# Manage NFS networking using the CLI Using the CLI, you can: * [Configure the NFS global settings](#configure-the-nfs-global-settings) * [Configure the NFS cluster level](#configure-the-nfs-cluster-level) * [Integrate the NFS and Kerberos service](#integrate-the-nfs-and-kerberos-service) * [Configure the NFS export level (permissions)](#configure-the-nfs-export-level-permissions) ## Configure the NFS global settings A persistent cluster-wide configuration filesystem (`config-fs`) is required for the internal operations of Kerberos and NFS file-locking (V4 and V3). Use the following command line to set the NFS configuration on the configuration filesystem: `weka nfs global-config set [--mountd-port mountd-port] [--config-fs config-fs] [--lockmgr-port lockmgr-port] [--statmon-port statmon-port] [--notify-port notify-port] [--acl acl] [--extended-stats extended-stats] [--default-acl-type default-acl-type] [--default-supported-versions default-supported-versions]... [--enable-auth-types enable-auth-types]... [--no-restart]` **Before you begin** * To support NFS file-locking, ensure the system meets the prerequisites outlined in [#nfs-file-locking-support](https://docs.weka.io/additional-protocols/nfs-support/..#nfs-file-locking-support "mention"). * For the default published ports, see the [#required-ports](https://docs.weka.io/planning-and-installation/prerequisites-and-compatibility#required-ports "mention"). **Parameters**

Name	Value
`mountd-port`	Set the alternate port if the existing mountd service is not operating on the default published port. 0 means use the default published port. Default: 0
`config-fs`*	The predefined filesystem name for maintaining the persisting cluster-wide protocols' configurations. Verify that the filesystem is already created. If not, create it. For details, see #dedicated-filesystem-requirement-for-persistent-protocol-configurations
`lockmgr-port`	Set the alternate port for the NFS lock manager used in NFSv3. 0 means use the default published port. Default: `0`
`statmon-port`	Set the alternate port for the NFS status monitor used in NFSv3. 0 means use the default published port. Default: `0`
`notify-port`	Set the alternate port for notification used in NFSv3. 0 means use the default published port. Default: `0`
`acl`	Enables or disables NFSv4 ACL. Options are: `on` or `off`. Default: `on`
`default-acl-type`	Specifies the default ACL type. Options are `none`, `posix`, `nfsv4`, or `hybrid`. For details, see #access-control-list-acl-in-nfs. Default: `posix`
`default-supported-versions`	Determines the default NFS version. Possible values: `v3` , `v4`, `v3,v4` Default: `v3`
`extended-stats`	Enable or disable NFS statistics collection for each client and permission. Possible values: `on` or `off` Default: `on`
`enable-auth-types`	A comma-separated list of authentication types that can be used when setting the NFS client permissions. Possible values: `none,sys,krb5,krb5i,krb5p` Example: `krb5,krb5i,krb5p` Default: If Kerberos is not configured: `none,sys` If Kerberos is configured: `krb5`
`no-restart`	Prevents the restart of NFS-W containers when applying changes.

#### Show NFS global configuration **Command:** `weka nfs global-config show` **Example**

$ weka nfs global-config show
NFS Global Configuration
   mountd port: 0
     Config FS: .config_fs
   acl: on
   default acl type: posix
   Default Supported Versions: V3
   Enabled Auth Types: KRB5, KRB5i, KRB5p
   Default Auth Types: KRB5
   Supported Auth Types: NONE, SYS, KRB5, KRB5i, KRB5p

{% hint style="info" %} The parameters `Default Auth Types` and `Supported Auth Types` are determined internally. {% endhint %} ## **Configure the NFS cluster level** ### Create interface groups **Command:** `weka nfs interface-group add` Use the following command line to add an interface group: `weka nfs interface-group add [--subnet subnet] [--gateway gateway]` **Example** `weka nfs interface-group add nfsw NFS --subnet 255.255.255.0 --gateway 10.0.1.254` **Parameters**

