
Worksheet for gathering NFS configuration information

The NFS configuration worksheet enables you to collect the required information to set up NFS access for clients.

You should complete one or both sections of the worksheet, depending on the decision you made about where to provision storage:

- Configuring NFS access to an SVM
- Adding storage capacity to an NFS-enabled SVM

See the command man pages for details about the parameters.

Configuring NFS access to an SVM

Parameters for creating an SVM

You supply these values with the vserver create command if you are creating a new SVM.

Field | Description | Your value
-vserver | A name you supply for the new SVM that is either a fully qualified domain name (FQDN) or follows another convention that enforces unique SVM names across a cluster. |
-aggregate | The name of an aggregate in the cluster with sufficient space for new NFS storage capacity. |
-rootvolume | A unique name you supply for the SVM root volume. |
-rootvolume-security-style | Use the UNIX security style for the SVM. | unix
-language | Use the default language setting in this workflow. | C.UTF-8
-ipspace | IPspaces are distinct IP address spaces in which storage virtual machines (SVMs) reside. |

Parameters for creating an NFS server

You supply these values with the vserver nfs create command when you create a new NFS server and specify supported NFS versions.

If you are enabling NFSv4 or later, you should use LDAP for improved security.

Field | Description | Your value
-v3, -v4.0, -v4.1, -v4.1-pnfs | Enable NFS versions as needed. Note: v4.2 is also supported in ONTAP 9.8 and later when v4.1 is enabled. |
-v4-id-domain | ID mapping domain name. |
-v4-numeric-ids | Support for numeric owner IDs (enabled or disabled). |

Parameters for creating a LIF

You supply these values with the network interface create command when you are creating LIFs.

If you are using Kerberos, you should enable Kerberos on multiple LIFs.

Field | Description | Your value
-lif | A name you supply for the new LIF. |
-role | Use the data LIF role in this workflow. | data
-data-protocol | Use only the NFS protocol in this workflow. | nfs
-home-node | The node to which the LIF returns when the network interface revert command is run on the LIF. |
-home-port | The port or interface group to which the LIF returns when the network interface revert command is run on the LIF. |
-address | The IPv4 or IPv6 address on the cluster that will be used for data access by the new LIF. |
-netmask | The network mask and gateway for the LIF. |
-subnet | A pool of IP addresses. Used instead of -address and -netmask to assign addresses and netmasks automatically. |
-firewall-policy | Use the default data firewall policy in this workflow. | data

Parameters for DNS host name resolution

You supply these values with the vserver services name-service dns create command when you are configuring DNS.

Field | Description | Your value
-domains | Up to five DNS domain names. |
-name-servers | Up to three IP addresses for each DNS name server. |

Name service information

Parameters for creating local users

You supply these values if you are creating local users by using the vserver services name-service unix-user create command. If you are configuring local users by loading a file containing UNIX users from a uniform resource identifier (URI), you do not need to specify these values manually.

 | User name (-user) | User ID (-id) | Group ID (-primary-gid) | Full name (-full-name)
Example | johnm | 123 | 100 | John Miller
1 | | | |
2 | | | |
3 | | | |
... | | | |
n | | | |

Parameters for creating local groups

You supply these values if you are creating local groups by using the vserver services name-service unix-group create command. If you are configuring local groups by loading a file containing UNIX groups from a URI, you do not need to specify these values manually.

 | Group name (-name) | Group ID (-id)
Example | Engineering | 100
1 | |
2 | |
3 | |
... | |
n | |

Parameters for NIS

You supply these values with the vserver services name-service nis-domain create command.

Note
Starting in Lenovo Data ONTAP 9.4, the field -nis-servers replaces the field -servers. This new field can take either a hostname or an IP address for the NIS server.

Field | Description | Your value
-domain | The NIS domain that the SVM will use for name lookups. |
-active | The active NIS domain server. | true or false
-nis-servers | A comma-separated list of IP addresses and hostnames for the NIS servers used by the domain configuration. |

Parameters for LDAP

You supply these values with the vserver services name-service ldap client create command.

You will also need a self-signed root CA certificate .pem file.

Note
Starting in Lenovo Data ONTAP 9.4, the field -ldap-servers replaces the field -servers. This new field can take either a hostname or an IP address for the LDAP server.

Field | Description | Your value
-vserver | The name of the SVM for which you want to create an LDAP client configuration. |
-client-config | The name you assign for the new LDAP client configuration. |
-ldap-servers | A comma-separated list of IP addresses and hostnames for the LDAP servers. |
-query-timeout | Use the default 3 seconds for this workflow. | 3
-min-bind-level | The minimum bind authentication level. The default is anonymous. Must be set to sasl if signing and sealing is configured. |
-preferred-ad-servers | One or more preferred Active Directory servers by IP address in a comma-delimited list. |
-ad-domain | The Active Directory domain. |
-schema | The schema template to use. You can use a default or custom schema. |
-port | Use the default LDAP server port 389 for this workflow. | 389
-bind-dn | The Bind user distinguished name. |
-base-dn | The base distinguished name. The default is "" (root). |
-base-scope | Use the default base search scope subtree for this workflow. | subtree
-session-security | Enables LDAP signing or signing and sealing. The default is none. |
-use-start-tls | Enables LDAP over TLS. The default is false. |

Parameters for Kerberos authentication

You supply these values with the vserver nfs kerberos realm create command. Some of the values will differ depending on whether you use Microsoft Active Directory as a Key Distribution Center (KDC) server, or MIT or other UNIX KDC server.

Field | Description | Your value
-vserver | The SVM that will communicate with the KDC. |
-realm | The Kerberos realm. |
-clock-skew | Permitted clock skew between clients and servers. |
-kdc-ip | KDC IP address. |
-kdc-port | KDC port number. |
-adserver-name | Microsoft KDC only: AD server name. |
-adserver-ip | Microsoft KDC only: AD server IP address. |
-adminserver-ip | UNIX KDC only: Admin server IP address. |
-adminserver-port | UNIX KDC only: Admin server port number. |
-passwordserver-ip | UNIX KDC only: Password server IP address. |
-passwordserver-port | UNIX KDC only: Password server port. |
-kdc-vendor | KDC vendor. | { Microsoft | Other }
-comment | Any desired comments. |

You supply these values with the vserver nfs kerberos interface enable command.

Field | Description | Your value
-vserver | The name of the SVM for which you want to create a Kerberos configuration. |
-lif | The data LIF on which you will enable Kerberos. You can enable Kerberos on multiple LIFs. |
-spn | The Service Principal Name (SPN). |
-permitted-enc-types | The permitted encryption types for Kerberos over NFS; aes-256 is recommended, depending on client capabilities. |
-admin-username | The KDC administrator credentials used to retrieve the SPN secret key directly from the KDC. A password is required. |
-keytab-uri | The keytab file from the KDC containing the SPN key, used if you do not have KDC administrator credentials. |
-ou | The organizational unit (OU) under which the Microsoft Active Directory server account will be created when you enable Kerberos using a realm for a Microsoft KDC. |
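The LDAP and Kerberos tables above carry the settings that decide whether name-service lookups, bind credentials and NFS session keys cross the network protected or in cleartext. The following script is an added example, not code from the Lenovo/NetApp documentation: it takes the worksheet values for the LDAP client and for a Kerberos-enabled LIF and reports the combinations a reviewer would send back before the commands are run. The parameter names are the worksheet's; the value sets for -min-bind-level (anonymous, simple, sasl), -session-security (none, sign, seal) and -permitted-enc-types (des, des3, aes-128, aes-256) are the ONTAP ones; the server names, DNs, LIF names and SPN below are constructed sample data.

```python
"""Review the LDAP client and Kerberos interface values from the worksheet
before typing them into the ONTAP CLI.

Added example; not code from the Lenovo/NetApp documentation. Parameter names
are the worksheet's; allowed values are the ONTAP ones; all server names, DNs
and LIF names are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class LdapClientConfig:
    """Values for `vserver services name-service ldap client create`."""
    client_config: str
    ldap_servers: list
    port: int = 389                     # worksheet default
    min_bind_level: str = "anonymous"   # worksheet default
    session_security: str = "none"      # worksheet default
    use_start_tls: bool = False         # worksheet default
    bind_dn: str = ""


@dataclass
class KerberosInterfaceConfig:
    """Values for `vserver nfs kerberos interface enable`."""
    lif: str
    spn: str
    permitted_enc_types: list = field(default_factory=lambda: ["aes-256"])


WEAK_ENC_TYPES = {"des", "des3"}


def check_ldap_client(cfg: LdapClientConfig) -> list:
    """Return a list of findings; an empty list means nothing to change."""
    findings = []
    # Constraint stated on the worksheet: signing or sealing needs a SASL bind.
    if cfg.session_security in ("sign", "seal") and cfg.min_bind_level != "sasl":
        findings.append(f"{cfg.client_config}: -session-security {cfg.session_security} "
                        f"requires -min-bind-level sasl (got {cfg.min_bind_level})")
    # With a bind DN and none of TLS, signing/sealing or SASL, the bind password
    # crosses the network in cleartext.
    protected = (cfg.use_start_tls or cfg.session_security != "none"
                 or cfg.min_bind_level == "sasl")
    if cfg.bind_dn and not protected:
        findings.append(f"{cfg.client_config}: -bind-dn is set but the bind is unprotected "
                        "(-use-start-tls false, -session-security none, non-SASL bind level)")
    # Plain LDAP on 389 without START TLS or signing/sealing exposes user and group lookups.
    if cfg.port == 389 and not cfg.use_start_tls and cfg.session_security == "none":
        findings.append(f"{cfg.client_config}: port 389 without -use-start-tls or "
                        "-session-security sends lookups in cleartext")
    return findings


def check_kerberos_interface(cfg: KerberosInterfaceConfig) -> list:
    """Return findings for the Kerberos settings of one data LIF."""
    findings = []
    weak = sorted(WEAK_ENC_TYPES.intersection(cfg.permitted_enc_types))
    if weak:
        findings.append(f"{cfg.lif}: -permitted-enc-types includes weak types {weak}")
    if "aes-256" not in cfg.permitted_enc_types:
        findings.append(f"{cfg.lif}: aes-256 is not in -permitted-enc-types")
    # NFS service principals take the form nfs/<host>@<REALM>.
    if not cfg.spn.startswith("nfs/") or "@" not in cfg.spn:
        findings.append(f"{cfg.lif}: -spn {cfg.spn!r} is not of the form nfs/host@REALM")
    return findings


def review(ldap: LdapClientConfig, krb: KerberosInterfaceConfig) -> list:
    """Combined findings for one LDAP client configuration and one LIF."""
    return check_ldap_client(ldap) + check_kerberos_interface(krb)


# Constructed sample worksheets: one filled in close to the defaults, one hardened.
SVC_BIND_DN = "cn=svc-nfs,ou=service,dc=example,dc=com"
DEFAULT_LDAP = LdapClientConfig("ldap_default", ["10.0.0.5"], min_bind_level="simple",
                                bind_dn=SVC_BIND_DN)
HARDENED_LDAP = LdapClientConfig("ldap_hardened", ["ldap1.example.com"], min_bind_level="sasl",
                                 session_security="seal", bind_dn=SVC_BIND_DN)
DEFAULT_KRB = KerberosInterfaceConfig("lif_nfs_1", "nfs/svm1.example.com@EXAMPLE.COM",
                                      ["des", "aes-256"])
HARDENED_KRB = KerberosInterfaceConfig("lif_nfs_1", "nfs/svm1.example.com@EXAMPLE.COM")

if __name__ == "__main__":
    for label, ldap, krb in (("near-default", DEFAULT_LDAP, DEFAULT_KRB),
                             ("hardened", HARDENED_LDAP, HARDENED_KRB)):
        print(label, review(ldap, krb) or ["no findings"])
```

Run stand-alone it prints three findings for the near-default worksheet (unprotected simple bind, cleartext lookups on 389, DES permitted) and none for the hardened one. The checks are deliberately conservative: they flag a configuration that is merely weak, not one that is broken, so treat each finding as a question for the reviewer rather than a blocker.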

Adding storage capacity to an NFS-enabled SVM

Parameters for creating export policies and rules

You supply these values with the vserver export-policy create command.

Field | Description | Your value
-vserver | The name of the SVM that will host the new volume. |
-policyname | A name you supply for a new export policy. |

You supply these values for each rule with the vserver export-policy rule create command.

Field | Description | Your value
-clientmatch | Client match specification. |
-ruleindex | Position of export rule in the list of rules. |
-protocol | Use NFS in this workflow. | nfs
-rorule | Authentication method for read-only access. |
-rwrule | Authentication method for read-write access. |
-superuser | Authentication method for superuser access. |
-anon | User ID to which anonymous users are mapped. |

You must create one or more rules for each export policy.

-ruleindex | -clientmatch | -rorule | -rwrule | -superuser | -anon
Examples | 0.0.0.0/0,@rootaccess_netgroup | any | krb5 | sys | 65534
1 | | | | |
2 | | | | |
3 | | | | |
... | | | | |
n | | | | |
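Because ONTAP applies the first rule, in -ruleindex order, whose -clientmatch matches the client, the order of the rows on this worksheet and the authentication methods chosen for each row decide who gets read-write and superuser access. The script below is an added example, not code from the Lenovo/NetApp documentation: it reads rows written in the worksheet's column order, rejects unknown authentication methods, and reports the patterns a reviewer would question (a world-matching rule that shadows every later rule, read-write or superuser access granted to all clients with sys or any, and -anon 0). Row 1 is the worksheet's own example; rows 2 and 3 are constructed. The method names (any, none, never, sys, krb5, krb5i, krb5p, ntlm) are the ONTAP ones; the spellings treated as "every client" (0.0.0.0/0 and ::/0) are an assumption of this example.

```python
"""Review the export-policy rules planned on the worksheet before running
`vserver export-policy rule create` for each of them.

Added example; not code from the Lenovo/NetApp documentation. Column names and
row 1 come from the worksheet; rows 2 and 3 are constructed.
"""
from dataclasses import dataclass

AUTH_METHODS = {"any", "none", "never", "sys", "krb5", "krb5i", "krb5p", "ntlm"}
# Methods that grant access without a Kerberos-authenticated identity.
UNAUTHENTICATED = {"any", "sys"}
# -clientmatch entries treated here as matching every client (assumed spellings).
WORLD_MATCHES = {"0.0.0.0/0", "::/0"}


@dataclass
class ExportRule:
    ruleindex: int
    clientmatch: str
    rorule: str
    rwrule: str
    superuser: str
    anon: int


def parse_worksheet_row(line: str) -> ExportRule:
    """Parse one row written as: ruleindex clientmatch rorule rwrule superuser anon."""
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 columns, got {len(fields)}: {line!r}")
    idx, match, ro, rw, su, anon = fields
    for col, value in (("-rorule", ro), ("-rwrule", rw), ("-superuser", su)):
        bad = set(value.split(",")) - AUTH_METHODS
        if bad:
            raise ValueError(f"rule {idx}: unknown method(s) {sorted(bad)} in {col}")
    return ExportRule(int(idx), match, ro, rw, su, int(anon))


def load_worksheet(text: str) -> list:
    """Parse every non-blank line of a filled-in worksheet."""
    return [parse_worksheet_row(line) for line in text.splitlines() if line.strip()]


def is_world_match(clientmatch: str) -> bool:
    """True if any comma-separated element of -clientmatch admits every client."""
    return any(part.strip() in WORLD_MATCHES for part in clientmatch.split(","))


def review_rules(rules: list) -> list:
    """Return findings for a policy's rules, evaluated in -ruleindex order."""
    findings = []
    world_rule = None  # index of the first rule that matches all clients
    for r in sorted(rules, key=lambda rule: rule.ruleindex):
        if world_rule is not None:
            findings.append(f"rule {r.ruleindex}: never evaluated, rule {world_rule} "
                            "already matches every client")
        world = is_world_match(r.clientmatch)
        weak_rw = sorted(UNAUTHENTICATED.intersection(r.rwrule.split(",")))
        if world and weak_rw:
            findings.append(f"rule {r.ruleindex}: read-write via {weak_rw} for every client")
        if world and "sys" in r.superuser.split(","):
            findings.append(f"rule {r.ruleindex}: -superuser sys for every client lets any "
                            "host's root keep uid 0")
        if r.anon == 0:
            findings.append(f"rule {r.ruleindex}: -anon 0 maps anonymous users to root")
        if world and world_rule is None:
            world_rule = r.ruleindex
    return findings


# Constructed worksheet: row 1 is the page's example, rows 2 and 3 are made up.
CONSTRUCTED_ROWS = """
1 0.0.0.0/0,@rootaccess_netgroup any krb5 sys 65534
2 10.10.0.0/16 sys sys none 65534
3 @rootaccess_netgroup krb5p krb5p krb5p 0
"""

if __name__ == "__main__":
    for finding in review_rules(load_worksheet(CONSTRUCTED_ROWS)):
        print(finding)
```

On the constructed worksheet the script reports four findings: rule 1 grants superuser via sys to every client, rules 2 and 3 are never evaluated because rule 1 already matches everything, and rule 3 maps anonymous users to uid 0. Moving the narrow netgroup rules ahead of the 0.0.0.0/0 rule, or restricting that rule's -superuser to a Kerberos method, clears the first three.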

Parameters for creating a volume

You supply these values with the volume create command if you are creating a volume instead of a qtree.

Field | Description | Your value
-vserver | The name of a new or existing SVM that will host the new volume. |
-volume | A unique descriptive name you supply for the new volume. |
-aggregate | The name of an aggregate in the cluster with sufficient space for the new NFS volume. |
-size | An integer you supply for the size of the new volume. |
-user | Name or ID of the user that is set as the owner of the volume's root. |
-group | Name or ID of the group that is set as the owner of the volume's root. |
-security-style | Use the UNIX security style for this workflow. | unix
-junction-path | Location under root (/) where the new volume is to be mounted. |
-export-policy | If you are planning to use an existing export policy, you can enter its name when you create the volume. |

Parameters for creating a qtree

You supply these values with the volume qtree create command if you are creating a qtree instead of a volume.

Field | Description | Your value
-vserver | The name of the SVM on which the volume containing the qtree resides. |
-volume | The name of the volume that will contain the new qtree. |
-qtree | A unique descriptive name you supply for the new qtree, 64 characters or less. |
-qtree-path | The qtree path argument, in the format /vol/volume_name/qtree_name, can be specified instead of specifying volume and qtree as separate arguments. |
-unix-permissions | Optional: The UNIX permissions for the qtree. |
-export-policy | If you are planning to use an existing export policy, you can enter its name when you create the qtree. |