WebDAV Setup: Difference between revisions
No edit summary |
|||
(46 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
=Goals= | |||
We want to provide SSL access for users, to their home-directories, using WebDAV. Why WebDAV? Because it is well supported under Windows, OS-X, and Linux, and lowers the barriers to productivity for less-technically-inclined users: setup is minimal, and usage is drag-and-drop familiar. | |||
=Constraints= | |||
If we have user-home-dirs with restrictive permissions (0700 - no-one else can do anything), then Apache cannot traverse and serve these directories :-( One solution is to run Apache as root:root, which then permits access. | |||
=Implementation Overview= | |||
We will use two instances of Apache: | |||
*one public-facing instance which runs safely as apache:apache on ports 80 and 443. Use ProxyPass and ProxyPassReverse to talk to the second instance of Apache | |||
**this instance of apache will run chrooted in a vserver-guest environment, as a matter of security and convenience. However it could just as easily run on a "regular" non-chrooted / non-virtualized server. | |||
*a second, private instance of Apache, which runs chrooted (in a Gentoo verserver-guest) as root:root, and communicates with port 8080 internally, to the public-facing instance of Apache. This instance of apache must be handled with care, because of the potential for serious havoc as root! | |||
**autofs doesn't (yet?) work with verserver-guests, so all user-home-dirs are NFS-mounted, all the time, via /etc/fstab entries | |||
==Reference Basic DAV and LDAP Setup== | |||
===Environment=== | |||
*Gentoo Linux Vserver guest, with the host running kernel 2.6.22-vs2.2.0.6-gentoo | |||
*Apache 2.2.8 for both the public-facing and private instances of Apache. | |||
*LDAP auth working, for authenticating WebDAV users. The public-facing instance of Apache is responsible for authenticating, and any authenticated LDAP user is then permitted to access their WebDAV share (authorization = valid user). | |||
**LDAP can run on a remote machine; in our reference example, OpenLDAP happens to run in yet another vserver-guest environment. | |||
*Testing was performed using WebDAV-capable clients: | |||
**Konqueror web-browser under Linux, with syntax: '''webdavs://''<your_server>/<DAV_share>''''' | |||
**Cadaver Linux command-line DAV client | |||
**Nautilus under Linux, through the '''Connect to Server''' dialogue either found in Nautilus, or accessed from the '''Gnome > Places''' menu | |||
**Mac OS-X: '''Finder > Go > Connect to Server''' with syntax '''https://''<your_server>/<DAV_share>''''' | |||
**Windows XP: use the '''Add Network Place Wizard''' with syntax '''https://''<your_server>/<DAV_share>''''' | |||
<br> | |||
===Implementation Details=== | |||
====Private Apache Running as Root==== | |||
Apache won't run as root, normally (and, to be sure, this is a GOOD thing :-) ). In order to convince Apache to run as root, you must recompile it with a new CFLAG -DBIG_SECURITY_HOLE; set this in Gentoo's '''/etc/make.conf''' like this: | |||
CFLAGS="-march=nocona -O2 -pipe -DBIG_SECURITY_HOLE" | |||
[<font color=lime>ebuild</font> <font color=gold>R</font> ] <font color=lime>www-servers/apache-2.2.8</font> USE="<font color=red>ldap ssl</font> <font color=blue>-debug -doc </font>(<font colour-blue>-selinux</font>) <font color=blue>-sni -static -suexec -threads</font>" APACHE2_MODULES="<font color=red>actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif speling status unique_id userdir usertrack vhost_alias</font> <font color=blue>-asis -authn_alias -cern_meta -charset_lite -dumpio -log_forensic -proxy_ftp -version</font>" APACHE2_MPMS="<font color=blue>-event -itk -peruser -prefork -worker</font>" 0 kB | |||
