NFS Services Administrator's Guide (B.11.31.03) August 2008

The NFSv4 protocol design enables NFS developers to add new operations that

are based on IETF specifications.

• Delegation

In NFSv4, the server can delegate certain responsibilities to the client. Delegation

enables a client to locally service operations, such as OPEN, CLOSE, LOCK,

LOCKU, READ, and WRITE, without immediate interactions with the server.

The server grants either a READ or a WRITE delegation to a client at OPEN. After

the delegation is granted, the client can perform all operations locally. Delegations

are disabled, by default.

Delegations can be revoked by the server. If another client requests incompatible

access to the file, the server revokes the delegation. Once the delegation is returned,

the other client can access the file.

• Built-In Security

In NFSv4, the built-in security feature enables the RPC layer to use different security

mechanisms. You can specify a different security policy for each filesystem. The

server and the clients can negotiate supported security flavors on a per filesystem

basis.

NFSv4 uses the RPCSEC_GSS framework for authentication, integrity, and privacy.

This framework enables the RPC protocols to access the Generic Security Services

Application Programming Interface (GSS-API).

The RPCSEC_GSS/GSS-API security framework is extensible. However, the new

security flavors, whenever added, must conform to the GSS-API model.

For information on how to secure your systems, see “Secure Sharing of Directories

” (page 35).

• ACLs

An Access Control List (ACL) provides stronger file security, by enabling the

owner of a file to define file permissions for the file owner, the group, and other

specific users and groups. ACL support is built into the protocol. ACLs can be

managed from an NFS client using either the setacl or the getacl command.

For more information on ACLs, see acl(1M),getacl(1M), and setacl(1M).

16 Introduction