Linux – How to configure permissions for linux NFSv4 client with Synology NAS

linuxnfsUbuntu

I have an established Linux server (Ubuntu 12.04) and a new Synology NAS and am having trouble getting correct NFS user permissions on the mountpoint.

The server also mounts an NFS export from another Ubuntu server without issues, but the UIDs on that NFS server and the client are the same (ranging from 1001 to 1015). In the case of the Synology, UIDs start at 1024.

The following line from /etc/fstab is how Synology and other examples show to configure the mount.

nas:/volume1/Video      /mnt/nas/Video  nfs     nouser,rsize=8192,wsize=8192,atime,auto,rw,dev,exec,suid        0       0

I have configured idmapd.conf as follows:

[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if id differs from FQDN minus hostname
Domain = SYNOLOGY

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Static]
homenas@SYNOLOGY = homenas

At this point when I mount the folder, everything looks correct until I create a file. The file is owned by nobody.nogroup, but I'm still able to make changes to it.

$ id
uid=1002(homenas) gid=1002(homenas) groups=1002(homenas)
$ pwd
/mnt/nas/Video
$ ls -l test
ls: cannot access test: No such file or directory
$ touch test
$ ls -l test
-rw-rw-r-- 1 nobody nogroup 0 Dec 24 15:30 test
$ rm test

How do I correctly mount an NFS share and retain the correct user permissions when the UIDs do not match, and enforce those permissions?

Best Answer

Add nfsvers=3 to /etc/fstab.

nas:/volume1/Video      /mnt/nas/Video  nfs     nfsvers=3,nouser,rsize=8192,wsize=8192,atime,auto,rw,dev,exec,suid        0       0

The problem only occurs with NFS version 4, if you specify that you want NFS version 3, that solves the problem.

Related Solutions

NFS share access – Permission denied

Verify that the directory actually is exported with no_root_squash:

grep git /proc/fs/nfs/exports

Do you have SELinux enabled on client or server? If so, try disabling it (or set the policy to permissive), then restart nfsd and remount the share.

What do your logs (client and server) say about this?

Edit:

Do you see the mounts/exports when you run showmount -a server and showmount -e server on the client?

Do you get ready and waiting responses when running the following three commands on the client?

rpcinfo -T udp server nfs
rpcinfo -T udp server mountd
rpcinfo -T udp server nlockmgr

User ID mapping with NFS on Synology NAS

For NFSv4 ID mapping to work properly, both client and server must be running the idmapd ID Mapper daemon and have the same Domain configured in /etc/idmapd.conf.

This way your NFS Client sends its ID credentials as roger@example.com in the NFS commands on the wire, and your NFS Server idmapper maps that to a user called roger on the NFS Server. The UID and GID don't matter, they are mapped on each system by the idmapper.

However I don't bother with that on my Synology. My Shared Folder has the following permissions:

Permissions
- Local Users
  - Admin = read/write
NFS Permissions
- Squash
  - Map all users to admin

This results in anonuid=1024,anongid=100 (the admin user and users group) being added to the export in /etc/exports on the NAS.

My NFS Client (which doesn't have the ID Mapper running) sends my NFS commands as my user (1000:1000) and because that UID and GID don't exist on the NAS, it translates my UID and GID to 1024:100 so I am treated as the Admin user who has full permission.

This is a terribly unprofessional and insecure use of NFS for a business environment, but just for me to access my files at home it is an abuse of NFS behaviour which is acceptable to me.

Another option is to make roger's UID and GID the same on the NFS Client and NAS, then you can use NFSv4 without ID Mapping, or you could then use NFSv3 which relies only on UID and GID.

Best Answer

Related Solutions

NFS share access – Permission denied

User ID mapping with NFS on Synology NAS

Related Question