====Private Apache Startup and Configuration Directives==== | |||
Place in '''/etc/conf.d/apache2''' for Gentoo: | |||
APACHE2_OPTS="-D DEFAULT_VHOST -D LANGUAGE -D DAV -D DAV_FS -D USERDIR" | |||
Changes needed in /etc/apache/httpd.conf: | |||
# User/Group: The name (or #number) of the user/group to run httpd as. | |||
# It is usually good practice to create a dedicated user and group for | |||
# running httpd, as with most system services. | |||
User root | |||
Group root | |||
Representative entries in '''/etc/apache2/modules.d/45_mod_dav.conf | |||
<IfDefine DAV> | <IfDefine DAV> | ||
Line 6: | Line 45: | ||
<IfModule dav_fs_module> | <IfModule dav_fs_module> | ||
<IfModule alias_module> | <IfModule alias_module> | ||
# | |||
# Distributed authoring and versioning (WebDAV) | |||
# | |||
DavLockDB "/var/lib/dav/lockdb" | DavLockDB "/var/lib/dav/lockdb" | ||
UserDir /home/* | |||
<Directory /home/> | |||
<Directory / | |||
Dav On | Dav On | ||
DAVMinTimeout 600 | DAVMinTimeout 600 | ||
# | # so we can ~see~ PHP, rather than interpret/execute | ||
ForceType text/plain | ForceType text/plain | ||
DavDepthInfinity On | DavDepthInfinity On | ||
Options Indexes FollowSymLinks MultiViews | Options Indexes FollowSymLinks MultiViews | ||
# | # don't give an .htaccess any any cred :-) | ||
AllowOverride None | AllowOverride None | ||
Order allow,deny | Order allow,deny | ||
Allow from all | Allow from all | ||
</Directory> | </Directory> | ||
</IfModule> | </IfModule> | ||
</IfModule> | </IfModule> | ||
</IfModule> | </IfModule> | ||
# | # | ||
Line 71: | Line 83: | ||
BrowserMatch "MS FrontPage" redirect-carefully | BrowserMatch "MS FrontPage" redirect-carefully | ||
BrowserMatch "^WebDrive" redirect-carefully | BrowserMatch "^WebDrive" redirect-carefully | ||
BrowserMatch "^WebDAVFS/1.[ | BrowserMatch "^WebDAVFS/1.[012345]" redirect-carefully | ||
BrowserMatch "^gnome-vfs/1.0" redirect-carefully | BrowserMatch "^gnome-vfs/1.0" redirect-carefully | ||
BrowserMatch "^XML Spy" redirect-carefully | BrowserMatch "^XML Spy" redirect-carefully | ||
Line 77: | Line 89: | ||
</IfModule> | </IfModule> | ||
</IfDefine> | |||
Representative entries in '''/etc/apache2/vhosts.d/00_default_vhost.conf | |||
# Virtual Hosts | |||
# | |||
# If you want to maintain multiple domains/hostnames on your | |||
# machine you can setup VirtualHost containers for them. Most configurations | |||
# use only name-based virtual hosts so the server doesn't need to worry about | |||
# IP addresses. This is indicated by the asterisks in the directives below. | |||
# | |||
# Please see the documentation at | |||
# <URL:http://httpd.apache.org/docs/2.2/vhosts/> | |||
# for further details before you try to setup virtual hosts. | |||
# | |||
# You may use the command line option '-S' to verify your virtual host | |||
# configuration. | |||
<IfDefine DEFAULT_VHOST> | |||
# see bug #178966 why this is in here | |||
# Listen: Allows you to bind Apache to specific IP addresses and/or | |||
# ports, instead of the default. See also the <VirtualHost> | |||
# directive. | |||
# | |||
# Change this to Listen on specific IP addresses as shown below to | |||
# prevent Apache from glomming onto all bound IP addresses. | |||
# | |||
#Listen 12.34.56.78:80 | |||
Listen 8080 | |||
# Use name-based virtual hosting. | |||
NameVirtualHost *:8080 | |||
# When virtual hosts are enabled, the main host defined in the default | |||
# httpd.conf configuration will go away. We redefine it here so that it is | |||
# still available. | |||
# | |||
# If you disable this vhost by removing -D DEFAULT_VHOST from | |||
# /etc/conf.d/apache2, the first defined virtual host elsewhere will be | |||
# the default. | |||
<VirtualHost *:8080> | |||
ServerName localhost | |||
