How do I share a single directory with different permissions for each client?

Status
Not open for further replies.

redundantly

I've got this directory:

/mnt/tank/nvr/recordings

And I need to share it with two separate clients via NFS with different permissions:
  • 192.168.2.101 with write access
  • 192.168.2.212 with read-only access
The first box needs write access to the data. The second box should only have read access.

If I try to set this up with two different shares pointed at the same directory I get the following error:

The network 0.0.0.0/0 is already being shared and cannot be used twice for the same filesystem

I've seen other threads where this is called out as a bad practice and the way to do this is use separate datasets, but this isn't possible in this scenario since I need two different clients to access the exact same data with different permissions.

How do I accomplish this with FreeNAS?
 

SweetAndLow

The question is more about NFS than it is about FreeNAS. You should probably just use permissions for this, that is what they are designed for.

 

redundantly

No, this is an issue with FreeNAS. If I could just edit /etc/exports directly and it not be replaced by other edits in the GUI or a reboot I'd be able to work it out.

The limiting factor here is how FreeNAS operates, or how I'm attempting to configure it. I'm hoping I'm missing something and it's possible to do what I need with FreeNAS.
 

SweetAndLow

> No, this is an issue with FreeNAS. If I could just edit /etc/exports directly and it not be replaced by other edits in the GUI or a reboot I'd be able to work it out.
>
> The limiting factor here is how FreeNAS operates, or how I'm attempting to configure it. I'm hoping I'm missing something and it's possible to do what I need with FreeNAS.

I think you are confused with how this works. You can just mount using read only client options or read/write.

Or you set up permissions correctly on the server to do what you want.

 

Ericloewe

IP-based authentication is not good practice. Just use proper permissions and log in.
 

oni.kage

> IP-based authentication is not good practice. Just use proper permissions and log in.

What? IP-based authentication is literally how NFS works. Following the security model of least-privilege, it's completely reasonable to export a share to some hosts as RW and other hosts as RO. Why would I give write access to a host that doesn't need it? The issue also applies to maproot. Why would I export something to my entire network with maproot enabled when only one or two hosts need it? That would be terrible practice. Permissions are not always a feasible solution without getting into very ugly extended ACLs. For example, if I have a backup server that has to read every file on my NAS to copy it to a backup repository. It would be a nightmare to do that with ACLs, which is why I would create a duplicate share, only for the backup server, that has maproot enabled.

This is a serious shortcoming/bug of FreeNAS and I'm amazed that it hasn't been fixed already.
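
An added example, not part of any post in this thread and not FreeNAS code: a small Python audit over an exports file in FreeBSD exports(5) style, listing the access each client gets and flagging exports that are writable or root-mapped with no host restriction. The sample file is constructed; the backup and media paths and all function names are assumptions.

```python
# Constructed sample, FreeBSD exports(5) style; backup and media paths are hypothetical.
SAMPLE = """\
/mnt/tank/nvr/recordings 192.168.2.101
/mnt/tank/nvr/recordings -ro 192.168.2.212
/mnt/tank/backup -maproot=root
/mnt/tank/media -ro -network 192.168.2.0/24
"""

def parse_exports(text):
    """Parse a subset of exports(5): paths, -options, then hosts or networks."""
    entries = []
    for raw in text.splitlines():
        tokens = iter(raw.split("#", 1)[0].split())   # drop comments, split on spaces
        paths, opts, clients = [], {}, []
        for tok in tokens:
            if tok.startswith("-"):
                name, _, value = tok.partition("=")
                if name == "-network":
                    value = value or next(tokens, "")  # "-network 10.0.0.0/8" form
                    clients.append(value)
                opts[name] = value
            elif tok.startswith("/"):
                paths.append(tok)
            else:
                clients.append(tok)
        if paths:
            entries.append((paths, opts, clients))
    return entries

def access_table(text):
    """Map (path, client) -> 'ro' or 'rw'; client '*' means no host restriction."""
    return {(p, c): ("ro" if "-ro" in opts else "rw")
            for paths, opts, clients in parse_exports(text)
            for p in paths for c in (clients or ["*"])}

def audit(text):
    """Flag exports with no client restriction that are writable or root-mapped."""
    findings = []
    for paths, opts, clients in parse_exports(text):
        root = any(opts.get(k, "").split(":")[0] in ("root", "0")
                   for k in ("-maproot", "-mapall"))
        for path in ([] if clients else paths):
            if "-ro" not in opts:
                findings.append((path, "writable by any client"))
            if root:
                findings.append((path, "root-mapped for any client"))
    return findings
```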
 

Ericloewe

> IP-based authentication is literally how NFS works

And it is not good practice, much like transmitting your passwords in plaintext is not. Except that the first case keeps doing it all the time.
 

oni.kage

> And it is not good practice, much like transmitting your passwords in plaintext is not. Except that the first case keeps doing it all the time.

NFS has never been very secure, but controlling what hosts have RW and maproot access is still better than running everything wide open. I don't understand why you're defending a shortcoming of FreeNAS when every other NAS software on the market can do what we are asking for.

I'm realizing now that I made a mistake by building my new box on FreeNAS. I was expecting a polished product and I am seeing that this is not the case. I've already started preparations to wipe this system and go back to ZFS on Linux. And to think, I almost bought an iXsystems box at work recently for a heavy NFS environment. I am so glad I didn't make that mistake.
 