NFS Shares Open to Everyone Despite Permissions

Status
Not open for further replies.

kranzel

Explorer
Joined
Jul 21, 2011
Messages
71
Hi Everyone,

Okay, I am completely lost here and am hoping someone can help me out.

I am trying to get NFS sharing up and running, however, once I set my shares up, anyone is able to access them with full access. It is very confusing to me.

Here is my setup.

I created a user called "Bob" in Freenas. "Bob" is the same user account I am using on my Mac client and I ensured the UID is the same on Freenas and Mac OS. The passwords for "Bob" on both systems are also the same.

I have created a ZFS volume labeled "ZFSRAID". It is located at "/mnt/ZFSRAID". On the Freenas GUI I set the owner of this volume to "Bob" and the group to "Wheel". "Bob" and "Wheel" have read, write, and execute permissions. "Other" has no permissions.

I then turned on NFS in services, and set the number of servers to 6.

I then went into "Unix Shares" in the Freenas GUI and set the following parameters
Comment: RaidZ NFS Share
Volume Path: /mnt/ZFSRAID
Authorized Network or IP Addresses: n/a
All Directories: Unchecked
Read Only: Unchecked
Quiet: Unchecked
Maproot User: N/A
Maproot Group: N/A
Mapall User: N/A
Mapall Group: N/A

I then SSH into my Freenas box and confirmed using ls -la on the "ZFSRAID" volume and confirmed that "Bob" and "Wheel" are set as Read, Write, Execute and "Other" has nothing.

I then went into my Mac OS X client as "Bob" and as a test ran the connect to server option with the following command "nfs://serverip/mnt/ZFSRAID". The mount succeeded and I could modify all the files as I would expect.

I then created a second user on my Mac called "Test". I logged into test and did "nfs://serverip/mnt/ZFSRAID" and the volume mounted. I was also able to edit, add, delete new and existing content in the volume. This I did not expect.

I am primarily a Windows user and normally in Windows I would create a share, open it to everyone, then lock down the individual files/folders through local permissions. Which is what I thought I had replicated with the settings above in NFS/Freenas. Can someone help me out?

Oh yes, I am using Freenas 8.0 Release.

Thanks.
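
Added example (not part of the original post, and not FreeNAS code): a check of the share settings listed above, written against FreeBSD exports(5) syntax. It assumes the GUI fields "Authorized Network", "Mapall User" and "Read Only" correspond to the `-network`, `-mapall` and `-ro` export options; the sample lines and finding names are constructed for illustration.

```python
# FreeBSD exports(5) options whose value may follow as a separate token.
TAKES_VALUE = {"network", "mask"}

def parse_export(line):
    """Split one exports(5) line into (paths, options, hosts)."""
    tokens = line.split("#", 1)[0].split()
    paths, opts, hosts = [], {}, []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            paths.append(tok)
        elif tok.startswith("-"):
            for part in tok.lstrip("-").split(","):
                name, _, value = part.partition("=")
                if not value and name in TAKES_VALUE and i + 1 < len(tokens):
                    i += 1
                    value = tokens[i]
                opts[name] = value
        else:
            hosts.append(tok)
        i += 1
    return paths, opts, hosts

def audit_exports(text):
    """Return {path: [findings]} for every exported path in the text."""
    report = {}
    for line in text.splitlines():
        paths, opts, hosts = parse_export(line)
        findings = []
        if not hosts and "network" not in opts:
            findings.append("any-host")  # no host or network restriction
        # With the default sec=sys flavor the server applies file permissions
        # to whatever UID the client sends; no password is checked.
        if "sys" in opts.get("sec", "sys").split(":") and "mapall" not in opts:
            findings.append("client-asserted-uid")
        if "ro" not in opts:
            findings.append("writable")
        for path in paths:
            report[path] = findings
    return report

# Constructed sample: first line mirrors the share described in the post.
SAMPLE = """\
/mnt/ZFSRAID
/mnt/backup -ro -mapall=nobody -network 192.168.1.0 -mask 255.255.255.0
"""

if __name__ == "__main__":
    for path, findings in audit_exports(SAMPLE).items():
        print(path, findings or "ok")
```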
 

kranzel

Explorer
Joined
Jul 21, 2011
Messages
71
Thanks, I will give that a try tonight and report back.
 

kranzel

Explorer
Joined
Jul 21, 2011
Messages
71
Okay, so I have now updated to 8.0.1 BETA4.

I backed up my config and installed the new version. I then restored my config and everything looked good, except I could not access anything from either the "Bob" account or the "Test" account. Furthermore, a new, really weird issue has come up. I cannot create new shares.

If I use the GUI and try to add an Apple, Windows, or Unix share, the appropriate screen comes up, I enter all the info and select "ok". The screen flashes, no errors appear, but the newly created share is not visible from either the GUI sidebar or in the "Shares" view along the top.

I thought perhaps the issue might be with the config import. So I set everything back to factory, imported my ZFS volume, recreated my accounts and setup my settings from scratch. Same problem, I cannot create any shares.

I ssh into the system and confirmed that all permissions look fine.

Any ideas?
 

ProtoSD

MVP
Joined
Jul 1, 2011
Messages
3,348
Have you checked that the appropriate services are turned on on the sidebar under Services -> Control Services ?
 

kranzel

Explorer
Joined
Jul 21, 2011
Messages
71
Hi,

Yeah, I confirmed the services are turned on and even rebooted after enabling them for good measure as I know this is needed for ssh in 8.0 release.

It is very weird.

Thanks for the suggestion though. Any attempt to help is appreciated.

Any other ideas?
 

kranzel

Explorer
Joined
Jul 21, 2011
Messages
71
Okay, so I got around the new issue. I am not sure if this is a bug or not but I reinstalled the 8.0.1 Beta4 and did not import my previous config. I was able to set all the settings up and the shares worked as they did in version 8.0. Then, out of curiosity, I reloaded my config and the same problem as mentioned above occurred. I restored the system to factory defaults but it still failed to work properly. So, I reinstalled 9.0.1 Beta4 again, DID NOT import config and everything is working. It appears that importing my config from 8.0 messes 8.0.1 Beta4 up something crazy like. Again, not sure if this is a bug or just me.

So, the above issue aside, now that 8.0.1 Beta 4 is running, I am having the exact same issue that started this thread. I also followed the exact same setup as mentioned above. One thing I did notice however, on my Mac, it says I am connected as "NFS" for the user. I have no idea what that is. I am not prompted for credentials, it just connects as this "NFS" item. Normally for Samba or AFP shares it would show "Bob" as the connected user.

Again, any help would be appreciated.
 

kranzel

Explorer
Joined
Jul 21, 2011
Messages
71
Okay, so everything is working now.

For those who care, after upgrading to 8.0.1 Beta4, I also wiped my keychain on OS X, removed all auto mounts.

Rebooted my Mac, mapped my NFS share and was prompted for my credentials. Entered the correct ones and everything worked.

Tried as my guest account and it still has access. Wiped out keychain and auto mounts. Logged off and back in and voila, no access.

I can also say the SMB shares, which I had as backups, just shot through the roof in terms of speed performance. I was getting around 10-20MB a second if I was lucky, which is why I was trying out NFS, but now, I easily sustain 60-70MB a second.

Good job Freenas coders, your work is really starting to show.
 

physicsguy

Cadet
Joined
Jul 27, 2011
Messages
6
But it is disturbing that you had to do that. Keychain shouldn't make "Test" user equivalent to "Bob." Maybe it is an OS X bug? Any explanations?
 

kranzel

Explorer
Joined
Jul 21, 2011
Messages
71
I agree. If I had to guess, and this is only a guess, Mac OS X seems to connect using some sort of default access called NFS. I suspect that when I logged into one account and mapped with user NFS it carried the permissions to any user who used the NFS account.

By wiping the keychain, it removed these creds and forced new authentication.

Again, this is only a guess on my part.

Sorry for the late response.
 