Include /etc/apache2/vhosts.d/default_vhost.include | |||
<IfModule mpm_peruser_module> | |||
ServerEnvironment root root | |||
</IfModule> | |||
</VirtualHost> | |||
</IfDefine> | </IfDefine> | ||
====Private Apache NFS Configuration==== | |||
Entry in '''/etc/fstab''' | |||
192.168.0.191:/home /home nfs rw,soft,intr 0 0 | |||
====Public-Facing Apache==== | |||
Compile with some set of Gentoo USE-flags resembling this: | |||
====Public-Facing Apache Startup Directives==== | |||
These go in '''/etc/conf.d/apache2''' for Gentoo: | |||
APACHE2_OPTS="-D DEFAULT_VHOST -D STATUS -D MANUAL -D LANGUAGE -D PHP5 -D LDAP -D AUTH_LDAP -D PROXY -D SSL -D SSL_DEFAULT_VHOST" | |||
Define a virtual host, in the directory '''/etc/apache2/vhosts.d/''' that resembles this example: | |||
<VirtualHost *:443> | |||
ServerName pritchard.dyndns.org:443 | |||
ProxyPass / http://192.168.0.130:8080/ | |||
ProxyPassReverse / http://192.168.0.130:8080/ | |||
<Proxy *> | |||
<IfModule authnz_ldap_module> | |||
# | |||
# don't give an .htaccess any any cred :-) | |||
AllowOverride None | |||
Order allow,deny | |||
Allow from all | |||
# Do basic password authentication in the clear | |||
AuthType Basic | |||
# LDAP Authentication & Authorization is final; do not check other databases | |||
AuthzLDAPAuthoritative on | |||
# Name which will appear in the browser's user/pass dialogue (realm) | |||
AuthName "Webdav - Restricted Access" | |||
AuthBasicProvider ldap | |||
AuthLDAPURL ldap://192.168.0.110:389/ou=users,dc=whiterock?uid?one | |||
AuthLDAPBindDN "cn=Reader,dc=whiterock" | |||
AuthLDAPBindPassword <super_secret> | |||
# Use only one of the following possible sections. | |||
# Explicitly list the permitted users, ~after~ authentication has succeeded. | |||
# Effectively a 2nd gate, at the authourization phase. | |||
# Add as many as desired. | |||
require ldap-user <your_permitted_user_list> | |||
# There will be times when it's sufficient for an authenticated-user to be | |||
# authourized and granted access; it they're good in LDAP, they're OK by me. | |||
# In this case, any LDAP valid user is fine; apache won't restrict further. | |||
# require valid-user | |||
</IfModule> | |||
</Proxy> | |||
</VirtualHost> | |||
<br> | |||
===Testing=== | |||
*Check that DAV-root is OK, and that DAV is actually serving with DAVfs, by turning off all authentication / authourization | |||
**change the <Limit> </Limit> containers above, to <LimitExcept> </LimitExcept> | |||
**anyone, anywhere can now browse your DAV share!! Don't put valuable stuff in your DAV-root, just test-files | |||
*Before adding in the complexity of authentication, check that the server-box is able to contact the LDAP-box; this should produce a lot of (LDIF) output: | |||
<font color=red>hostname</font> <font color=blue>~ #</font> '''ldapsearch -h 192.168.0.192 -D 'cn=Reader,dc=whiterock' -b "dc=whiterock" -x -s one -W''' | |||
Enter LDAP Password: '''''ultra_secret''''' | |||
*in a dedicated console-window, you can watch what Apache thinks of your DAV and http connection-attempts: | |||
<font color=red>hostname</font> <font color=blue>~ #</font> '''tail -f /var/log/apache2/error_log''' | |||
*to test-connect: | |||
<font color=red>hostname</font> <font color=blue>~ #</font> '''cadaver http://localhost/''<your_DAV_share>''''' | |||
*Connection-attempt results: | |||
**Apache status code 200 or 207 is what you're after: things are good | |||
**Apache status 405 (Method not Allowed) probably means you don't really have a DAV filesystem serving | |||
***check compile options | |||
***check apache startup directives | |||
***check /etc/apache2/modules.d/45_mod_dav.conf | |||
***take authentication / authourization out of the picture (disable) until you can clear this fundamental DAV protocol issue | |||
**Apache status codes 401 and 403 are common with authentication/authourization problems | |||
<br> | |||
