NFS Share Authorized Networks Not Being Enforced

b1ackb3ar

Cadet
Joined
Mar 18, 2019
Messages
6
Greetings community,

What seems trivial has turned into a real headache and frustration - I cannot get the NFS shares to enforce their configured authorized networks. I'm looking to only allow specific hosts to mount each of the NFS shares.

TrueNAS Server
Version: TrueNAS-12.0-U8.1 (edit: added this)

*NOTE: vault is my pool

zfs list | grep vault
Code:
vault                    940G  9.49T      140K  /mnt/vault
vault/dataset1           140K  9.49T      140K  /mnt/vault/dataset1
vault/dataset2           151K  9.49T      151K  /mnt/vault/dataset2
vault/dataset3          4.30M  9.49T     4.30M  /mnt/vault/dataset3


/etc/exports:
Code:
V4: / -sec=sys
/mnt/vault/dataset1 -maproot="root":"wheel" -sec=sys 10.0.0.2
/mnt/vault/dataset2 -maproot="root":"wheel" -sec=sys 10.0.0.120
/mnt/vault/dataset3 -maproot="root":"wheel" -sec=sys 10.0.1.16


NFS Client

showmount -e <truenas_ip>
Code:
Export list for <truenas_ip>:
/mnt/vault/dataset1      10.0.0.2
/mnt/vault/dataset2      10.0.0.120
/mnt/vault/dataset3      10.0.1.16


However, I'm able to mount any of the datasets from a supposed unauthorized client, say IP 10.0.0.10.

What gives? What am I missing to enforce network / host authorization correctly?
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
Are you actually able to browse the directories? When I try, I'm able to mount a restricted share from anywhere, but I'm unable to view the share's contents or access anything.

EDIT: Actually, I slightly take that back. I'm unable to access any files (read or write), but I am able to browse the folder structure if I know what the directories are. For example, if I cd /mnt/test/dir1, if dir1 exists, I'm able to change into that directory. However, if dir1 does not exist, then I get a "No such file or directory" error.

EDIT2: This appears to have something to do with NFSv4. If I clear the checkbox for "Enable NFSv4" in the Services --> NFS settings, then I get the expected behavior: any attempts to mount the share from a non-authorized device are met with "mount.nfs: access denied by server while mounting ..."
 

b1ackb3ar

Huh, you're exactly right about it doing something with NFSv4. If someone could shed light on that, I would be greatly appreciative! For now, I'm disabling NFSv4 in the GUI and it is working as expected.
 

b1ackb3ar

So also, apparently you cannot change the Authorized Networks when NFSv4 is disabled. I had to re-enable NFSv4, change the authorized networks/IPs, then turn NFSv4 back off. That seems really odd...
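
Added example, not posted by anyone in this thread and not TrueNAS code: a small Python audit of a FreeBSD-style exports file that flags any line carrying no host or network restriction. In the file from the first post that is the `V4: / -sec=sys` line, which in exports(5) syntax can take its own host or `-network` list just like the dataset lines. The function names `parse_exports` and `audit` are hypothetical, and the parser assumes one entry per line with no backslash continuations.

```python
import shlex

# Sample input: the /etc/exports contents quoted in the first post.
SAMPLE_EXPORTS = """\
V4: / -sec=sys
/mnt/vault/dataset1 -maproot="root":"wheel" -sec=sys 10.0.0.2
/mnt/vault/dataset2 -maproot="root":"wheel" -sec=sys 10.0.0.120
/mnt/vault/dataset3 -maproot="root":"wheel" -sec=sys 10.0.1.16
"""

def parse_exports(text):
    """Parse FreeBSD-style exports lines into dicts (no line continuations)."""
    entries = []
    for raw in text.splitlines():
        tokens = shlex.split(raw.split("#", 1)[0])   # drop comments, unquote
        if not tokens:
            continue
        entry = {"kind": "export", "paths": [], "options": [], "hosts": []}
        if tokens[0] == "V4:":                       # NFSv4 tree root line
            entry["kind"], tokens = "v4root", tokens[1:]
        it = iter(tokens)
        for tok in it:
            if tok in ("-network", "-mask"):         # value is the next token
                tok = f"{tok}={next(it, '')}"
            if tok.startswith("-network="):
                entry["hosts"].append(tok.split("=", 1)[1])
            if tok.startswith("-"):
                entry["options"].append(tok)
            elif tok.startswith("/"):
                entry["paths"].append(tok)
            else:
                entry["hosts"].append(tok)           # host name, IP or netgroup
        entries.append(entry)
    return entries

def audit(text):
    """Return one finding per line that names no host or network."""
    findings = []
    for e in (e for e in parse_exports(text) if not e["hosts"]):
        path = " ".join(e["paths"])
        if e["kind"] == "v4root":
            findings.append(f"V4: root {path} names no host or network")
        else:
            findings.append(f"{path} is exported without a host restriction")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORTS)))
```

On the posted file this reports only the `V4:` line; the three dataset lines each parse with a single allowed host.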
 