Name	Value
`name`*	Unique interface group name.
`type`*	Group type. Can only be `NFS`.
`subnet`	The valid subnet mask in the 255.255.0.0 format. Default: `255.255.255.255`
`gateway`	Gateway valid IP. Default: `255.255.255.255`

### Set interface group ports **Commands:** `weka nfs interface-group port add` `weka nfs interface-group port remove` Use the following command lines to add or remove an interface group port: `weka nfs interface-group port add

` `weka nfs interface-group port remove

` **Example** The following command line adds the interface `enp2s0` on the Frontend container-id `3` to the interface group named `nfsw`. `weka nfs interface-group port add nfsw 3 enp2s0` **Parameters**

Name	Value
`name`*	Interface group name.
`container-id`*	Valid frontend container ID on which the port resides. You can obtain the container ID by running the `weka cluster container` command.
`port`*	Valid port's device. Maximum 14 characters. Example: `eth1`.

### Set interface group IPs **Commands:** `weka nfs interface-group ip-range add` `weka nfs interface-group ip-range remove` Use the following command lines to add or remove an interface group IP: `weka nfs interface-group ip-range add ` `weka nfs interface-group ip-range remove ` **Example** The following command line adds IPs in the range `10.0.1.101` to `10.0.1.118` to the interface group named `nfsw`. `weka nfs interface-group ip-range add nfsw 10.0.1.101-118` **Parameters**

Name	Value
`name`*	Interface group name
`ips`*	Valid IP range

### Configure the service mountd port The mountd service receives requests from clients to mount to the NFS server. It is possible to set it explicitly rather than have it randomly selected on each server startup. This allows an easier setup of the firewalls to allow that port. Use the following command lines to set and view the mountd configuration: `weka nfs global-config set --mountd-port ` `weka nfs global-config show` ### Configure user group resolution NFS-W can authenticate more than 16 user groups, but it requires the external resolution of the user's groups, which means associating users with their respective group-IDs outside of the NFS protocol. **Procedure** 1. **Configure interface groups:** * See [Create interface groups](#create-interface-groups). 2. **Configure NFS client permissions:** * See [Set the NFS client permissions](#manage-nfs-client-permissions). 3. **Set up servers for group-IDs retrieval:** * Configure relevant servers to retrieve user group-IDs information.\ This task is specific to NFS-W and does not involve WEKA management. See the following procedure.

Set up the servers to retrieve user's group-IDs information

For the servers that are part of the interface group, set the servers to retrieve the user's group-IDs information in any method that is part of the environment. You can also set the group resolution by joining the AD and Kerberos domains or using LDAP with a read-only user. Configure the `sssd` on the server to serve as a group IDs provider. For example, you can configure the `sssd` directly using LDAP or as a proxy to a different `nss` group IDs provider. **Example: set `sssd` directly for `nss` services using LDAP with a read-only user** ``` [sssd] services = nss config_file_version = 2 domains = LDAP [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap.example.com ldap_search_base = dc=example,dc=com # The DN used to search the ldap directory with. ldap_default_bind_dn = cn=ro_admin,ou=groups,dc=example,dc=com # The password of the bind DN. ldap_default_authtok = password ``` If you use another method than the `sssd` but with a different provider, configure an `sssd proxy` on each relevant server. The proxy is used for the WEKA container to resolve the groups by any method defined on the server. To configure `sssd proxy` on a server, use the following: ``` # install sssd yum install sssd # set up a proxy for WEKA in /etc/sssd/sssd.conf [sssd] services = nss config_file_version = 2 domains = proxy_for_weka [nss] [domain/proxy_for_weka] id_provider = proxy auth_provider = none # the name of the nss lib to be proxied, e.g., ldap, nis, winbind, vas4, etc. proxy_lib_name = ldap ``` All users must be present and resolved in the method used in the `sssd` for the group's resolution. In the above example, using an LDAP-only provider, local users (such as a local root) absent in LDAP do not receive their groups resolved and are denied. For such users or applications, add the LDAP user.

