NFSv4 is a significant improvement over NFSv3. It is now a vendor-independent IETF standard (RFC 3530). It is designed to work without the portmapper and without the separate MOUNT and NLM locking protocols: all traffic, including RPC operations, can be carried over a single TCP connection (port 2049), which makes it far easier to firewall than NFSv3. NFSv4 supports two major security flavors, AUTH_SYS and RPCSEC_GSS. AUTH_SYS is standard Unix NFS "authentication": the client simply places numeric UIDs and GIDs in the RPC credential and the server trusts them, so security rests entirely on the two sides agreeing on the same UID/GID space and on the export's client-address restrictions and root_squash. Nothing is actually authenticated, and any host that can reach the server can claim any non-root identity. This is the same insecure mechanism used by NFSv3/v2.
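How little an AUTH_SYS credential proves is easiest to see on the wire. The following Python is an added illustration, not code from the original page or from any DAS tooling: it encodes and decodes the RPC opaque_auth credential for both flavors using the XDR layouts from RFC 5531 (authsys_parms) and RFC 2203 (rpc_gss_cred_t). The host names, UIDs and GSS context handle are constructed test values, and effective_identity is a deliberately simplified model of root_squash.

```python
import struct

# RPC auth flavors (RFC 5531 / RFC 2203)
AUTH_NONE = 0
AUTH_SYS = 1
RPCSEC_GSS = 6
FLAVOR_NAMES = {AUTH_NONE: "AUTH_NONE", AUTH_SYS: "AUTH_SYS", RPCSEC_GSS: "RPCSEC_GSS"}
GSS_SERVICES = {1: "none", 2: "integrity", 3: "privacy"}   # sec=krb5 / krb5i / krb5p
NOBODY_UID, NOBODY_GID = 65534, 65534                     # assumed anonuid/anongid


def xdr_opaque(data: bytes) -> bytes:
    """XDR variable-length opaque: 4-byte big-endian length, bytes, pad to 4."""
    return struct.pack(">I", len(data)) + data + b"\x00" * ((-len(data)) % 4)


def read_opaque(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n + ((-n) % 4)


def build_auth_sys_cred(uid: int, gid: int, gids=(), machinename=b"client", stamp=0) -> bytes:
    """opaque_auth with flavor AUTH_SYS and an authsys_parms body.
    Every field is chosen by the client; there is no key, MAC or signature."""
    body = struct.pack(">I", stamp) + xdr_opaque(machinename)
    body += struct.pack(">III", uid, gid, len(gids))
    body += b"".join(struct.pack(">I", g) for g in gids)
    return struct.pack(">I", AUTH_SYS) + xdr_opaque(body)


def build_rpcsec_gss_cred(handle: bytes, seq_num: int, service: int = 3, gss_proc: int = 0) -> bytes:
    """opaque_auth with flavor RPCSEC_GSS (rpc_gss_cred_vers_1_t, RFC 2203).
    The body names a security context established by a GSS/Kerberos handshake;
    the caller's identity is bound to that context, not written into the credential."""
    body = struct.pack(">IIII", 1, gss_proc, seq_num, service) + xdr_opaque(handle)
    return struct.pack(">I", RPCSEC_GSS) + xdr_opaque(body)


def parse_cred(buf: bytes) -> dict:
    """Decode the credential at the start of buf and report what the server learns from it."""
    (flavor,) = struct.unpack_from(">I", buf, 0)
    body, _ = read_opaque(buf, 4)
    info = {"flavor": FLAVOR_NAMES.get(flavor, str(flavor))}
    if flavor == AUTH_SYS:
        (stamp,) = struct.unpack_from(">I", body, 0)
        machinename, off = read_opaque(body, 4)
        uid, gid, ngids = struct.unpack_from(">III", body, off)
        off += 12
        gids = list(struct.unpack_from(">%dI" % ngids, body, off)) if ngids else []
        info.update(stamp=stamp, machinename=machinename.decode(errors="replace"),
                    uid=uid, gid=gid, gids=gids, identity_source="client-asserted, unverified")
    elif flavor == RPCSEC_GSS:
        version, gss_proc, seq_num, service = struct.unpack_from(">IIII", body, 0)
        handle, _ = read_opaque(body, 16)
        info.update(version=version, gss_proc=gss_proc, seq_num=seq_num,
                    service=GSS_SERVICES.get(service, service), handle=handle.hex(),
                    identity_source="GSS security context, verifier carries a MIC")
    return info


def effective_identity(info: dict, root_squash: bool = True):
    """Simplified model of what an AUTH_SYS export acts as: root_squash only
    remaps UID 0 to the anonymous user; any other forged UID passes through."""
    if info["flavor"] != "AUTH_SYS":
        raise ValueError("identity comes from the GSS context, not from the credential")
    if root_squash and info["uid"] == 0:
        return NOBODY_UID, NOBODY_GID
    return info["uid"], info["gid"]


if __name__ == "__main__":
    # Constructed credentials: a legitimate user, then the same host claiming uid 1000 and root.
    for cred in (build_auth_sys_cred(1000, 100, [100, 10], b"ws1.example.com", stamp=7),
                 build_auth_sys_cred(0, 0, [0], b"ws1.example.com"),
                 build_rpcsec_gss_cred(b"\x00\x00\x00\x01", 42, service=3)):
        print(parse_cred(cred))
```

The point the parse makes concrete: with AUTH_SYS the only thing root_squash protects is UID 0, so an attacker who controls any client on an allowed subnet can read and write every other user's files by editing one integer. With RPCSEC_GSS the credential carries only a context handle and sequence number; the server maps the request to a user through the Kerberos-authenticated context and checks the MIC in the RPC verifier, so there is nothing in the credential to forge.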

RPCSEC_GSS, on the other hand, is based on GSS-API (RFC 2203) and provides real authentication plus, per request, optional integrity protection and encryption (the services mounted on Linux and Solaris as sec=krb5, sec=krb5i, and sec=krb5p). NFS clients and servers that conform to the NFSv4 standard must support the RPCSEC_GSS security flavor, and they must support the Kerberos 5, LIPKEY, and SPKM-3 security triples. This means that a DAS environment will support NFSv4 with RPCSEC_GSS/Kerberos 5. In this case, a Kerberos service principal of the form "nfs/servername@REALM" must be created for the NFS server, and a matching "nfs/clientname@REALM" principal for each client that will mount with Kerberos (the client uses it as its machine credential for the initial GSS context). The hostname part must be the fully qualified name the other side resolves. Each principal's key must be added to the keytab on its own host, just as host principals have to be added for DAS application servers and SSO operations.
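A check worth running on each host after the principals have been created: confirm that the expected nfs/<fqdn>@REALM key is actually present in the keytab and that it does not use a deprecated enctype. The following Python is an added example, not part of the original page or of any DAS or Kerberos distribution; it reads the MIT krb5 keytab file format version 2 (magic 0x0502), and the principals, realm, keys and timestamps it builds are constructed test data, not a real kadmin export.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"      # MIT krb5 keytab, file format version 2
KRB5_NT_PRINCIPAL = 1

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192", 23: "rc4-hmac",
}
# DES deprecated by RFC 6649; 3DES and RC4 by RFC 8429.
WEAK_ENCTYPES = {1, 2, 3, 16, 23}


def _cstr(s: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(s)) + s


def build_keytab_entry(principal: str, enctype: int, key: bytes, kvno: int, timestamp: int) -> bytes:
    """Serialise one v2 keytab entry (used here only to construct test input)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)          # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def build_keytab(*entries: bytes) -> bytes:
    return KEYTAB_MAGIC + b"".join(entries)


def parse_keytab(data: bytes) -> list:
    """Return a list of dicts, one per live entry, without exposing key material."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab")

    def cstr(o):
        (n,) = struct.unpack_from(">H", data, o)
        return data[o + 2:o + 2 + n].decode(), o + 2 + n

    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:                         # deleted slot: skip its bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = cstr(off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = cstr(off)
            comps.append(comp)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen
        kvno = vno8
        if end - off >= 4:                   # 32-bit kvno takes precedence when nonzero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm, "enctype": enctype,
                        "kvno": kvno, "timestamp": timestamp, "keylen": klen})
        off = end
    return entries


def check_nfs_keytab(data: bytes, fqdn: str, realm: str) -> list:
    """Problems found for the nfs/<fqdn>@REALM principal; an empty list means ready for sec=krb5*."""
    wanted = f"nfs/{fqdn}@{realm}"
    matches = [e for e in parse_keytab(data) if e["principal"] == wanted]
    problems = [] if matches else [f"missing principal {wanted}"]
    for e in matches:
        if e["enctype"] in WEAK_ENCTYPES:
            name = ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"]))
            problems.append(f"{wanted} kvno {e['kvno']} uses deprecated enctype {name}")
    return problems


if __name__ == "__main__":
    # Constructed keytab: a correctly keyed server, its host principal, and a DES-only legacy host.
    kt = build_keytab(
        build_keytab_entry("nfs/nfs1.example.com@EXAMPLE.COM", 18, b"\x11" * 32, 3, 1700000000),
        build_keytab_entry("host/nfs1.example.com@EXAMPLE.COM", 18, b"\x22" * 32, 3, 1700000000),
        build_keytab_entry("nfs/legacy.example.com@EXAMPLE.COM", 3, b"\x33" * 8, 1, 1700000000),
    )
    for host in ("nfs1.example.com", "nfs2.example.com", "legacy.example.com"):
        print(host, check_nfs_keytab(kt, host, "EXAMPLE.COM") or "ok")
```

On a real host the same check is `klist -k /etc/krb5.keytab` followed by a look at the enctypes with `klist -ke`; the parser above is useful when you want to audit many keytabs from a script without shelling out, and it never prints key bytes. If the nfs/ entry is missing, the GSS context setup fails before any NFS operation is attempted, which on Linux shows up as a mount error rather than a permission error.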

RPCSEC_GSS and NFSv4 are still relatively immature on Linux and FreeBSD, but they will soon become standard offerings, since NFSv4 is part of the Linux 2.6 kernel tree. This will be a major driver for strengthening FOSS authentication, naming, and directory services.

I have only been able to test NFSv4 in AUTH_SYS mode with DAS. It worked with auto-mounted home directories and with traditional read/write NFS mounts.


Additional Resources: