[NFS + LDAP] Group permissions not working

[gabriel-milan]

Hi, I'm new to FreeNAS and so I'm testing it on VMs before doing anything else. My setup looks like this:

== LDAP VM
OS: Debian Buster
Software: OpenLDAP (followed this tutorial)

== Storage VM
OS: FreeNAS 11.3-U3.2
Steps:
* Open Directory Services > LDAP and set Hostname, Base DN, Bind DN and Bind password correctly. Set Enable to true.
* Create pool using secondary Virtual Disk called "Pool01"
* Create dataset inside this pool called "ds1"
* Open Sharing/Unix Shares (NFS) and add/mnt/Pool01/ds1
* Go back to the "ds1" and edit permissions: Owner User becomes "cluster", which is a valid user on LDAP, Owner Group becomes "cluster", which is also a valid group on my LDAP server
* Even with "Apply Group" and "Apply User" options enabled, it passes. It means that they exist.

When I mount this share on "/storage" it goes well, but I can't write into the directory, even being on the "cluster" group. If I ser the Owner User of "ds1" to "c01", which is another user I've created, only "c01" is able to manage the directory successfully.

Why can't group stuff work?

 

[gabriel-milan]

Note: I just want FreeNAS to provide the NFS share. Permissions and stuff should be managed through LDAP. Is it possible?

 

[Fredda]

Managing stuff through LDAP is possible. I'm not sure if I understand your configuration correctly and there is also some information missing.
* Is the LDAP working correctly? Please check with from the FreeNAS shell with getent passwd ds1 and getent group cluster.
* How did you configure your unix share? Could you post your /etc/exports file? Please use [code][/code] tags
* Do you use nfs or nfsv4?

 

[gabriel-milan]

Hi, thanks for the reply.

I'm sorry if anything is missing, I do not understand quite well how FreeNAS works. But anyway:

Is the LDAP working correctly? Please check with from the FreeNAS shell with "getent passwd ds1" and "getent group cluster"

The "getent passwd ds1" command gives me no text output, but when I do "echo $?" I get code 2, which means it's probably not OK.
The "getent group cluster" command gives me "cluster:*:3000:user", which I honestly don't know what it means.

How did you configure your unix share? Could you post your /etc/exports file? Please use tags

My /etc/exports file looks like this:

Code:

/mnt/Pool01/ds1 -alldirs

Do you use nfs or nfsv4?

Currently the "Enable NFSv4" option is not checked, because it was giving me some weird group and user IDs, but I've tried enabling it. I have disabled mostly because I've read in some other post here that it didn't work.

 

[gabriel-milan]

I think that maybe there was a typo in "getent passwd ds1" and it should be something like "getent passwd c01", which is the user I've mentioned. If that's the case, the output is:

Code:

c01:*:10000:10000:Cluster User 01:/home/c01:

 

[gabriel-milan]

Okay, I've figured it out. It wasn't FreeNAS stuff.

On my LDAP server, I had two "cluster" groups with different GIDs and this was messing everything up. In order to test it, I've created a group called "storage" and added both c01 and c02 users to it. Changed "ds1" owner group to "storage" and everything worked as expected. Thank you so much!

 

[Samuel Tai]

That's the problem. c01 doesn't appear to be a member of the cluster group.

 

[Fredda]

The "getent passwd ds1" command gives me no text output, but when I do "echo $?" I get code 2, which means it's probably not OK.
The "getent group cluster" command gives me "cluster:*:3000:user", which I honestly don't know what it means.

OK I misread it, ds1 is probably not a valid user, the command is get passwd <user>, where user is a valid username.
So it looks like LDAP is working. The group command means only user "user" is in the group cluster.
You should make yourself familiar with these commands, when you are running LDAP server.

Your exports looks good.

 

[gabriel-milan]

Okay, so I've managed to do that and now I'm facing another issue.

I've posted it also on StackOverflow in order to reach more people. I'd be glad if anyone could help me:

Creating files inside NFS shares gives some weird permissions

I have a FreeNAS instance on a VM, connected to my LDAP server, that has a single Pool, called Pool01. This pool has two datasets: home and storage. Both of these datasets have the same ACL configu...

stackoverflow.com