1 .\" 2 .\" CDDL HEADER START 3 .\" 4 .\" The contents of this file are subject to the terms of the 5 .\" Common Development and Distribution License (the "License"). 6 .\" You may not use this file except in compliance with the License. 7 .\" 8 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 .\" or http://www.opensolaris.org/os/licensing. 10 .\" See the License for the specific language governing permissions 11 .\" and limitations under the License. 12 .\" 13 .\" When distributing Covered Code, include this CDDL HEADER in each 14 .\" file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 .\" If applicable, add the following below this CDDL HEADER, with the 16 .\" fields enclosed by brackets "[]" replaced with your own identifying 17 .\" information: Portions Copyright [yyyy] [name of copyright owner] 18 .\" 19 .\" CDDL HEADER END 20 .\" 21 .\" 22 .\" Copyright (C) 2008, Sun Microsystems, Inc. All Rights Reserved 23 .\" Copyright 2014 Nexenta Systems, Inc. All rights reserved. 24 .\" Copyright 2016 Jason King. 25 .\" 26 .Dd March 23, 2017 27 .Dt SHARE_NFS 1M 28 .Os 29 .Sh NAME 30 .Nm share_nfs 31 .Nd make local NFS file systems available for mounting by remote systems 32 .Sh SYNOPSIS 33 .Nm share 34 .Op Fl d Ar description 35 .Op Fl F Sy nfs 36 .Op Fl o Ar specific_options 37 .Ar pathname 38 .Sh DESCRIPTION 39 The 40 .Nm share 41 utility makes local file systems available for mounting by remote systems. 42 It starts the 43 .Xr nfsd 1M 44 and 45 .Xr mountd 1M 46 daemons if they are not already running. 47 .Pp 48 If no argument is specified, then 49 .Nm share 50 displays all file systems currently shared, including NFS file systems and file 51 systems shared through other distributed file system packages. 52 .Sh OPTIONS 53 The following options are supported: 54 .Bl -tag -width "indented" 55 .It Fl d Ar description 56 Provide a comment that describes the file system to be shared. 57 .It Fl F Sy nfs 58 Share NFS file system type. 59 .It Fl o Ar specific_options 60 Specify 61 .Ar specific_options 62 in a comma-separated list of keywords and attribute-value-assertions for 63 interpretation by the file-system-type-specific command. 64 If 65 .Ar specific_options 66 is not specified, then by default sharing is read-write to all clients. 67 .Ar specific_options 68 can be any combination of the following: 69 .Bl -tag -width "indented" 70 .It Sy aclok 71 Allows the NFS server to do access control for NFS Version 2 clients (running 72 SunOS 2.4 or earlier). 73 When 74 .Sy aclok 75 is set on the server, maximal access is given to all clients. 76 For example, with 77 .Sy aclok 78 set, if anyone has read permissions, then everyone does. 79 If 80 .Sy aclok 81 is not set, minimal access is given to all clients. 82 .It Sy anon Ns = Ns Ar uid 83 Set 84 .Ar uid 85 to be the effective user ID of unknown users. 86 By default, unknown users are given the effective user ID UID_NOBODY. 87 If uid is set to -1, access is denied. 88 .It Ar charset Ns = Ns Ar access_list 89 Where 90 .Ar charset 91 is one of: euc-cn, euc-jp, euc-jpms, euc-kr, euc-tw, iso8859-1, iso8859-2, 92 iso8859-5, iso8859-6, iso8859-7, iso8859-8, iso8859-9, iso8859-13, iso8859-15, 93 koi8-r. 94 .Pp 95 Clients that match the 96 .Ar access_list 97 for one of these properties will be assumed to be using that character set and 98 file and path names will be converted to UTF-8 for the server. 99 .It Sy gidmap Ns = Ns Ar mapping Ns Oo ~ Ns Ar mapping Oc Ns ... 100 Where 101 .Ar mapping 102 is: 103 .Oo Ar clnt Oc : Ns Oo Ar srv Oc : Ns Ar access_list 104 .Pp 105 Allows remapping the group ID (gid) in the incoming request to some other gid. 106 This effectively changes the identity of the user in the request to that of 107 some other local user. 108 .Pp 109 For clients where the gid in the incoming request is 110 .Ar clnt 111 and the client matches the 112 .Ar access_list , 113 change the group ID to 114 .Ar srv . 115 If 116 .Ar clnt 117 is asterisk (*), all groups are mapped by this rule. 118 If 119 .Ar clnt 120 is omitted, all unknown groups are mapped by this rule. 121 If 122 .Ar srv 123 is set to -1, access is denied. 124 If 125 .Ar srv 126 is omitted, the gid is mapped to UID_NOBODY. 127 .Pp 128 The particular 129 .Ar mapping Ns s 130 are separated in the 131 .Sy gidmap Ns = 132 option by tilde (~) and are evaluated in the specified order until a match is 133 found. 134 Both 135 .Sy root Ns = 136 and 137 .Sy root_mapping Ns = 138 options (if specified) are evaluated before the 139 .Sy gidmap Ns = 140 option. 141 The 142 .Sy gidmap Ns = 143 option is skipped in the case where the client matches the 144 .Sy root Ns = 145 option. 146 .Pp 147 The 148 .Sy gidmap Ns = 149 option is evaluated before the 150 .Sy anon Ns = 151 option. 152 .Pp 153 This option is supported only for AUTH_SYS. 154 .It Sy index Ns = Ns Ar file 155 Load 156 .Ar file 157 rather than a listing of the directory containing this file when the 158 directory is referenced by an NFS URL. 159 .It Sy log Ns Oo = Ns Ar tag Oc 160 Enables NFS server logging for the specified file system. 161 The optional 162 .Ar tag 163 determines the location of the related log files. 164 The 165 .Ar tag 166 is defined in 167 .Pa /etc/nfs/nfslog.conf . 168 If no 169 .Ar tag 170 is specified, the default values associated with the global tag in 171 .Pa /etc/nfs/nfslog.conf 172 are used. 173 Support of NFS server logging is only available for NFS Version 2 and 174 Version 3 requests. 175 .It Sy noaclfab 176 By default, the NFS server will fabricate POSIX-draft style ACLs in response 177 to ACL requests from NFS Version 2 or Version 3 clients accessing shared 178 file systems that do not support POSIX-draft ACLs (such as ZFS). 179 Specifying 180 .Sy noaclfab 181 disables this behavior. 182 .It Sy none Ns = Ns Ar access_list 183 Access is not allowed to any client that matches the access list. 184 The exception is when the access list is an asterisk (*), in which case 185 .Sy ro 186 or 187 .Sy rw 188 can override 189 .Sy none . 190 .It Sy nosub 191 Prevents clients from mounting subdirectories of shared directories. 192 For example, if 193 .Pa /export 194 is shared with the 195 .Sy nosub 196 option on server 197 .Qq fooey 198 then a NFS client cannot do: 199 .Bd -literal -offset indent 200 mount -F nfs fooey:/export/home/mnt 201 .Ed 202 .Pp 203 NFS Version 4 does not use the MOUNT protocol. 204 The 205 .Sy nosub 206 option only applies to NFS Version 2 and Version 3 requests. 207 .It Sy nosuid 208 By default, clients are allowed to create files on the shared file system with 209 the setuid or setgid mode enabled. 210 Specifying 211 .Sy nosuid 212 causes the server file system to silently ignore any attempt to enable the 213 setuid or setgid mode bits. 214 .It Sy public 215 Moves the location of the public file handle from root 216 .Pa ( / ) 217 to the exported directory for WebNFS-enabled browsers and clients. 218 This option does not enable WebNFS service; WebNFS is always on. 219 Only one file system per server may use this option. 220 Any other option, including the 221 .Sy ro Ns = Ns Ar list 222 and 223 .Sy rw Ns = Ns Ar list 224 options can be included with the 225 .Sy public 226 option. 227 .It Sy ro 228 Sharing is read-only to all clients. 229 .It Sy ro Ns = Ns Ar access_list 230 Sharing is read-only to the clients listed in 231 .Ar access_list ; 232 overrides the 233 .Sy rw 234 suboption for the clients specified. 235 See 236 .Sx access_list 237 below. 238 .It Sy root Ns = Ns Ar access_list 239 Only root users from the hosts specified in 240 .Ar access_list 241 have root access. 242 See 243 .Sx access_list 244 below. 245 By default, no host has root access, so root users are mapped to an anonymous 246 user ID (see the 247 .Sy anon Ns = Ns Ar uid 248 option described above). 