<br> | |||
<br> | |||
==Reference DAV, LDAP and AutoFS== | |||
To make WebDAV really useful, we want to have our user authenticate, get authourized, then access their home-directory. | |||
<s>===Setup Automounting=== | |||
Walk before running (with scissors :-) ) - get AutoFS (automounting) working first, independently of any other complexity: | |||
<font color=red>hostname</font> <font color=blue>~ #</font> '''emerge -pv nfs-utils autofs''' | |||
Edit the master autofs file to look like: | |||
<font color=red>hostname</font> <font color=blue>~ #</font> '''emacs -nw /etc/autofs/auto.master''' | |||
'''/home /etc/autofs/auto.home''' | |||
Now that we've referred autofs to use the auto.home file, we'd better create it; just one line: | |||
<font color=red>hostname</font> <font color=blue>~ #</font> '''emacs -nw /etc/autofs/auto.home''' | |||
'''* -rw,soft,intr 192.168.0.192:/home/&''' | |||
Now, fire up the services, and then check that portmap and automount are running (with '''ps aux''' for example) | |||
<font color=red>hostname</font> <font color=blue>~ #</font> '''/etc/init.d/nfsmount start''' | |||
<font color=red>hostname</font> <font color=blue>~ #</font> '''/etc/init.d/autofs start''' | |||
Verify that you can automount something - typically by changing to a directory such as '''/home/gordonp''' and performing an '''ls'''. You should see all the stuff you'd normally see in that home-dir. | |||
Make these seervices stick between reboots: | |||
<font color=red>hostname</font> <font color=blue>~ #</font> '''rc-update add nfsmount default''' | |||
<font color=red>hostname</font> <font color=blue>~ #</font> '''rc-update add autofs default''' | |||
</s> |
Latest revision as of 17:03, 27 May 2008
Goals
We want to provide SSL access for users, to their home-directories, using WebDAV. Why WebDAV? Because it is well supported under Windows, OS-X, and Linux, and lowers the barriers to productivity for less-technically-inclined users: setup is minimal, and usage is drag-and-drop familiar.
Constraints
If we have user-home-dirs with restrictive permissions (0700 - no-one else can do anything), then Apache cannot traverse and serve these directories :-( One solution is to run Apache as root:root, which then permits access.
Implementation Overview
We will use two instances of Apache:
- one public-facing instance which runs safely as apache:apache on ports 80 and 443. Use ProxyPass and ProxyPassReverse to talk to the second instance of Apache
- this instance of apache will run chrooted in a vserver-guest environment, as a matter of security and convenience. However it could just as easily run on a "regular" non-chrooted / non-virtualized server.
- a second, private instance of Apache, which runs chrooted (in a Gentoo verserver-guest) as root:root, and communicates with port 8080 internally, to the public-facing instance of Apache. This instance of apache must be handled with care, because of the potential for serious havoc as root!
- autofs doesn't (yet?) work with verserver-guests, so all user-home-dirs are NFS-mounted, all the time, via /etc/fstab entries
Reference Basic DAV and LDAP Setup
Environment
- Gentoo Linux Vserver guest, with the host running kernel 2.6.22-vs2.2.0.6-gentoo
- Apache 2.2.8 for both the public-facing and private instances of Apache.
- LDAP auth working, for authenticating WebDAV users. The public-facing instance of Apache is responsible for authenticating, and any authenticated LDAP user is then permitted to access their WebDAV share (authorization = valid user).
- LDAP can run on a remote machine; in our reference example, OpenLDAP happens to run in yet another vserver-guest environment.
