Private NFS share mounts without user/pass



Hello,

 

I have been using CIFS shares only up until now. I recently got a Raspberry Pi and wanted to use NFS on one of my shares so that I can mount it on the Pi.

I enabled NFS

 

I have Export set to YES

I have Security set to PRIVATE

Rule: is left empty

 

on my pi I issue the command:

sudo mount 192.168.x.x:/mnt/user/Media /mnt/nfs

 

The share mounts no problem. I have however, not provided any username or password. The share mounts Read Only.

 

I was under the impression that with security settings set to PRIVATE, only certain users with username/pass would have access to the share. Is this expected behavior that I can still mount read only without that?

 

Thanks


NFS does not have a concept of passwords for security. It relies on network ACLs and filesystem ACLs.

Security = Secure makes everything read-only.

Security = Private requires a rule to allow a machine to read and write (cf. the linked post). A rule can also be set to block access.

 

Finally the mounting machine will send the accessing userid and groupid to the server, which will then do a regular filesystem ACL check to determine if you can read or write to which files and directories.

 

20 minutes ago, ken-ji said:

NFS does not have a concept of passwords for security. It relies on network ACLs and filesystem ACLs.

Security = Secure makes everything read-only.

Security = Private requires a rule to allow a machine to read and write (cf. the linked post). A rule can also be set to block access.

 

Finally the mounting machine will send the accessing userid and groupid to the server, which will then do a regular filesystem ACL check to determine if you can read or write to which files and directories.

 

So if I understand correctly (after reading the linked post), I need to add a rule giving the IP of the machine that I want to have access to the share?

1 minute ago, ken-ji said:

Well, by default the shares are still mountable; they will just be read-only shares.

The rules will allow you to grant write access to certain machines.

Thanks for the help. So I can look in any linux manual to see the correct syntax for the rules and different options?

  • 1 year later...

Thanks for the info!

 

I would like to share with more than one IP on an NFS share.

 

my settings are:

 

Security: Private

Rule: 10.0.0.100(sec=sys,rw)

That works for one IP, but how can I put two or more?

 

The rule below unfortunately doesn't work.

Rule: 10.0.0.100(sec=sys,rw), 10.0.0.101(sec=sys,rw)

 

thanks in advance!

  • 1 year later...

Maybe I'm a little bit late on this convo. I am using a Mac as my main computer and I need to have access from my Mac to the Unraid share. I have tried to:

 

make a new file /etc/auto_nfs and in there have this:

  /../Volumes/server-nfs  -fstype=nfs,noowners,nolockd,noresvport,hard,bg,int,rw,tcp,nfc nfs://eleven.local:/mnt/user/server

 

and then add auto_nfs to auto_master like this:

/-  auto_nfs  -nobrowse,nosuid

 

I can see the share just fine but it won't let me make any changes. Is there anything I should fix?

Thanks in advance


This is NFS, and your question indicates you are not quite familiar with how it works. So, in a nutshell:

NFS works under the assumption that the underlying POSIX user ids on both the server and the client are matched, so that root is root and a named user, e.g. bob, has uid 1000 on both; similarly for group ids. (There are special rules for root mapping and anonymous user access.)

When a share is mounted on the client, for bob (uid 1000 and gid 100) to be able to read and write on the client, the following must be true:

the NFS directory and files are either owned by a user with uid 1000, or by gid 100, or the underlying filesystem ACLs allow other uids to read and write.

 

So, for example:

# ls -al Strike\ the\ Blood
drwxrws--- 1 nobody users       1228 Sep 18 19:53 ./
drwxrws--- 1 nobody users     134750 Jan 19 08:02 ../
drwxrws--- 1 nobody users        648 Aug  5 17:40 BD\ menu/
-rw-rw---- 1 nobody users 1352685938 Aug  5 17:41 [Beatrice-Raws]\ Strike\ the\ Blood\ OVA\ -\ 01\ [BDRip\ 1920x1080\ HEVC\ FLAC].mkv

In this case, my /etc/exports contains:

"/mnt/user/Downloads" -async,no_subtree_check,fsid=117 192.168.2.0/24(sec=sys,rw,no_root_squash,insecure) *(sec=sys,ro,insecure,anongid=100,anonuid=99,all_squash)

and my Shares setting is

[screenshot of the share's NFS settings]

 

So this means my NFS client can map the /mnt/user/Downloads directory and do file operations as root, or as the nobody user. Other clients in different subnets are all forced to the nobody user, which still has correct access to files. (I've done some changes to my Samba config to force all the access as the nobody user but still require authentication.)

 

Hope this helps.

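The uid/gid matching and squash rules ken-ji describes above, as an added Python model that is not part of the thread and not Unraid's or the NFS server's code: it applies root_squash / no_root_squash / all_squash with anonuid and anongid to the credential a sec=sys client sends, then runs the ordinary POSIX mode check against the `drwxrws--- nobody users` directory from the listing. The uid 99 / gid 100 values for nobody and users are the Unraid convention stated in the thread; 65534 is the exports(5) default when no anonuid/anongid is given. Function and scenario names are my own.

```python
# Added model (not from the thread) of how an NFS server decides a sec=sys
# request: squash the uid/gid the client sent, then do a POSIX mode check.
from dataclasses import dataclass

NOBODY_UID, USERS_GID = 99, 100      # Unraid's nobody/users, as stated in the thread
LINUX_ANON = 65534                   # exports(5) default anonuid/anongid when none is given


@dataclass(frozen=True)
class Cred:
    """Credential the client puts in the AUTH_SYS (sec=sys) request."""
    uid: int
    gid: int
    groups: frozenset = frozenset()  # supplementary gids


@dataclass(frozen=True)
class Inode:
    """Owner, group and permission bits of a file or directory on the server."""
    uid: int
    gid: int
    mode: int                        # e.g. 0o2770 for drwxrws---


def parse_options(opts: str) -> dict:
    """'sec=sys,rw,anonuid=99' -> {'sec': 'sys', 'rw': True, 'anonuid': '99'}."""
    out = {}
    for item in opts.split(','):
        item = item.strip()
        if item:
            key, _, val = item.partition('=')
            out[key] = val or True
    return out


def squash(cred: Cred, opts: dict) -> Cred:
    """Apply the export's identity mapping. root_squash is the default."""
    anon = Cred(int(opts.get('anonuid', LINUX_ANON)), int(opts.get('anongid', LINUX_ANON)))
    if opts.get('all_squash'):
        return anon                  # every client identity becomes anon
    if cred.uid == 0 and not opts.get('no_root_squash'):
        return anon                  # client root becomes anon
    return cred                      # identity passed through unchanged


def mode_allows(cred: Cred, node: Inode, want: str) -> bool:
    """Ordinary POSIX check: owner, group or other bits for r/w/x."""
    bit = {'r': 4, 'w': 2, 'x': 1}[want]
    if cred.uid == 0:
        return True                  # unsquashed root overrides mode bits
    if cred.uid == node.uid:
        shift = 6
    elif cred.gid == node.gid or node.gid in cred.groups:
        shift = 3
    else:
        shift = 0
    return bool((node.mode >> shift) & bit)


def nfs_allows(cred: Cred, export_opts: str, node: Inode, want: str) -> bool:
    """Combine export-level ro/rw with the squashed credential's mode check."""
    opts = parse_options(export_opts)
    if want == 'w' and not opts.get('rw'):
        return False                 # export is ro unless rw is given
    return mode_allows(squash(cred, opts), node, want)


# The directory from ken-ji's listing: drwxrws--- nobody users
STRIKE_DIR = Inode(uid=NOBODY_UID, gid=USERS_GID, mode=0o2770)


def scenarios() -> dict:
    """Outcomes for the cases discussed in the thread (constructed client credentials)."""
    bob = Cred(1000, 1000)                               # client user not in group 100
    bob_in_users = Cred(1000, 1000, frozenset({USERS_GID}))
    root = Cred(0, 0)
    return {
        'bob write, identity passed through': nfs_allows(bob, 'sec=sys,rw', STRIKE_DIR, 'w'),
        'bob read, member of users group': nfs_allows(bob_in_users, 'sec=sys,rw', STRIKE_DIR, 'r'),
        'bob write, all_squash to nobody': nfs_allows(
            bob, 'sec=sys,rw,anonuid=99,anongid=100,all_squash', STRIKE_DIR, 'w'),
        'root write, default root_squash': nfs_allows(root, 'sec=sys,rw', STRIKE_DIR, 'w'),
        'root write, no_root_squash': nfs_allows(root, 'sec=sys,rw,no_root_squash', STRIKE_DIR, 'w'),
        'root write, ro export': nfs_allows(root, 'sec=sys,ro,no_root_squash', STRIKE_DIR, 'w'),
    }


if __name__ == '__main__':
    for name, ok in scenarios().items():
        print(f"{name:40s} {'allowed' if ok else 'denied'}")
```

The "root write, default root_squash" case is the one behind the Proxmox EPERM report later in the thread: a client acting as root is mapped to the anonymous uid, which owns nothing under that directory, so the server refuses the write until no_root_squash is added (or the files are made writable to the squashed identity).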
  • 10 months later...
On 1/19/2020 at 2:10 AM, ken-ji said:

There are special rules for root mapping and anonymous user access

Even, after so many months thank you for this.

Couldn't have imagined it working this way. Was struggling with the username/password idea (like AFP, SMB etc.).

Now I have had my Synology set up with NFS for quite a while and I would say it's a bit faster than simple SMB.

 

Moving stuff to Unraid though, 'cause yeah, it's still one of a kind and cannot be compared to others. So many disks inside, so few to think about. Anyway. This is my setup; any easy way to type that down in the rule on Unraid settings?

 

Thanks in advance

 

[screenshot of the Synology NFS rule]


Haven't used NFS in a while since I don't have NFS clients local to the Unraid server anymore.

But I think it should be like this:

10.0.0.0/24(sec=sys,rw,async,insecure,no_subtree_check,crossmnt)

There are a few things that depend on your setup.

What's the admin user for you in Unraid? The user that's allowed write access to the shares?

Then you'll add something like

anonuid=99,anongid=100,all_squash

This will "squash" all access to uid = 99, which is the nobody user in Unraid, and group = 100, which is the users group,

so you can change the uid to match the "admin" user.

 

Will the clients be accessing the files as root? Then add "no_root_squash" to allow root to continue accessing as root.

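The rule syntax question earlier in the thread (whether two IPs can be listed as `10.0.0.100(...), 10.0.0.101(...)`) and the client options ken-ji lists above, as an added Python example that is not the thread's, Unraid's or nfs-utils' code: it parses one exports(5) line, or just the contents of Unraid's Rule field, into (client, options) pairs and flags the options that widen access. exports(5) separates clients by whitespace, with each client's options in parentheses directly after it and a leading `-opts` token setting defaults for the clients that follow; a comma between two clients is not a separator, which is why the comma-separated attempt was rejected. Helper names are mine; the sample lines are the ones posted in the thread.

```python
# Added example (not from the thread): parse and audit the client list of an
# /etc/exports line, as Unraid builds one from the share's Rule field.
import re
import shlex

CLIENT_RE = re.compile(r'^([^\s(]+)(?:\(([^)]*)\))?$')   # host or host(opt,opt)


def parse_options(opts: str) -> dict:
    """'sec=sys,rw,fsid=117' -> {'sec': 'sys', 'rw': True, 'fsid': '117'}."""
    out = {}
    for item in opts.split(','):
        item = item.strip()
        if item:
            key, _, val = item.partition('=')
            out[key] = val or True
    return out


def parse_export_line(line: str) -> tuple:
    """Return (path, [(client, merged_options), ...]) for one exports(5) line."""
    tokens = shlex.split(line.split('#', 1)[0])           # quoted paths are allowed
    if not tokens:
        raise ValueError('empty export line')
    path, defaults, clients = tokens[0], {}, []
    for token in tokens[1:]:
        if token.startswith('-'):                         # "-opt,opt": defaults for later clients
            defaults.update(parse_options(token[1:]))
            continue
        m = CLIENT_RE.match(token)
        if not m:
            if ',' in re.sub(r'\([^)]*\)', '', token):
                raise ValueError(f'{token!r}: clients are separated by whitespace, not commas')
            raise ValueError(f'{token!r}: malformed client entry')
        opts = dict(defaults)
        opts.update(parse_options(m.group(2) or ''))
        clients.append((m.group(1), opts))
    return path, clients


def parse_rule(rule: str) -> list:
    """Unraid's Rule field is just the client list of an exports line."""
    return parse_export_line('/placeholder ' + rule)[1]


def rule_error(rule: str):
    """Return the syntax error message for a Rule field, or None if it parses."""
    try:
        parse_rule(rule)
    except ValueError as exc:
        return str(exc)
    return None


def build_rule(hosts, options: str) -> str:
    """Several clients with the same options: one space-separated entry each."""
    return ' '.join(f'{host}({options})' for host in hosts)


def audit(clients) -> list:
    """Options a defender should notice before exporting a share."""
    findings = []
    for host, o in clients:
        if host == '*' and o.get('rw'):
            findings.append(f'{host}: read-write for every client')
        if o.get('no_root_squash'):
            findings.append(f'{host}: no_root_squash (client root acts as root on the server)')
        if o.get('insecure'):
            findings.append(f'{host}: insecure (requests accepted from unprivileged source ports)')
        if o.get('sec', 'sys') == 'sys' and not o.get('all_squash'):
            findings.append(f'{host}: sec=sys trusts the uid/gid the client claims')
    return findings


# Lines posted in the thread
KENJI_EXPORT = ('"/mnt/user/Downloads" -async,no_subtree_check,fsid=117 '
                '192.168.2.0/24(sec=sys,rw,no_root_squash,insecure) '
                '*(sec=sys,ro,insecure,anongid=100,anonuid=99,all_squash)')
COMMA_RULE = '10.0.0.100(sec=sys,rw), 10.0.0.101(sec=sys,rw)'

if __name__ == '__main__':
    print(rule_error(COMMA_RULE))
    print(build_rule(['10.0.0.100', '10.0.0.101'], 'sec=sys,rw'))
    path, clients = parse_export_line(KENJI_EXPORT)
    for finding in audit(clients):
        print(path, finding)
```

Run against the exports line ken-ji posted, the audit reports no_root_squash, insecure and unsquashed sec=sys for the LAN subnet and insecure for the world entry; the world entry is read-only and all_squash'd, so it is not flagged as writable. The sec=sys finding is the point made at the top of the thread: without Kerberos, the server believes whatever uid the client presents, so the Rule's host list and the squash options are the only access control.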
  • 2 weeks later...

 

On 10/19/2021 at 5:47 PM, ken-ji said:
10.0.0.0/24(sec=sys,rw,async,insecure,no_subtree_check,crossmnt)

 

 

I need the client (my Mac) to be admin, with rw access etc.

What is strange is that Synology shares work with my options provided in the screenshot above, but Unraid won't like it no matter what I try.

 

On NFS settings the Tunable (fuse_member) is set to 330.

Then on shares... I am going to "eleven", my main share, with settings:

export: Yes

security: Private

rule: 10.0.0.0/24(sec=sys,rw,async,insecure,no_subtree_check,crossmnt,anonuid=99,anongid=100,all_squash)

 

But with both Finder and the Terminal I cannot mount from Unraid, but as I said Synology works :(


Thanks for all the help!

 


So I tried to mount it remotely via Terminal:

/mnt/user/isos  <world>(ro,async,wdelay,hide,no_subtree_check,fsid=121,anonuid=99,anongid=100,sec=sys,insecure,root_squash,all_squash)

This is my public share (I can't mount my private shares as they're open only on the LAN and I'm currently away)

I'm not sure if I have actual read access to some of the files, since access is squashed to nobody, but I think that's an issue that can be resolved.

My only Macbook is my employer's and this is the first time I've tried to access Unraid from it.

 

And here's what happened. (Ishikawa is my Macbook, and Unraid is 192.168.2.5 over VPN)

Ishikawa:~ kenneth$ mkdir RemoteTest
Ishikawa:~ kenneth$ mount 192.168.2.5:/mnt/user/isos RemoteTest
Ishikawa:~ kenneth$ mount
/dev/disk1s1s1 on / (apfs, sealed, local, read-only, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk1s5 on /System/Volumes/VM (apfs, local, noexec, journaled, noatime, nobrowse)
/dev/disk1s3 on /System/Volumes/Preboot (apfs, local, journaled, nobrowse)
/dev/disk1s6 on /System/Volumes/Update (apfs, local, journaled, nobrowse)
/dev/disk1s2 on /System/Volumes/Data (apfs, local, journaled, nobrowse)
map auto_home on /System/Volumes/Data/home (autofs, automounted, nobrowse)
192.168.2.5:/mnt/user/isos on /Users/kenneth/RemoteTest (nfs, nodev, nosuid, mounted by kenneth)
Ishikawa:~ kenneth$ cd RemoteTest/
/Users/kenneth/RemoteTest
Ishikawa:RemoteTest kenneth$ ls -l
total 51486120
-rwxrwxrwx  1 root     wheel        2147483648 Jul 17 21:30 BigSur-install.img
-rwxrwxrwx  1 root     wheel         157286400 Jul 17 21:24 BigSur-opencore.img
-rw-rw----  1 kenneth  _lpoperator   417333248 Dec  9  2013 CentOS-6.5-x86_64-minimal.iso
-rw-r--r--  1 kenneth  _lpoperator   950009856 Jun 20  2018 CentOS-7-x86_64-Minimal-1804.iso
-rw-r--r--  1 kenneth  _lpoperator   519045120 Jun 20  2018 CentOS-7-x86_64-NetInstall-1804.iso
-rw-rw----  1 kenneth  _lpoperator  7554990080 Mar 28  2020 CentOS-8.1.1911-x86_64-dvd1.iso
-rw-r--r--  1 kenneth  _lpoperator  4692365312 Apr 12  2018 Win10_1803_English_x64.iso
-rw-r--r--  1 root     wheel        2368405504 Mar  6  2020 Zorin-OS-15.2-Lite-64-bit.iso
-rw-r--r--  1 root     _lpoperator   139460608 Jan 29  2021 alpine-standard-3.13.1-x86_64.iso
-rw-r--r--  1 root     _lpoperator    36700160 Jun 20  2019 alpine-virt-3.10.0-x86_64.iso
-rw-r--r--  1 root     _lpoperator    42991616 Feb 17  2021 alpine-virt-3.13.2-x86_64.iso
-rw-rw----  1 kenneth  _lpoperator  3901456384 Sep 13  2019 debian-10.1.0-amd64-DVD-1.iso
-rw-r--r--  1 root     _lpoperator   351272960 Feb  8  2020 debian-10.3.0-amd64-netinst.iso
-rw-r--r--  1 kenneth  _lpoperator   657457152 Jun 30  2018 debian-9.4.0-amd64-i386-netinst.iso
-rw-r--r--  1 kenneth  _lpoperator   305135616 Jun 30  2018 debian-9.4.0-amd64-netinst.iso
-rw-r--r--  1 kenneth  _lpoperator   116391936 Dec 29  2019 slackware64-current-mini-install.iso
-rw-r--r--  1 kenneth  _lpoperator   322842624 Aug 16  2018 virtio-win-0.1.160-1.iso
-rw-r--r--  1 kenneth  _lpoperator   371732480 May 21  2019 virtio-win-0.1.171.iso
-rw-rw-rw-  1 kenneth  _lpoperator   394303488 Jan 19  2020 virtio-win-0.1.173-2.iso
-rw-r--r--  1 root     wheel         412479488 Jul 21  2020 virtio-win-0.1.185.iso
drwxrws---  1 kenneth  _lpoperator        4096 Mar  6  2021 virtio-win-0.1.190-1
-rw-rw-rw-  1 root     _lpoperator   501745664 Nov 24  2020 virtio-win-0.1.190-1.iso

 

 

  • 2 years later...
On 1/19/2020 at 11:10 AM, ken-ji said:

This is NFS, and your question indicates you are not quite familiar with how it works. So, in a nutshell:

NFS works under the assumption that the underlying POSIX user ids on both the server and the client are matched, so that root is root and a named user, e.g. bob, has uid 1000 on both; similarly for group ids. (There are special rules for root mapping and anonymous user access.)

When a share is mounted on the client, for bob (uid 1000 and gid 100) to be able to read and write on the client, the following must be true:

the NFS directory and files are either owned by a user with uid 1000, or by gid 100, or the underlying filesystem ACLs allow other uids to read and write.

 

So, for example:

# ls -al Strike\ the\ Blood
drwxrws--- 1 nobody users       1228 Sep 18 19:53 ./
drwxrws--- 1 nobody users     134750 Jan 19 08:02 ../
drwxrws--- 1 nobody users        648 Aug  5 17:40 BD\ menu/
-rw-rw---- 1 nobody users 1352685938 Aug  5 17:41 [Beatrice-Raws]\ Strike\ the\ Blood\ OVA\ -\ 01\ [BDRip\ 1920x1080\ HEVC\ FLAC].mkv

In this case, my /etc/exports contains:

"/mnt/user/Downloads" -async,no_subtree_check,fsid=117 192.168.2.0/24(sec=sys,rw,no_root_squash,insecure) *(sec=sys,ro,insecure,anongid=100,anonuid=99,all_squash)

and my Shares setting is

[screenshot of the share's NFS settings]

 

So this means my NFS client can map the /mnt/user/Downloads directory and do file operations as root, or as the nobody user. Other clients in different subnets are all forced to the nobody user, which still has correct access to files. (I've done some changes to my Samba config to force all the access as the nobody user but still require authentication.)

 

Hope this helps.

Just in case anyone else is struggling to get their Proxmox PBS datastore connected to NFS on Unraid: this post has the info you need. I was specifically getting an "EPERM: Operation not permitted" error when trying to add the datastore. Adding no_root_squash to the export solved it.
