Mapping different NFS UID based on IP

[stringman]

Is there a way to map a different NFS UID based on IP like you can in Linux?

For example, I have a CentOS server with the following /etc/exports entries:

/storage/sharedstore 192.168.0.0/24(rw,sync,no_root_squash)
/storage/sharedstore 10.128.0.0/24(ro,sync)

One subnet is able to operate as root, while another only has read-only access.

I've tried making entries on my FreeNAS installation in which one IP has --maproot="nobody" and another has --maproot="root," but the line I add manually appears to be ignored.

 

[HoneyBadger]

Looks like the formatting might be slightly different from Linux to FreeBSD. Can you post a sample of your /etc/exports and see if it lines up with the expected syntax as shown in the manpage here:

https://www.freebsd.org/cgi/man.cgi?query=exports&sektion=5&apropos=0&manpath=FreeBSD+12.0-RELEASE+and+Ports

 

[stringman]

I would like to squash root from all IPs except one, so this is ideal:

/mnt/engnfs3/export -alldirs -maproot="nobody":""
/mnt/engnfs3/export -alldirs -maproot="root":"" 10.128.3.244

I've tried to break it out by subdirectory, but that results in a "network is already being shared and cannot be used twice for the same filesystem" error.

 

[HoneyBadger]

This sounds silly, but have you tried flipping the order of the export lines? If it's a "first matching rule wins" kind of thing.

Code:

/mnt/engnfs3/export  -maproot=root 10.128.3.244
/mnt/engnfs3/export  -maproot=nobody

 

[KrisBee]

You can't have overlapping networks in exports definition, but you can have something like this:

Code:

[chris@freenas ~]$ cat /etc/exports
V4: / -sec=sys
/mnt/NasPool/topdataset/child1 -maproot="root":"wheel" -network 192.168.0.0/24
/mnt/NasPool/topdataset/child1 -ro -maproot="nobody":"nobody" -network 10.128.0.0/24
[chris@freenas ~]$

 

[stringman]

This sounds silly, but have you tried flipping the order of the export lines? If it's a "first matching rule wins" kind of thing.

Code:

/mnt/engnfs3/export  -maproot=root 10.128.3.244
/mnt/engnfs3/export  -maproot=nobody

That didn't work. It looks like I'll have to break up network entries with /30 subnets or something.

You can't have overlapping networks in exports definition, but you can have something like this:

Code:

[chris@freenas ~]$ cat /etc/exports
V4: / -sec=sys
/mnt/NasPool/topdataset/child1 -maproot="root":"wheel" -network 192.168.0.0/24
/mnt/NasPool/topdataset/child1 -ro -maproot="nobody":"nobody" -network 10.128.0.0/24
[chris@freenas ~]$

Thanks. I'll give that a shot.

 

[stringman]

I've tried this and restarted nfsd, since I don't see exportfs anywhere, but showmount still shows "/mnt/engnfs3/export Everyone," and 10.128.3.244 still maps as "nobody:"

/mnt/engnfs3/export -maproot="root":"wheel" -network 10.128.3.0/24
/mnt/engnfs3/export -maproot="nobody":"nobody" -network 10.128.0.0/24

 

[KrisBee]

Are you manually editing the exports file in FreeNAS? Does it make a difference if you define NFS shares through the WebUI and let the backend take care of the rest, all changes will then be persistent.

 

[stringman]

Are you manually editing the exports file in FreeNAS? Does it make a difference if you define NFS shares through the WebUI and let the backend take care of the rest, all changes will then be persistent.

Yes, I'm manually editing the exports file. I don't see a way to provide different mappings from different networks in the WebUI.

 

[stringman]

Once I deleted the open share from the WebUI I was able to add individual network shares with different options from the WebUI. Problem solved.