NOOB Needing Help with NFS Share Permissions

kagbasi-wgsdac

Good-day Folks,

I could use some help with NFS Share permissions. Been going at this all night and I'm not making any headway; any help is greatly appreciated.

I'm testing TrueNAS-SCALE-22.12.3.1 in a virtualized environment and I have a rather simple setup. I'm running a single-node XCP-ng version 8.2.1 as my hypervisor on an HP ProLiant DL360p Gen8 server with the following specs, using a single ZFS Dataset:
  • Processor: Intel(R) Xeon(R) CPU E5-2640 0 @ 2.50GHz
  • Processor Count: 2 (6 cores each)
  • Memory: 768 GB (with ECC)
  • RAM Allocated to TrueNAS VM: 16 GB
  • vCPUs Allocated to TrueNAS VM: 2
  • Virtual Disk Type: Local (ext4 I believe)
  • Virtual Disk Count: 4
  • Virtual Disk Capacity: 100GB each
  • Virtual Disk Provisioning: Thin
The Problem:
I can successfully mount the NFS Share from a Linux client (Debian 12, both manually and using AutoFS); however, when I attempt to change into the directory or run the "ls" command against it, I get "Permission denied" (see screenshot below). The client is bound to my Active Directory domain and I'm seeing this issue while logged in with the local root account and with a domain account. TrueNAS is bound to the same Active Directory domain.

Snap 2023-07-05 at 05.21.34.png


I have not applied any settings in the ADVANCED OPTIONS for the NFS Share (as confirmed by the exports below) - although, I'd experimented with different combinations of Maproot User, Maproot Group, Mapall User, and Mapall Group - all of which didn't alleviate my permission denied problem:

Snap 2023-07-05 at 05.24.11.png


On the ZFS Dataset itself, I initially had permissions set to root as both Owner and Group. However, as part of my troubleshooting attempts, I changed Owner to the Service Account I'd created in Active Directory and set the Group to Domain Users.

Snap 2023-07-05 at 05.06.31.png


Finally, I initially had the NFS Share configured as version 3 (which is the default - I believe). However, I changed it to version 4 and set -fstype=nfs4 in my AutoFS configuration. Since the NFS Share is being mounted successfully, I don't think this is a contributing factor to the permission denied situation.

I'm willing to share more screenshots and/or outputs of my configuration as needed. Thank you.
 

kagbasi-wgsdac

Quick update,

I managed to gain access to the NFS Share by setting the ADVANCED OPTIONS "Mapall User" = Root and "Mapall Group" = Root. However, as the screenshot below reveals, any subsequent files created show Root as both Owner and Group - and this isn't ideal in production.

Snap 2023-07-05 at 06.24.18.png


I'm sure there's a way to ensure that users who create files and folders inside the NFS Share take on the Ownership while not altering the Group, without having to rely on the users to change the permissions manually each time.
 

kagbasi-wgsdac

Another update:

I reduced the security concern created by my previous attempt and instead of using Mapall User and Mapall Group, I switched to Maproot User and Maproot Group instead and set both to Root. The thought was that this would prevent unknown users from mounting the NFS Share but allow root, on the client OS, to successfully mount. Then I could set the group sticky bit.

The first part of my plan worked, but the second part isn't working, because the OS is rejecting my attempt to set the sticky bit. I'm getting "Operation not permitted" (see screenshot below):

Snap 2023-07-07 at 05.39.42.png


Gonna keep chugging along, hopefully someone can lend a hand soon and point me in the right direction.
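
The Mapall/Maproot behaviour described in the three posts above, as a simplified model added here (not code from the thread or from TrueNAS). It assumes numeric ids are passed through as with AUTH_SYS and that an export with neither option set squashes client root to the anonymous id 65534; the uid/gid values, the directory mode and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

NOBODY = 65534  # conventional anonymous uid/gid on Linux NFS servers

@dataclass(frozen=True)
class Export:
    # Hypothetical stand-ins for the share's Mapall / Maproot settings,
    # given as numeric (uid, gid); None means the option is unset.
    mapall: Optional[Tuple[int, int]] = None
    maproot: Optional[Tuple[int, int]] = None

def server_identity(export: Export, uid: int, gid: int) -> Tuple[int, int]:
    """Return the (uid, gid) the server acts as for a client request."""
    if export.mapall is not None:      # every client user is remapped
        return export.mapall
    if uid == 0:                       # only client root is remapped
        return export.maproot if export.maproot is not None else (NOBODY, NOBODY)
    return uid, gid                    # other users pass through unchanged

def can_traverse(mode: int, owner: int, group: int, uid: int, gid: int) -> bool:
    """POSIX search-bit check needed to cd into a directory (primary gid only)."""
    if uid == 0:
        return True                    # root bypasses the mode bits
    if uid == owner:
        return bool(mode & 0o100)
    if gid == group:
        return bool(mode & 0o010)
    return bool(mode & 0o001)

def new_file_owner(export: Export, uid: int, gid: int,
                   dir_group: int, dir_mode: int) -> Tuple[int, int]:
    """Owner and group of a file this client user creates in the directory."""
    s_uid, s_gid = server_identity(export, uid, gid)
    # With setgid (0o2000) on the directory, new files inherit its group.
    return s_uid, (dir_group if dir_mode & 0o2000 else s_gid)

if __name__ == "__main__":
    # Constructed ids: 10001/10513 stand for a domain user and its group.
    exports = [("unset", Export()), ("mapall=root", Export(mapall=(0, 0))),
               ("maproot=root", Export(maproot=(0, 0)))]
    for label, exp in exports:
        for who, (u, g) in [("root", (0, 0)), ("user", (10001, 10513))]:
            ident = server_identity(exp, u, g)
            print(label, who, "acts as", ident,
                  "cd into root:root 0770:", can_traverse(0o770, 0, 0, *ident),
                  "new file in setgid dir:", new_file_owner(exp, u, g, 10513, 0o2770))
```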
 

Patrick M. Hausen

If you are trying to set the setgid bit on the NAS as I read from your screenshot, the error is probably due to the dataset being exported and mounted by a client. Try to unmount on the client, shut down NFS on the NAS, then try again.
 
Joined
Jul 3, 2015
Messages
926
Can you mkdir and change permissions on that?
 

kagbasi-wgsdac

> If you are trying to set the setgid bit on the NAS as I read from your screenshot, the error is probably due to the dataset being exported and mounted by a client. Try to unmount on the client, shut down NFS on the NAS, then try again.

I tried your suggestion and it didn't work. Here's what I did:
  1. I shut down the AutoFS service on the client and verified with df -h that the share was unmounted, then I shut down the client VM.
  2. I then went to TrueNAS and turned off the NFS Service and turned it back on.
  3. From the TrueNAS CLI - with the client VM still powered off - I tried the setgid command again and still got the same error as above - "Operation not permitted"
  4. I then powered up the client VM, logged in with both domain account and local root, cd into the share and confirmed with df -h that AutoFS had automounted the share successfully.
  5. I tried the setgid command from the client, and it resulted in the same error - "Operation not permitted".
Thanks for the suggestion though.
 

kagbasi-wgsdac

> Can you mkdir and change permissions on that?

From both the client and the TrueNAS (as root) I was able to mkdir inside the share, but still unable to set the gid bit. See screenshots below:

On the Client VM
Snap 2023-07-07 at 10.05.00.png


On TrueNAS
Snap 2023-07-07 at 09.53.38.png


One thing I did notice is that the group ID isn't resolving to the name on the client (even though it's joined to the domain). May be related, but not sure at the moment. Have to run to a meeting, but welcome any additional inputs from you.
 