.\"
.\" CDDL HEADER START
.\"
.\" The contents of this file are subject to the terms of the
.\" Common Development and Distribution License (the "License").
.\" You may not use this file except in compliance with the License.
.\"
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
.\" or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions
.\" and limitations under the License.
.\"
.\" When distributing Covered Code, include this CDDL HEADER in each
.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
.\" If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying
.\" information: Portions Copyright [yyyy] [name of copyright owner]
.\"
.\" CDDL HEADER END
.\"
.\"
.\" Copyright (C) 2008, Sun Microsystems, Inc. All Rights Reserved
.\" Copyright 2014 Nexenta Systems, Inc. All rights reserved.
.\" Copyright 2016 Jason King.
.\"
.Dd December 16, 2016
.Dt SHARE_NFS 1M
.Os
.Sh NAME
.Nm share_nfs
.Nd make local NFS file systems available for mounting by remote systems
.Sh SYNOPSIS
.Nm share
.Op Fl d Ar description
.Op Fl F Sy nfs
.Op Fl o Ar specific_options
.Ar pathname
.Sh DESCRIPTION
The
.Nm share
utility makes local file systems available for mounting by remote systems. It
starts the
.Xr nfsd 1M
and
.Xr mountd 1M
daemons if they are not already running.
.Pp
If no argument is specified, then
.Nm share
displays all file systems currently shared, including NFS file systems and file
systems shared through other distributed file system packages.
.Sh OPTIONS
The following options are supported:
.Bl -tag -width "indented"
.It Fl d Ar description
Provide a comment that describes the file system to be shared.
.It Fl F Sy nfs
Share NFS file system type.
.It Fl o Ar specific_options
Specify
.Ar specific_options
in a comma-separated list of keywords and attribute-value-assertions for
interpretation by the file-system-type-specific command. If
.Ar specific_options
is not specified, then by default sharing is read-write to all clients.
.Ar specific_options
can be any combination of the following:
.Bl -tag -width "indented"
.It Sy aclok
Allows the NFS server to do access control for NFS Version 2 clients (running
SunOS 2.4 or earlier). When
.Sy aclok
is set on the server, maximal access is given to all clients. For example, with
.Sy aclok
set, if anyone has read permissions, then everyone does. If
.Sy aclok
is not set, minimal access is given to all clients.
.It Sy anon Ns = Ns Ar uid
Set
.Ar uid
to be the effective user ID of unknown users. By default, unknown users are
given the effective user ID UID_NOBODY. If uid is set to -1, access is denied.
.It Ar charset Ns = Ns Ar access_list
Where
.Ar charset
is one of: euc-cn, euc-jp, euc-jpms, euc-kr, euc-tw, iso8859-1, iso8859-2,
iso8859-5, iso8859-6, iso8859-7, iso8859-8, iso8859-9, iso8859-13, iso8859-15,
koi8-r.
.Pp
Clients that match the
.Ar access_list
for one of these properties will be assumed to be using that character set and
file and path names will be converted to UTF-8 for the server.
.It Sy gidmap Ns = Ns Ar mapping Ns Oo ~ Ns Ar mapping Oc Ns ...
Where
.Ar mapping
is:
.Oo Ar clnt Oc : Ns Oo Ar srv Oc : Ns Ar access_list
.Pp
Allows remapping the group ID (gid) in the incoming request to some other gid.
This effectively changes the identity of the user in the request to that of
some other local user.
.Pp
For clients where the gid in the incoming request is
.Ar clnt
and the client matches the
.Ar access_list Ns
, change the group ID to
.Ar srv Ns .
If
.Ar clnt
is asterisk (*), all groups are mapped by this rule. If
.Ar clnt
is omitted, all unknown groups are mapped by this rule. If
.Ar srv
is set to -1, access is denied. If
.Ar srv
is omitted, the gid is mapped to UID_NOBODY.
.Pp
The particular
.Ar mapping Ns s
are separated in the
.Sy gidmap Ns =
option by tilde (~) and are evaluated in the specified order until a match is
found. Both
.Sy root Ns =
and
.Sy root_mapping Ns =
options (if specified) are evaluated before the
.Sy gidmap Ns =
option. The
.Sy gidmap Ns =
option is skipped in the case where the client matches the
.Sy root Ns =
option.
.Pp
The
.Sy gidmap Ns =
option is evaluated before the
.Sy anon Ns =
option.
.Pp
This option is supported only for AUTH_SYS.
.It Sy index Ns = Ns Ar file
Load
.Ar file
rather than a listing of the directory containing this file when the
directory is referenced by an NFS URL.
.It Sy log Ns Oo = Ns Ar tag Oc
Enables NFS server logging for the specified file system. The optional
.Ar tag
determines the location of the related log files. The
.Ar tag
is defined in
.Pa /etc/nfs/nfslog.conf .
If no
.Ar tag
is specified, the default values associated with the global tag in
.Pa /etc/nfs/nfslog.conf
are used. Support of NFS server logging is only available for NFS Version 2 and
Version 3 requests.
.It Sy noaclfab
By default, the NFS server will fabricate POSIX-draft style ACLs in response
to ACL requests from NFS Version 2 or Version 3 clients accessing shared
file systems that do not support POSIX-draft ACLs (such as ZFS).
Specifying
.Sy noaclfab
disables this behavior.
.It Sy none Ns = Ns Ar access_list
Access is not allowed to any client that matches the access list.
The exception
is when the access list is an asterisk (*), in which case
.Sy ro
or
.Sy rw
can override
.Sy none .
.It Sy nosub
Prevents clients from mounting subdirectories of shared directories. For
example, if
.Pa /export
is shared with the
.Sy nosub
option on server
.Qq fooey
then an NFS client cannot do:
.Bd -literal -offset indent
mount -F nfs fooey:/export/home/mnt
.Ed
.Pp
NFS Version 4 does not use the MOUNT protocol. The
.Sy nosub
option only applies to NFS Version 2 and Version 3 requests.
.It Sy nosuid
By default, clients are allowed to create files on the shared file system with
the setuid or setgid mode enabled. Specifying
.Sy nosuid
causes the server file system to silently ignore any attempt to enable the
setuid or setgid mode bits.
.It Sy public
Moves the location of the public file handle from root
.Pa ( / )
to the exported directory for WebNFS-enabled browsers and clients. This option
does not enable WebNFS service; WebNFS is always on. Only one file system per
server may use this option. Any other option, including the
.Sy ro Ns = Ns Ar list
and
.Sy rw Ns = Ns Ar list
options can be included with the
.Sy public
option.
.It Sy ro
Sharing is read-only to all clients.
.It Sy ro Ns = Ns Ar access_list
Sharing is read-only to the clients listed in
.Ar access_list ;
overrides the
.Sy rw
suboption for the clients specified. See
.Sx access_list
below.
.It Sy root Ns = Ns Ar access_list
Only root users from the hosts specified in
.Ar access_list
have root access. See
.Sx access_list
below. By default, no host has root access, so root users are mapped to an
anonymous user ID (see the
.Sy anon Ns = Ns Ar uid
option described above). Netgroups can be used if the file system shared is
using UNIX authentication (AUTH_SYS).
.It Sy root_mapping Ns = Ns Ar uid
For a client that is allowed root access, map the root UID to the specified
user id.
.It Sy rw
Sharing is read-write to all clients.
.It Sy rw Ns = Ns Ar access_list
Sharing is read-write to the clients listed in
.Ar access_list ;
overrides the
.Sy ro
suboption for the clients specified. See
.Sx access_list
below.
.It Sy sec Ns = Ns Ar mode Ns Oo : Ns Ar mode Oc Ns ...
Sharing uses one or more of the specified security modes. The
.Ar mode
in the
.Sy sec Ns = Ns Ar mode
option must be a mode name supported on the client. If the
.Sy sec Ns =
option is not specified, the default security mode used is AUTH_SYS. Multiple
.Sy sec Ns =
options can be specified on the command line, although each mode can appear
only once. The security modes are defined in
.Xr nfssec 5 .
.Pp
Each
.Sy sec Ns =
option specifies modes that apply to any subsequent
.Sy window Ns = ,
.Sy rw ,
.Sy ro ,
.Sy rw Ns = ,
.Sy ro Ns = ,
and
.Sy root Ns =
options that are provided before another
.Sy sec Ns =
option.
Each additional
.Sy sec Ns =
resets the security mode context, so that more
.Sy window Ns = ,
.Sy rw ,
.Sy ro ,
.Sy rw Ns = ,
.Sy ro Ns = ,
and
.Sy root Ns =
options can be supplied for additional modes.
.It Sy sec Ns = Ns Sy none
If the option
.Sy sec Ns = Ns Sy none
is specified when the client uses AUTH_NONE, or if the client uses a security
mode that is not one that the file system is shared with, then the credential
of each NFS request is treated as unauthenticated. See the
.Sy anon Ns = Ns Ar uid
option for a description of how unauthenticated requests are handled.
.It Sy secure
This option has been deprecated in favor of the
.Sy sec Ns = Ns Sy dh
option.
.It Sy uidmap Ns = Ns Ar mapping Ns Oo ~ Ns Ar mapping Oc Ns ...
Where
.Ar mapping
is:
.Oo Ar clnt Oc : Ns Oo Ar srv Oc : Ns Ar access_list
.Pp
Allows remapping the user ID (uid) in the incoming request to some other uid.
This effectively changes the identity of the user in the request to that of
some other local user.
.Pp
For clients where the uid in the incoming request is
.Ar clnt
and the client matches the
.Ar access_list Ns
, change the user ID to
.Ar srv Ns .
If
.Ar clnt
is asterisk (*), all users are mapped by this rule. If
.Ar clnt
is omitted, all unknown users are mapped by this rule. If
.Ar srv
is set to -1, access is denied. If
.Ar srv
is omitted, the uid is mapped to UID_NOBODY.
.Pp
The particular
.Ar mapping Ns s
are separated in the
.Sy uidmap Ns =
option by tilde (~) and are evaluated in the specified order until a match is
found. Both
.Sy root Ns =
and
.Sy root_mapping Ns =
options (if specified) are evaluated before the
.Sy uidmap Ns =
option. The
.Sy uidmap Ns =
option is skipped in the case where the client matches the
.Sy root Ns =
option.
.Pp
The
.Sy uidmap Ns =
option is evaluated before the
.Sy anon Ns =
option.
.Pp
This option is supported only for AUTH_SYS.
.It Sy window Ns = Ns Ar value
When sharing with
.Sy sec Ns = Ns Sy dh ,
set the maximum life time (in seconds) of the RPC request's credential (in the
authentication header) that the NFS server allows. If a credential arrives with
a life time larger than what is allowed, the NFS server rejects the request. The
default value is 30000 seconds (8.3 hours).
.El
.El
.Ss access_list
The
.Ar access_list
argument is a colon-separated list whose components may be any number of the
following:
.Bl -tag -width "indented"
.It Sy hostname
The name of a host. With a server configured for DNS or LDAP naming in the
nsswitch
.Sy hosts
entry, any hostname must be represented as a fully qualified DNS or LDAP name.
.It Sy netgroup
A netgroup contains a number of hostnames. With a server configured for DNS or
LDAP naming in the nsswitch
.Sy hosts
entry, any hostname in a netgroup must be represented as a fully qualified DNS
or LDAP name.
.It Sy domain name suffix
To use domain membership the server must use DNS or LDAP to resolve hostnames to
IP addresses; that is, the
.Sy hosts
entry in the
.Pa /etc/nsswitch.conf
must specify
.Sy dns
or
.Sy ldap
ahead of
.Sy nis
or
.Sy nisplus ,
since only DNS and LDAP return the full domain name of the host. Other name
services like NIS or NIS+ cannot be used to resolve hostnames on the server
because when mapping an IP address to a hostname they do not return domain
information. For example,
.Bd -literal -offset indent
NIS or NIS+ 172.16.45.9 --> "myhost"
.Ed
.Pp
and
.Bd -literal -offset indent
DNS or LDAP 172.16.45.9 --> "myhost.mydomain.mycompany.com"
.Ed
.Pp
The domain name suffix is distinguished from hostnames and netgroups by a
prefixed dot. For example,
.Bd -literal -offset indent
rw=.mydomain.mycompany.com
.Ed
.Pp
A single dot can be used to match a hostname with no suffix. For example,
.Bd -literal -offset indent
rw=.
.Ed
.Pp
matches
.Qq mydomain
but not
.Qq mydomain.mycompany.com .
This feature can be used to match hosts resolved through NIS and NIS+ rather
than DNS and LDAP.
.It Sy network
The network or subnet component is preceded by an at-sign (@). It can be either
a name or a dotted address. If a name, it is converted to a dotted address by
.Xr getnetbyname 3SOCKET .
For example,
.Bd -literal -offset indent
=@mynet
.Ed
.Pp
would be equivalent to:
.Bd -literal -offset indent
=@172.16 or =@172.16.0.0
.Ed
.Pp
The network prefix assumes an octet-aligned netmask determined from the zeroth
octet in the low-order part of the address up to and including the high-order
octet, if you want to specify a single IP address (see below). In the case
where network prefixes are not byte-aligned, the syntax allows a mask length to
be specified explicitly following a slash (/) delimiter. For example,
.Bd -literal -offset indent
=@theothernet/17 or =@172.16.132/22
.Ed
.Pp
where the mask is the number of leftmost contiguous significant bits in the
corresponding IP address.
.Pp
When specifying individual IP addresses, use the same @ notation described
above, without a netmask specification. For example:
.Bd -literal -offset indent
=@172.16.132.14
.Ed
.Pp
Multiple, individual IP addresses would be specified, for example, as:
.Bd -literal -offset indent
root=@172.16.132.20:@172.16.134.20
.Ed
.El
.Pp
A prefixed minus sign (-) denies access to that component of
.Ar access_list .
The list is searched sequentially until a match is found that either grants or
denies access, or until the end of the list is reached. For example, if host
.Qq terra
is in the
.Qq engineering
netgroup, then
.Bd -literal -offset indent
rw=-terra:engineering
.Ed
.Pp
denies access to
.Qq terra
but
.Bd -literal -offset indent
rw=engineering:-terra
.Ed
.Pp
grants access to
.Qq terra .
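.Pp
The access_list rules above (first match wins, a leading minus denies, a leading
dot is a domain suffix, and an at-sign introduces a network with an
octet-aligned or explicit mask) are worked through in the following Python.
It is an added example, not code from the NFS server or from this manual's
authors; the NETGROUPS and NETWORKS tables are constructed stand-ins for
netgroup and getnetbyname lookups, and all function names are hypothetical.

```python
import ipaddress

# Constructed stand-ins for netgroup(4) and getnetbyname(3SOCKET) lookups.
NETGROUPS = {"engineering": {"terra", "luna"}}
NETWORKS = {"mynet": "172.16"}


def parse_network(spec):
    """Turn the text after '@' into an ip_network, or None if it is unusable."""
    addr, _, masklen = spec.partition("/")
    addr = NETWORKS.get(addr, addr)  # a network name resolves to a dotted address
    try:
        octets = [int(o) for o in addr.split(".")]
        octets += [0] * (4 - len(octets))
        if masklen:
            bits = int(masklen)  # explicit mask length after the slash
        else:
            # Octet-aligned mask: trailing zero octets are host bits.
            significant = 4
            while significant > 1 and octets[significant - 1] == 0:
                significant -= 1
            bits = 8 * significant
        dotted = ".".join(str(o) for o in octets)
        return ipaddress.ip_network(f"{dotted}/{bits}", strict=False)
    except ValueError:
        return None  # unknown network name or malformed address


def component_matches(comp, host, ip):
    """Match one access_list component against the client's name and address."""
    if comp.startswith("@"):
        net = parse_network(comp[1:])
        return net is not None and ipaddress.ip_address(ip) in net
    if comp == ".":
        return "." not in host  # single dot: hostname with no suffix
    if comp.startswith("."):
        return host.endswith(comp)  # domain name suffix
    if comp in NETGROUPS:
        return host in NETGROUPS[comp]
    return comp == host


def check_access_list(access_list, host, ip):
    """Return True (granted), False (denied by '-') or None (no match)."""
    for comp in access_list.split(":"):
        deny = comp.startswith("-")
        if deny:
            comp = comp[1:]
        if component_matches(comp, host, ip):
            return not deny  # first match ends the search
    return None


if __name__ == "__main__":
    for acl in ("-terra:engineering", "engineering:-terra"):
        print(acl, "->", check_access_list(acl, "terra", "172.16.45.9"))
```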
.Sh OPERANDS
The following operands are supported:
.Bl -tag -width "pathname"
.It Sy pathname
The pathname of the file system to be shared.
.El
.Sh FILES
.Bl -tag -width "/etc/nfs/nfslog.conf"
.It Pa /etc/dfs/fstypes
list of system types, NFS by default
.It Pa /etc/dfs/sharetab
system record of shared file systems
.It Pa /etc/nfs/nfslogtab
system record of logged file systems
.It Pa /etc/nfs/nfslog.conf
logging configuration file
.El
.Sh EXIT STATUS
.Ex -std
.Sh EXAMPLES
.Ss Example 1 Sharing A File System With Logging Enabled
The following example shows the
.Pa /export
file system shared with logging enabled:
.Bd -literal -offset indent
share -o log /export
.Ed
.Pp
The default global logging parameters are used since no tag identifier is
specified. The location of the log file, as well as the necessary logging work
files, is specified by the global entry in
.Pa /etc/nfs/nfslog.conf .
The
.Xr nfslogd 1M
daemon runs only if at least one file system entry in
.Pa /etc/dfs/dfstab
is shared with logging enabled upon starting or rebooting the system. Simply
sharing a file system with logging enabled from the command line does not start
the
.Xr nfslogd 1M .
.Ss Example 2 Remap A User Coming From A Particular NFS Client
The following example remaps the user with uid
.Sy 100
at client
.Sy 10.0.0.1
to user
.Sy joe Ns :
.Bd -literal -offset indent
share -o uidmap=100:joe:@10.0.0.1 /export
.Ed
.Sh SEE ALSO
.Xr mount 1M ,
.Xr mountd 1M ,
.Xr nfsd 1M ,
.Xr nfslogd 1M ,
.Xr share 1M ,
.Xr unshare 1M ,
.Xr getnetbyname 3SOCKET ,
.Xr netgroup 4 ,
.Xr nfslog.conf 4 ,
.Xr acl 5 ,
.Xr attributes 5 ,
.Xr nfssec 5
.Sh NOTES
If the
.Sy sec Ns =
option is presented at least once, all uses of the
.Sy window Ns = ,
.Sy rw ,
.Sy ro ,
.Sy rw Ns = ,
.Sy ro Ns = ,
and
.Sy root Ns =
options must come after the first
.Sy sec Ns =
option. If the
.Sy sec Ns =
option is not presented, then
.Sy sec Ns = Ns Sy sys
is implied.
.Pp
If one or more explicit
.Sy sec Ns =
options are presented,
.Sy sys
must appear in one of the options' mode lists for access using the AUTH_SYS
security mode to be allowed. For example:
.Bd -literal -offset indent
share -F nfs /var
share -F nfs -o sec=sys /var
.Ed
.Pp
grants read-write access to any host using AUTH_SYS, but
.Bd -literal -offset indent
share -F nfs -o sec=dh /var
.Ed
.Pp
grants no access to clients that use AUTH_SYS.
.Pp
Unlike previous implementations of
.Nm ,
access checking for the
.Sy window Ns = ,
.Sy rw ,
.Sy ro ,
.Sy rw Ns = ,
and
.Sy ro Ns =
options is done per NFS request, instead of per mount request.
.Pp
Combining multiple security modes can be a security hole in situations where
the
.Sy ro Ns =
and
.Sy rw Ns =
options are used to control access to weaker security modes.
In this example,
.Bd -literal -offset indent
share -F nfs -o sec=dh,rw,sec=sys,rw=hosta /var
.Ed
.Pp
an intruder can forge the IP address for
.Qq hosta
(albeit on each NFS request) to side-step the stronger controls of AUTH_DES.
Something like:
.Bd -literal -offset indent
share -F nfs -o sec=dh,rw,sec=sys,ro /var
.Ed
.Pp
is safer, because any client (intruder or legitimate) that avoids AUTH_DES only
gets read-only access. In general, multiple security modes per share command
should only be used in situations where the clients using more secure modes get
stronger access than clients using less secure modes.
.Pp
If
.Sy rw Ns =
and
.Sy ro Ns =
options are specified in the same
.Sy sec Ns =
clause, and a client is in both lists, the order of the two options determines
the access the client gets. If client
.Qq hosta
is in two netgroups,
.Qq group1
and
.Qq group2 ,
in this example, the client would get read-only access:
.Bd -literal -offset indent
share -F nfs -o ro=group1,rw=group2 /var
.Ed
.Pp
In this example
.Qq hosta
would get read-write access:
.Bd -literal -offset indent
share -F nfs -o rw=group2,ro=group1 /var
.Ed
.Pp
If within a
.Sy sec Ns =
clause, both the
.Sy ro
and
.Sy rw Ns =
options are specified, for compatibility, the order of the options rule is not
enforced. All hosts would get read-only access, with the exception of those in
the read-write list. Likewise, if the
.Sy ro Ns =
and
.Sy rw
options are specified, all hosts get read-write access with the exception of
those in the read-only list.
.Pp
The
.Sy ro Ns =
and
.Sy rw Ns =
options are guaranteed to work over UDP and TCP but may not work over other
transport providers.
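.Pp
The clause rules in these notes can be checked mechanically before a share
line is added to a dfstab file. The following Python is an added example, not
code from the share utility or from this manual's authors: it splits a
specific_options string into sec= clauses and reports options placed before
the first sec=, a mode that appears more than once, and a weaker mode that is
given write access while a stronger mode is also shared. Treating sys and none
as the weaker modes, and the finding codes themselves, are assumptions of the
example.

```python
# Options that bind to the sec= clause they follow, per the text above.
SCOPED = {"window", "rw", "ro", "root"}
# Assumption of this example: modes in which the client asserts its own identity.
WEAK_MODES = {"sys", "none"}


def parse_clauses(specific_options):
    """Split a -o string into ([(modes, [(key, value), ...])], orphans)."""
    clauses, orphans, current = [], [], None
    for item in specific_options.split(","):
        key, _, value = item.partition("=")
        if key == "sec":
            current = (value.split(":"), [])  # a new sec= resets the context
            clauses.append(current)
        elif key in SCOPED:
            (current[1] if current else orphans).append((key, value))
    if not clauses:
        # No sec= anywhere: sec=sys is implied and owns every scoped option.
        clauses, orphans = [(["sys"], orphans)], []
    return clauses, orphans


def write_scope(opts):
    """Who may write under one clause: 'all', 'listed' or 'none'."""
    access = [(k, v) for k, v in opts if k in ("rw", "ro")]
    if not access or ("rw", "") in access:
        return "all"  # bare rw, or neither rw nor ro given
    if any(k == "rw" for k, _ in access):
        return "listed"  # rw=access_list
    return "none"  # only ro or ro=access_list


def audit(specific_options):
    """Return a list of (code, detail) findings for one -o option string."""
    clauses, orphans = parse_clauses(specific_options)
    findings = []
    if orphans:
        names = ",".join(k for k, _ in orphans)
        findings.append(("option-before-sec", names))
    seen = set()
    for modes, _ in clauses:
        for mode in modes:
            if mode in seen:
                findings.append(("duplicate-mode", mode))
            seen.add(mode)
    strong_present = any(mode not in WEAK_MODES for mode in seen)
    for modes, opts in clauses:
        weak = [m for m in modes if m in WEAK_MODES]
        scope = write_scope(opts)
        if strong_present and weak and scope != "none":
            findings.append(("weak-mode-write", f"sec={':'.join(weak)} rw {scope}"))
    return findings


if __name__ == "__main__":
    for opts in ("sec=dh,rw,sec=sys,rw=hosta", "sec=dh,rw,sec=sys,ro"):
        print(opts, "->", audit(opts))
```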
.Pp
The
.Sy root Ns =
option with AUTH_SYS is guaranteed to work over UDP and TCP but may not work
over other transport providers.
.Pp
The
.Sy root Ns =
option with AUTH_DES is guaranteed to work over any transport provider.
.Pp
There are no interactions between the
.Sy root Ns =
option and the
.Sy rw ,
.Sy ro ,
.Sy rw Ns = ,
and
.Sy ro Ns =
options. Putting a host in the root list does not override the semantics of the
other options. The access the host gets is the same as when the
.Sy root Ns =
option is absent. For example, the following share command denies access to
.Qq hostb :
.Bd -literal -offset indent
share -F nfs -o ro=hosta,root=hostb /var
.Ed
.Pp
The following gives read-only permissions to
.Qq hostb :
.Bd -literal -offset indent
share -F nfs -o ro=hostb,root=hostb /var
.Ed
.Pp
The following gives read-write permissions to
.Qq hostb :
.Bd -literal -offset indent
share -F nfs -o ro=hosta,rw=hostb,root=hostb /var
.Ed
.Pp
If the file system being shared is a symbolic link to a valid pathname, the
canonical path (the path which the symbolic link follows) is shared. For
example, if
.Pa /export/foo
is a symbolic link to
.Pa /export/bar ,
the following share command results in
.Pa /export/bar
as the shared pathname (and not
.Pa /export/foo ) :
.Bd -literal -offset indent
share -F nfs /export/foo
.Ed
.Pp
An NFS mount of
.Lk server:/export/foo
results in
.Lk server:/export/bar
really being mounted.
.Pp
This line in the
.Pa /etc/dfs/dfstab
file shares the
.Pa /disk
file system read-only at boot time:
.Bd -literal -offset indent
share -F nfs -o ro /disk
.Ed
.Pp
The same command entered from the command line does not share the
.Pa /disk
file system unless there is at least one file system entry in the
.Pa /etc/dfs/dfstab
file. The
.Xr mountd 1M
and
.Xr nfsd 1M
daemons only run if there is a file system entry in
.Pa /etc/dfs/dfstab
when starting or rebooting the system.
.Pp
The
.Xr mountd 1M
process allows the processing of a path name that contains a symbolic link.
This allows the processing of paths that are not themselves explicitly shared
with
.Nm .
For example,
.Pa /export/foo
might be a symbolic link that refers to
.Pa /export/bar
which has been specifically shared. When the client mounts
.Pa /export/foo
the mountd processing follows the symbolic link and responds with the
.Pa /export/bar .
The NFS Version 4 protocol does not use the mountd processing, and the client's
use of
.Pa /export/foo
does not work as it does with NFS Version 2 and Version 3, and the client
receives an error when attempting to mount
.Pa /export/foo .