equivalent for root_squash/no_root_squash on FreeNAS

mosh

Explorer
Joined
Mar 23, 2017
Messages
54
Hi,
I'd like to separate between root privileges on an NFS share, just like Linux exports does with root_squash/no_root_squash.
Currently I'm using the below permissions, which map every local root to become root on the NFS file-share:

[Screenshot: 1572863591154.png]

I'd like to separate by subnet/hostname. What will be the equivalent to Linux exports?
Example in Linux NFS exports:
Code:
nasadmin(rw,no_root_squash,insecure,async,wdelay,no_subtree_check) \
172.19.13.0/255.255.255.0(ro,root_squash,insecure,async,wdelay,no_subtree_check)


How can I do that in FreeNAS?

Thanks,
- Moshe
 

blanchet

Guru
Joined
Apr 17, 2018
Messages
516
A single NFS directory can be shared several times with different options for each subnet/hostname.
The only condition is to specify the authorized network and/or hostname, because if you leave both fields empty, the FreeNAS webUI complains "Another NFS share already exports this dataset for some network."
  • For root_squash, use -maproot="nobody":"nobody"
  • For no_root_squash, use -maproot="root":"wheel"
You can see the result in the FreeNAS shell with cat /etc/exports. For example:

Code:
/mnt/tank1/myshare -ro -maproot="nobody":"nobody" -network 172.19.13.0/24
/mnt/tank1/myshare -maproot="root":"wheel" nasadmin


This procedure has been successfully tested on FreeNAS 11.2u6, but it probably also works with older versions.
 

mosh

Thank you very much! I will try later on when it's safe to restart the NFS daemon.
 

mosh

Hi,
It seems that restarting the NFSd daemon via the GUI triggers regeneration of the /etc/exports file, so the exports I put there are being run over.
Do you know how I can restart the NFSd daemon without it deleting my manually added exports?

- Moshe
 

blanchet

A fundamental rule of FreeNAS says:
Changes done in the CLI are gone after reboot, but changes done in the webUI are persistent.

Therefore:
  • You must not manually edit the file /etc/exports.
  • You must use only the GUI to define the NFS exports.
  • But you can check the settings with cat /etc/exports to be sure that the GUI does what you expect.

Indeed, seasoned sysadmins know that the rule suffers some exceptions, but it is not the case here.
 

mosh

Thanks for the explanation.
How can I set export rules similar to the below via the GUI?
Code:
/mnt/nfs/vol1 -maproot="root":"wheel" nasadmin
/mnt/nfs/vol1 -ro -maproot="nobody":"nobody" -network 172.19.19.0/24
/mnt/nfs/vol1 -maproot="nobody":"nobody" -network 172.19.20.0/24
 

blanchet

  • Try a setting in the NFS sharing GUI, apply the settings, then check the result with the CLI.
  • After a few tries, you will quickly understand how the GUI generates the /etc/exports.
  • Then create 3 NFS shares for /mnt/nfs/vol1; each share will have its own settings.
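
The "check the result with the CLI" step can be automated. The following is an added example, not part of the thread and not FreeNAS code: it parses a subset of the FreeBSD exports format shown above and lists every client that keeps root on a share without being on an allow-list. The function names and the `trusted` set are hypothetical, the sample input is constructed from the lines in the thread, and line continuations are not handled.

```python
import shlex

# Constructed sample: the three export lines asked about in the thread.
SAMPLE_EXPORTS = """\
/mnt/nfs/vol1 -maproot="root":"wheel" nasadmin
/mnt/nfs/vol1 -ro -maproot="nobody":"nobody" -network 172.19.19.0/24
/mnt/nfs/vol1 -maproot="nobody":"nobody" -network 172.19.20.0/24
"""

def parse_exports(text):
    """Parse a subset of FreeBSD exports(5): paths, -ro, -maproot/-mapall, clients."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        entry = {"paths": [], "clients": [], "ro": False, "rootmap": None}
        tokens = iter(shlex.split(line))      # shlex removes the "user":"group" quotes
        for tok in tokens:
            name, _, value = tok.partition("=")
            if tok.startswith("/"):
                entry["paths"].append(tok)
            elif tok == "-ro":
                entry["ro"] = True
            elif name in ("-maproot", "-mapall"):
                entry["rootmap"] = value
            elif name in ("-network", "-mask"):
                value = value or next(tokens, "")   # "-network X" or "-network=X"
                if name == "-network":
                    entry["clients"].append(value)
            elif not tok.startswith("-"):
                entry["clients"].append(tok)        # plain hostname or address
        entries.append(entry)
    return entries

def root_squashed(entry):
    """True unless root (or everyone, via -mapall) is mapped to user root / uid 0."""
    return entry["rootmap"] is None or entry["rootmap"].split(":", 1)[0] not in ("root", "0")

def unsquashed_outside(text, trusted):
    """Return (path, client) pairs that keep root but are not in `trusted`."""
    return [(path, client)
            for e in parse_exports(text) if not root_squashed(e)
            for path in e["paths"]
            for client in (e["clients"] or ["<any host>"])
            if client not in trusted]

if __name__ == "__main__":
    print(unsquashed_outside(SAMPLE_EXPORTS, {"nasadmin"}))
```

On the FreeNAS shell, pass the contents of /etc/exports instead of the sample; an empty result means only the hosts on the allow-list keep root.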
 