## Integrate the NFS and Kerberos service Integrating the NFS and Kerberos service is critical to setting up a secure network communication process. This procedure involves defining the Key Distribution Center (KDC) details, administrative credentials, and other parameters to ensure a robust and secure authentication process. **Before you begin** * Ensure a configuration filesystem is set. See [#configure-the-nfs-global-settings](#configure-the-nfs-global-settings "mention"). * Ensure the NFS cluster is configured and running. see [#configure-the-nfs-cluster-level](#configure-the-nfs-cluster-level "mention"). * For Active Directory (AD) integration, obtain the required information from the AD administrator. (WEKA handles the generation of the keytab file.) * For MIT integration, ensure the following: * Obtain the required information from the MIT Key Distribution Center (KDC) and OpenLDAP administrators. * A pre-generated keytab file in base64[^1] format stored in an accessible location is required. {% hint style="info" %} In all KDC and LDAP parameters, use the FQDN format. The hostname part of the FQDN is restricted to a maximum of 20 characters. {% endhint %} ### Set the Kerberos service **Command:** `weka nfs kerberos service setup` Use the following command to set up NFS Kerberos Service information: `weka nfs kerberos service setup

[--kdc-secondary-server kdc-secondary-server][--force] [--restart]` **Example** {% code overflow="wrap" %} ``` weka nfs kerberos service setup WEKA-REALM kdc.primary.weka.io kdc.admin.weka.io --kdc-secondary-server kdc.secondary.weka.io ``` {% endcode %} **Parameters**

Name	Value
`kdc-realm-name`*	Specifies the realm (domain) used by Kerberos.
`kdc-primary-server`*	Identifies the server hosting the primary Key Distribution Center service.
`kdc-admin-server`*	Identifies the server hosting the administrative Key Distribution Center service.
`kdc-secondary-server`	Identifies the server hosting the secondary Key Distribution Center service.
`force`	When used, it forces the action to proceed without further confirmation. Typically used when the service is configured or registered.
`restart`	When used, the command restarts the NFS-W containers after the changes are applied.

#### Show NFS Kerberos service setup information **Command:** `weka nfs kerberos service show` **Example** {% code fullWidth="true" %} ```bash $ weka nfs kerberos service show REALM NAME PRIMARY SERVER SECONDARY SERVER ADMIN SERVER GENERATION ID SERVICE STATUS TEST.WEKALAB.IO Zeus.test.wekalab.io Zeus.test.wekalab.io 1 CONFIGURED ``` {% endcode %} ### Integrate Kerberos with AD Integrating Kerberos with AD involves the following: 1. [Register Kerberos with AD](#integrate-kerberos-with-a-d) 2. [Set up Kerberos to use AD LDAP](#set-up-kerberos-to-use-a-d-ldap) #### Register Kerberos with AD **Command:** `weka nfs kerberos registration setup-ad` Use the following command to register the Kerberos with Microsoft Active Directory: `weka nfs kerberos registration setup-ad

[realm-admin-passwd] [--base-ou base-ou] [--force] [--restart]` **Example** {% code overflow="wrap" %} ``` weka nfs kerberos registration setup-ad myservicename.test.example.com myrealmadmin ``` {% endcode %} **Parameters**

Name	Value
`nfs-service-name`*	This refers to the complete domain name for a specific NFS server.
`realm-admin-name`*	The username of an administrator who has access to the LDAP directory. This user manages the KDC within a realm.
`realm-admin-passwd`	This parameter is for the password of the administrative user who manages the KDC within a realm. It’s not stored in the configuration for security reasons. If it’s not provided during setup, the system asks for it. The entered password isn’t shown on the screen to protect privacy and security.
`base-ou`	LDAP base OU for account creation. This allows admins to create a defined path such as `OU=Weka,OU=Servers` instead of using the default `CN=Computers` container.
`force`	When used, it forces the action to proceed without further confirmation. Typically used when the service is configured or registered.
`restart`	When used, the command restarts the NFS-W containers after the changes are applied.

