -o ro=hosta,root=hostb /var 666*073ec901SMarcel Telka.Ed 667*073ec901SMarcel Telka.Pp 668*073ec901SMarcel TelkaThe following gives read-only permissions to 669*073ec901SMarcel Telka.Qq hostb : 670*073ec901SMarcel Telka.Bd -literal -offset indent 671*073ec901SMarcel Telkashare -F nfs -o ro=hostb,root=hostb /var 672*073ec901SMarcel Telka.Ed 673*073ec901SMarcel Telka.Pp 674*073ec901SMarcel TelkaThe following gives read-write permissions to 675*073ec901SMarcel Telka.Qq hostb : 676*073ec901SMarcel Telka.Bd -literal -offset indent 677*073ec901SMarcel Telkashare -F nfs -o ro=hosta,rw=hostb,root=hostb /var 678*073ec901SMarcel Telka.Ed 679*073ec901SMarcel Telka.Pp 680c10c16deSRichard LoweIf the file system being shared is a symbolic link to a valid pathname, the 681*073ec901SMarcel Telkacanonical path (the path which the symbolic link follows) is shared. For 682*073ec901SMarcel Telkaexample, if 683*073ec901SMarcel Telka.Pa /export/foo 684*073ec901SMarcel Telkais a symbolic link to 685*073ec901SMarcel Telka.Pa /export/bar , 686*073ec901SMarcel Telkathe following share command results in 687*073ec901SMarcel Telka.Pa /export/bar 688*073ec901SMarcel Telkaas the shared pathname (and not 689*073ec901SMarcel Telka.Pa /export/foo ) : 690*073ec901SMarcel Telka.Bd -literal -offset indent 691*073ec901SMarcel Telkashare -F nfs /export/foo 692*073ec901SMarcel Telka.Ed 693*073ec901SMarcel Telka.Pp 694*073ec901SMarcel TelkaAn NFS mount of 695*073ec901SMarcel Telka.Lk server:/export/foo 696*073ec901SMarcel Telkaresults in 697*073ec901SMarcel Telka.Lk server:/export/bar 698*073ec901SMarcel Telkareally being mounted. 
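.Pp
The access rules described above (the order of
.Sy rw Ns =
and
.Sy ro Ns =
lists, a bare
.Sy ro
or
.Sy rw
combined with an exception list,
.Sy root Ns =
having no effect on access, and the comparison of access across
.Sy sec Ns =
clauses) can be checked for a given client before an entry goes into
.Pa /etc/dfs/dfstab .
The following Python model is an added example; it is not code from illumos or
from the share utility. It assumes that options written before the first
.Sy sec Ns =
belong to the default mode sys, that a share with no rw/ro option at all is
read-write to every client, that access lists are colon-separated, and that a
client is represented by the set of names it matches (its host name plus the
netgroups it belongs to). It also adds an assumed strength ordering for the
Kerberos modes beyond the AUTH_SYS-weaker-than-AUTH_DES relation the text
states.

```python
"""Model of the share_nfs(1M) access rules for ro, rw, ro=, rw=, root= and sec=.

Added illustration, not code from illumos.  A client is modelled as the set of
names it matches: its host name plus the netgroups it belongs to."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Relative strength of security modes.  Only "sys is weaker than dh" comes from
# the man page text; the Kerberos ordering is an assumption added here.
MODE_STRENGTH = {"none": 0, "sys": 1, "dh": 2, "krb5": 3, "krb5i": 4, "krb5p": 5}

# Rank of the access outcomes; None means the client is denied.
ACCESS_RANK = {None: 0, "ro": 1, "rw": 2}


@dataclass
class SecClause:
    mode: str
    # (keyword, value) pairs in the order written; value is None for a bare rw/ro.
    opts: List[Tuple[str, Optional[str]]] = field(default_factory=list)


def parse_share_opts(optstring: str) -> List[SecClause]:
    """Split a -o string into its sec= clauses.  Options written before the
    first sec= keyword are assumed to belong to the default mode, sys."""
    clauses: List[SecClause] = []
    current = SecClause("sys")
    for item in optstring.split(","):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        if key == "sec":
            if current.opts:
                clauses.append(current)
            current = SecClause(value)
        else:
            current.opts.append((key, value or None))
    clauses.append(current)
    return clauses


def _in_list(client: Set[str], value: Optional[str]) -> bool:
    """True if one of the client's names appears in a colon-separated access
    list such as rw=hosta:group2 (assumed list separator)."""
    return bool(value) and any(entry in client for entry in value.split(":"))


def resolve_access(clause: SecClause, client: Set[str]) -> Optional[str]:
    """Return "rw", "ro" or None (denied) for one sec= clause."""
    access_opts = [(k, v) for k, v in clause.opts if k in ("rw", "ro")]
    if not access_opts:
        return "rw"  # assumption: a share with no rw/ro option is read-write to all
    # An explicit list naming the client wins, the first one in the order
    # written (ro=group1,rw=group2 gives ro; rw=group2,ro=group1 gives rw).
    for key, value in access_opts:
        if value is not None and _in_list(client, value):
            return key
    # A bare ro or rw is the default for every client no list names, so
    # "ro,rw=hostb" makes hostb rw and everyone else ro regardless of order.
    for key, value in access_opts:
        if value is None:
            return key
    # Only lists were given and none names the client: access is denied.
    return None


def root_mapped(clause: SecClause, client: Set[str]) -> bool:
    """root= decides whether uid 0 is preserved; it never grants access by itself."""
    return any(k == "root" and _in_list(client, v) for k, v in clause.opts)


def access_by_mode(optstring: str, client: Set[str]) -> Dict[str, Tuple[Optional[str], bool]]:
    """Map each security mode of the share to (access, root-preserved) for the client."""
    result: Dict[str, Tuple[Optional[str], bool]] = {}
    for clause in parse_share_opts(optstring):
        access = resolve_access(clause, client)
        result[clause.mode] = (access, access is not None and root_mapped(clause, client))
    return result


def weaker_mode_grants_more(optstring: str, client: Set[str]) -> List[str]:
    """Findings where a weaker security mode gives the client at least the access
    of a stronger one.  That is the configuration the man page warns about: the
    client simply uses the weaker mode, so the stronger mode adds no protection."""
    result = access_by_mode(optstring, client)
    modes = sorted(result, key=lambda m: MODE_STRENGTH.get(m, 0))
    findings: List[str] = []
    for i, weak in enumerate(modes):
        weak_access = result[weak][0]
        for strong in modes[i + 1:]:
            strong_access = result[strong][0]
            if weak_access is not None and ACCESS_RANK[weak_access] >= ACCESS_RANK[strong_access]:
                findings.append(
                    f"sec={weak} gives {weak_access}, no less than sec={strong} ({strong_access})")
    return findings


if __name__ == "__main__":
    hosta = {"hosta", "group1", "group2"}  # constructed client in both netgroups
    for opts in ("sec=dh,rw,sec=sys,rw=hosta", "sec=dh,rw,sec=sys,ro",
                 "ro=group1,rw=group2", "rw=group2,ro=group1"):
        print(opts, access_by_mode(opts, hosta), weaker_mode_grants_more(opts, hosta))
```

Run stand-alone, the block evaluates the page's own examples for a constructed
client hosta that belongs to both group1 and group2. For the
sec=dh,rw,sec=sys,rw=hosta share it reports that sec=sys gives hosta the same
read-write access as sec=dh, which is exactly the weakness the text describes,
while the sec=dh,rw,sec=sys,ro variant produces no finding because the weaker
mode only yields read-only access.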
.Pp
This line in the
.Pa /etc/dfs/dfstab
file shares the
.Pa /disk
file system read-only at boot time:
.Bd -literal -offset indent
share -F nfs -o ro /disk
.Ed
.Pp
The same command entered from the command line does not share the
.Pa /disk
file system unless there is at least one file system entry in the
.Pa /etc/dfs/dfstab
file. The
.Xr mountd 1M
and
.Xr nfsd 1M
daemons only run if there is a file system entry in
.Pa /etc/dfs/dfstab
when starting or rebooting the system.
.Pp
The
.Xr mountd 1M
process allows the processing of a path name that contains a symbolic link.
This allows the processing of paths that are not themselves explicitly shared
with
.Nm .
For example,
.Pa /export/foo
might be a symbolic link that refers to
.Pa /export/bar ,
which has been specifically shared. When the client mounts
.Pa /export/foo ,
the mountd processing follows the symbolic link and responds with
.Pa /export/bar .
The NFS Version 4 protocol does not use the mountd processing, so the client's
use of
.Pa /export/foo
does not work as it does with NFS Version 2 and Version 3; the client
receives an error when attempting to mount
.Pa /export/foo .