'\" te .\" Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. .TH share_nfs 1M "20 May 2016" "SunOS 5.11" "System Administration Commands" .SH NAME share_nfs \- make NFS shares available for mounting by remote systems .SH SYNOPSIS .LP .nf \fBshare\fR \fB-F\fR nfs [-a [\fB-o\fR \fIspecific_options\fR] [\fB-d\fR \fIdescription\fR] \fIpathname\fR [\fIsharename\fR] | [-A]] .fi .LP .nf \fBzfs set\fR share.nfs=on | off \fIfilesystem|share\fR .fi .LP .nf \fBzfs share\fR -o share.nfs=on | off \fIspecific_options\fR \fIfilesystem|filesystem%share\fR .fi .SH DESCRIPTION .sp .LP The \fBshare\fR utility defines and publishes a NFS share, which makes a local file system available for mounting by remote systems. It starts the \fBnfsd\fR(1M) and \fBmountd\fR(1M) daemons if they are not already running. .sp .LP You can use the \fBshare\fR command to create and publish a ZFS file system share, but this is considered a legacy operation. See \fBzfs\fR(1M) for information about setting the \fBshare.nfs\fR property or using the \fBzfs share\fR command to create and publish NFS shares. .SH OPTIONS .sp .LP The following options are supported: .sp .ne 2 .mk .na \fB\fB-F\fR \fBnfs\fR\fR .ad .sp .6 .RS 4n Specify the \fBNFS\fR file sharing protocol. .RE .sp .ne 2 .mk .na \fB\fB-a\fR\fR .ad .sp .6 .RS 4n Publish all defined shares. .RE .sp .ne 2 .mk .na \fB\fB-o\fR \fIspecific_options\fR\fR .ad .sp .6 .RS 4n Specify \fIspecific_options\fR in a comma-separated list of keywords and attribute-value-assertions for interpretation by the NFS protocol. By default, a share is published with read-write access to all clients, unless a specific option overrides the default access. \fIspecific_options\fR can be any combination of the following: .sp .ne 2 .mk .na \fB\fBaclok\fR\fR .ad .sp .6 .RS 4n Allows the \fBNFS\fR server to do access control for \fBNFS\fR Version 2 clients. When \fBaclok\fR is set on the server, maximal access is given to all clients. For example, with \fBaclok\fR set, if anyone has read permissions, then everyone does. If \fBaclok\fR is not set, minimal access is given to all clients. .RE .sp .ne 2 .mk .na \fB\fBanon=\fR\fIuid\fR\fR .ad .sp .6 .RS 4n Set \fIuid\fR to be the effective user \fBID\fR of unknown users. By default, unknown users are given the effective user \fBID\fR \fBUID_NOBODY\fR. If \fIuid\fR is set to \fB\(mi1\fR, access is denied. .RE .sp .ne 2 .mk .na \fB\fIcharset\fR\fR .ad .sp .6 .RS 4n All clients will be assumed to be using the specified character set (see list in following description) and file and path names will be converted to UTF-8 for the server. .RE .sp .ne 2 .mk .na \fB\fIcharset\fR=\fIaccess_list\fR\fR .ad .sp .6 .RS 4n Where \fIcharset\fR is one of: \fBcp932\fR, \fBeuc-cn\fR, \fBeuc-jp\fR, \fBeuc-jpms\fR, \fBeuc-kr\fR, \fBeuc-tw\fR, \fBiso8859-1\fR, \fBiso8859-2\fR, \fBiso8859-5\fR, \fBiso8859-6\fR, \fBiso8859-7\fR, \fBiso8859-8\fR, \fBiso8859-9\fR, \fBiso8859-13\fR, \fBiso8859-15\fR, \fBkoi8-r\fR, \fBshift_jis\fR. .sp Clients that match the \fIaccess_list\fR for one of these properties will be assumed to be using that character set and file and path names will be converted to UTF-8 for the server. .RE .sp .ne 2 .mk .na \fB\fBindex=\fR\fBfile\fR\fR .ad .sp .6 .RS 4n Load \fBfile\fR rather than a listing of the directory containing this file when the directory is referenced by an \fBNFS URL\fR. .RE .sp .ne 2 .mk .na \fB\fBlog[=\fItag\fR]\fR\fR .ad .sp .6 .RS 4n Enables \fBNFS\fR server logging for the specified file system. The optional tag determines the location of the related log files. The \fItag\fR is defined in \fB/etc/nfs/nfslog.conf\fR. If no \fItag\fR is specified, the default values associated with the \fBglobal\fR \fItag\fR in \fB/etc/nfs/nfslog.conf\fR is used. Support of NFS server logging is only available for NFS Version 2 and Version 3 requests. .RE .sp .ne 2 .mk .na \fB\fBnoaclfab\fR\fR .ad .sp .6 .RS 4n Allows NFS servers to not return fabricated ACLs to NFS clients. The default behavior for NFS servers is to fabricate ACLs. If \fBnoaclfab\fR is set, then the NFS server does not fabricate ACLs, which is the appropriate choice if the underlying filesystem does not support the POSIX Draft ACL. .RE .sp .ne 2 .mk .na \fB\fBnone\fR\fR .ad .sp .6 .RS 4n Access is disallowed to all clients. The \fBro\fR or \fBrw\fR options can override \fBnone\fR. .RE .sp .ne 2 .mk .na \fB\fBnone=\fR\fIaccess_list\fR\fR .ad .sp .6 .RS 4n Access is not allowed to any client that matches the access list. The exception is when the access list is an asterisk (\fB*\fR), in which case \fBro\fR or \fBrw\fR can override \fBnone\fR. .RE .sp .ne 2 .mk .na \fB\fBnosub\fR\fR .ad .sp .6 .RS 4n Prevents clients from mounting subdirectories of shared directories. For example, if \fB/export\fR is shared with the \fBnosub\fR option on server \fIfooey\fR then a \fBNFS\fR client cannot do: .sp .in +2 .nf mount -F nfs fooey:/export/home/mnt .fi .in -2 .sp NFS Version 4 does not use the \fBMOUNT\fR protocol. The \fBnosub\fR option only applies to NFS Version 2 and Version 3 requests. .RE .sp .ne 2 .mk .na \fB\fBnosuid\fR\fR .ad .sp .6 .RS 4n By default, clients are allowed to create files on the shared file system with the setuid or setgid mode enabled. Specifying \fBnosuid\fR causes the server file system to silently ignore any attempt to enable the setuid or setgid mode bits. .RE .sp .ne 2 .mk .na \fB\fBpublic\fR\fR .ad .sp .6 .RS 4n Moves the location of the public file handle from \fBroot\fR (\fB/\fR) to the exported directory for Web\fBNFS\fR-enabled browsers and clients. This option does not enable Web\fBNFS\fR service. Web\fBNFS\fR is always on. Only one file system per server may use this option. Any other option, including the \fB-ro=list\fR and \fB-rw=list\fR options can be included with the \fBpublic\fR option. .RE .sp .ne 2 .mk .na \fB\fBro\fR\fR .ad .sp .6 .RS 4n Share is published with read-only access to all clients. .RE .sp .ne 2 .mk .na \fB\fBro=\fR\fIaccess_list\fR\fR .ad .sp .6 .RS 4n Share is published with read-only access to the clients listed in \fIaccess_list\fR; overrides the \fBrw\fR suboption for the clients specified. See \fIaccess_list\fR below. .RE .sp .ne 2 .mk .na \fB\fBroot\fR\fR .ad .sp .6 .RS 4n Root users from all hosts have root access. .RE .sp .ne 2 .mk .na \fB\fBroot=\fR\fIaccess_list\fR\fR .ad .sp .6 .RS 4n Only root users from the hosts specified in \fIaccess_list\fR have root access. See \fIaccess_list\fR below. By default, no host has root access, so root users are mapped to an anonymous user \fBID\fR (see the \fBanon=\fR\fIuid\fR option described above). Netgroups can be used if the file system shared is using UNIX authentication (\fBAUTH_SYS\fR). .RE .sp .ne 2 .mk .na \fB\fBroot_mapping=\fIuid\fR\fR\fR .ad .sp .6 .RS 4n For a client that is allowed root access, map the root UID to the specified user id. .RE .sp .ne 2 .mk .na \fB\fBrw\fR\fR .ad .sp .6 .RS 4n Share is published with read and write access to all clients. .RE .sp .ne 2 .mk .na \fB\fBrw=\fR\fIaccess_list\fR\fR .ad .sp .6 .RS 4n Share is published with read and write access to the clients listed in \fIaccess_list\fR; overrides the \fBro\fR suboption for the clients specified. See \fIaccess_list\fR below. .RE .sp .ne 2 .mk .na \fB\fBsec=\fR\fImode\fR[\fB:\fR\fImode\fR].