- Testing was performed using WebDAV-capable clients:
- Konqueror web-browser under Linux, with syntax: webdavs://<your_server>/<DAV_share>
- Cadaver Linux command-line DAV client
- Nautilus under Linux, through the Connect to Server dialogue either found in Nautilus, or accessed from the Gnome > Places menu
- Mac OS-X: Finder > Go > Connect to Server with syntax https://<your_server>/<DAV_share>
- Windows XP: use the Add Network Place Wizard with syntax https://<your_server>/<DAV_share>
Implementation Details
Private Apache Running as Root
Apache won't run as root, normally (and, to be sure, this is a GOOD thing :-) ). In order to convince Apache to run as root, you must recompile it with a new CFLAG -DBIG_SECURITY_HOLE; set this in Gentoo's /etc/make.conf like this:
CFLAGS="-march=nocona -O2 -pipe -DBIG_SECURITY_HOLE"
[ebuild R ] www-servers/apache-2.2.8 USE="ldap ssl -debug -doc (-selinux) -sni -static -suexec -threads" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif speling status unique_id userdir usertrack vhost_alias -asis -authn_alias -cern_meta -charset_lite -dumpio -log_forensic -proxy_ftp -version" APACHE2_MPMS="-event -itk -peruser -prefork -worker" 0 kB
Private Apache Startup and Configuration Directives
Place in /etc/conf.d/apache2 for Gentoo:
APACHE2_OPTS="-D DEFAULT_VHOST -D LANGUAGE -D DAV -D DAV_FS -D USERDIR"
Changes needed in /etc/apache/httpd.conf:
# User/Group: The name (or #number) of the user/group to run httpd as. # It is usually good practice to create a dedicated user and group for # running httpd, as with most system services. User root Group root
Representative entries in /etc/apache2/modules.d/45_mod_dav.conf
<IfDefine DAV> <IfModule dav_module> <IfModule dav_fs_module> <IfModule alias_module> # # Distributed authoring and versioning (WebDAV) # DavLockDB "/var/lib/dav/lockdb" UserDir /home/* <Directory /home/> Dav On DAVMinTimeout 600 # so we can ~see~ PHP, rather than interpret/execute ForceType text/plain DavDepthInfinity On Options Indexes FollowSymLinks MultiViews # don't give an .htaccess any any cred :-) AllowOverride None Order allow,deny Allow from all </Directory> </IfModule> </IfModule> </IfModule> # # The following directives disable redirects on non-GET requests for # a directory that does not include the trailing slash. This fixes a # problem with several clients that do not appropriately handle # redirects for folders with DAV methods. # <IfModule setenvif_module> BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully BrowserMatch "MS FrontPage" redirect-carefully BrowserMatch "^WebDrive" redirect-carefully BrowserMatch "^WebDAVFS/1.[012345]" redirect-carefully BrowserMatch "^gnome-vfs/1.0" redirect-carefully BrowserMatch "^XML Spy" redirect-carefully BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully </IfModule> </IfDefine>
Representative entries in /etc/apache2/vhosts.d/00_default_vhost.conf
# Virtual Hosts # # If you want to maintain multiple domains/hostnames on your # machine you can setup VirtualHost containers for them. Most configurations # use only name-based virtual hosts so the server doesn't need to worry about # IP addresses. This is indicated by the asterisks in the directives below. # # Please see the documentation at # <URL:http://httpd.apache.org/docs/2.2/vhosts/> # for further details before you try to setup virtual hosts. # # You may use the command line option '-S' to verify your virtual host # configuration. <IfDefine DEFAULT_VHOST> # see bug #178966 why this is in here # Listen: Allows you to bind Apache to specific IP addresses and/or # ports, instead of the default. See also the <VirtualHost> # directive. # # Change this to Listen on specific IP addresses as shown below to # prevent Apache from glomming onto all bound IP addresses. # #Listen 12.34.56.78:80 Listen 8080 # Use name-based virtual hosting. NameVirtualHost *:8080 # When virtual hosts are enabled, the main host defined in the default # httpd.conf configuration will go away. We redefine it here so that it is # still available. # # If you disable this vhost by removing -D DEFAULT_VHOST from # /etc/conf.d/apache2, the first defined virtual host elsewhere will be # the default. <VirtualHost *:8080> ServerName localhost Include /etc/apache2/vhosts.d/default_vhost.include <IfModule mpm_peruser_module> ServerEnvironment root root </IfModule> </VirtualHost> </IfDefine>
Private Apache NFS Configuration