#### Set up Kerberos to use AD LDAP **Command:** `weka nfs ldap setup-ad` Use the following command to set up NFS configuration to use AD LDAP: `weka nfs ldap setup-ad [--force] [--no-restart]` **Example** {% code overflow="wrap" %} ``` weka nfs ldap setup-ad ``` {% endcode %} **Parameters**

Name	Value
`force`	When used, it forces the action to proceed without further confirmation. Typically used when the service is configured or registered.
`no-restart`	When used, it prevents NFS-W containers from restarting to apply changes.

{% hint style="warning" %} In a successful operation, the system automatically restarts the NFS containers, leading to a temporary disruption in the IO service for connected NFS clients. However, if you want to avoid restarting the NFS-W containers, add the `--no-restart` option to the command line. {% endhint %} ### Integrate Kerberos with MIT Integrating Kerberos with MIT involves the following: 1. [Register Kerberos with MIT](#register-kerberos-with-mit) 2. [Set up Kerberos to use OpenLDAP](#set-up-kerberos-to-use-openldap) #### Register Kerberos with MIT **Command:** `weka nfs kerberos registration setup-mit` Use the following command to register the Kerberos with MIT KDC: `weka nfs kerberos registration setup-mit

[--force] [--restart]` {% hint style="info" %} To register the Kerberos service with MIT, a pre-generated [keytab file](#user-content-fn-2)[^2] , stored in an accessible location, is required. {% endhint %} **Example** {% code overflow="wrap" %} ``` weka nfs kerberos registration setup-mit myservicename.test.example.com myservicename.keytab ``` {% endcode %} **Parameters**

Name	Value
`nfs-service-name`*	Fully Qualified Domain Name (FQDN) for the NFS Service. This refers to the complete domain name for a specific NFS server. The hostname part of the FQDN is restricted to a maximum of 20 characters.
`keytab-file`*	The path to the pre-generated keytab file containing the keys for the NFS service’s unique identity in base64 format.
`force`	When used, it forces the action to proceed without further confirmation. Typically used when the service is configured.
`restart`	When used, the command restarts the NFS-W containers after the changes are applied.

#### Set up Kerberos to use OpenLDAP **Command:** `weka nfs ldap setup-openldap` Use the following command to set up Kerberos to use OpenLDAP: `weka nfs ldap setup-openldap

[reader-user-password] [--base-dn base-dn] [--ldap-port-number ldap-port-number][--force] [--no-restart]` **Example** {% code overflow="wrap" %} ``` weka nfs ldap setup-openldap myldapserver.test.example.com, myldapdomain.example.com, cn=readonly-user,dc=test,dc=example,dc=com ``` {% endcode %} **Parameters**

Name	Value
`server-name`*	Specifies the server hosting the Lightweight Directory Access Protocol service.
`ldap-domain`*	Defines the domain the Lightweight Directory Access Protocol service will access.
`reader-user-name`*	The username of an administrative user used to generate the keytab file.
`reader-user-password`	The administrative user's password. (It is maintained in a configuration file.)
`base-dn`	The base Distinguished Name (DN) for the Lightweight Directory Access Protocol directory tree.
`ldap-port-number`	The port number on which the Lightweight Directory Access Protocol server listens. Default: 389
`force`	When used, it forces the action to proceed without further confirmation. Typically used when the service is configured or registered.
`no-restart`	When used, it prevents NFS-W containers from restarting to apply changes.

{% hint style="warning" %} In a successful operation, the system automatically restarts the NFS containers, leading to a temporary disruption in the IO service for connected NFS clients. However, if you want to avoid restarting the NFS-W containers, add the `--no-restart` option to the command line. {% endhint %} ### Show Kerberos LDAP setup information **Command:** `weka nfs ldap show` **Example** {% code fullWidth="true" %} ```bash $ weka nfs ldap show SERVER TYPE LDAP DOMAIN SERVER NAME SERVER PORT BASE DN READER NAME READER PASSWORD GENERATION ID SETUP STATUS ActiveDirectory test.wekalab.io 0 1 CONFIGURED ``` {% endcode %} ### Clear the Kerberos LDAP configuration **Command:** `weka nfs ldap reset` Use the following command to clear the NFS LDAP configuration: `weka nfs ldap reset [--force] [--no-restart]` **Parameters**

Name	Value
`force`	When used, it forces the action to proceed without further confirmation. Typically used when the service is configured.
`no-restart`	When used, it prevents NFS-W containers from restarting to apply changes.

