
Abstract:

I am using all_squash, anonuid=3001 and anongid=3001 on my NFS export, but am only able to access files and folders belonging to both the user 3001 and the group 3001. For folders belonging to the same group, but different users, I am getting permission denied errors on the client. When trying to access the same files and folders as user 3001 on the server, I am not getting any errors.

To my understanding, I shouldn't have trouble accessing those files and folders. What could be the reason for it to fail anyway? Is there a solution besides setting everything to 777 with chmod?

EDIT: I believe it comes down to an interference with TrueNAS ACL. When I stripped the ACL off the dataset, I was able to access all files and folders as expected. I will have a look into that myself, but any help would still be appreciated.


Detailed information:

My NFS server is TrueNAS Scale ElectricEel-24.10.2.1, which is Debian-based. The export is configured as follows:

# Server NFS Export
"/mnt/nas/test"\
*(sec=sys,rw,anonuid=3001,anongid=3001,all_squash,no_subtree_check)

NFS clients should get squashed into user 3001 and group 3001. Those belong to the following entities on the server:

# Server User and Group 3001
root@truenas[~]# id 3001 
uid=3001(share) gid=3001(share) groups=3001(share),545(builtin_users)
root@truenas[~]# getent group 3001 
share:x:3001:admin,chrolish,libvirt-qemu

I created a test directory with subdirectories all belonging to a different combination of users and groups:

root@truenas[/mnt/nas/test]# ls -l
total 2
drwxrwx--- 2 admin    share 3 Jun 12 15:33 admin-share_testdir
drwxrwx--- 2 chrolish share 3 Mar 18 20:12 chrolish-share_testdir
drwxrwx--- 2 share    share 4 Apr 23 18:20 share-share_testdir
root@truenas[/mnt/nas/test]# ls -ln
total 2
drwxrwx--- 2  950 3001 3 Jun 12 15:33 admin-share_testdir
drwxrwx--- 2 3000 3001 3 Mar 18 20:12 chrolish-share_testdir
drwxrwx--- 2 3001 3001 4 Apr 23 18:20 share-share_testdir

To test permissions on the server side, I switched to user share and checked if access to all directories was permitted as intended.

root@truenas[/mnt/nas/test]# su share
share@truenas:/mnt/nas/test$ ls -l *
admin-share_testdir:
total 0

chrolish-share_testdir:
total 0

share-share_testdir:
total 0

All directories could be accessed by the user share!

Now to the client side. The share could be mounted successfully:

root@firestarter:~# mount -t nfs 192.168.2.10:/mnt/nas/test /mnt/test
root@firestarter:~# ls -l /mnt/test/
insgesamt 2
drwxrwx--- 2  950 3001 2 12. Jun 18:30 admin-share_testdir
drwxrwx--- 2 3000 3001 2 12. Jun 18:30 chrolish-share_testdir
drwxrwx--- 2 3001 3001 2 12. Jun 18:30 share-share_testdir

This also shows that no user or group is present on the client for the id 3001. This shouldn't matter as we use all_squash with anonuid and anongid anyway.

The problem occurs when trying to access any directory which does not match both userid and groupid:

root@firestarter:~# ls -l /mnt/test/*
ls: Öffnen von Verzeichnis '/mnt/test/admin-share_testdir' nicht möglich: Keine Berechtigung
ls: Öffnen von Verzeichnis '/mnt/test/chrolish-share_testdir' nicht möglich: Keine Berechtigung
/mnt/test/share-share_testdir:
insgesamt 0

"Keine Berechtigung" is German for "Permission denied". Why would that be the case? Maybe the NFS options didn't get set correctly?

So I tried creating a folder using the client:

root@firestarter:~# mkdir /mnt/test/created-from-client
root@firestarter:~# ls -l /mnt/test/
insgesamt 2
drwxrwx--- 2  950 3001 2 12. Jun 18:30 admin-share_testdir
drwxrwx--- 2 3000 3001 2 12. Jun 18:30 chrolish-share_testdir
drwxrwx--- 2 3001 3001 2 12. Jun 18:40 created-from-client
drwxrwx--- 2 3001 3001 2 12. Jun 18:30 share-share_testdir

Comparing it with the directory on the server, ownership is set as intended:

share@truenas:/mnt/nas/test$ ls -l
total 2
drwxrwx--- 2 admin    share 2 Jun 12 18:30 admin-share_testdir
drwxrwx--- 2 chrolish share 2 Jun 12 18:30 chrolish-share_testdir
drwxrwx--- 2 share    share 2 Jun 12 18:40 created-from-client
drwxrwx--- 2 share    share 2 Jun 12 18:30 share-share_testdir

Some things I have tried:

  • different combinations of enabling manage-gids and enabling nfs4 and nfs3 via TrueNAS GUI
  • chmod 777 chrolish-share_testdir solved the problem, but now all files and folders would be accessible by other users and groups as well (which I'd like to avoid)
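As an added illustration (not part of the original post, and not TrueNAS or nfsd code): a small Python model of the all_squash mapping from the export line and the classic owner/group/other mode-bit check, run over the `ls -ln` listing quoted in the question. It assumes only mode bits are evaluated (no ACL); the function names are made up for this sketch.

```python
# Added sketch: all_squash credential mapping plus mode-bit check (no ACLs).
# Constructed sample: the server-side `ls -ln` rows quoted in the post.
LISTING = """\
drwxrwx--- 2  950 3001 3 Jun 12 15:33 admin-share_testdir
drwxrwx--- 2 3000 3001 3 Mar 18 20:12 chrolish-share_testdir
drwxrwx--- 2 3001 3001 4 Apr 23 18:20 share-share_testdir
"""
EXPORT_OPTS = "sec=sys,rw,anonuid=3001,anongid=3001,all_squash,no_subtree_check"


def parse_mode(text):
    """Turn 'drwxrwx---' into its nine rwx bits (special bits ignored)."""
    bits = 0
    for ch in text[1:10]:
        bits = (bits << 1) | (ch not in "-ST")
    return bits


def squash(client_uid, client_gid, opts):
    """Return (uid, gid, supplementary groups) after export squashing."""
    o = dict(kv.partition("=")[::2] for kv in opts.split(","))
    if "all_squash" in o:
        # Every caller, root included, becomes anonuid:anongid with no
        # supplementary groups; 65534 is the exports(5) default.
        return int(o.get("anonuid", 65534)), int(o.get("anongid", 65534)), ()
    return client_uid, client_gid, ()  # other squash modes not modelled


def mode_allows(uid, gid, groups, owner, group, mode, want):
    """Owner/group/other check: the first matching class decides."""
    if uid == owner:
        granted = (mode >> 6) & 7
    elif gid == group or group in groups:
        granted = (mode >> 3) & 7
    else:
        granted = mode & 7
    return (granted & want) == want


def evaluate(listing, opts, client_uid=0, client_gid=0, want=0o5):
    """Per directory: may the squashed caller list it (r-x) by mode bits?"""
    uid, gid, groups = squash(client_uid, client_gid, opts)
    out = {}
    for line in listing.splitlines():
        f = line.split()
        out[f[-1]] = mode_allows(uid, gid, groups, int(f[2]), int(f[3]),
                                 parse_mode(f[0]), want)
    return out


if __name__ == "__main__":
    for name, ok in evaluate(LISTING, EXPORT_OPTS).items():
        print(f"{name}: {'allowed' if ok else 'denied'} by mode bits")
```

All three directories come out as allowed for the squashed 3001:3001 credential, so the mode bits alone do not account for the denials seen on the client; that is consistent with the EDIT's observation that access worked once the ACL was stripped from the dataset.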