How to configure an NFSv4-only server

An NFS server that still answers NFSv3 keeps older RPC services in the path, including rpcbind, rpc.statd, and mount protocol handling. Switching the server to NFSv4 only narrows the service surface to the modern protocol path and avoids leaving legacy client behavior enabled by accident.

The protocol switch is controlled by the [nfsd] section in /etc/nfs.conf. Setting vers3 to n disables NFSv3, while leaving vers4 enabled keeps current NFSv4 clients working. On systemd hosts, the configuration change should be paired with masking NFSv3 helper services and a rpc.mountd override so mountd does not listen for old mount requests.

A current RHEL-family nfs-utils server with an existing export and NFSv4-capable clients is assumed. Do not make this change until old clients have been inventoried, because NFSv3 mounts, showmount-based checks, and firewall rules for rpc-bind or mountd should stop being treated as success paths after the cutover.

Related: How to install an NFS server on CentOS Stream, RHEL, and Fedora
Related: How to create an NFS export
Related: How to allow NFS server traffic through firewalld

Steps to configure an NFSv4-only server:

  1. Confirm the server already has a working export and no remaining clients require NFSv3.

    Schedule a maintenance window or notify users before changing protocol support on a shared file server. Existing NFSv3 mounts can fail after the service restart.

  2. Check the protocol versions currently exposed by the running kernel NFS server. 
    $ cat /proc/fs/nfsd/versions
+3 +4 +4.1 +4.2

    A leading plus sign means that version is enabled. A server that still shows +3 is still accepting NFSv3.

  3. Open the main NFS configuration file. 
    $ sudoedit /etc/nfs.conf
  4. Set the NFS daemon version policy in the [nfsd] section. 
    [nfsd]
vers3=n
vers4=y

    If the server must allow only one NFSv4 minor version, set the individual vers4.0, vers4.1, and vers4.2 keys instead of mixing those keys with vers4. Keep all NFSv4 minor versions enabled unless a client compatibility or security requirement says otherwise.

  5. Confirm the effective NFSv3 setting before restarting the service. 
    $ sudo nfsconf --get nfsd vers3
n

    Current nfs-utils packages include nfsconf, which reads the active /etc/nfs.conf configuration.

  6. Mask the services used by NFSv3 locking and RPC discovery. 
    $ sudo systemctl mask --now rpc-statd.service rpcbind.service rpcbind.socket

    Do not mask these services on a host that still serves NFSv3 clients or other RPC services that depend on rpcbind.

  7. Create a systemd drop-in so rpc.mountd does not listen for NFSv3 mount requests. 
    $ sudo mkdir -p /etc/systemd/system/nfs-mountd.service.d
$ sudoedit /etc/systemd/system/nfs-mountd.service.d/v4only.conf
  8. Add the mountd override. 
    [Service]
ExecStart=
ExecStart=/usr/sbin/rpc.mountd --no-tcp --no-udp

    NFSv4 clients do not use the old mount protocol to discover exports, so rpc.mountd does not need TCP or UDP listeners on a v4-only server.

  9. Reload systemd and restart the NFS services. 
    $ sudo systemctl daemon-reload
$ sudo systemctl restart nfs-mountd
$ sudo systemctl restart nfs-server
  10. If firewalld protects the server, keep only the nfs service open for NFS traffic. 
    $ sudo firewall-cmd --permanent --add-service=nfs
success
$ sudo firewall-cmd --reload
success

    Remove previously opened rpc-bind and mountd firewalld services after confirming no NFSv3 clients remain.

    Related: How to allow NFS server traffic through firewalld

  11. Verify that the running server reports NFSv3 disabled. 
    $ cat /proc/fs/nfsd/versions
-3 +4 +4.1 +4.2

    The minus sign before 3 is the server-side proof that NFSv3 is disabled. The plus signs before the NFSv4 entries show the enabled v4 protocol versions.

  12. From a client, confirm an NFSv3 mount is rejected. 
    $ sudo mount -o vers=3 files.example.net:/srv/nfs/projects /mnt/projects
mount.nfs: requested NFS version or transport protocol is not supported
  13. Mount the same export with NFSv4. 
    $ sudo mount -o vers=4 files.example.net:/srv/nfs/projects /mnt/projects

    If the server uses an NFSv4 pseudo-root, mount the path exposed to clients rather than assuming the server's internal filesystem path.

  14. Verify the client mount uses an NFSv4 filesystem type and version option. 
    $ findmnt /mnt/projects
TARGET        SOURCE                                FSTYPE OPTIONS
/mnt/projects files.example.net:/srv/nfs/projects  nfs4   rw,relatime,vers=4.2,rsize=1048576,wsize=1048576

    A failed showmount -e check is expected on a strict NFSv4 server because showmount depends on the old mount protocol path.

    Related: How to check the NFS version for a mounted export
    Related: How to manually mount an NFS export on Linux