# [Solved] NFS - Permissions denied on client side, need +x

## lexflex

Hi,

I am trying to share files from my central home server with a couple of clients on the same local network using NFS.

However, on the client side, the files show 'permission denied' and are red blinking:

```
/mnt # ls Server/ -all
ls: cannot access 'Server/.': Permission denied
ls: cannot access 'Server/..': Permission denied
ls: cannot access 'Server/file1.txt': Permission denied
ls: cannot access 'Server/file2.txt': Permission denied
total 0
d????????? ? ? ? ?            ? .
d????????? ? ? ? ?            ? ..
?????????? ? ? ? ?            ? file1.txt
?????????? ? ? ? ?            ? file2.txt
```

This seems to be the same issue as described (but not solved) here:

https://forums.gentoo.org/viewtopic-t-1077002-highlight-nfs+permissions.html

https://forums.gentoo.org/viewtopic-t-1065634-highlight-nfs+permissions.html

On the server side:

```
/homessd/alex/nfstest/data # ls -all
total 16
drw-r--r-- 2 alex      alex      4096 Oct  6 06:23 .
drwxr-xr-x 3 alex      alex      4096 Oct  6 06:23 ..
-rw-r--r-- 1 alexander alexander    7 Oct  6 06:23 file1.txt
-rw-r--r-- 1 alexander alexander    7 Oct  6 06:23 file2.txt
```

And server-side /etc/exports:

```
cat /etc/exports
# /etc/exports: NFS file systems being exported.  See exports(5).
/homessd/alex/nfstest/data  192.168.0.0/255.255.0.0(rw,all_squash,crossmnt)
```

I can somehow solve it by changing the permissions to 777 (including +x):

Server side:

```
# chmod 777 /homessd/alex/nfstest/data/ -R
HomeServer /homessd/alex/nfstest/data # ls -all
total 16
drwxrwxrwx 2 alex      alex      4096 Oct  6 06:23 .
drwxr-xr-x 3 alex      alex      4096 Oct  6 06:23 ..
-rwxrwxrwx 1 alexander alexander    7 Oct  6 06:23 file1.txt
-rwxrwxrwx 1 alexander alexander    7 Oct  6 06:23 file2.txt
```

The client then shows:

```
# ls Server/ -all
total 16
drwxrwxrwx 2 root root 4096 Oct  6 06:23 .
drwxr-xr-x 6 root      root      4096 Oct  6 06:20 ..
-rwxrwxrwx 1 alex      alex         7 Oct  6 06:23 file1.txt
-rwxrwxrwx 1 alex      alex         7 Oct  6 06:23 file2.txt
```

So, although this workaround works, it seems a bit strange that I would need to add +x in order to share read/write directories and files...

I guess I probably somehow messed up permissions on one side or the other, but I would not know how to change this behavior (and if this is normal behavior or not, although I expect it is not).

Thanks for any hints, pointers, on how to get this NFS-sharing right,

Alex.

Last edited by lexflex on Tue Oct 08, 2019 8:38 am; edited 1 time in total

----------

## krinn

1/ Your exports is bad for an nfsv4 server. I know nfsv4 servers are lazy and accept weird entries (for nfsv3 server compatibility), still the result is bad; do the thing properly if you want proper behavior.

An nfsv4 server can be used with an nfsv3 client, still it doesn't mean an nfsv4 server should be configured like an nfsv3 server.

see for example : https://wiki.gentoo.org/wiki/Nfs-utils#Virtual_root

2/ Did you mess up your group and user id between your server and client?

```
Server side:
...
-rwxrwxrwx 1 alexander alexander    7 Oct  6 06:23 file1.txt

The client then shows:
-rwxrwxrwx 1 alex      alex         7 Oct  6 06:23 file1.txt
```

I would expect the client to also show "alexander:alexander". It's not a problem if you only have alexander on one side and alex on the other side, but your server shows the directories are owned by "alex", so the server at least has two users, "alex" and "alexander"; I suppose your client has that too.

3/ The "all_squash" option makes the server handle any query as "nfsnobody:nfsnobody",

so even if your client made a query as alexander:alexander, the server will not compare the action against alexander:alexander permissions, but against nfsnobody:nfsnobody permissions.

----------

## NeddySeagoon

lexflex,

nfs uses the user and group IDs everywhere.

