theGrok Posted May 22, 2017

Hello,

I have been using CIFS shares only up until now. I recently got a Raspberry Pi and wanted to use NFS on one of my shares so that I can mount it on the Pi.

I enabled NFS
I have Export set to YES
I have Security set to PRIVATE
Rule: is left empty

On my Pi I issue the command:

    sudo mount 192.168.x.x:/mnt/user/Media /mnt/nfs

The share mounts no problem. I have, however, not provided any username or password. The share mounts Read Only.

I was under the impression that with security settings set to PRIVATE, only certain users with username/pass would have access to the share. Is this expected behavior that I can still mount read only without that?

Thanks
ken-ji Posted May 23, 2017

NFS does not have a concept of passwords for security. It relies on network ACLs and filesystem ACLs.

Security = Secure makes everything read-only.
Security = Private requires a rule to allow a machine to read and write (cf. the linked post). A rule can also be set to block access.

Finally, the mounting machine will send the accessing userid and groupid to the server, which will then do a regular filesystem ACL check to determine if you can read or write to which files and directories.
theGrok Posted May 23, 2017 (Author)

20 minutes ago, ken-ji said:
> NFS does not have a concept of passwords for security. It relies on network ACLs and filesystem ACLs.
>
> Security = Secure makes everything read-only.
> Security = Private requires a rule to allow a machine to read and write (cf. the linked post). A rule can also be set to block access.
>
> Finally, the mounting machine will send the accessing userid and groupid to the server, which will then do a regular filesystem ACL check to determine if you can read or write to which files and directories.

So if I understand correctly (after reading the linked post), I need to add a rule giving the IP of my machine that I want to have access to the share?
ken-ji Posted May 23, 2017

Well, by default the shares are still mountable; they will just be read-only shares. The rules will allow you to grant write access to certain machines.
theGrok Posted May 23, 2017 (Author)

1 minute ago, ken-ji said:
> Well, by default the shares are still mountable; they will just be read-only shares. The rules will allow you to grant write access to certain machines.

Thanks for the help. So I can look in any Linux manual to see the correct syntax for the rules and different options?
ken-ji Posted May 23, 2017

Yes. Typically you will only need rw or ro.
volume Posted October 13, 2018

Thanks for the info! I would like to share more than one IP with an NFS share? My settings are:

    Security: Private
    Rule: 10.0.0.100(sec=sys,rw)

That works for one IP, but how can I put two or more? The below rule unfortunately doesn't work.

    Rule: 10.0.0.100(sec=sys,rw), 10.0.0.101(sec=sys,rw)

Thanks in advance!
ken-ji Posted October 14, 2018

Drop the comma:

    Rule: 10.0.0.100(sec=sys,rw) 10.0.0.101(sec=sys,rw)
piratx Posted January 17, 2020

Maybe I'm a little bit late on this convo. I am using a Mac as my main computer and I need to have access from my Mac to the Unraid share.

I have tried to make a new file /etc/auto_nfs and in there have this:

    /../Volumes/server-nfs -fstype=nfs,noowners,nolockd,noresvport,hard,bg,int,rw,tcp,nfc nfs://eleven.local:/mnt/user/server

and then added the auto_nfs on auto_master like this:

    /- auto_nfs -nobrowse,nosuid

I can see the share just fine but it won't let me make any changes. Is there anything I should fix?

Thanks in advance
John_M Posted January 17, 2020

7 hours ago, piratx said:
> nfs://eleven.local:/mnt/user/server

That doesn't look right as it has two colons. I'd try

    eleven.local:/mnt/user/server

instead.
piratx Posted January 18, 2020

What about the permissions? I can mount it and all well, but when I need to copy, rename, move files I don't have the permissions. I have tried rw etc.
ken-ji Posted January 19, 2020

This is NFS, and your question indicates you are not quite familiar with how it works.

So, in a nutshell, NFS works under the assumption that the underlying POSIX user ids on both the server and the client are matched, so that root is root and a named user, i.e. bob, has uid 1000 on both; similarly for group ids. (There are special rules for root mapping and anonymous user access.)

When a share is mounted on the client, for bob (uid 1000 and gid 100) to be able to read and write on the client, the following must be true: the NFS directory and files are either owned by a user with uid 1000, or gid 100, or the underlying filesystem ACLs allow other uids to read and write.

So, i.e.:

    # ls -al Strike\ the\ Blood
    drwxrws--- 1 nobody users 1228 Sep 18 19:53 ./
    drwxrws--- 1 nobody users 134750 Jan 19 08:02 ../
    drwxrws--- 1 nobody users 648 Aug 5 17:40 BD\ menu/
    -rw-rw---- 1 nobody users 1352685938 Aug 5 17:41 [Beatrice-Raws]\ Strike\ the\ Blood\ OVA\ -\ 01\ [BDRip\ 1920x1080\ HEVC\ FLAC].mkv

In this case, my /etc/exports contains:

    "/mnt/user/Downloads" -async,no_subtree_check,fsid=117 192.168.2.0/24(sec=sys,rw,no_root_squash,insecure) *(sec=sys,ro,insecure,anongid=100,anonuid=99,all_squash)

and my Shares setting is

So this means my NFS client can map the /mnt/user/Downloads directory and do file operations as root, or the nobody user. Other clients in different subnets are all forced to the nobody user, which still has correct access to files. (I've done some changes to my Samba config to force all the access as the nobody user but still require authentication.)

Hope this helps.
nlcjr Posted November 26, 2020

Ken-Ji

Thank you for this, I was struggling to mount "secure or private" NFS shares to my Proxmox storage group. This worked perfectly.
piratx Posted October 18, 2021 (edited)

On 1/19/2020 at 2:10 AM, ken-ji said:
> There are special rules for root mapping and anonymous user access

Even after so many months, thank you for this. Couldn't have imagined it working this way. Was struggling with the username/password idea (like AFP, SMB etc.).

Now I have had my Synology set up with NFS for quite a while and I would say it's a bit faster than the simple SMB. Moving stuff to Unraid though, cause yeah, it's still one of a kind and cannot be compared to others. So many disks inside, so few to think about. Anyways.

This is my setup, any easy way to type that down in rule on Unraid settings?

Thanks in advance
ken-ji Posted October 19, 2021

Haven't used NFS in a while since I don't have NFS clients locally to the Unraid server anymore. But I think it should be like this:

    10.0.0.0/24(sec=sys,rw,async,insecure,no_subtree_check,crossmnt)

There are a few things that depend on your setup.

What's the admin user for you in Unraid? The user that's allowed write access to the shares? Then you'll add something like

    anonuid=99,anongid=100,all_squash

This will "squash" all access to uid = 99, which is the nobody user in Unraid, and group = 100, which is the users group, so you can change the uid to match the "admin" user.

Will the clients be accessing the files as root? Then add "no_root_squash" to allow root to continue access as root.
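Added example, not part of any post in this thread and not Unraid's or nfsd's own code: a small Python check for the rule syntax discussed above (clients separated by spaces, not commas) that also works out which uid/gid the server ends up using for a sec=sys request under root_squash, no_root_squash and all_squash. The client IPs and uids passed to it are constructed, and rule matching is simplified to first match on an IP, a CIDR or `*`.

```python
import ipaddress
import re

# Client list copied from the /etc/exports line quoted earlier in the thread.
THREAD_RULE = ("192.168.2.0/24(sec=sys,rw,no_root_squash,insecure) "
               "*(sec=sys,ro,insecure,anongid=100,anonuid=99,all_squash)")

def parse_rules(rule):
    """Split a client list into (host, options) pairs; clients are space-separated."""
    rules = []
    for token in rule.split():
        m = re.fullmatch(r"([^\s(),]+)\(([^()]*)\)", token)
        if not m:  # e.g. a trailing comma between two clients
            raise ValueError(f"bad client spec {token!r}: use spaces, not commas")
        pairs = (item.partition("=") for item in m.group(2).split(","))
        opts = {key: value or True for key, _, value in pairs}
        rules.append((m.group(1), opts))
    return rules

def effective_access(rules, client_ip, uid, gid):
    """Return (mode, uid, gid) the server applies, or None if no rule matches."""
    # Simplification: first matching rule wins; hostnames/netgroups unsupported.
    ip = ipaddress.ip_address(client_ip)
    for host, opts in rules:
        if host != "*" and ip not in ipaddress.ip_network(host, strict=False):
            continue
        anon_uid = int(opts.get("anonuid", 65534))  # exports(5) default
        anon_gid = int(opts.get("anongid", 65534))
        if "all_squash" in opts:
            uid, gid = anon_uid, anon_gid
        elif "no_root_squash" not in opts:  # root_squash is the default
            uid = anon_uid if uid == 0 else uid
            gid = anon_gid if gid == 0 else gid
        return ("rw" if "rw" in opts else "ro"), uid, gid
    return None

def findings(rules):
    """List rules that trust identities asserted by the client."""
    out = []
    for host, opts in rules:
        if "no_root_squash" in opts:
            out.append(f"{host}: client root is treated as server root")
        if "rw" in opts and "all_squash" not in opts:
            out.append(f"{host}: rw with client-supplied uid/gid")
    return out

if __name__ == "__main__":
    parsed = parse_rules(THREAD_RULE)
    print(effective_access(parsed, "10.9.9.9", 1000, 100), findings(parsed))
```

With sec=sys the uid and gid arrive from the client unauthenticated, so the network part of each rule is the only thing limiting who can claim them.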
piratx Posted October 28, 2021

On 10/19/2021 at 5:47 PM, ken-ji said:
> 10.0.0.0/24(sec=sys,rw,async,insecure,no_subtree_check,crossmnt)

I need the client (my Mac) will have to be admin, rw access etc.

What is strange is that Synology shares work with my options provided on the screenshot above, but Unraid won't like it no matter what I am trying.

On NFS settings the Tunable (fuse_member) is set to 330.

Then on shares, I am going to "eleven", my main share, with settings:

    export: Yes
    security: Private
    rule: 10.0.0.0/24(sec=sys,rw,async,insecure,no_subtree_check,crossmnt,anonuid=99,anongid=100,all_squash)

But with both Finder and the Terminal I cannot mount from Unraid, but as I said Synology works.

Thanks for all the help!
ken-ji Posted October 28, 2021

So I tried to mount it remotely via Terminal.

    /mnt/user/isos <world>(ro,async,wdelay,hide,no_subtree_check,fsid=121,anonuid=99,anongid=100,sec=sys,insecure,root_squash,all_squash)

This is my public share (I can't mount my private shares as they're open only on the LAN and I'm currently away).

I'm not sure if I have actual read access to some of the files, since access is squashed to nobody, but I think that's an issue that can be resolved.

My only Macbook is my employer's and this is the first time I've tried to access Unraid from it. And here's what happened. (Ishikawa is my Macbook, and Unraid is 192.168.2.5 over VPN.)

    Ishikawa:~ kenneth$ mkdir RemoteTest
    Ishikawa:~ kenneth$ mount 192.168.2.5:/mnt/user/isos RemoteTest
    Ishikawa:~ kenneth$ mount
    /dev/disk1s1s1 on / (apfs, sealed, local, read-only, journaled)
    devfs on /dev (devfs, local, nobrowse)
    /dev/disk1s5 on /System/Volumes/VM (apfs, local, noexec, journaled, noatime, nobrowse)
    /dev/disk1s3 on /System/Volumes/Preboot (apfs, local, journaled, nobrowse)
    /dev/disk1s6 on /System/Volumes/Update (apfs, local, journaled, nobrowse)
    /dev/disk1s2 on /System/Volumes/Data (apfs, local, journaled, nobrowse)
    map auto_home on /System/Volumes/Data/home (autofs, automounted, nobrowse)
    192.168.2.5:/mnt/user/isos on /Users/kenneth/RemoteTest (nfs, nodev, nosuid, mounted by kenneth)
    Ishikawa:~ kenneth$ cd RemoteTest/
    /Users/kenneth/RemoteTest
    Ishikawa:RemoteTest kenneth$ ls -l
    total 51486120
    -rwxrwxrwx 1 root wheel 2147483648 Jul 17 21:30 BigSur-install.img
    -rwxrwxrwx 1 root wheel 157286400 Jul 17 21:24 BigSur-opencore.img
    -rw-rw---- 1 kenneth _lpoperator 417333248 Dec 9 2013 CentOS-6.5-x86_64-minimal.iso
    -rw-r--r-- 1 kenneth _lpoperator 950009856 Jun 20 2018 CentOS-7-x86_64-Minimal-1804.iso
    -rw-r--r-- 1 kenneth _lpoperator 519045120 Jun 20 2018 CentOS-7-x86_64-NetInstall-1804.iso
    -rw-rw---- 1 kenneth _lpoperator 7554990080 Mar 28 2020 CentOS-8.1.1911-x86_64-dvd1.iso
    -rw-r--r-- 1 kenneth _lpoperator 4692365312 Apr 12 2018 Win10_1803_English_x64.iso
    -rw-r--r-- 1 root wheel 2368405504 Mar 6 2020 Zorin-OS-15.2-Lite-64-bit.iso
    -rw-r--r-- 1 root _lpoperator 139460608 Jan 29 2021 alpine-standard-3.13.1-x86_64.iso
    -rw-r--r-- 1 root _lpoperator 36700160 Jun 20 2019 alpine-virt-3.10.0-x86_64.iso
    -rw-r--r-- 1 root _lpoperator 42991616 Feb 17 2021 alpine-virt-3.13.2-x86_64.iso
    -rw-rw---- 1 kenneth _lpoperator 3901456384 Sep 13 2019 debian-10.1.0-amd64-DVD-1.iso
    -rw-r--r-- 1 root _lpoperator 351272960 Feb 8 2020 debian-10.3.0-amd64-netinst.iso
    -rw-r--r-- 1 kenneth _lpoperator 657457152 Jun 30 2018 debian-9.4.0-amd64-i386-netinst.iso
    -rw-r--r-- 1 kenneth _lpoperator 305135616 Jun 30 2018 debian-9.4.0-amd64-netinst.iso
    -rw-r--r-- 1 kenneth _lpoperator 116391936 Dec 29 2019 slackware64-current-mini-install.iso
    -rw-r--r-- 1 kenneth _lpoperator 322842624 Aug 16 2018 virtio-win-0.1.160-1.iso
    -rw-r--r-- 1 kenneth _lpoperator 371732480 May 21 2019 virtio-win-0.1.171.iso
    -rw-rw-rw- 1 kenneth _lpoperator 394303488 Jan 19 2020 virtio-win-0.1.173-2.iso
    -rw-r--r-- 1 root wheel 412479488 Jul 21 2020 virtio-win-0.1.185.iso
    drwxrws--- 1 kenneth _lpoperator 4096 Mar 6 2021 virtio-win-0.1.190-1
    -rw-rw-rw- 1 root _lpoperator 501745664 Nov 24 2020 virtio-win-0.1.190-1.iso
piratx Posted November 10, 2021

Thanks for your answer.

I have tried to make my share public and used it the way you showed me. I got No. Prog available and then I deleted my /etc/nfs.conf file and everything worked finally.

Thank you for all your answers!
zAdok Posted January 26

On 1/19/2020 at 11:10 AM, ken-ji said:
> This is NFS, and your question indicates you are not quite familiar with how it works.
>
> So, in a nutshell, NFS works under the assumption that the underlying POSIX user ids on both the server and the client are matched, so that root is root and a named user, i.e. bob, has uid 1000 on both; similarly for group ids. (There are special rules for root mapping and anonymous user access.)
>
> When a share is mounted on the client, for bob (uid 1000 and gid 100) to be able to read and write on the client, the following must be true: the NFS directory and files are either owned by a user with uid 1000, or gid 100, or the underlying filesystem ACLs allow other uids to read and write.
>
> So, i.e.:
>
>     # ls -al Strike\ the\ Blood
>     drwxrws--- 1 nobody users 1228 Sep 18 19:53 ./
>     drwxrws--- 1 nobody users 134750 Jan 19 08:02 ../
>     drwxrws--- 1 nobody users 648 Aug 5 17:40 BD\ menu/
>     -rw-rw---- 1 nobody users 1352685938 Aug 5 17:41 [Beatrice-Raws]\ Strike\ the\ Blood\ OVA\ -\ 01\ [BDRip\ 1920x1080\ HEVC\ FLAC].mkv
>
> In this case, my /etc/exports contains:
>
>     "/mnt/user/Downloads" -async,no_subtree_check,fsid=117 192.168.2.0/24(sec=sys,rw,no_root_squash,insecure) *(sec=sys,ro,insecure,anongid=100,anonuid=99,all_squash)
>
> and my Shares setting is
>
> So this means my NFS client can map the /mnt/user/Downloads directory and do file operations as root, or the nobody user. Other clients in different subnets are all forced to the nobody user, which still has correct access to files. (I've done some changes to my Samba config to force all the access as the nobody user but still require authentication.)
>
> Hope this helps.

Just in case anyone else is struggling to get their Proxmox PBS datastore connected to NFS on Unraid - this post has the info you need. I was specifically getting an "EPERM: Operation not permitted" error when trying to add the datastore. Adding no_root_squash onto the export solved it.