NFS support overview
Network File System (NFS) is an access protocol that enables users to access files and folders on a network. You can create an NFS export to make file system paths on your storage system available for mounting by NFS clients.
PowerMax File supports NFSv3 and NFSv4. It also supports secure NFS with Kerberos for strong authentication. While PowerMax File supports most of the NFSv4 and v4.1 functionality described in the relevant RFCs, directory delegation and pNFS are not supported. NFS support is enabled on a NAS server during or after creation, enabling you to create NFS-enabled file systems on that NAS server.
You can configure secure NFS when you create or modify a NAS server that supports UNIX shares. Secure NFS provides Kerberos-based user authentication and can also provide network data integrity and network data privacy. Kerberos is a distributed authentication service that is designed to provide strong authentication with secret-key cryptography. It relies on "tickets" that allow nodes communicating over a non-secure network to prove their identity in a secure manner. When configured to act as a secure NFS server, the NAS server uses the RPCSEC_GSS security framework and the Kerberos authentication protocol to verify users and services.
Secure NFS supports the following security options:
- krb5: Kerberos authentication
- krb5i: Kerberos authentication and data integrity by adding a signature to each NFS packet transmitted over the network
- krb5p: Kerberos authentication, data integrity, and data privacy by encrypting the data before sending it over the network
Data encryption requires more resources for system processing and can lead to slower performance.
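The following is an added example, not part of the PowerMax documentation: a client-side audit that checks whether each NFS mount uses at least a required flavor from the options listed above. It assumes Linux clients, whose /proc/mounts entries carry a sec= mount option; the sample lines, host name, and paths are constructed.

```python
"""Audit NFS mounts for the negotiated security flavor (added example)."""

# Flavors ordered weakest to strongest; "sys" is plain AUTH_SYS (no Kerberos).
RANK = {"sys": 0, "krb5": 1, "krb5i": 2, "krb5p": 3}

# Constructed sample in /proc/mounts format; hosts and paths are placeholders.
SAMPLE_MOUNTS = """\
nas01.example.test:/fs_home /mnt/home nfs4 rw,relatime,vers=4.1,proto=tcp,sec=krb5p 0 0
nas01.example.test:/fs_build /mnt/build nfs4 rw,relatime,vers=4.1,proto=tcp,sec=krb5 0 0
nas01.example.test:/fs_scratch /mnt/scratch nfs rw,relatime,vers=3,proto=tcp,sec=sys 0 0
/dev/sda1 / ext4 rw,relatime 0 0
nas01.example.test:/fs_old /mnt/old nfs rw,relatime,vers=3,proto=tcp 0 0
"""


def parse_nfs_mounts(text):
    """Yield (export, mountpoint, flavor) for each NFS entry; flavor may be None."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] not in ("nfs", "nfs4"):
            continue
        # "sec=krb5p" -> ("sec", "krb5p"); bare flags such as "rw" map to "".
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        yield fields[0], fields[1], opts.get("sec")


def audit(text, minimum="krb5i"):
    """Return findings for mounts whose flavor is below `minimum` or unknown."""
    findings = []
    for _export, mountpoint, flavor in parse_nfs_mounts(text):
        if flavor not in RANK:
            # Assumption: a missing or unrecognised sec= is reported, not trusted.
            findings.append((mountpoint, flavor, "no recognised sec= option"))
        elif RANK[flavor] < RANK[minimum]:
            findings.append((mountpoint, flavor, f"weaker than {minimum}"))
    return findings


if __name__ == "__main__":
    # On a real client, pass open("/proc/mounts").read() instead of the sample.
    for mountpoint, flavor, reason in audit(SAMPLE_MOUNTS):
        print(f"{mountpoint}: sec={flavor} ({reason})")
```

Setting minimum="krb5p" reports every mount that does not encrypt NFS traffic, which is the case to check where data privacy on the wire is a requirement.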
In a secure NFS environment, user access to NFS file systems is granted based on Kerberos principal names. However, access control to shares within a file system is based on the UNIX UID and GID, or on ACLs.
NOTE: Secure NFS supports NFS credentials with more than 16 groups, which is equivalent to the extended UNIX credentials option.
If you are implementing Secure NFS, configure the following:
- At least one NTP server must be configured on the PowerMax appliance to synchronize the date and time. It is recommended that you set up a minimum of two NTP servers per domain to avoid a single point of failure.
- A UNIX Directory Service (UDS)
- One or more DNS servers
- Either an AD or custom realm must be added for Kerberos authentication.
- A keytab file must be uploaded to your NAS server when using a custom realm in a Kerberos configuration.
Complete the following before you can create NFS exports in PowerMax: