How to Set Up NFS Server and Client on Debian 12

Install nfs-kernel-server on Debian 12 (Bookworm), define /etc/exports with NFSv4-friendly options, open the firewall, mount shares with nfs-common, and persist mounts in /etc/fstab with _netdev.

NFS (Network File System) lets clients mount remote directories over the network so they behave like local file systems. Debian 12 (Bookworm) ships a modern NFS stack: NFSv2 is disabled, while NFSv3 and NFSv4 (including 4.1 / 4.2) are supported. NFSv4.2 adds ACLs, server-side copy, sparse files, reservations, and other features on top of v4.

This guide walks through a typical lab or small-network setup: Debian 12 NFS server, Debian/Ubuntu-style client, /etc/exports tuning, UFW, manual mounts, and fstab persistence. Replace example addresses (10.70.5.221, 10.70.5.170, 10.70.5.0/24) with your server IP, client IP, and trusted subnet.

Prerequisites

  • Two Debian 12 hosts (or one server and a mixed Linux client), fully patched, with sudo
  • Reliable L3 connectivity between client and server (latency and MTU matter on WAN)
  • Agreement on NFS version: this article assumes NFSv4.x for mounts (vers=4.2 in typical mount output)

1. Update the system

On server and client:

sudo apt update
sudo apt upgrade -y

2. Install the NFS server (Debian 12)

sudo apt install -y nfs-kernel-server

nfs-kernel-server pulls in kernel NFS service support and userspace helpers.

Enable protocol versions

Check what the kernel NFS server advertises:

cat /proc/fs/nfsd/versions

Typical Debian 12 output:

-2 +3 +4 +4.1 +4.2

-2 means NFSv2 off; +4.2 means NFSv4.2 is available.

Ensure /etc/exports exists

If systemctl status nfs-server logs “can’t open /etc/exports for reading”, create an empty file once (the package normally ships a template):

sudo install -m 644 /dev/null /etc/exports
# or: sudo touch /etc/exports

Then define real exports (next section) and run exportfs -arv.

Start and enable NFS

sudo systemctl enable --now nfs-server
sudo systemctl status nfs-server

Supporting pieces (rpcbind, rpc.mountd, nfsd, lock/stat helpers, idmapd where used) are managed via dependencies; you rarely start them by hand on a current Debian NFS server.

Tuning (thread count, host exports, etc.) can go in /etc/default/nfs-kernel-server and /etc/nfs.conf when you outgrow defaults.

3. Firewall (UFW)

If UFW is active on the server, allow NFS-related traffic from trusted clients only whenever possible.

NFSv4 primarily needs TCP 2049:

sudo ufw allow from 10.70.5.0/24 to any port nfs comment 'NFS v4'
sudo ufw status verbose

The ufw allow nfs shortcut is convenient but broad; prefer allow from … to any port nfs (or 2049/tcp) so only your subnet reaches the export.

NFSv3 also uses RPC services (rpcbind, mountd, status, etc.), often on dynamic or multiple ports—if you must support v3 through a firewall, you will usually pin RPC ports in /etc/nfs.conf and open those explicitly, or standardize on v4-only behind UFW.

4. Create export directories and permissions

Create mount points for two example shares (general files and backups):

sudo mkdir -p /mnt/nfs_shares/files /mnt/nfs_shares/backup
sudo ls -la /mnt/nfs_shares

Who owns the files?

  • With root_squash (default), root on the client is mapped to an unprivileged user on the server—often nobody. Many tutorials set chown nobody:nogroup so world-like access works for simple labs.
  • With no_all_squash, non-root UIDs from the client map to the same numeric UID on the server, which is useful when UIDs match (LDAP, matching local accounts, dedicated backup user). Misaligned UIDs cause “permission denied” or wrong ownership.
  • For production, prefer consistent identity (SSSD/LDAP) or explicit anonuid / anongid with all_squash for heavily locked-down shares.

Example for a simple open lab share:

sudo chown -R nobody:nogroup /mnt/nfs_shares
sudo chmod -R 755 /mnt/nfs_shares

Tighten chmod for anything beyond a test network.

5. Configure /etc/exports

Syntax:

directory   client1(option1,option2,...) client2(...)

Edit:

sudo nano /etc/exports

Example (adjust IPs and subnets):

/mnt/nfs_shares/files   10.70.5.170(rw,sync,no_subtree_check)
/mnt/nfs_shares/backup  10.70.5.0/24(rw,sync,no_subtree_check,no_all_squash,root_squash)

| Option | Meaning |
| --- | --- |
| rw / ro | Read-write or read-only |
| sync | Commit server writes before replying (safer, slower than async) |
| no_subtree_check | Avoids subtle issues when files under an export are renamed (common recommendation) |
| root_squash | Map client root to unprivileged user (default, keep unless you know you need no_root_squash) |
| all_squash | Map all users to anonymous UID/GID (often paired with anonuid / anongid) |
| no_all_squash | Do not squash non-root UIDs; they must exist on the server (numeric match) |

Apply exports:

sudo exportfs -arv
sudo exportfs -s

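Flags: -a exports all entries, -r re-reads /etc/exports, and -v prints verbose output. exportfs -s then lists the active exports so you can confirm the result.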

6. Debian / Ubuntu client: packages and discovery

On the client:

sudo apt install -y nfs-common nfs4-acl-tools

RHEL-family equivalent (if your client is Rocky/Alma/Fedora):

sudo dnf install -y nfs-utils nfs4-acl-tools

List exports the server offers:

showmount -e 10.70.5.221

Example:

Export list for 10.70.5.221:
/mnt/nfs_shares/backup 10.70.5.0/24
/mnt/nfs_shares/files  10.70.5.170

If this fails, fix routing, firewall, or exports ACLs before mounting.

7. Mount shares

Create mount points:

mkdir -p ~/backups ~/nfs_files

Mount (NFSv4 is selected automatically on current kernels when the server supports it):

sudo mount -t nfs -o vers=4.2 10.70.5.221:/mnt/nfs_shares/backup ~/backups
sudo mount -t nfs -o vers=4.2 10.70.5.221:/mnt/nfs_shares/files ~/nfs_files

Verify:

findmnt -t nfs,nfs4
# or
mount | grep ' type nfs'

8. Persist mounts in /etc/fstab

Use absolute paths and _netdev so systemd waits for the network before mounting:

10.70.5.221:/mnt/nfs_shares/backup  /home/ubuntu/backups    nfs4  _netdev,defaults  0  0
10.70.5.221:/mnt/nfs_shares/files   /home/ubuntu/nfs_files  nfs4  _netdev,defaults  0  0

Edit safely:

sudo cp -a /etc/fstab /etc/fstab.bak
sudo nano /etc/fstab

Test fstab without rebooting:

sudo mount -a

Optional mount options: noatime, nfsvers=4.2, timeo=600, soft vs hard (understand data integrity trade-offs before using soft).

9. Functional test

On the server:

sudo touch /mnt/nfs_shares/files/file_on_server.txt

On the client:

ls ~/nfs_files/

On the client, create a file:

touch ~/nfs_files/file_on_client.txt

On the server:

ls /mnt/nfs_shares/files/

10. Unmount

Use the client’s mountpoint paths (not the server’s export paths):

sudo umount ~/nfs_files
sudo umount ~/backups

You cannot unmount a busy mount: leave the directory (cd ~) and stop processes using the files.

If fstab still references the mount, it will be mounted again at the next boot or mount -a; comment those lines out, or run umount again after mount -a tests.

Troubleshooting

| Symptom | Checks |
| --- | --- |
| showmount: RPC: Unable to receive | Server down, firewall, wrong IP, or RPC blocked (especially for v3) |
| Permission denied on create/write | Export rw, directory ownership/modes, root_squash / UID mapping |
| Wrong user shown as owner | NFSv4 idmap / numeric UID mismatch; align identities or use all_squash with fixed anon IDs |
| Stale file handle | Server export path renamed; remount client |
| Export not visible | exportfs -s, typos in /etc/exports, client IP not in allow list |

Server logs:

journalctl -u nfs-server -u rpcbind --no-pager -n 50

Security reminders

  • Export only to known hosts or subnets; never use * on untrusted networks.
  • Avoid no_root_squash unless you fully trust the client root.
  • Prefer NFSv4 + Kerberos (sec=krb5p) in sensitive environments; sec=sys (this article) sends UIDs/GIDs without strong authentication between nodes.
  • Combine NFS with VLANs, VPN, or private RFC1918 addressing so shares are not exposed on the public Internet.
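
The reminders above can be checked mechanically before each exportfs -arv. The following is an added example, not code from the original article or from nfs-utils: a POSIX shell function (the name audit_exports is hypothetical) that flags world exports, no_root_squash and sec=sys entries, including the classic "host (rw)" typo where a space before the parenthesis exports the directory to everyone. It assumes one export per line with no backslash continuations or quoted paths, and the sample input is constructed from this guide's example addresses.

```shell
#!/bin/sh
# Added example: flag risky client specs in an exports(5)-style file.
# Assumes one export per line, no "\" continuations, no spaces in paths.
# Reads the files given as arguments, or stdin when none are given.
audit_exports() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    {
        dir = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {                    # split "client(opt,opt)"
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            o = "," opts ","                # pad so only whole options match
            who = (client == "") ? "(everyone)" : client
            # "host (rw)" with a space yields an empty client: a world export
            if (client == "" || client == "*")
                report("HIGH", who, "exported to every host")
            if (index(o, ",no_root_squash,"))
                report("HIGH", who, "client root keeps UID 0 on the server")
            if (!index(o, ",sec=krb5"))
                report("INFO", who, "sec=sys: UIDs/GIDs are not authenticated")
        }
    }
    function report(s, w, m) { printf "%s\t%s\t%s\t%s\n", s, dir, w, m }
    ' "$@"
}

# Constructed sample input (not from a real host); addresses follow the guide.
sample_exports() {
    cat <<'EOF'
# first two lines are the examples from section 5
/mnt/nfs_shares/files   10.70.5.170(rw,sync,no_subtree_check)
/mnt/nfs_shares/backup  10.70.5.0/24(rw,sync,no_subtree_check,no_all_squash,root_squash)
/srv/scratch            *(rw,sync,no_root_squash)
/srv/typo               10.70.5.170 (rw,sync)
/srv/secure             10.70.5.0/24(rw,sync,sec=krb5p,all_squash,anonuid=1500,anongid=1500)
EOF
}

sample_exports | audit_exports
```

On a server, run audit_exports /etc/exports; the two exports from section 5 produce only the INFO line for sec=sys, while /srv/secure produces no findings.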

Conclusion

On Debian 12, nfs-kernel-server and a clear /etc/exports give you NFSv4.2-capable exports; nfs-common on clients, _netdev in fstab, and tight firewall rules complete a maintainable small-network deployment. Match this guide’s placeholders to your IPs, verify ownership against your identity strategy, then harden exports and mount options before production workloads.