249 Netgroups can be used if the file system shared is using UNIX authentication 250 (AUTH_SYS). 251 .It Sy root_mapping Ns = Ns Ar uid 252 For a client that is allowed root access, map the root UID to the specified 253 user id. 254 .It Sy rw 255 Sharing is read-write to all clients. 256 .It Sy rw Ns = Ns Ar access_list 257 Sharing is read-write to the clients listed in 258 .Ar access_list ; 259 overrides the 260 .Sy ro 261 suboption for the clients specified. 262 See 263 .Sx access_list 264 below. 265 .It Sy sec Ns = Ns Ar mode Ns Oo : Ns Ar mode Oc Ns ... 266 Sharing uses one or more of the specified security modes. 267 The 268 .Ar mode 269 in the 270 .Sy sec Ns = Ns Ar mode 271 option must be a mode name supported on the client. 272 If the 273 .Sy sec Ns = 274 option is not specified, the default security mode used is AUTH_SYS. 275 Multiple 276 .Sy sec Ns = 277 options can be specified on the command line, although each mode can appear 278 only once. 279 The security modes are defined in 280 .Xr nfssec 5 . 281 .Pp 282 Each 283 .Sy sec Ns = 284 option specifies modes that apply to any subsequent 285 .Sy window Ns = , 286 .Sy rw , 287 .Sy ro , 288 .Sy rw Ns = , 289 .Sy ro Ns = , 290 and 291 .Sy root Ns = 292 options that are provided before another 293 .Sy sec Ns = 294 option. 295 Each additional 296 .Sy sec Ns = 297 resets the security mode context, so that more 298 .Sy window Ns = , 299 .Sy rw , 300 .Sy ro , 301 .Sy rw Ns = , 302 .Sy ro Ns = , 303 and 304 .Sy root Ns = 305 options can be supplied for additional modes. 306 .It Sy sec Ns = Ns Sy none 307 If the option 308 .Sy sec Ns = Ns Sy none 309 is specified when the client uses AUTH_NONE, or if the client uses a security 310 mode that is not one that the file system is shared with, then the credential 311 of each NFS request is treated as unauthenticated. 312 See the 313 .Sy anon Ns = Ns Ar uid 314 option for a description of how unauthenticated requests are handled. 315 .It Sy secure 316 This option has been deprecated in favor of the 317 .Sy sec Ns = Ns Sy dh 318 option. 319 .It Sy uidmap Ns = Ns Ar mapping Ns Oo ~ Ns Ar mapping Oc Ns ... 320 Where 321 .Ar mapping 322 is: 323 .Oo Ar clnt Oc : Ns Oo Ar srv Oc : Ns Ar access_list 324 .Pp 325 Allows remapping the user ID (uid) in the incoming request to some other uid. 326 This effectively changes the identity of the user in the request to that of 327 some other local user. 328 .Pp 329 For clients where the uid in the incoming request is 330 .Ar clnt 331 and the client matches the 332 .Ar access_list , 333 change the user ID to 334 .Ar srv . 335 If 336 .Ar clnt 337 is asterisk (*), all users are mapped by this rule. 338 If 339 .Ar clnt 340 is omitted, all unknown users are mapped by this rule. 341 If 342 .Ar srv 343 is set to -1, access is denied. 344 If 345 .Ar srv 346 is omitted, the uid is mapped to UID_NOBODY. 347 .Pp 348 The particular 349 .Ar mapping Ns s 350 are separated in the 351 .Sy uidmap Ns = 352 option by tilde (~) and are evaluated in the specified order until a match is 353 found. 354 Both 355 .Sy root Ns = 356 and 357 .Sy root_mapping Ns = 358 options (if specified) are evaluated before the 359 .Sy uidmap Ns = 360 option. 361 The 362 .Sy uidmap Ns = 363 option is skipped in the case where the client matches the 364 .Sy root Ns = 365 option. 366 .Pp 367 The 368 .Sy uidmap Ns = 369 option is evaluated before the 370 .Sy anon Ns = 371 option. 372 .Pp 373 This option is supported only for AUTH_SYS. 374 .It Sy window Ns = Ns Ar value 375 When sharing with 376 .Sy sec Ns = Ns Sy dh , 377 set the maximum life time (in seconds) of the RPC request's credential (in the 378 authentication header) that the NFS server allows. 379 If a credential arrives with a life time larger than what is allowed, the NFS 380 server rejects the request. 