Export of home directories with NFSv4 and Kerberos - permission issues

francisaugusto

Contributor
Joined
Nov 16, 2018
Messages
153
Hi,
I managed to mount NFSv4 shares served by TrueNAS SCALE on an Ubuntu client. Kerberos works for authentication and mounting, and the permissions are correctly identified.
The idea is to export a home folder on my pool with several user directories.
`Home` is owned by root:root. I used the default NFSv4_HOME ACL. The user directories are owned by the respective users.
But I have this issue:
- If I use maproot user/group = root, it mounts well and I can access the folder, but the users can access each other's folders, and new files created by them are owned by root.
- If I don't use maproot at all, I can access the main folder, but can't even `cd` to the user's folder. A simple `ls` gives me a "permission denied".

I've tried other things, such as creating child datasets with their own permissions, owned by the users, but it also didn't work.

Any tips on how to successfully manage this? I wanted to try other NFS export options, such as secure,root_squash,no_all_squash, but I don't think it is possible via the GUI.
 

francisaugusto

OK, I set up an Ubuntu machine as an NFS server so that I could test a bit more. What I realized is that the problems are mostly because the DNS domain I use internally doesn't match my realm. Using the `Local-Realms` option in `/etc/idmapd.conf` fixes this, and then everything works fine.

Unfortunately, it seems that it isn't possible to adjust this option on TrueNAS. I submitted a feature request.
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
Was it a late change from Ganesha NFS server to standard nfs-kernel-server in the latest SCALE release? It feels like it, with no way to set Linux-type NFS export options via the GUI. Maybe there are few use cases for it, but you couldn't run the NFS server in pure NFSv4 mode with no rpc.bind if you wanted to either.

Did you try adding a post-init script to SCALE to use the `/etc/idmapd.conf` as wanted?
 

francisaugusto

KrisBee said:
> Was it a late change from Ganesha NFS server to standard nfs-kernel-server in the latest SCALE release? It feels like it, with no way to set Linux-type NFS export options via the GUI. Maybe there are few use cases for it, but you couldn't run the NFS server in pure NFSv4 mode with no rpc.bind if you wanted to either.
>
> Did you try adding a post-init script to SCALE to use the `/etc/idmapd.conf` as wanted?

Thanks @KrisBee. I can try that, but at the same time, I wonder if this idmapd.conf is used at all, since it doesn't change a bit no matter what I change in the GUI. But if that's the case, it is certainly worth a try.
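
The post-init approach discussed above, as an added example that is not from the thread or from TrueNAS: a shell function that sets `Local-Realms` in the `[General]` section of an idmapd.conf, replacing any existing or commented-out entry and leaving the file untouched when nothing changes. The realm `EXAMPLE.ORG` is a placeholder, and it is an assumption that the server's ID mapper reads this file and that the system does not regenerate it.

```shell
#!/bin/sh
# Added example (not from the thread): idempotently set Local-Realms in [General].
# Assumptions: the file path and realm list are supplied by the caller, and the
# NFS ID-mapping service is restarted afterwards so it re-reads the file.
# Usage from a post-init script: set_local_realms /etc/idmapd.conf "EXAMPLE.ORG"

set_local_realms() {
    conf=$1
    realms=$2
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    awk -v realms="$realms" '
        function emit() { print "Local-Realms = " realms; done = 1 }
        /^[ \t]*\[/ {
            # Leaving [General] without having seen the key: add it first.
            if (in_general && !done) emit()
            in_general = (tolower($0) ~ /^[ \t]*\[general\]/)
            print
            next
        }
        # Replace a live or commented-out Local-Realms line; drop duplicates.
        in_general && /^[ \t]*[#;]?[ \t]*Local-Realms[ \t]*=/ {
            if (!done) emit()
            next
        }
        { print }
        END {
            if (in_general && !done) emit()
            else if (!done) { print "[General]"; emit() }
        }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # No change needed: leave the original file (and its mtime) alone.
    if cmp -s "$conf" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    # Overwrite in place so ownership and mode of the original are kept.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}
```

Without a matching realm, Kerberos principals are not recognised as local users by the ID mapper, which is what makes `maproot = root` look like the only working setting even though it gives every user root-owned files and access to each other's directories.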
 