How to properly set permissions for NFS folder? Permission denied on mounting end.
I’m trying to connect to an NFS folder on my dev server. The owner of the folder on the dev server is darren and group darren. When I export and mount it to my Mac using the Disk Utility it mounts, but then when I try to open the folder it says I do not have permissions. I have set rw, sync, and no_subtree_check. The user on the Mac is darren with a bunch of groups. Do I need to have the same group and user set to access the folder?
5 Answers
NFS is built on top of RPC authentication. With NFS version 3, the most common authentication mechanism is AUTH_UNIX. The user id and group id of the client system are sent in each RPC call, and the permissions these IDs have on the file being accessed are checked on the server. For this to work, the UID and GIDs must be the same on the server and the clients. However, you can force all access to occur as a single user and group by combining the all_squash, anonuid, and anongid export options. all_squash will map all UIDs and GIDs to the anonymous user, and anonuid and anongid set the UID and GID of the anonymous user. For example, if your UID and GID on your dev server are both 1001, you could export your home directory with a line like
I’m less familiar with NFS version 4, but I think you can set up rpc.idmapd on the clients to alter the uid and gid they send to the server.
I ran across this answer trying to solve an Apple OS X Yosemite nfs issue. This answer is much more relevant and accurate than the accepted answer. It is not advisable nor is it feasible to match UID/GID across systems. A root user on system A is probably not a root user on system B.
When you mount NFS, your permissions you’re mounting it with must match up with what you have on the server. For example, if your user has only read-only access, mounting it with read-write will cause you to see the same errors you mentioned in your post when you try to actually load the mount. Unfortunately, this will ONLY show up when accessing the folder, not when you actually mount it.
You also want to make sure that the user NFS is running as on the server and the user on the client are using the same UID and GID. You can check these values by running id darren on both the server and the client. If the UID and GID values do not match up, you can edit /etc/passwd to make it so — but make sure you understand what you’re doing before arbitrarily changing values!
Yeah, I shouldn’t have tried to change the UID; I have to redo my server now. How would one mimic the UID and GID? Is it really this complicated?
Unfortunately, in my experience of using this in the workplace, NFS is extremely fragile, and yes—it can be this complicated. Usually, you’ll want a dedicated NFS user with a specific UID/GID on each server/client so that you don’t run into this issue. If you have a choice in your dev environment (i.e., it doesn’t HAVE to use NFS), looking into using something like SSHFS will make your dev headaches go away—but won’t replicate the same functionality as a production server using NFS.
Do you think Samba is another solution? I have used it with Windows with no problem and I am thinking this is the way I will have to go even though I am using a Mac for developing my application.
I would hesitate to say NFS is fragile. It is a long established file service protocol. There are really only two requirements for NFS: synchronized UID/GID among the clients and synchronized time between the clients and server. Traditionally, NIS was used to synchronize user information, but LDAP is a more secure choice for new deployments in the last decade.
Do your UIDs and GIDs match on both servers? That’s what it’s using to control access and not the login and group name.
Example on how to mount an NFS share on Ubuntu Eoan as a server and MacOS Catalina as a client.
Example assumptions (you need to adapt this):
Client PC name: Bills-MBP
(Press Cmd+Space, start 'terminal', there something like bill@Bills-MBP: is written as a prompt. Use what's written between the @ and the : as client PC name further below).
Username in Ubuntu: tux
(Press the penguin-key on your keyboard, if you have none, order a penguin keyboard sticky and place it over the ugly key with four mis-shaped squares near the space bar. Enter "terminal", start the terminal, the user name will be shown before the @ sign in the prompt. E.g. "tux@dustycray:")
PC name of Ubuntu: dustycray
(Can be found out like shown above.)
Folder on Ubuntu to be shared: /home/tux/mp3
Use whatever folder you need to share as absolute path
On the NFS-Server (Ubuntu EOAN in my case) enter in the terminal (which we opened as shown above):
    id -u tux # remember the number, use it below as anonuid (replace the 1000 there)
    id -g tux # remember the number, use it below as anongid (replace the 1001 there)
    sudo nano /etc/exports
    # At the end of the file add the following line, replace the path name, the Client PC Name and the two numbers with your values:
    /home/tux/mp3 Bills-MBP(rw,sync,insecure,all_squash,anonuid=1000,anongid=1001)
    # leave with ctrl+x and confirm file saving
    sudo exportfs -ra
Now on the mac, open a terminal as shown above and enter (leave /private/nfs as it is):
    sudo mkdir /private/nfs
    # Replace the ubuntu pc name (dustycray) and the path (home . ) by yours now:
    sudo mount -t nfs -o resvport,rw dustycray:/home/tux/mp3 /private/nfs
Then the NFS can be accessed in the path /private/nfs. In finder you will see a new entry called (e.g.) «dustycray» on the left in the section «locations», also in file-open dialogs.
Above’s mount procedure is not permanent, I use a script to mount it whenever I need it. However, you can also make the mount permanent if you like (e.g. System preferences / Users&Groups / Login Items / + / Select any root folder within (!) the NFS share / Add).
NFS network mount: set owner to specific account
OK, I’m seriously confused over this stuff, so really descriptive answers would be appreciated, especially if they make this whole mounting stuff less magical and more predictable. I am trying to mount my Drobo-FS NAS with nfs to get better performance than with cifs. The drobo is running some trimmed down linux distribution. Inside /etc/fstab on the client machine (Ubuntu with IP: 192.168.1.150)
    # Mount Drobo
    192.168.1.100:/mnt/DroboFS/Shares/public /media/drobonfs nfs rw,soft,proto=tcp,users 0 0
I have unfsd installed on the drobo and access via ssh. This is the exports file on the server machine (Drobo-FS with IP 192.168.1.100):
    # Allow access for client machine
    /mnt/DroboFS/Shares 192.168.1.150(rw,no_root_squash)
Mounting works fine, except that the mounted files are all owned by root with most of the file permissions set to 744. The file permissions shown in the mount on the client match the actual permissions on the server. For example:
    client$ sudo chmod 123 /media/drobonfs/somefile
    client$ ls -l /media/drobonfs/somefile
    ---x-w--wx 1 root root 0 2012-01-04 14:15 /media/drobonfs/somefile
    drobo$ ls -l /mnt/DroboFS/Shares/public/somefile
    ---x-w--wx 1 root root 0 Jan 4 14:15 /mnt/DroboFS/Shares/public/somefile
Writing sudo in front of every command is a drag and I want to understand what is going on, so what can I do to mount it on the client machine with the owner/group set to my account instead of root?
User permissions in NFS mounted directory
I have oracle linux 6.7, a NFS server in Windows, and I am trying to mount a shared folder in Linux. The Windows NFS server has a shared mount :
In my oracle linux server, I created a folder, /orabackup, and the oracle user from oinstall group is the owner of this folder:
    mkdir /orabackup
    chown -R oracle:oinstall /orabackup
    chmod -R 777 /orabackup
    mount -t nfs -o rw 192.168.1.10:/OracleBK /orabackup
192.168.1.10:/OracleBK /orabackup nfs defaults 0 0
Now, the «orabackup» folder is mounted. However the oracle user cannot read and write, and needs read and write permissions to this directory. The root user can read and write. What should be done to give full permissions to the oracle user?
If it is a NFS server in Windows, then please add to the post the product/software that allows you to do that.
2 Answers
NFS checks access permissions against user ids (UIDs). The UID of the user on your local machine needs to match the UID of the owner of the files you are trying to access on the server.
I would suggest to go to the server and look at the file permissions. Which UID (find out with id username) do they belong to and which permissions are set?
And if you are the only one accessing the files on the server, you can make the server pretend that all requests come from the proper UID. For that, NFS has the option all_squash. It tells the server to map all requests to the anonymous user, specified by anonuid,anongid.
Add these options: all_squash,anonuid=1026,anongid=100 to the export in /etc/exports.
Be warned though, that this will make anyone mounting the export effectively the owner of those files.
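An added example (not from any of the posts above): a small Python audit of exports lines that computes which UID/GID the server actually checks for a given client identity, following the squash rules documented in Linux exports(5), and lists the options that widen access. The first two sample lines are the exports quoted on this page; the third line, the client UID/GID 501/20 and all function names are assumptions made for illustration.

```python
import re
NOBODY = 65534  # default anonuid/anongid on Linux nfsd, per exports(5)

# Two export lines quoted on this page plus one constructed line with default options.
SAMPLE = """\
/home/tux/mp3 Bills-MBP(rw,sync,insecure,all_squash,anonuid=1000,anongid=1001)
/mnt/DroboFS/Shares 192.168.1.150(rw,no_root_squash)
/srv/dev 192.168.1.0/24(rw,sync,no_subtree_check)  # constructed
"""

def parse_exports(text):
    """Yield (path, client, options) for every client entry in exports text."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for entry in clients:
            m = re.fullmatch(r"([^()]*)\((.*)\)", entry)
            host, optstr = (m.group(1) or "*", m.group(2)) if m else (entry, "")
            opts = dict(o.partition("=")[::2] for o in optstr.split(",") if o)
            yield path, host, opts

def effective_ids(opts, uid, gid):
    """Map the uid/gid sent in an AUTH_UNIX call to the ids the server checks."""
    anon = int(opts.get("anonuid", NOBODY)), int(opts.get("anongid", NOBODY))
    if "all_squash" in opts:            # everyone becomes the anonymous user
        return anon
    if "no_root_squash" not in opts:    # root_squash is the default
        return (anon[0] if uid == 0 else uid, anon[1] if gid == 0 else gid)
    return uid, gid

def findings(host, opts):
    """Security-relevant consequences of the options on one client entry."""
    out = []
    if "no_root_squash" in opts and "all_squash" not in opts:
        out.append(f"root on {host} acts as root on the export")
    if "all_squash" in opts and "anonuid" in opts:
        out.append(f"every user on {host} acts as uid {opts['anonuid']}")
    if "insecure" in opts:
        out.append("requests from source ports above 1023 are accepted")
    return out

def audit(text, uid, gid):
    return [(p, h, effective_ids(o, uid, gid), findings(h, o))
            for p, h, o in parse_exports(text)]

if __name__ == "__main__":
    for row in audit(SAMPLE, 501, 20):   # 501/20: assumed client uid/gid
        print(row)
```

Calling audit with uid 0 and gid 0 shows the difference between the three entries: the all_squash export maps root to 1000/1001, the no_root_squash export passes root through unchanged, and the default export maps root to 65534.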
NFS permission denied
When I configure NFS and create a file on the client NFS shared dir, I get the following message: permission denied. My configuration:
configuration nfs server
http://www.server-world.info/en/note?os=CentOS_6&p=nfs&f=1
configuration nfs client
http://www.server-world.info/en/note?os=CentOS_6&p=nfs&f=2
Where is the problem?
Those 2 images don’t tell much. Can you do a showmount -e server from the client as well as the output from mount?
What user are you logged in to the client as? If root, what are your NFS export options on the server?
LEGEND . I have been trying to mount a docker NFS volume for two days now no where did I see no_all_squash until here ! Shot bro!
2 Answers
You need to run the command on the server after modifying the /etc/exports file:
Also when debugging connectivity issues with NFS you can run the command showmount -e to see what mounts a given server is exporting out.
example
    $ showmount -e cobbler
    Export list for cobbler:
    /cobbler/isos 192.168.1.0/24
services running on nfs clients
You need to make sure that you have the following services running so that the clients can communicate with the NFS server:
    $ chkconfig --list|grep rpc
    rpcbind         0:off   1:off   2:on    3:on    4:on    5:on    6:off
    rpcgssd         0:off   1:off   2:off   3:on    4:on    5:on    6:off
    rpcidmapd       0:off   1:off   2:off   3:on    4:on    5:on    6:off
    rpcsvcgssd      0:off   1:off   2:off   3:off   4:off   5:off   6:off

    $ chkconfig --list|grep nfs
    nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
    nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
rpcinfo
With the above services running you should be able to check that the client can make remote procedure calls (rpc) to the NFS server like so:
    $ rpcinfo -p cobbler
       program vers proto   port  service
        100000    2   tcp    111  portmapper
        100000    2   udp    111  portmapper
        100024    1   udp    807  status
        100024    1   tcp    810  status
        100011    1   udp    718  rquotad
        100011    2   udp    718  rquotad
        100011    1   tcp    721  rquotad
        100011    2   tcp    721  rquotad
        100003    2   udp   2049  nfs
        100003    3   udp   2049  nfs
        100003    4   udp   2049  nfs
        100021    1   udp  60327  nlockmgr
        100021    3   udp  60327  nlockmgr
        100021    4   udp  60327  nlockmgr
        100003    2   tcp   2049  nfs
        100003    3   tcp   2049  nfs
        100003    4   tcp   2049  nfs
        100021    1   tcp  57752  nlockmgr
        100021    3   tcp  57752  nlockmgr
        100021    4   tcp  57752  nlockmgr
        100005    1   udp    750  mountd
        100005    1   tcp    753  mountd
        100005    2   udp    750  mountd
        100005    2   tcp    753  mountd
        100005    3   udp    750  mountd
        100005    3   tcp    753  mountd
mounting and the kernel modules
I see what you wrote in an answer that you then deleted. You should’ve added that info to the question!
I can see where you were getting stumped now. I don’t believe you’re supposed to be mounting using:
Try changing that. Also I see where you were ultimately getting stumped. You didn’t have the nfs kernel module loaded.