381 The default value is 30000 seconds (8.3 hours). 382 .El 383 .El 384 .Ss access_list 385 The 386 .Ar access_list 387 argument is a colon-separated list whose components may be any number of the 388 following: 389 .Bl -tag -width "indented" 390 .It Sy hostname 391 The name of a host. 392 With a server configured for DNS or LDAP naming in the nsswitch 393 .Sy hosts 394 entry, any hostname must be represented as a fully qualified DNS or LDAP name. 395 .It Sy netgroup 396 A netgroup contains a number of hostnames. 397 With a server configured for DNS or LDAP naming in the nsswitch 398 .Sy hosts 399 entry, any hostname in a netgroup must be represented as a fully qualified DNS 400 or LDAP name. 401 .It Sy domain name suffix 402 To use domain membership the server must use DNS or LDAP to resolve hostnames to 403 IP addresses; that is, the 404 .Sy hosts 405 entry in the 406 .Pa /etc/nsswitch.conf 407 must specify 408 .Sy dns 409 or 410 .Sy ldap 411 ahead of 412 .Sy nis 413 since only DNS and LDAP return the full domain name of the host. 414 Other name services like NIS cannot be used to resolve hostnames on the server 415 because when mapping an IP address to a hostname they do not return domain 416 information. 417 For example, 418 .Bd -literal -offset indent 419 NIS 172.16.45.9 --> "myhost" 420 .Ed 421 .Pp 422 and 423 .Bd -literal -offset indent 424 DNS or LDAP 172.16.45.9 --> "myhost.mydomain.mycompany.com" 425 .Ed 426 .Pp 427 The domain name suffix is distinguished from hostnames and netgroups by a 428 prefixed dot. 429 For example, 430 .Bd -literal -offset indent 431 rw=.mydomain.mycompany.com 432 .Ed 433 .Pp 434 A single dot can be used to match a hostname with no suffix. 435 For example, 436 .Bd -literal -offset indent 437 rw=. 438 .Ed 439 .Pp 440 matches 441 .Qq mydomain 442 but not 443 .Qq mydomain.mycompany.com . 444 This feature can be used to match hosts resolved through NIS rather 445 than DNS and LDAP. 446 .It Sy network 447 The network or subnet component is preceded by an at-sign (@). 448 It can be either a name or a dotted address. 449 If a name, it is converted to a dotted address by 450 .Xr getnetbyname 3SOCKET . 451 For example, 452 .Bd -literal -offset indent 453 =@mynet 454 .Ed 455 .Pp 456 would be equivalent to: 457 .Bd -literal -offset indent 458 =@172.16 or =@172.16.0.0 459 .Ed 460 .Pp 461 The network prefix assumes an octet-aligned netmask determined from the zeroth 462 octet in the low-order part of the address up to and including the high-order 463 octet, if you want to specify a single IP address (see below). 464 In the case where network prefixes are not byte-aligned, the syntax allows a 465 mask length to be specified explicitly following a slash (/) delimiter. 466 For example, 467 .Bd -literal -offset indent 468 =@theothernet/17 or =@172.16.132/22 469 .Ed 470 .Pp 471 where the mask is the number of leftmost contiguous significant bits in the 472 corresponding IP address. 473 .Pp 474 When specifying individual IP addresses, use the same @ notation described 475 above, without a netmask specification. 476 For example: 477 .Bd -literal -offset indent 478 =@172.16.132.14 479 .Ed 480 .Pp 481 Multiple, individual IP addresses would be specified, for example, as: 482 .Bd -literal -offset indent 483 root=@172.16.132.20:@172.16.134.20 484 .Ed 485 .El 486 .Pp 487 A prefixed minus sign (-) denies access to that component of 488 .Ar access_list . 489 The list is searched sequentially until a match is found that either grants or 490 denies access, or until the end of the list is reached. 491 For example, if host 492 .Qq terra 493 is in the 494 .Qq engineering 495 netgroup, then 496 .Bd -literal -offset indent 497 rw=-terra:engineering 498 .Ed 499 .Pp 500 denies access to 501 .Qq terra 502 but 503 .Bd -literal -offset indent 504 rw=engineering:-terra 505 .Ed 506 .Pp 507 grants access to 508 .Qq terra . 