### Show Kerberos registration information **Command:** `weka nfs kerberos registration show` **Example** ```bash $ weka nfs kerberos registration show NFS SERVICE NAME NFS KDC TYPE GENERATION ID REGISTRATION STATUS nfs.test.wekalab.io ActiveDirectory 1 REGISTERED ``` ### Clear Kerberos configuration **Command:** `weka nfs kerberos reset` Use the following command to clear the NFS Kerberos service configuration: `weka nfs kerberos reset [--force] [--no-restart]` **Parameters**

Name Value

force When used, it forces the action to proceed without further confirmation. Typically used when the service is configured or registered.
Use this flag only to clear the configuration created by a previous call to weka nfs kerberos service setup succeeded.
Default: False.

Name	Value
`force`	When used, it forces the action to proceed without further confirmation. Typically used when the service is configured or registered. Use this flag only to clear the configuration created by a previous call to `weka nfs kerberos service setup` succeeded. Default: False.
`no-restart`	Prevents automatic restart of NFS-W containers after applying the configuration changes. Default: False. Containers restart automatically to apply changes. Important: Omitting this flag will cause a service disruption for active NFS clients during the container restart.

no-restart

Prevents automatic restart of NFS-W containers after applying the configuration changes.

Default: False. Containers restart automatically to apply changes.

Important: Omitting this flag will cause a service disruption for active NFS clients during the container restart.

### Update Kerberos configuration during maintenance mode Once the Kerberos integration with NFS is configured, there might be instances where the Kerberos setup is modified. {% hint style="warning" %} Changes to the Kerberos configuration in a production environment are rare. We recommend making any necessary updates during periods of low load from NFS clients, such as when the system are in maintenance mode. This approach helps to minimize potential disruptions to your operations. {% endhint %} Select the relevant tab to learn what to do for each scenario: {% tabs %} {% tab title="KDC" %} Use this procedure if you want to add or remove a secondary KDC server: ``` kdc-secondary-server ``` **Procedure** 1. Run the command: `weka nfs kerberos reset --no-restart --force` 2. Run the command: `weka nfs kerberos service setup ` 3. Run one of the following commands: * **For AD implementation:** `weka nfs kerberos registration setup-ad --restart` * **For MIT implementation:** `weka nfs kerberos registration setup-mit --restart` {% endtab %} {% tab title="AD" %} Use this procedure if one of the following is changed: ``` realm-admin-name realm-admin-passwd ``` **Procedure** Run the command:\ `weka nfs kerberos registration setup-ad --restart --force` {% endtab %} {% tab title="MIT" %} Use this procedure if one of the following is changed: ``` keytab-file ``` **Procedure** Run the command:\ `weka nfs kerberos registration setup-mit --restart --force` {% endtab %} {% tab title="OpenLDAP" %} Use this procedure if one of the following is changed: ``` reader-user-name reader-user-password ``` **Procedure** * For AD implementation, run the following: 1. `weka nfs ldap reset --no-restart --force` 2. `weka nfs ldap ` * For MIT implementation, run the following: 1. `weka nfs ldap reset --no-restart --force` 2. `weka nfs ldap ` {% endtab %} {% endtabs %} ### Configure NFS for LDAP with ACLs (without Kerberos) **Command:** `weka nfs ldap setup-ad-nokrb` Use the following command to configure NFS to use LDAP for ACLs only when Kerberos is not in use: `weka nfs ldap setup-ad-nokrb

[admin-user-password] [--base-ou base-ou] [--force] [--no-restart]` **Parameters**

Parameter	Description
`server-name`*	AD server name.
`ldap-domain`*	AD domain.
`nfs-service-name`*	NFS FQDN service name. Maximum 20 characters for hostname in FQDN.
`admin-user-name`*	AD Admin Name
`admin-user-password`	AD Admin password
`base-ou`	LDAP base OU for account creation. This allows admins to create a defined path such as `OU=Weka,OU=Servers` instead of using the default `CN=Computers` container.
`force`	Force this action when Active Directory LDAP client is already setup. Default: False.
`no-restart`	Prevents automatic restart of NFS-W containers after applying the configuration changes. Default: False. Containers restart automatically to apply changes. Important: Omitting this flag will cause a service disruption for active NFS clients during the container restart.