Entry in /etc/fstab
192.168.0.191:/home /home nfs rw,soft,intr 0 0
Public-Facing Apache
Compile with some set of Gentoo USE-flags resembling this:
Public-Facing Apache Startup Directives
These go in /etc/conf.d/apache2 for Gentoo:
APACHE2_OPTS="-D DEFAULT_VHOST -D STATUS -D MANUAL -D LANGUAGE -D PHP5 -D LDAP -D AUTH_LDAP -D PROXY -D SSL -D SSL_DEFAULT_VHOST"
Define a virtual host, in the directory /etc/apache2/vhosts.d/ that resembles this example:
<VirtualHost *:443> ServerName pritchard.dyndns.org:443 ProxyPass / http://192.168.0.130:8080/ ProxyPassReverse / http://192.168.0.130:8080/ <Proxy *> <IfModule authnz_ldap_module> # # don't give an .htaccess any any cred :-) AllowOverride None Order allow,deny Allow from all # Do basic password authentication in the clear AuthType Basic # LDAP Authentication & Authorization is final; do not check other databases AuthzLDAPAuthoritative on # Name which will appear in the browser's user/pass dialogue (realm) AuthName "Webdav - Restricted Access" AuthBasicProvider ldap AuthLDAPURL ldap://192.168.0.110:389/ou=users,dc=whiterock?uid?one AuthLDAPBindDN "cn=Reader,dc=whiterock" AuthLDAPBindPassword <super_secret> # Use only one of the following possible sections. # Explicitly list the permitted users, ~after~ authentication has succeeded. # Effectively a 2nd gate, at the authourization phase. # Add as many as desired. require ldap-user <your_permitted_user_list> # There will be times when it's sufficient for an authenticated-user to be # authourized and granted access; it they're good in LDAP, they're OK by me. # In this case, any LDAP valid user is fine; apache won't restrict further. # require valid-user </IfModule> </Proxy> </VirtualHost>
Testing
- Check that DAV-root is OK, and that DAV is actually serving with DAVfs, by turning off all authentication / authourization
- change the <Limit> </Limit> containers above, to <LimitExcept> </LimitExcept>
- anyone, anywhere can now browse your DAV share!! Don't put valuable stuff in your DAV-root, just test-files
- Before adding in the complexity of authentication, check that the server-box is able to contact the LDAP-box; this should produce a lot of (LDIF) output:
hostname ~ # ldapsearch -h 192.168.0.192 -D 'cn=Reader,dc=whiterock' -b "dc=whiterock" -x -s one -W Enter LDAP Password: ultra_secret
- in a dedicated console-window, you can watch what Apache thinks of your DAV and http connection-attempts:
hostname ~ # tail -f /var/log/apache2/error_log
- to test-connect:
hostname ~ # cadaver http://localhost/<your_DAV_share>
- Connection-attempt results:
- Apache status code 200 or 207 is what you're after: things are good
- Apache status 405 (Method not Allowed) probably means you don't really have a DAV filesystem serving
- check compile options
- check apache startup directives
- check /etc/apache2/modules.d/45_mod_dav.conf
- take authentication / authourization out of the picture (disable) until you can clear this fundamental DAV protocol issue
- Apache status codes 401 and 403 are common with authentication/authourization problems
Reference DAV, LDAP and AutoFS
To make WebDAV really useful, we want to have our user authenticate, get authourized, then access their home-directory.
===Setup Automounting===
Walk before running (with scissors :-) ) - get AutoFS (automounting) working first, independently of any other complexity:
hostname ~ # emerge -pv nfs-utils autofs
Edit the master autofs file to look like:
hostname ~ # emacs -nw /etc/autofs/auto.master /home /etc/autofs/auto.home
Now that we've referred autofs to use the auto.home file, we'd better create it; just one line:
hostname ~ # emacs -nw /etc/autofs/auto.home * -rw,soft,intr 192.168.0.192:/home/&
Now, fire up the services, and then check that portmap and automount are running (with ps aux for example)
hostname ~ # /etc/init.d/nfsmount start hostname ~ # /etc/init.d/autofs start
Verify that you can automount something - typically by changing to a directory such as /home/gordonp and performing an ls. You should see all the stuff you'd normally see in that home-dir.
Make these seervices stick between reboots:
hostname ~ # rc-update add nfsmount default hostname ~ # rc-update add autofs default