NFS share, multiple users, different access rights

Okeur

Hello gentlemen and gentlegirls,

I'm having an issue configuring my NFS share between multiple users, on multiple VMs (all Linux), with different access rights.

Here is what I would like to implement:
  1. User A in VM A needs to access share A in RW
  2. User B in VM B needs to access share B in RW
  3. User A needs to access share B in RW
  4. User B needs to access share A in RO
First question: Is NFS designed for this kind of need, or am I going in the wrong direction? (not the band though)
Second question:
  1. I have set up both shares with TrueNAS, and made these shares the home folders of the users I created in TrueNAS.
  2. So in TrueNAS I created user A and made his home directory share-A, same goes for user B and share-B. I have also created the corresponding groups, and in group-B I have user A and B, and in group-A I have only user A.
  3. I have also matched the UID and GID of the users in my VMs with the users in TrueNAS (so user A has ID 1001 in both the VM and TrueNAS)
  4. Unfortunately, when I mount share-B in VM-A, user A always falls in the "others" group; it seems not to be part of group B or to have the corresponding rights (the rights you set up in the user panel in TrueNAS).

  5. Any idea why?

Eventually my needs are the following, in case you know a different/better way to do it:
  1. User A is a mediaserver
  2. User B is an external user I somehow trust but not totally
  3. The mediaserver needs access to the media files (share A) + access to share B because user B can upload some media. But I do not want to grant user B RW access to the media library, and I do want the mediaserver to be able to see what user B has uploaded so it appears in the mediaserver immediately. (It's a kind of temporary share where user B can upload what he wants to be available in the media library without me interfering)
  4. I need user B to be able to download some media (not from the WebUI, in SFTP for example) and thus have RO access to the share-A.
  5. If there is a better way to do this than the NFS share, feel free to comment.

Thanks if you can help and Happy New Year!
 

ChrisRJ

Is there a particular reason for not using SMB? Yes, historically NFS would be the natural choice for a Linux client. But today and with how I understand your requirements, SMB might be the better option.
 

KrisBee

@Okeur IIRC you can use the same path in more than one NFS share definition. So you could create an NFS share which is read-only for the IP address used by your VM-B and then create a second NFS share for the same path which is RW for the IP of VM-A. A possible alternative is to enforce read-only access on the Linux client (VM-B) by mounting the share read-only or at a location which provides read-only access. But if your physical user B has root access then this cannot be enforced. Better to do it on the server side.

As in your case "user A" is a program which may run in Linux with a specific non-root user/group ID, any matching account on TrueNAS should NOT be using a home directory or login or sudo, etc. Nor does the physical user B need a home directory or login in TrueNAS, because you are better off creating individual datasets in your pool to hold the two sets of data you have mentioned. For NFS shares these datasets should be created with the share type "generic" and then the permissions edited as required.

As said already, SMB may be a better option as you have greater control over how different users can access a single dataset. For example, a dataset can be owned by a specific user/group with RW access and then RO access can be granted to another user, or group, on the same dataset.
 

Okeur

OK, it took me a bit, but I managed what I wanted to do through an SMB share.

Thank you for the suggestion. At the beginning I wrongly thought that SMB, since it's labeled as a Windows share, was strictly limited to Windows. But in fact it works well with Linux too, and this was my mistake.

So if a newbie like me is coping with the same issue, go with SMB: the share parameters are far more granular than with NFS and it's working well.

Thanks for your help.
 