### Set host-based LDAP resolution for NFS **Command:** `weka nfs ldap setup-onhostldap` Use this command to enable NFS group resolution through the server's local LDAP client rather than through the WEKA system directly. This approach is particularly valuable when users belong to more than 16 groups, as it leverages host-level identity providers like SSSD (System Security Services Daemon) to handle group membership lookups. `weka nfs ldap setup-onhostldap [--no-restart]`

Parameter Description

ldap-domain* Specifies the LDAP domain for the on-host LDAP client to use for user and group resolution.

Parameter	Description
`ldap-domain`*	Specifies the LDAP domain for the on-host LDAP client to use for user and group resolution.
`no-restart`	Prevents automatic restart of NFS-W containers after applying the configuration changes. Default: Containers restart automatically to apply changes. Important: Omitting this flag will cause a service disruption for active NFS clients during the container restart.

no-restart

Prevents automatic restart of NFS-W containers after applying the configuration changes.

Default: Containers restart automatically to apply changes.

Important: Omitting this flag will cause a service disruption for active NFS clients during the container restart.

## **Manage the NFS export level (permissions)** ### Define client access groups **Command:** `weka nfs client-group` Use the following command lines to add or remove a client access group: `weka nfs client-group add ` `weka nfs client-group remove ` **Parameters**

Name	Value
`name`*	Valid group name.

### Manage client access groups' rules Clients are part of groups when their IP address or DNS hostname match the rules of that group. Similar to IP routing rules, clients are matched to client groups according to the most specific matching rule. **Command:** `weka nfs rules` #### **Add DNS-based client group rules** Use the following command lines to add a rule that causes a client to be part of a client group based on its DNS hostname: `weka nfs rules add dns ` **Example** `weka nfs rules add dns client-group1 hostname.example.com` #### **Remove DNS-based client group rules** Use the following command lines to remove a rule that causes a client to be part of a client group based on its DNS hostname: `weka nfs rules remove dns ` **Example** `weka nfs rules remove dns client-group1 hostname.example.com` **Parameters**

Name	Value
`name`*	Valid client group name.
`dns`*	DNS rule with *?[] wildcard rules.

#### **Add IP-based client group rules** **Command:** `weka nfs rules` Use the following command lines to add or remove a rule which causes a client to be part of a client group based on its IP and subnet mask (both CIDR and standard subnet mask formats are supported for enhanced flexibility): `weka nfs rules add ip ` **Examples** `weka nfs rules add ip client-group1 192.168.114.0/8`\ `weka nfs rules add ip client-group2 172.16.0.0/255.255.0.0` #### **Remove IP-based client group rules** `weka nfs rules remove ip ` **Examples** `weka nfs rules remove ip client-group1 192.168.114.0/255.255.255.0`\ `weka nfs rules remove ip client-group2 172.16.0.0/16` **Parameters**

Name Value

name* Valid client group name.

ip*

Valid IP address with subnet mask.

Both CIDR and standard subnet mask formats are supported for enhanced flexibility.