\|.\|.\fR .ad .sp .6 .RS 4n Publishes a share by using one or more of the specified security modes. The \fImode\fR in the \fBsec=\fR\fImode\fR option must be a node name supported on the client. If the \fBsec=\fR option is not specified, the default security mode used is \fBAUTH_SYS\fR. Multiple \fBsec=\fR options can be specified on the command line, although each mode can appear only once. The security modes are defined in \fBnfssec\fR(5). .sp Each \fBsec=\fR option specifies modes that apply to any subsequent \fBwindow=, rw, ro, rw=, ro=\fR and \fBroot=\fR options that are provided before another \fBsec=\fRoption. Each additional \fBsec=\fR resets the security mode context, so that more \fBwindow=,\fR \fBrw,\fR \fBro,\fR \fBrw=,\fR \fBro=\fR and \fBroot=\fR options can be supplied for additional modes. .RE .sp .ne 2 .mk .na \fB\fBsec=\fR\fInone\fR\fR .ad .sp .6 .RS 4n If the option \fBsec=\fR\fInone\fR is specified when the client uses \fBAUTH_NONE\fR, or if the client uses a security mode that is not one that the file system is shared with, then the credential of each \fBNFS\fR request is treated as unauthenticated. See the \fBanon=\fR\fIuid\fR option for a description of how unauthenticated requests are handled. .RE .sp .ne 2 .mk .na \fB\fBsecure\fR\fR .ad .sp .6 .RS 4n This option has been deprecated in favor of the \fBsec=\fR\fIdh\fR option. .RE .sp .ne 2 .mk .na \fB\fBwindow=\fR\fIvalue\fR\fR .ad .sp .6 .RS 4n When a share is published with \fBsec=\fR\fIdh\fR, set the maximum life time (in seconds) of the \fBRPC\fR request's credential (in the authentication header) that the \fBNFS\fR server allows. If a credential arrives with a life time larger than what is allowed, the \fBNFS\fR server rejects the request. The default value is 30000 seconds (8.3 hours). .RE .RE .sp .ne 2 .mk .na \fB\fB-d\fR \fIdescription\fR\fR .ad .sp .6 .RS 4n Provide a comment that describes the file system to be shared. .RE .sp .ne 2 .mk .na \fB\fB-A\fR\fR .ad .sp .6 .RS 4n Display all defined shares. .RE .SS "\fIaccess_list\fR" .sp .LP The \fIaccess_list\fR argument is either the string "\fB*\fR" to represent all hosts or a colon-separated list whose components may be any number of the following: .sp .ne 2 .mk .na \fBhostname\fR .ad .sp .6 .RS 4n The name of a host. With a server configured for \fBDNS\fR or \fBLDAP\fR naming in the \fBnsswitch\fR \fBhosts\fR entry, any hostname must be represented as a fully qualified \fBDNS\fR or \fBLDAP\fR name. The hostname specified must be the canonical name for this host and must match the hostname returned on the reverse lookup of the incoming IP address of the NFS client. .RE .sp .ne 2 .mk .na \fBnetgroup\fR .ad .sp .6 .RS 4n A netgroup contains a number of hostnames. With a server configured for \fBDNS\fR or \fBLDAP\fR naming in the \fBnsswitch\fR \fBhosts\fR entry, any hostname in a netgroup must be represented as a fully qualified \fBDNS\fR or \fBLDAP\fR name. .RE .sp .ne 2 .mk .na \fBdomain name suffix\fR .ad .sp .6 .RS 4n To use domain membership the server must