Need some help with setting up NFS4

DD4711

Contributor
Joined
Nov 19, 2018
Messages
102
Hello @ all,

I'm currently testing FreeNAS as an alternative to my Synology NAS. Currently I'm trying to get NFS ready for my home network. I basically understand how NFS works but I have problems understanding NFS 4 permissions. Maybe someone can help me with that.

I need NFS for rancher equipped with plex, dokuwiki and some caldav/carddav server. Some of these folders are also used by network users. My whole network is Linux Mint based besides one damn Windows client. So NFS should be the best choice for file sharing.

In FreeNAS I created a pool storage with a dataset nfs, beneath that some more datasets like music, video, dokuwiki and so on.

My users have same ID/name/password on FreeNAS and the Mint computers and are all in the "user" group on FreeNAS.

One NFS share /mnt/Storage/nfs is created, all dirs are mountable.
Dataset nfs is configured as follows:
- Apply user: root
- Apply group: user
- r/w/e allowed for Owner and Group

OK, now I mount the nfs share on Mint within fstab:
servername:/mnt/Storage/nfs /mnt/nfs nfs nfsvers=4,rw 0 0

If I browse to the mount point on my Mint computer and try to select nfs I am asked for a password.

And now my questions:

I want to share different folders to different network users, some are used together, some are only r/w for specified users.
-> why am I asked for a password (see above)? Is Mint trying to connect with the local account? If yes, it should work because of same name/ID/password. It would be best to authenticate like in SMB: only allowed users are able to read and write specified shares from FreeNAS nfs.

Where can I enter credentials in fstab for nfs share?

Do I need to set up security in the NFS share? krb5, krb5i or krb5p to get my plan working?

Thank you very much for your help and tips :)
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
A couple of quick comments:

1. Test with manual mount as root at the CLI on Mint before editing your fstab file: e.g. mount -v -t nfs4 servername:/mnt/Storage/nfs /mnt/nfs

2. You should not be asked for a password. Perhaps you have not correctly set up the nfs share on FreeNAS, or the Mint file manager somehow thinks you are trying to access a smb share. Post the output of cat /etc/exports at root CLI on FreeNAS.

3. Be clear about the distinction between "authentication" and "authorisation". The first is about ensuring the client attempting to access data on FreeNAS is who they say they are. Setting up kerberos is a non-trivial exercise and is probably not essential for what you want to do. Without kerberos, NFS4 simply authenticates by the client's IP address. An "authenticated" client may still not have the permission to perform actions. This is going to be standard file perms as a starting point (dataset owner/group & nfs share mapping), and the next layer is the use of ACLs which is another non-trivial topic. The special permission set group id - sgid - can be of some help when a group of users need to access a common share.
 

DD4711

Hello KrisBee,

thanks first for your help and explanation!

I tried to mount the nfs share at the CLI with your suggested command. I am also asked for a password.

cat /etc/exports reports:
V4: / -sec=sys
/mnt/Storage/nfs -alldirs -mapall="nobody":"nobody"

What I search for is an access to a folder with user/password configured on FreeNAS. This is the way SMB works as I understand. But NFS is quite different. I don't understand the access control by NFS4. I can restrict access to a folder by IP (not really good security). Documents on the NFS share have an owner, this is based on UIDs if I understand aright. On the client someone can also edit UIDs so this is also no good security. I have to deal with ACLs so I understand the next layer of security. This is what I'm searching for if I understand aright.
 

DD4711

In Mint Explorer I can browse to network, there I can find the server freenas, when I double click it I have to enter username AND password. I enter a user/password from FreeNAS. Then the FreeNAS system is presented and I can browse to mnt/storage/nfs. I can go to e.g. music and am able to create folders and files. This is somewhat what I am searching for: enter credentials and do what is allowed with this account on FreeNAS.
 

KrisBee

The new forum design isn't showing our different time zones, so this conversation is going to be disjointed.

Problem 1. Why are you being asked for a password when trying to mount an NFS share? Please post the output of your mount command which should be done at CLI as root in linux.

Problem 2. Your scheme of a shared dataset with root/user as the owner/group and a nfs share definition which maps to "nobody:nobody" cannot work. Once the share is mounted, any linux user is being turned into "nobody:nobody" and will not have any permissions on your shared dataset.

At least read the relevant sections of the user guide ( 11.2.1 and 11.2.2 at https://www.ixsystems.com/documentation/freenas/11.2/sharing.html#unix-nfs-shares ). Access by user/password for NFS4 does not exist in a simple setup.

Problem 3. If you changed the owner/group of the NFS share to "nobody:nobody" , you have no audit trail, no way to distinguish who did what and when. Everything will appear to have been done by "nobody:nobody", regardless of who actually accessed/altered/created the data.

Problem 4. Placing all data to be shared in folders in a single dataset gives no fine control over user access. Think about placing those different folders in separate datasets.

Without Kerberos NFS4 is insecure, what is acceptable on a home network may not be in a work/commercial environment. Are you trying to set up NFS in a work or home environment?

P.S. You said "root/user" as "owner/group" of shared dataset, did you mean "root/users"? As it is "users" (typically gid 100) which is an in-built group in linux.
 
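Added example, not part of any post in this thread: a small Python model of the credential mapping described in Problems 2 and 3 above, assuming sec=sys, plain mode bits with no ACLs, and non-root client users. The uid/gid numbers and the names Dataset, server_cred, allowed and thread_cases are constructed for illustration.

```python
# Added example: how -mapall and mode bits decide access under sec=sys.
# All uids, gids and modes are constructed sample values.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

Cred = Tuple[int, FrozenSet[int]]             # (uid, gids)
NOBODY: Cred = (65534, frozenset({65534}))    # assumed ids for nobody:nobody
GID_USER = 1001                               # assumed gid of the "user" group
USER1: Cred = (1000, frozenset({GID_USER}))   # a Mint user in group "user"
GUEST: Cred = (1002, frozenset({1002}))       # a client user outside the group


@dataclass(frozen=True)
class Dataset:
    owner: int
    group: int
    mode: int                                 # classic bits, e.g. 0o770


def server_cred(mapall: Optional[Cred], client: Cred) -> Cred:
    """Credential the server acts as for a non-root client user."""
    # With -mapall the ids sent by the client are discarded; without it,
    # sec=sys uses them exactly as the client sent them.
    return mapall if mapall is not None else client


def allowed(ds: Dataset, mapall: Optional[Cred], client: Cred, want: int) -> bool:
    """want is a bit mask: 4 = read, 2 = write, 1 = execute/search."""
    uid, gids = server_cred(mapall, client)
    if uid == ds.owner:
        bits = ds.mode >> 6                   # owner class
    elif ds.group in gids:
        bits = ds.mode >> 3                   # group class
    else:
        bits = ds.mode                        # other class
    return (bits & 7 & want) == want


def thread_cases() -> dict:
    rwx = 7
    return {
        "root:user 770, mapall=nobody": allowed(Dataset(0, GID_USER, 0o770), NOBODY, USER1, rwx),
        "root:user 777, mapall=nobody": allowed(Dataset(0, GID_USER, 0o777), NOBODY, USER1, rwx),
        "root:user 770, no mapall, member": allowed(Dataset(0, GID_USER, 0o770), None, USER1, rwx),
        "root:user 770, no mapall, non-member": allowed(Dataset(0, GID_USER, 0o770), None, GUEST, rwx),
        "nobody:nobody 770, mapall=nobody": allowed(Dataset(65534, 65534, 0o770), NOBODY, GUEST, rwx),
    }


if __name__ == "__main__":
    for case, ok in thread_cases().items():
        print(f"{case:40} -> {'allowed' if ok else 'denied'}")
```

In the last case every client user is allowed, but the server sees all of them as the same nobody credential, which is the loss of per-user distinction raised in Problem 3.
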

DD4711

Hello KrisBee,

I edited the permissions for nfs share to: R/W/E allowed for owner, group AND other. When I do that I can access the NFS share without the need to enter a password. When I remove R/W/E for other I am again asked for a password. So there's something like a user auth?!

This is the nfs share config:
nfs share config.png


These are my permissions on the dataset nfs and all folders beneath:
nfs dataset permissions.png


This is my command for mounting the NFS share:
sudo mount -t nfs4 freenas:/mnt/Storage/nfs /mnt/nfs

This is what it looks like:
nfs password.png


Problem 4: Yes I wanted to create one dataset per share. But in rancherOS I am only able to configure one NFS share. E.g. Plex needs music, video and photo shares which therefore need to be beneath one NFS share, in my example "nfs". Currently I am in testing, so thank you for the hint.

I do it for my home network. There's basically no need for any data security on my network BUT if someone steals my NAS he can easily access shared data because of missing security. And I want to learn about NFS ;) So Kerberos could be the right way?!

I read the doc about NFS. About nobody I read in 11.2.1, that's why I did it:

"By default, the Mapall fields are not set. This means that when a user connects to the NFS share, the user has the permissions associated with their user account. This is a security risk if a user is able to connect as root as they will have complete access to the share."
I forgot to apply user/group to nobody what I now corrected (see screenshot above).

Now I am able to mount dataset nfs but all the folders beneath still want to have a password in Linux Mint browser (although "Apply permissions recursively" is checked while editing nfs-dataset). It is strange, on the one hand NFS4 has nothing to do with user/password authentication, on the other hand I am told to enter a password, without username... And in permissions on the dataset I can also set user/groups for r/w/e permit.

It is somewhat strange and still not logical to me, especially the user auth context :rolleyes:
 

DD4711

Just to clarify my needs:

I have two users on two Mint machines:
  • user1
  • user2
They need shares on the nas:
  • share1 rw for user1
  • share2 rw for user2
  • share3 rw for both users
  • share4 rw for both users and r for plex on freenas
No one else is able to rw or see all shares.

This should be a pretty simple config and current config used by nearly all freenas installations?!
 

KrisBee

This is my command for mounting the NFS share:
sudo mount -t nfs4 freenas:/mnt/Storage/nfs /mnt/nfs

But what is the output of this command once you've entered your root password?
 

KrisBee

There's absolutely no output

You didn't include the "-v" flag in your command. So how do you know if the command succeeded or failed? Did you check to see what was mounted with a simple mount command as root at the CLI? Are you sure the file manager prompt is not just a prompt for the Mint password that allows root access on the local machine? Have you installed nfs-common on your Mint machines?

File managers in typical Linux desktop distros are often able to browse any windows shares out of the box, but are not necessarily pre-configured for nfs access.
 

DD4711

Ooops :rolleyes:

OK, here we go:
sudo mount -v -t nfs4 freenas:/mnt/Storage/nfs /mnt/nfs

mount.nfs4: timeout set for Sun Dec 9 17:21:00 2018
mount.nfs4: trying text-based options 'vers=4.2,addr=192.168.1.201,clientaddr=192.168.1.154'
mount.nfs4: mount(2): Protocol not supported
mount.nfs4: trying text-based options 'vers=4.1,addr=192.168.1.201,clientaddr=192.168.1.154'

nfs-common I did not install but it is installed.

The file manager prompt comes up only when trying to open a file beneath nfs.
 

KrisBee

OK, the mount command looks to have succeeded. By the way, in the nfs service setup on FreeNAS did you tick both "nfs4" and the "NFSv3 ownership model for NFSv4" options?

I don't know what's going on with nemo, I don't have a Mint iso to hand. If for example the shared dataset has "root:users" as its "owner:group", then if you mounted at simply /mnt then a ls -l command should show that the owner:group of the mountpoint /mnt has changed to "root:users". Hence, if your local Mint non-root account's primary group was "users", you should be able to access this via your file manager.

In your case, check you can access the mounted share in the /mnt/nfs directory as a normal user at the CLI in Mint.

Returning to your #7 above. I assume you ensured that your Mint users have unique user and group ids, and were not simply allocated the first non-root user id/gid at install time on the two Mint machines.

Your share requirements 1 to 3 can be met by just picking the appropriate combination of dataset "owner:group", perms and share mappings.

Your last listed requirement might need some additional thought: share4 rw for both users and r for plex on freenas

You need to consider the owner:group etc. of datasets shared for internal use by rancher/docker as well as your Mint users. For example does rancher require root access? Do any of your docker apps need to run with a specific uid/gid combo?
 

DD4711

NFS4 is ticked, "NFSv3 ownership model for NFSv4" is not ticked.

My user on Mint is identical with name and id to user on Freenas. Groups are not identical.

I will have a look on your latest hints. Thanks again for your help :)

By the way: I tested the performance NFS vs. SMB and NFS was really bad :( I opened another thread for this problem.
 