509 .Sh OPERANDS 510 The following operands are supported: 511 .Bl -tag -width "pathname" 512 .It Sy pathname 513 The pathname of the file system to be shared. 514 .El 515 .Sh FILES 516 .Bl -tag -width "/etc/nfs/nfslog.conf" 517 .It Pa /etc/dfs/fstypes 518 list of system types, NFS by default 519 .It Pa /etc/dfs/sharetab 520 system record of shared file systems 521 .It Pa /etc/nfs/nfslogtab 522 system record of logged file systems 523 .It Pa /etc/nfs/nfslog.conf 524 logging configuration file 525 .El 526 .Sh EXIT STATUS 527 .Ex -std 528 .Sh EXAMPLES 529 .Ss Example 1 Sharing A File System With Logging Enabled 530 The following example shows the 531 .Pa /export 532 file system shared with logging enabled: 533 .Bd -literal -offset indent 534 share -o log /export 535 .Ed 536 .Pp 537 The default global logging parameters are used since no tag identifier is 538 specified. 539 The location of the log file, as well as the necessary logging work 540 files, is specified by the global entry in 541 .Pa /etc/nfs/nfslog.conf . 542 The 543 .Xr nfslogd 1M 544 daemon runs only if at least one file system entry in 545 .Pa /etc/dfs/dfstab 546 is shared with logging enabled upon starting or rebooting the system. 547 Simply sharing a file system with logging enabled from the command line does not 548 start the 549 .Xr nfslogd 1M . 550 .Ss Example 2 Remap A User Coming From The Particular NFS Client 551 The following example remaps the user with uid 552 .Sy 100 553 at client 554 .Sy 10.0.0.1 555 to user 556 .Sy joe : 557 .Bd -literal -offset indent 558 share -o uidmap=100:joe:@10.0.0.1 /export 559 .Ed 560 .Sh SEE ALSO 561 .Xr mount 1M , 562 .Xr mountd 1M , 563 .Xr nfsd 1M , 564 .Xr nfslogd 1M , 565 .Xr share 1M , 566 .Xr unshare 1M , 567 .Xr getnetbyname 3SOCKET , 568 .Xr netgroup 4 , 569 .Xr nfslog.conf 4 , 570 .Xr acl 5 , 571 .Xr attributes 5 , 572 .Xr nfssec 5 573 .Sh NOTES 574 If the 575 .Sy sec Ns = 576 option is presented at least once, all uses of the 577 .Sy window Ns = , 578 .Sy rw , 579 .Sy ro , 580 .Sy rw Ns = , 581 .Sy ro Ns = , 582 and 583 .Sy root Ns = 584 options must come after the first 585 .Sy sec Ns = 586 option. 587 If the 588 .Sy sec Ns = 589 option is not presented, then 590 .Sy sec Ns = Ns Sy sys 591 is implied. 592 .Pp 593 If one or more explicit 594 .Sy sec Ns = 595 options are presented, 596 .Sy sys 597 must appear in one of the options mode lists for accessing using the AUTH_SYS 598 security mode to be allowed. 599 For example: 600 .Bd -literal -offset indent 601 share -F nfs /var 602 share -F nfs -o sec=sys /var 603 .Ed 604 .Pp 605 grants read-write access to any host using AUTH_SYS, but 606 .Bd -literal -offset indent 607 share -F nfs -o sec=dh /var 608 .Ed 609 .Pp 610 grants no access to clients that use AUTH_SYS. 611 .Pp 612 Unlike previous implementations of 613 .Nm , 614 access checking for the 615 .Sy window Ns = , 616 .Sy rw , 617 .Sy ro , 618 .Sy rw Ns = , 619 and 620 .Sy ro Ns = 621 options is done per NFS request, instead of per mount request. 622 .Pp 623 Combining multiple security modes can be a security hole in situations where 624 the 625 .Sy ro Ns = 626 and 627 .Sy rw Ns = 628 options are used to control access to weaker security modes. 629 In this example, 630 .Bd -literal -offset indent 631 share -F nfs -o sec=dh,rw,sec=sys,rw=hosta /var 632 .Ed 633 .Pp 634 an intruder can forge the IP address for 635 .Qq hosta 636 (albeit on each NFS request) to side-step the stronger controls of AUTH_DES. 637 Something like: 638 .Bd -literal -offset indent 639 share -F nfs -o sec=dh,rw,sec=sys,ro /var 640 .Ed 641 .Pp 642 is safer, because any client (intruder or legitimate) that avoids AUTH_DES only 643 gets read-only access. 644 In general, multiple security modes per share command should only be used in 645 situations where the clients using more secure modes get stronger access than 646 clients using less secure modes. 