use \fBDNS\fR or \fBLDAP\fR to resolve hostnames to \fBIP\fR addresses; that is, the \fBhosts\fR entry in the \fB/etc/nsswitch.conf\fR must specify \fBdns\fR or \fBldap\fR ahead of \fBnis\fR, since only \fBDNS\fR and \fBLDAP\fR return the full domain name of the host. Other name services like \fBNIS\fR cannot be used to resolve hostnames on the server because when mapping an \fBIP\fR address to a hostname they do not return domain information. For example, .sp .in +2 .nf NIS 172.16.45.9 --> "myhost" .fi .in -2 .sp and: .sp .in +2 .nf DNS or LDAP 172.16.45.9 --> "myhost.mydomain.mycompany.com" .fi .in -2 .sp The domain name suffix is distinguished from hostnames and netgroups by a prefixed dot. For example, .sp \fBrw=.mydomain.mycompany.com\fR .sp A single dot can be used to match a hostname with no suffix. For example, .sp \fBrw=.\fR .sp matches \fBmydomain\fR but not \fBmydomain.mycompany.com\fR. This feature can be used to match hosts resolved through \fBNIS\fR rather than \fBDNS\fR and \fBLDAP\fR. .RE .sp .ne 2 .mk .na \fBnetwork\fR .ad .sp .6 .RS 4n The network or subnet component is preceded by an at-sign (\fB@\fR). It can be a name, an IPv4 or IPv6 address. If a name, it is converted to an address by getnetbyname(3C). For example, .sp \fB=@mynet\fR .sp would be equivalent to: .sp \fB=@172.16\fR or \fB=@172.16.0.0\fR .sp For an IPv4 address, the network prefix assumes an octet-aligned netmask determined from the zeroth octet in the low-order part of the address up to and including the high-order octet, if you want to specify a single IP address (see below). In the case where network prefixes are not byte-aligned, the syntax allows a mask length to be specified explicitly following a slash (\fB/\fR) delimiter. For example, .sp \fB=@theothernet/17\fR or \fB=@172.16.132/22\fR .sp \&...where the mask is the number of left most contiguous significant bits in the corresponding IP address. .sp For an IPv6 address, the address must be enclosed in a pair of square brackets. Otherwise, the first occurrence of an IPv6 colon would be interpreted as the separator between the addresses. Network mask length is specified explicitly following a slash (/) delimiter. For example, .sp .in +2 .nf =@[fe80::/10] .fi .in -2 .sp \&...where the mask is the number of left most contiguous significant bits in the corresponding IP network address. .sp When specifying individual IP addresses, use the same \fB@\fR notation described above, without a netmask specification. For example: .sp .in +2 .nf =@172.16.132.14 .fi .in -2 .sp Multiple, individual IP addresses would be specified, for example, as: .sp .in +2 .nf root=@172.16.132.20:@[fe80::209:3dff:fe00:c074] .fi .in -2 .sp .RE .sp .LP A prefixed minus sign (\fB\(mi\fR) denies access to that component of \fIaccess_list\fR. The list is searched sequentially until a match is found that either grants or denies access, or until the end of the list is reached. For example, if host \fBterra\fR is in the \fBengineering\fR netgroup, then .sp .in +2 .nf rw=-terra:engineering .fi .in -2 .sp .sp .LP denies access to \fBterra\fR but .sp .in +2 .nf rw=engineering:-terra .fi .in -2 .sp .sp .LP grants access to \fBterra\fR. .SH OPERANDS .sp .LP The following operands are supported: .sp .ne 2 .mk .na \fB\fIpathname\fR\fR .ad .sp .6 .RS 4n The pathname of the file system to be shared. .RE .SH EXAMPLES .LP \fBExample 1 \fRDefine and Publish an NFS Share .sp .LP The following