
Mount a SCITAS-provided NFS share

We provide a /export filesystem on GPFS designed to host folders that are accessible over the NFS protocol from your local machine, as long as you are inside the EPFL network.

Our systems use Kerberos to secure NFS mounts. This means authentication and data integrity are handled through Kerberos tickets.

You can access it using the address nfs.hpc.epfl.ch.

As long as you have access to a /work/<lab> folder on our clusters, you automatically get access to an /export/<lab_share> folder as well. <lab> and <lab_share> usually have identical names.

These /export/<lab> folders are exposed as both NFS and SMB shares.

Tip

If you want to access your share from macOS or Windows on your personal workstation, we advise using Samba instead.

Please refer to this procedure for this purpose.

Warning

The following procedure requires root access to your machine.

1. Install the following packages

Debian/Ubuntu:
sudo apt install nfs-common krb5-user nfs4-acl-tools

RHEL/Fedora:
sudo dnf install nfs-utils krb5-workstation nfs4-acl-tools

2. Configure Kerberos on the workstation

  • Edit the Kerberos configuration file:
sudo vim /etc/krb5.conf
  • Put in the following configuration:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = INTRANET.EPFL.CH
 dns_lookup_realm = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}
 spake_preauth_groups = edwards25519
 dns_canonicalize_hostname = fallback
 qualify_shortname = ""

[realms]
 INTRANET.EPFL.CH = {
  kdc = intranet.epfl.ch:88
  admin_server = ad1.intranet.epfl.ch:749
 }

[domain_realm]
 .intranet.epfl.ch = INTRANET.EPFL.CH

3. Create a Kerberos ticket

  • Create the ticket:
kinit

You will be asked for your Gaspar password.

  • Verify:
klist
  • Example:
fgagnepain@snicksdeb ~ $ kinit
Password for fgagnepain@INTRANET.EPFL.CH: 
fgagnepain@snicksdeb ~ $ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: fgagnepain@INTRANET.EPFL.CH

Valid starting       Expires              Service principal
01/15/2026 14:48:13  01/16/2026 00:48:13  krbtgt/INTRANET.EPFL.CH@INTRANET.EPFL.CH
 renew until 01/22/2026 14:47:57

4. Add your machine to EPFL's Active Directory

You need to ask your IT manager to add your machine into the EPFL Active Directory.

5. Start the rpc-gssd service

sudo systemctl start rpc-gssd
  • Verification:
sudo systemctl status rpc-gssd

6. Mount your NFS share

sudo mount -t nfs4 nfs.hpc.epfl.ch:<lab_share> /path/to/mount

7. ID mapping

If you followed the procedure correctly, you are now able to browse your NFS share, as in the example below:

fgagnepain@snicksdeb ~ $ ls -l /home/fgagnepain/mnt/scitas-ge/fgagnepain/
total 1
drwxrws---+ 3 nobody nogroup 4096 Jun 25  2024 dir_test
drwxrwx---+ 2 nobody nogroup 4096 Jun 25  2024 dir_test3
-rw-rw-r--  1 nobody nogroup    0 Jan 26 11:32 ploptest
-rwxrwx---+ 1 nobody nogroup    0 May  8  2024 test2
-rw-r--r--  1 nobody nogroup    0 Jun 25  2024 test6

As you can see, there is a minor issue: user and group names appear as nobody and nogroup respectively, because the client cannot map the AD identities on its own.

This does not prevent you from using your share, but it is inconvenient for readability.

To remedy this, install sssd:

Debian/Ubuntu:
sudo apt install sssd

RHEL/Fedora:
sudo dnf install sssd

Then put this configuration in your /etc/sssd/sssd.conf file (you may have to create it):

[sssd]
services = nss, pam
domains = INTRANET.EPFL.CH

[domain/INTRANET.EPFL.CH]
id_provider = ad
auth_provider = none
chpass_provider = none

# AD servers
ad_server = ad1.intranet.epfl.ch
ad_domain = INTRANET.EPFL.CH

# Format user and group names as INTRANET\<user|group>
use_fully_qualified_names = True
full_name_format = %3$s\%1$s 

# Kerberos
krb5_realm = INTRANET.EPFL.CH

# AD generated UID/GID
ldap_id_mapping = True

# Home directory local
override_homedir = /home/%u
fallback_homedir = /home/%u
default_shell = /bin/bash

Finally, restart the sssd service:

sudo systemctl restart sssd.service

Browse your share again:

fgagnepain@snicksdeb ~ $ ls -l /home/fgagnepain/mnt/scitas-ge/fgagnepain/
total 1
drwxrws---+ 3 INTRANET\fgagnepain INTRANET\scitas-ge-staffu 4096 Jun 25  2024 dir_test
drwxrwx---+ 2 INTRANET\fgagnepain INTRANET\scitas-ge-staffu 4096 Jun 25  2024 dir_test3
-rw-r--r--  1 INTRANET\fgagnepain INTRANET\scitas-ge-staffu    0 Jan 29 14:48 jed2
-rw-rw-r--+ 1 INTRANET\fgagnepain INTRANET\scitas-ge-staffu    0 Jan 29 14:46 plop_plop
-rw-rw-r--  1 INTRANET\fgagnepain INTRANET\scitas-ge-staffu    0 Jan 26 11:32 ploptest
-rwxrwx---+ 1 INTRANET\fgagnepain INTRANET\scitas-ge-staffu    0 May  8  2024 test2
-rw-r--r--  1 INTRANET\fgagnepain INTRANET\scitas-ge-staffu    0 Jun 25  2024 test6

Much better.

We like to keep the INTRANET\ in front of names to emphasize the fact that you are working in an AD authenticated NFS share.

Also, if permission changes are needed, this particular name format will have to be used.
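As an added example (not part of the SCITAS documentation), the following POSIX shell script checks the outcome of steps 5 to 7: that a valid ticket exists, that rpc-gssd runs, that the mount actually negotiated a Kerberos security flavor (the mount command above does not pin one with sec=, so the client takes whatever the server offers), and that no entries still show nobody/nogroup. It assumes a Linux NFS client (mount options read from /proc/self/mounts) and MIT Kerberos tools; the script name nfs_check.sh is arbitrary.

```shell
#!/bin/sh
# Added example, not part of the SCITAS documentation: post-mount sanity checks.
# Assumes a Linux NFS client (mount options are read from /proc/self/mounts)
# and MIT Kerberos tools (klist -s).

# Print the security flavor recorded in one /proc/self/mounts line; "sys" if none is listed.
nfs_sec_flavor() {
    flavor=$(printf '%s\n' "$1" | awk '{print $4}' | tr ',' '\n' | sed -n 's/^sec=//p' | head -n 1)
    printf '%s\n' "${flavor:-sys}"
}

# Succeed only when the mount negotiated a Kerberos flavor:
# krb5 = authentication, krb5i = + integrity, krb5p = + privacy (encryption).
mount_is_kerberized() {
    case "$(nfs_sec_flavor "$1")" in
        krb5|krb5i|krb5p) return 0 ;;
        *) return 1 ;;
    esac
}

# Count "ls -l" entries (stdin) whose owner or group did not resolve, i.e. the
# nobody/nogroup symptom that the sssd configuration in step 7 fixes.
count_unmapped() {
    awk '$1 != "total" && ($3 == "nobody" || $4 == "nogroup") { n++ } END { print n + 0 }'
}

# Checks against the running system; usage:  sh nfs_check.sh --live /path/to/mount
live_checks() {
    mnt=$1
    klist -s || echo "WARN: no valid Kerberos ticket, run kinit"
    systemctl is-active --quiet rpc-gssd || echo "WARN: rpc-gssd is not running"
    line=$(awk -v m="$mnt" '$2 == m && $3 == "nfs4"' /proc/self/mounts)
    [ -n "$line" ] || { echo "ERROR: $mnt is not an NFSv4 mount"; return 1; }
    if mount_is_kerberized "$line"; then
        echo "OK: $mnt negotiated sec=$(nfs_sec_flavor "$line")"
    else
        echo "WARN: $mnt uses sec=sys, Kerberos is not protecting this mount"
    fi
    n=$(ls -l "$mnt" | count_unmapped)
    [ "$n" -eq 0 ] || echo "WARN: $n entries show nobody/nogroup, check sssd ID mapping"
}

if [ "${1:-}" = "--live" ]; then
    live_checks "${2:?mount point required}"
fi
```

A mount that reports sec=sys is authenticated only by the client's claimed UID, so the WARN on that branch is the one to act on first.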

8. Permission changes

Unfortunately, the traditional UNIX permission system cannot be used on an NFS share.

You have to use the NFSv4 ACL system instead:

  • Read ACLs through the nfs4_getfacl command
  • Modify ACLs with the nfs4_setfacl command

Please consult the man page for more details: man nfs4_acl