647 .Pp 648 If 649 .Sy rw Ns = 650 and 651 .Sy ro Ns = 652 options are specified in the same 653 .Sy sec Ns = 654 clause, and a client is in both lists, the order of the two options determines 655 the access the client gets. 656 If client 657 .Qq hosta 658 is in two netgroups, 659 .Qq group1 660 and 661 .Qq group2 , 662 in this example, the client would get read-only access: 663 .Bd -literal -offset indent 664 share -F nfs -o ro=group1,rw=group2 /var 665 .Ed 666 .Pp 667 In this example 668 .Qq hosta 669 would get read-write access: 670 .Bd -literal -offset indent 671 share -F nfs -o rw=group2,ro=group1 /var 672 .Ed 673 .Pp 674 If within a 675 .Sy sec Ns = 676 clause, both the 677 .Sy ro 678 and 679 .Sy rw Ns = 680 options are specified, for compatibility, the order of the options rule is not 681 enforced. 682 All hosts would get read-only access, with the exception to those in the 683 read-write list. 684 Likewise, if the 685 .Sy ro Ns = 686 and 687 .Sy rw 688 options are specified, all hosts get read-write access with the exceptions of 689 those in the read-only list. 690 .Pp 691 The 692 .Sy ro Ns = 693 and 694 .Sy rw Ns = 695 options are guaranteed to work over UDP and TCP but may not work over other 696 transport providers. 697 .Pp 698 The 699 .Sy root Ns = 700 option with AUTH_SYS is guaranteed to work over UDP and TCP but may not work 701 over other transport providers. 702 .Pp 703 The 704 .Sy root Ns = 705 option with AUTH_DES is guaranteed to work over any transport provider. 706 .Pp 707 There are no interactions between the 708 .Sy root Ns = 709 option and the 710 .Sy rw , 711 .Sy ro , 712 .Sy rw Ns = , 713 and 714 .Sy ro Ns = 715 options. 716 Putting a host in the root list does not override the semantics of the other 717 options. 718 The access the host gets is the same as when the 719 .Sy root Ns = 720 option is absent. 721 For example, the following share command denies access to 722 .Qq hostb : 723 .Bd -literal -offset indent 724 share -F nfs -o ro=hosta,root=hostb /var 725 .Ed 726 .Pp 727 The following gives read-only permissions to 728 .Qq hostb : 729 .Bd -literal -offset indent 730 share -F nfs -o ro=hostb,root=hostb /var 731 .Ed 732 .Pp 733 The following gives read-write permissions to 734 .Qq hostb : 735 .Bd -literal -offset indent 736 share -F nfs -o ro=hosta,rw=hostb,root=hostb /var 737 .Ed 738 .Pp 739 If the file system being shared is a symbolic link to a valid pathname, the 740 canonical path (the path which the symbolic link follows) is shared. 741 For example, if 742 .Pa /export/foo 743 is a symbolic link to 744 .Pa /export/bar , 745 the following share command results in 746 .Pa /export/bar 747 as the shared pathname (and not 748 .Pa /export/foo ) : 749 .Bd -literal -offset indent 750 share -F nfs /export/foo 751 .Ed 752 .Pp 753 An NFS mount of 754 .Lk server:/export/foo 755 results in 756 .Lk server:/export/bar 757 really being mounted. 758 .Pp 759 This line in the 760 .Pa /etc/dfs/dfstab 761 file shares the 762 .Pa /disk 763 file system read-only at boot time: 764 .Bd -literal -offset indent 765 share -F nfs -o ro /disk 766 .Ed 767 .Pp 768 The 769 .Xr mountd 1M 770 process allows the processing of a path name that contains a symbolic link. 771 This allows the processing of paths that are not themselves explicitly shared 772 with 773 .Nm . 774 For example, 775 .Pa /export/foo 776 might be a symbolic link that refers to 777 .Pa /export/bar 778 which has been specifically shared. 779 When the client mounts 780 .Pa /export/foo 781 the mountd processing follows the symbolic link and responds with the 782 .Pa /export/bar . 783 The NFS Version 4 protocol does not use the mountd processing and the client's 784 use of 785 .Pa /export/foo 786 does not work as it does with NFS Version 2 and Version 3 and the client 787 receives an error when attempting to mount 788 .Pa /export/foo .