Major permission issues with NFS shares


freenas-supero (Contributor)
Hello, this is my second thread on this forum, and I'm off to read the documentation once more...

I have a quick question regarding NFS shares and permissions.

There are currently 3 shares I want to configure, but I am not sure how to do this in the best way possible (reducing the security issues while maximizing usability and maintainability).

Each share is based on a separate dataset. Each dataset is configured with nobody:nogroup and is RWX for user, group and others (in other words chmod 777 = wide open).

Share 1 will be used to share media files to my network. It needs to be R-O to everybody and every computer except the VM where my media applications are running (couchpotato, etc). I cannot export the share as R-O because no-one will be able to write to it, including the VM where CP is running... I thought of creating a user such as "apache" in FreeNAS and assigning read-write-execute on this share to it, and R-O for everybody else, but FreeNAS is asking for a password when creating the user. Why?

To summarize, I have a hard time grasping the permissions concept in FreeNAS... Do I need to use permissions on files/folders, or share export permissions, or a mixture of both?

Any insight is greatly appreciated!
 

grep137 (Dabbler)
Just in case you didn't know this already (I'm a noob trying to get my CIFS and/or NFS shares working too): I read in several places that the user id and group id have to match on the server and the client (double-check me on this, though).

You can find your user and group id by typing "id" on the command line in linux.

Just stumbled across this thread:
NFS mount with differing UID and GID:
http://iansramblings.com/2009/02/25/nfs-mount-with-differing-uid-and-gid/
 

freenas-supero (Contributor)
Hey grep137

Not so easy to understand how permissions and shares are managed on freenas and make the best out of it..

How do you export multiple folders in a single dataset? It seems that when I do so I get strange errors in the FreeNAS logs, and it seems that the checkbox "All directories" in the share's config dialog box.

Tonight I will try to export and set up the first dataset properly. I will use file and folder permissions to do so. Obviously, because I want R-O access from certain computers while RWX for others, I cannot use "Read-Only" when exporting the share, so I am left to use file/folder permissions only..

Maybe to export several folders within a single dataset I am better off exporting the root of the dataset, then setting up the permissions for each and individual folders and files recursively??

What if I want the root user from one computer to have RWX permissions on a folder while root users from other machines have NO access at all? Configuring at the NFS share level only allows blocking/allowing specific IPs, which is too high level, while AFAIK file/folder permissions do not distinguish between root from one computer and root from another....
 

grep137 (Dabbler)
freenas-supero,

I wish I could help you, however, I've been so busy working that I have only had time to do a quick and simple setup, like the one shown in the videos at the links below. In a couple of months from now when I'm less busy I plan to try again. Good luck getting everything working.

FreeNAS 9.x Video Series
http://www.freenas.org/about/videos.html
 

freenas-supero (Contributor)
OK I am not doing too well with this topic... Need guidance!

Today I received my main server's mobo back from RMA and rebuilt my main server, which is using my FreeNAS server as storage backend. I cannot set up the NFS shares properly across several systems...

Can a senior user or a dev jump in to explain quickly how to configure an export to have different access rights based on who accesses it and from which machine?

A dataset needs to have several NFS shares with different permissions, and I need to export NFS shares from several datasets with different permissions. Let's consider what I actually seek to achieve:

dataset1 = /mnt/zpool/storage (exported as a NFS Share)

-Under "dataset1" there are subfolders with their respective setup

/mnt/zpool/storage/backups/system-clones/workstation => Needs to be fully accessible ONLY to IP 192.168.0.200 from user ROOT (this directory will be used for cloning my workstation with clonezilla)
/mnt/zpool/storage/backups/system-clones/htpc => Needs to be accessible ONLY to IP 192.168.0.201 from user ROOT (this directory will be used for cloning my media center with clonezilla)
/mnt/zpool/storage/backups/home-backups/workstation => Needs to be fully accessible ONLY to IP 192.168.0.200 from a specific user (this directory will be used for backing up /home of my workstation with rsync)
/mnt/zpool/storage/backups/home-backups/htpc => Needs to be fully accessible ONLY to IP 192.168.0.201 from a specific user (this directory will be used for backing up /home of my media center with rsync)
/mnt/zpool/storage/backups/servers-backups => Needs to be fully accessible ONLY to IP 192.168.0.101 from users APACHE & MYSQL (this directory will be used by rsync on a remote server to backup SQL databases and website files)
/mnt/zpool/storage/it-maintenance => Needs to be RO to every IP and every user with the exception of root from IP 192.168.0.101
/mnt/zpool/storage/servers-content => Needs to be FULLY hidden (or protected) from every IP and every user again with the exception of ROOT & APACHE from IP 192.168.0.101

dataset2 = /mnt/zpool/dropbox (exported as a NFS Share)

dataset2 consists of a single folder with unique permissions. It has to be fully open (RWX) to everyone and from every IP. Simple as that! ;)

dataset3 = /mnt/zpool/media (exported as a NFS Share)

dataset3 consists of a single folder with unique permissions. It has to be RO to all users from all IPs with the exception of ROOT & APACHE from 192.168.0.101

dataset4 = /mnt/zpool/pve-backup (exported as a NFS Share)

dataset4 consists of a single folder with unique permissions. It has to be accessible ONLY to ROOT from IP 192.168.0.2

My problems are:

With dataset1, how do I activate several IP access controls within the same NFS share? NFS won't let you do that...

For example, the first directory (..backups/system-clones/workstation) needs to be accessible only to root from x.x.x.200. I can set the file & folder perms so it is owned by and accessible only to root, but if I set up the NFS share to allow only x.x.x.200 to access it, then .201 and .101 won't be able to access the NFS share at all...

Another way of doing things would be to set the entire share's content to, let's say, root:nogroup, then set specific permissions for each folder that requires different perms, and finally allow access to the share only to the IPs that need access. That way, root from the allowed IPs would have access to everything, but specific users would have access only to their stuff.

Is it the way its done under freenas?

EDIT: I just tried setting the ownership of the first dataset's content to root:nogroup, then removing RWX from others (just like I explained previously), but when mounting the share on my workstation I cannot even access the content with root's account...

A tutorial is heavily needed! ;) Or I couldn't find one yet..
 

jgreco (Resident Grinch)
Each share is based on a separate dataset. Each dataset is configured with nobody:nogroup and is RWX for user, group and others (in other words chmod 777 = wide open).

Share 1 will be used to share media files to my network. It needs to be R-O to everybody and every computers except the VM where my media applications are running (couchpotato, etc).

The suuuuuuper easy classic UNIX fix is to make a second export entry ("share" in FreeNAS-speak). So if your first export is "mystuff" and is exported read-only to 192.168.0.0/24, create another export called "mystuff-rw" for your VM at 192.168.1.123 and make it read-write.
 

freenas-supero (Contributor)
OK, following your advice to create several shares (exports) depending on what access is needed, it seems to work OK, but I am getting "access denied by server" when I try to mount a share on my workstation.

/etc/exports looks like:

[root@freenas ~]# cat /etc/exports
/mnt/zpool/media 192.168.0.101 192.168.0.103
/mnt/zpool/storage/it-maintenance -ro 192.168.0.200 192.168.0.201
/mnt/zpool/media -ro 192.168.0.200 192.168.0.201
/mnt/zpool/dropbox -network 192.168.0.0/24
/mnt/zpool/storage/software-repo /mnt/zpool/storage/it-maintenance /mnt/zpool/storage/servers-content /mnt/zpool/storage/backups/servers-backups 192.168.0.101 192.168.0.103
/mnt/zpool/storage/backups/system-clones/htpc /mnt/zpool/storage/backups/home-backups/htpc 192.168.0.201
/mnt/zpool/storage/backups/system-clones/workstation /mnt/zpool/storage/backups/home-backups/workstation 192.168.0.200
/mnt/zpool/pve-backups -network 192.168.0.0/24
/mnt/zpool/pve-backups 192.168.0.2

With this configuration, mounting /mnt/zpool/media as RO and /mnt/zpool/dropbox as RWX on my workstation works just fine (the relevant entries are in bold), but trying to mount /mnt/zpool/storage/backups/home-backups/workstation I get:

[root@workstation workstation-user]# mount -t nfs 192.168.0.4:/mnt/zpool/storage/backups/home-backups/workstation /mnt/home-backup
mount.nfs: access denied by server while mounting 192.168.0.4:/mnt/zpool/storage/backups/home-backups/workstation

I also see a lot of errors in FreeNAS's log, see attached picture (I could never copy the console's content)..
 

Attachment: errors1.jpeg

jgreco (Resident Grinch)
Try specifying only a single mount point per export. You may need more exports but it results in less-annoying formatting in /etc/exports and may result in a more concise error message.
 

freenas-supero (Contributor)
Hey jgreco,

This is what I did at first, having a single mount point per export... Then I faced this error (access denied), so I decided to try merging some of them into a single export (provided they had the same type of access, "RO" or not, and the same client IPs).

Same error...
 

jgreco (Resident Grinch)
Don't see what's wrong offhand. I can only tell you that it works fine here.
 

freenas-supero (Contributor)
Yeah, it's getting weirder by the minute.....

I mounted all 4 exports from the entry:

/mnt/zpool/storage/software-repo /mnt/zpool/storage/it-maintenance /mnt/zpool/storage/servers-content /mnt/zpool/storage/backups/servers-backups

to IP 192.168.0.101 without permission denied errors... Must be something on my workstation that FreeNAS doesn't like. I will investigate and report back.

In the meantime, I tried to rsync some files from one export to another from the server with IP 192.168.0.101.

/mnt/zpool/storage/servers-content (on freenas) is mounted under /mnt/servers-content on my remote server... Same for /mnt/zpool/storage/backups/servers-backups which is mounted under /mnt/servers-backups on the remote server.

No mount errors whatsoever. When I try to rsync files from one export to the other, all is fine until the end, when rsync syncs some attributes to the copied files; then I get a ton of

rsync: chown "/mnt/servers-backups/drupal-data/styles/thumbnail/private/.ajfa_45rpm.jpg.ktclKc" failed: Operation not permitted (1)

Under FreeNAS, /mnt/zpool/storage/servers-content and /mnt/zpool/storage/backups/servers-backups are both located within the same zpool dataset called storage. Its properties are as in the attached picture.

It must not be a read-only type of issue since I can write on the NFS shares... Also it must not be a permission issue because, according to the attached image, the owner of the dataset is "Nobody" and the group is "Nogroup"... Also permissions are 777 on the dataset, so I would expect everybody and everyone to have full access....
 

Attachment: errors2.jpeg

freenas-supero (Contributor)
Never has a computer experience been so frustrating to me.... I really don't understand the way FreeNAS manages permissions ...

For example, a dataset has NO owner (nobody) and NO group (nogroup) and permissions set to 777 recursively on its content. In my own words, that means everybody can do as they please with the dataset's content! The NFS share is exported with write permission. Yet, when mounted on a remote machine, I cannot chown the files!!!

chown: changing ownership of `drupal-data/R-1427769-1218958963.jpeg': Operation not permitted

Files all have RWX permissions for owner, group & others.

-rwxrwxrwx 1 nfsnobody 65533 113993 Apr 12 21:42 The-First-30-Years-EP-cover.jpg
-rwxrwxrwx 1 nfsnobody 65533 68113 Apr 12 21:42 thegoodthebadthelive.jpg
-rwxrwxrwx 1 nfsnobody 65533 91534 Apr 12 21:42 the_unstoppable_force.jpg

What's the catch here???

TEST: I tried creating a test file from the remote client on the exported filesystem. While I could create the file no problems, I cannot chown it!

Test file permissions
-rw-r--r-- 1 4294967294 65533 5 Sep 3 19:02 test

Who is owner 4294967294????? I was root when I created that file.
 

jgreco (Resident Grinch)
Sorry, your own words are wrong. You cannot just do anything to anyone else's content just because the permissions are 777. Changing ownership in the UNIX model doesn't work that way. I think it can be made to work using the Windows permission model or some of the other ACL features though. However as a UNIX guy I don't have that advice at my fingertips.
 

freenas-supero (Contributor)
I understand the difference between chown (change owner) and chmod (change permission bits between read-write-execute), but still, with everything unlocked (for lack of a better word), I can't chown the files.... What I want to do is stupid simple: an NFS share that I can use from a client as a big-ass storage device.... Nothing more... From my POV, FreeNAS should provide disk space and let the clients do as they wish with it.

Then the users can do as they want within that space.

In other words:
  • Client asks Freenas permission to mount a share
  • Permission granted (its in the allowed IP's)
  • Client mounts the share
  • Freenas shares the share
  • Client do whatever it wants within that space.

Under Slackware Linux, everything worked flawlessly, and the setup was only to export an NFS share with certain options; then, using a root account, I could chown/chmod/whatever the files so the specific users could do what they wanted (edit, delete, read, write, execute).

I feel the FreeBSD way of doing things is getting in the way of my experience with Linux OSes. I literally tried everything, but still I cannot reach a state where I have full ownership of a share. Is it because I am exporting several directories under a SINGLE dataset?
 

jgreco (Resident Grinch)
NFS and UNIX in general do not allow a non-root user to change the owner of a file. It isn't any different in Linux. Replicate what you were doing in Linux that pleased you.

It sounds like you are mapping root to nobody and are shocked that the system is doing what you told it to.
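The exports listing posted earlier in the thread and the root-mapping point made in the reply just above can be checked mechanically. The linter below is an added example written for this page, not code from the thread, from FreeNAS or from FreeBSD's mountd. It parses exports(5)-style lines (the format FreeNAS 9.x writes), reports for each entry whether client root is kept (-maproot/-mapall) or squashed to nobody, uid -2, which a Linux client lists as 4294967294, and flags two things worth checking: a host named twice for the same file system, which exports(5) does not allow, and several directories on one line, which exports(5) requires to be in one file system. The embedded listing is the one posted above with the console-wrapped path re-joined; the warning for a host that also falls inside a -network entry is only a prompt to check, not a claim that mountd rejects it.

```python
# Added example, not code from the thread or from FreeNAS: lint FreeBSD
# exports(5) lines, the format FreeNAS 9.x writes to /etc/exports.
from __future__ import annotations

import ipaddress
import itertools
from dataclasses import dataclass, field

# Constructed input: the listing posted in the thread, console wrap re-joined.
SAMPLE_EXPORTS = """\
/mnt/zpool/media 192.168.0.101 192.168.0.103
/mnt/zpool/storage/it-maintenance -ro 192.168.0.200 192.168.0.201
/mnt/zpool/media -ro 192.168.0.200 192.168.0.201
/mnt/zpool/dropbox -network 192.168.0.0/24
/mnt/zpool/storage/software-repo /mnt/zpool/storage/it-maintenance /mnt/zpool/storage/servers-content /mnt/zpool/storage/backups/servers-backups 192.168.0.101 192.168.0.103
/mnt/zpool/storage/backups/system-clones/htpc /mnt/zpool/storage/backups/home-backups/htpc 192.168.0.201
/mnt/zpool/storage/backups/system-clones/workstation /mnt/zpool/storage/backups/home-backups/workstation 192.168.0.200
/mnt/zpool/pve-backups -network 192.168.0.0/24
/mnt/zpool/pve-backups 192.168.0.2
"""

NOBODY_UID = -2  # unmapped client root becomes nobody; a Linux ls shows it unsigned

@dataclass
class Export:
    lineno: int
    paths: list[str]
    hosts: list = field(default_factory=list)     # ip_address objects or names
    networks: list = field(default_factory=list)  # ip_network objects
    ro: bool = False
    maproot: str = ""
    mapall: str = ""

def parse_exports(text: str) -> list[Export]:
    """One exports(5) line: directories, then -options, then client hosts."""
    exports = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        exp = Export(lineno, [t for t in tokens if t.startswith("/")])
        rest = [t for t in tokens if not t.startswith("/")]
        i = 0
        while i < len(rest):
            tok = rest[i]
            if tok.startswith("-network"):  # "-network X" and "-network=X" are both valid
                if "=" not in tok:
                    i += 1
                    tok += "=" + rest[i]
                exp.networks.append(ipaddress.ip_network(tok.split("=", 1)[1], strict=False))
            elif tok == "-ro":
                exp.ro = True
            elif tok.startswith(("-maproot=", "-mapall=")):
                setattr(exp, tok[1:].split("=", 1)[0], tok.split("=", 1)[1])
            elif not tok.startswith("-"):  # other -options do not change who may write
                try:
                    exp.hosts.append(ipaddress.ip_address(tok))
                except ValueError:
                    exp.hosts.append(tok)  # hostname or netgroup, kept as text
            i += 1
        exports.append(exp)
    return exports

def root_policy(exp: Export) -> str:
    """What the server does with uid 0 arriving from a client of this entry."""
    if exp.mapall:
        return f"all client uids mapped to {exp.mapall}"
    if exp.maproot:
        return f"client root mapped to {exp.maproot}"
    return (f"client root squashed to nobody (uid {NOBODY_UID}, listed as "
            f"{NOBODY_UID & 0xFFFFFFFF} by a Linux client); chown from the client fails")

def find_issues(exports: list[Export]) -> list[str]:
    issues = []
    for exp in exports:
        if len(exp.paths) > 1:
            issues.append(f"line {exp.lineno}: {len(exp.paths)} directories on one line; "
                          "exports(5) requires one file system, so verify none is a separate dataset")
    for a, b in itertools.combinations(exports, 2):
        if not set(a.paths) & set(b.paths):
            continue
        for host in a.hosts:
            if host in b.hosts:
                issues.append(f"lines {a.lineno}/{b.lineno}: {host} listed twice for one "
                              "file system; exports(5) allows a host only once per file system")
        for first, second in ((a, b), (b, a)):
            for host in (h for h in first.hosts if not isinstance(h, str)):
                if any(host in net for net in second.networks):
                    issues.append(f"lines {a.lineno}/{b.lineno}: host {host} also falls inside "
                                  "a -network entry for the same path; check which options mountd applies")
    return issues

if __name__ == "__main__":
    for exp in parse_exports(SAMPLE_EXPORTS):
        print(f"line {exp.lineno}: {'ro' if exp.ro else 'rw'}; {root_policy(exp)}")
    for msg in find_issues(parse_exports(SAMPLE_EXPORTS)):
        print("CHECK", msg)
```

Run as a script it prints one line per export plus the checks. jgreco's two-entry pattern (the same directory exported -ro to the subnet and again with -maproot=root to the one host that must write) parses the same way, and the report shows root kept only on the second entry; every posted entry lacks -maproot, which is why a file created as root arrived owned by 4294967294 and why chown is refused. The script cannot see ZFS dataset boundaries; confirming that the directories on one line really share a file system needs `zfs list` on the server.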
 

freenas-supero (Contributor)
Sorry if I was looking to complain more than to understand, but put yourself in my shoes: no experience with FreeBSD or FreeNAS whatsoever, used Linux for years without such problems, and I am on a more or less tight schedule to get this running. I also have about 5 minutes a week to play with this...

If you work in the field then you have a LARGE advantage over me: you can keep working on it, I cant.

BTW, I rebooted both the FreeNAS server and my CentOS server, and it seems to be working now; I also noticed the strange errors with "bad exports list line:" and "radix head node" are gone for now....

Maybe a memory problem? Maybe a bug in Freebsd or the nfs daemon? I dunno!

When I can sit down and take the time to understand everything, that will help, I am sure. I intend to keep using FreeNAS for sure!
 

jgreco (Resident Grinch)
If you don't like the answers I gave you, the paid support queue is available over at iXsystems.

As for the forums, most of us posting here are not iX employees and are simply volunteering community-based support. The forum rules also specifically call out that file permissions issues are "Topics that are likely to go unanswered".

People on deadlines to get systems running should consider the benefits of buying a support contract.
 

cyberjock (Inactive Account)
Exactly what jgreco said. If time is a problem, you write a check, iX makes the problem go away. If you have a big enough problem and you want to write a big enough check, iX will even write code just to fix your problem.

There are major advantages to buying iX hardware and software support. ;)
 