example shows how to use the legacy \fBshare\fR command to define and publish the \fB/export/manuals\fR file system share. .sp .in +2 .nf # \fBshare -F NFS /export/manuals\fR .fi .in -2 .sp .sp .LP The following example shows how to use the \fBzfs set\fR command to share a ZFS file system. .sp .in +2 .nf # \fBzfs set share.nfs=on tank/data\fR .fi .in -2 .sp .sp .LP The following example shows how to create a named NFS share, \fBtank/public%pubshare\fR, with the \fBshare.nfs.public\fR option rather than setting this option on the ZFS file system, \fBtank/public\fR, because this property is not inheritable. .sp .in +2 .nf # \fBzfs create -o mountpoint=/pub tank/public\fR # \fBzfs share -o share.nfs=on -o share.nfs.public=on tank/public%pubshare\fR .fi .in -2 .sp .SH EXIT STATUS .sp .LP The following exit values are returned: .sp .ne 2 .mk .na \fB\fB0\fR\fR .ad .sp .6 .RS 4n Successful completion. .RE .sp .ne 2 .mk .na \fB\fB>0\fR\fR .ad .sp .6 .RS 4n An error occurred. .RE .SH FILES .sp .ne 2 .mk .na \fB\fB/etc/dfs/fstypes\fR\fR .ad .sp .6 .RS 4n list of system types, \fBNFS\fR by default .RE .sp .ne 2 .mk .na \fB\fB/etc/dfs/sharetab\fR\fR .ad .sp .6 .RS 4n system record of shared file systems .RE .sp .ne 2 .mk .na \fB\fB/etc/nfs/nfslogtab\fR\fR .ad .sp .6 .RS 4n system record of logged file systems .RE .sp .ne 2 .mk .na \fB\fB/etc/nfs/nfslog.conf\fR\fR .ad .sp .6 .RS 4n logging configuration file .RE .SH ATTRIBUTES .sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp .sp .TS tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i) . ATTRIBUTE TYPEATTRIBUTE VALUE _ Availabilityservice/file-system/nfs .TE .SH SEE ALSO .sp .LP \fBmount\fR(1M), \fBmountd\fR(1M), \fBnfsd\fR(1M), \fBnfslogd\fR(1M), \fBshare\fR(1M), \fBunshare\fR(1M), \fBzfs_share\fR(1M), \fBgetnetbyname\fR(3SOCKET), \fBnfslog.conf\fR(4), \fBnetgroup\fR(4), \fBattributes\fR(5), \fBnfssec\fR(5) .SH NOTES .sp .LP Creating and publishing an NFS share with the \fBshare\fR command is permanent until the share is unshared. Publishing NFS shares is managed by the following SMF service: .sp .in +2 .nf $ svcs | grep share online Mar_07 svc:/network/shares:default .fi .in -2 .sp .sp .LP If the file system being shared is a symbolic link to a valid pathname, the canonical path (the path which the symbolic link follows) are shared. For example, if \fB/export/foo\fR is a symbolic link to \fB/export/bar\fR (\fB/export/foo ->\fR \fB/export/bar\fR), the following \fBshare\fR command results in \fB/export/bar\fR as the shared pathname (and not \fB/export/foo\fR). .sp .in +2 .nf # \fBshare\fR \fB-F\fR \fBnfs /export/foo\fR .fi .in -2 .sp .sp .LP An \fBNFS\fR mount of \fBserver:/export/foo\fR results in \fBserver:/export/bar\fR really being mounted. .sp .LP The \fBmountd\fR(1M) process allows the processing of a path name the contains a symbolic link. This allows the processing of paths that are not themselves explicitly shared with \fBshare_nfs\fR. For example, \fB/export/foo\fR might be a symbolic link that refers to \fB/export/bar\fR which has been specifically shared. When the client mounts \fB/export/foo\fR the \fBmountd\fR processing follows the symbolic link and responds with the \fB/export/bar\fR. The NFS Version 4 protocol does not use the \fBmountd\fR processing and the client's use of \fB/export/foo\fR does not work as it does with NFS Version 2 and Version 3 and the client receives an error when attempting to mount \fB/export/foo\fR.