CIDR format: 1.1.1.1/16

Standard format: 1.1.1.1/255.255.0.0

### **Manage NFS client permissions** **Command:** `weka nfs permission` Use the following command lines to add NFS permissions: `weka nfs permission add [--path path] [--permission-type permission-type] [--root-squashing root-squashing] [--squash squash] [--anon-uid anon-uid] [--anon-gid anon-gid] [--obs-direct obs-direct] [--manage-gids manage-gids] [--privileged-port privileged-port] [--acl-type acl-type] [--force-acl-type force-acl-type] [--supported-versions supported-versions]... [--enable-auth-types enable-auth-types]... [--no-restart]` Use the following command lines to update NFS permissions: `weka nfs permission update [--path path] [--permission-type permission-type] [--squash squash] [--anon-uid anon-uid] [--anon-gid anon-gid] [--obs-direct obs-direct] [--manage-gids manage-gids] [--privileged-port privileged-port] [--acl-type acl-type] [--force-acl-type force-acl-type] [--supported-versions supported-versions]... [--enable-auth-types enable-auth-types]... [--no-restart]` Use the following command lines to remove NFS permissions: `weka nfs permission remove [--path path]` **Parameters**

Name	Value	Default
`filesystem`*	Existing filesystem name. A filesystem with Required Authentication set to ON cannot be used for NFS client permissions.
`group`*	Existing client group name.
`path`	The root of the valid share path.	`/`
`root-squashing`	Toot squashing is a security feature in NFS that prevents root users on client machines from having root privileges on the NFS server. When enabled, it typically maps the root user to an anonymous UID/GID. Possible values: `on`, `off`	`off`
`permission-type`	Permission type. Possible values: `ro` (read-only), `rw` (read-write)	`rw`
`squash`	Permission squashing. Possible values: `none`, `root`, `all` The option 'all' can be used only on interface groups with `--allow-manage-gids=on`	`none`
`anon-uid`*	Anonymous user ID. Relevant only for root squashing. Possible values: `1` to `65535`.	`65534`
`anon-gid`*	Anonymous user group ID. Relevant only for root squashing. Possible values: `1` to `65535`.	`65534`
`obs-direct`	See Object-store Direct Mount. Possible values: `on`, `off`.	`on`
`manage-gids`	Sets external group IDs resolution. The list of group IDs received from the client is replaced by a list determined by an appropriate lookup on the server. Possible values: `on`, `off`.	`off`
`privileged-port`	Sets the share only to be mounted via privileged ports (1-1024), usually allowed by the root user. Possible values: `on`, `off`.	`off`
`acl-type`	Specifies the ACL type. Possible values: `none`, `posix`, `nfsv4`, and `hybrid`. For details, see #access-control-list-acl-in-nfs.	Default is determined by the NFS global configuration.
`force-acl-type`	Forces a change to the ACL type for existing permissions on the same filesystem. Possible values: `on` or `off`.	`off`
`supported-versions`	A comma-separated list of supported NFS versions. Possible values: `v3`, `v4`.	The `default-supported-versions` setting in NFS global settings determines the default NFS version.
`enable-auth-types`	A comma-separated list of NFS authentication types. Possible values are determined by the `enable-auth-types` in NFS global settings.	The `default-auth-types` in NFS global settings determine the default.
`no-restart`	Prevents NFS-W containers from restarting when applying changes.	False

### View connected NFS clients **Command:** `weka nfs clients show` Use the following command line to view insights of NFS clients connected to the NFS-W cluster in JSON output format. `weka nfs clients show [--interface-group interface-group] [--container-id container-id] [--fip floating-ip] [--fsnames fsnames]...` **Parameters**

Name	Value	Default
`interface-group`	Interface group name. A filter to show only the clients connected to the containers in the specified group.	The output shows all clients connected to any container in the NFS-W cluster regardless of the assigned interface group.
`container-id`	NFS-W container ID. A filter to show only the clients connected to the specified container ID.	The output shows all clients connected to any container in the NFS-W cluster.
`fip`	Destination floating IP address.	The output shows all clients connected to all floating IP addresses.
`fsnames`	A comma-separated list of filesystems.	All NFS exported filesystems are selected.

[^1]: A binary data in an American Standard Code for Information Interchange (ASCII) string format. [^2]: All Kerberos server machines need a keytab file, called `/etc/krb5.keytab`, to authenticate to the KDC. For details, see . --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.weka.io/additional-protocols/nfs-support/nfs-support-1.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.