Koozali.org: home of the SME Server

Permissions issue with NFS mounted data

stabilys
« on: April 11, 2016, 11:22:01 PM »
Excuse my ignorance in NFS please: I usually can get it to do what I want but not this time. Advice on getting it to work and best practice sought.

Scenario:

SME Machine 1, 3 TiB very full with some large 100GiB+ directories in only occasional use. All users use this and have user accounts. User access via Samba.
SME Machine 2, 2 TiB only 500GiB in use, only graphics creators using this (subset of all, only these users have user accounts). User access via Samba.

Both machines are running SME 8. The machines will be replaced early next year, but there are space issues to get us to next year.

Plan: move 500GiB of assorted directories from Machine 1 to Machine 2, export them via NFS, symlink them back to the same locations in filesystem on Machine 1. NFS installed, export created, temp mount made, data rsync'ed over all OK, symlinked OK.

That all works fine for me looking from the console as root, but does not work well for users accessing via Samba where access is denied.

After reading around I suppose the issues are UID/GID related but I am ignorant in this area.

Machine 2 export:
/home/e-smith/files 172.17.60.10/31(rw,sync,no_wdelay,nohide,no_root_squash)

Machine 1 test mount:
mount -t nfs 172.17.60.18:/home/e-smith/files /mnt/nfs

I then symlinked from the target directory under /mnt/files to the original location, but as I say, only root had full access.

There are no internal security requirements for these files, they are required for access by everyone as archived product files for retired products.

I have played with all_squash and that did not seem to do anything.

I have considered creating an nfsuser on both machines and giving this the same UID and GID on both, but I'm not clear on how to do that and make it work with canonical e-smith config files and samba.

Can anyone offer any suggestions please?

TIA!

MeJ

« Last Edit: April 11, 2016, 11:25:07 PM by stabilys »
This, too, will pass ;)

Gary Douglas
« Reply #1 on: April 12, 2016, 09:27:36 AM »
Like you, I usually get NFS to work. Not sure whether what I did is correct practice; somewhere in the past I found it necessary.
I don't have SME servers sharing NFS anymore so can't look it up, but I kept the following notes; /affa was the root shared folder:
(SME Server) chown nfsnobody.nfsnogroup /affa
(debian server) chown nobody:nogroup /affa

stabilys
« Reply #2 on: April 14, 2016, 02:15:59 PM »
Thanks for your suggestion (sorry for my delayed response, travelling) - I will try this and see what happens!

MeJ
This, too, will pass ;)

CharlieBrady
« Reply #3 on: April 14, 2016, 06:57:10 PM »
Exporting with no_root_squash probably isn't necessary, and is a security risk.

stabilys
« Reply #4 on: April 17, 2016, 11:28:43 PM »
Charlie, no_root_squash is not ideal but it does not currently seem to work without it.

After a great deal of head-banging I finally realised what the main problem (apparently) was:

https://www.samba.org/samba/news/symlink_attack.html

Samba no longer permits 'wide links' for security reasons, and I assume upstream and here implement just that.

I could then have turned off the security provision but decided on another way of doing it - to mount the nfs direct to the desired target directory with that having appropriate users - and it seems to work (being tested Monday am by users).

I will then try to tighten up the no_root_squash.

Thanks all.

MeJ
This, too, will pass ;)
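
Added example, not part of any post in this thread: a small check for the no_root_squash concern raised in Reply #3 and the tightening planned in Reply #4. It parses exports(5) text and reports entries that leave client root unsquashed or that are open to any host. The first sample line is the export from the opening post; the second line (path /srv/archive and the 5000 IDs) is constructed for comparison.

```python
import re

ENTRY = re.compile(r"(?P<client>[^\s()]*)(?:\((?P<opts>[^)]*)\))?")

def parse_exports(text):
    """Yield (path, client, options) per client entry of exports(5) text.
    Quoted paths and '-opt' default-option entries are not handled."""
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries or [""]:          # no client listed = any host
            m = ENTRY.fullmatch(entry)
            if m is None:
                raise ValueError(f"cannot parse export entry: {entry!r}")
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            yield path, m.group("client") or "*", opts

def squash_mode(opts):
    """Effective UID squashing; root_squash is the exports(5) default."""
    if "all_squash" in opts:
        return "all_squash"
    return "no_root_squash" if "no_root_squash" in opts else "root_squash"

def audit(text):
    """Return (path, client, finding, reason) tuples for risky entries."""
    findings = []
    for path, client, opts in parse_exports(text):
        if squash_mode(opts) == "no_root_squash":
            findings.append((path, client, "no_root_squash",
                             "root on the client acts as root on these files"))
        if client == "*":
            findings.append((path, client, "any host",
                             "export is not limited to named clients"))
    return findings

# Line 1: export from the opening post. Line 2: constructed comparison.
SAMPLE = """\
/home/e-smith/files 172.17.60.10/31(rw,sync,no_wdelay,nohide,no_root_squash)
/srv/archive 172.17.60.10(rw,sync,all_squash,anonuid=5000,anongid=5000)
"""

if __name__ == "__main__":
    for path, client, finding, reason in audit(SAMPLE):
        print(f"{path} -> {client}: {finding} ({reason})")
```

On a real server the input would be the contents of /etc/exports; an entry using all_squash with anonuid/anongid maps every client user to one server-side account, so it only works if that account owns the exported files.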