What does 

```
ls -n
```

show on both systems for those files?

The owner and group names are not useful as they are obtained by consulting the local /etc/password and /etc/groups.

There is a world of pain getting those aligned across all the systems that will use the nfs share.

----------

## lexflex

Hi Krinn and Neddy, thanks for your replies!

*krinn wrote:*

> 2/ Did you mess up your group and user id between your server and client?

Probably I messed up, since I actually didn't take care of aligning those user IDs at all.

They are just two systems on my local network, one acting as server with storage, the others acting as clients.

Since it is local, I trust the clients and also would like the clients to write/add to those directories.

 *Quote:*   

> see for example : https://wiki.gentoo.org/wiki/Nfs-utils#Virtual_root

 

Yes, I read that, but I thought the virtual root thing was not relevant for my use case in which I just share a specific directory.

From both your replies, I understand that the official way to do it right includes aligning all IDs (which is a pain, as Neddy suggests, specifically since both systems already have users).

Is there some simpler way of doing this on local trusted machines that does not involve that?

The use case (which I hoped was simple) that I wanted to achieve is:

a) share media files on a local server

b) watch them from clients on the local network

If I don't want to go down the route of aligning all IDs, what would be the simplest way to share files between (local network) Linux machines? Is NFS a good choice for that?

 *NeddySeagoon wrote:*   

> What does 
> 
> ```
> ls -n
> ```
> ...

 

Server side:

```
$ ls -all -n
total 16
drwxrwxrwx 2 1002 1002 4096 Oct  6 06:23 .
drwxrwxrwx 3 1002 1002 4096 Oct  6 06:23 ..
-rwxrwxrwx 1 1000 1000    7 Oct  6 06:23 file1.txt
-rwxrwxrwx 1 1000 1000    7 Oct  6 06:23 file2.txt
```

Client side:

```
$ ls  -n
total 8
-rwxrwxrwx 1 1000 1000 7 Oct  6 06:23 file1.txt
-rwxrwxrwx 1 1000 1000 7 Oct  6 06:23 file2.txt
```

Thanks!

Alexander.

----------

## NeddySeagoon

lexflex,

Before I answer, I infer that you only need read access from the clients?

Is that true?

Think about how you will add new titles to the server.

On my mediaserver, I use nfs version 3 as I could not get netbooting to work with nfs ver4.

The /etc/exports contains

```
/mnt/mediatomb 192.168.100.0/24(no_subtree_check,root_squash,all_squash,ro,async)
/mnt/mediatomb 192.168.100.20(no_subtree_check,all_squash,rw,async,anonuid=1000)
```

All users on 192.168.100.0/24 see the files as user nobody and may read them.

My system on 192.168.100.20 is allowed rw access and whatever user I appear as is forced to anonuid=1000.

That's my userID on the server.

On my system /etc/fstab contains

```
# DVDs Read Only
192.168.100.55:/mnt/mediatomb           /mnt/media      nfs            sync,hard,intr,ro,nolock,vers=3  0 0
```

It's read only there. If I want to add media, I have to remount it read/write.

That's fairly rare though.

----------

## Jaglover

Changing UID is a matter of editing it and then running chown on the user's home. If it seems too much, create a group on both machines and allow full access to this group.

----------

## msst

 *Quote:*   

> The owner and group names are not useful as they are obtained by consulting the local /etc/password and /etc/groups.
>
> There is a world of pain getting those aligned across all the systems that will use the nfs share.

Learnt through some pain: NFS is fast and easy, but it is old and its handling of permissions - access control sucks. The only thing that sucks even more is debugging NFS problems.

Therefore the only way to handle NFS shares across several computers is ensuring all UID/GID match exactly. Ideally also all usernames. And only inside trusted local networks.

If you want more, don't use NFS.

----------

## Jaglover

NFSv4 was designed with usage over the internet in mind. You can use NIS to avoid the UID:GID problem. There is also idmapping for NFS. So I'd amend the previous poster. Don't use NFS if you don't know how.

----------

## Hu

You need search on a directory (+x) to stat files in it.  On the server, you ran as root, so root's CAP_DAC_READ_SEARCH let you ignore the permissions and search the directory even when the permissions said you could not.  On the client, squashing changed your effective uid, as other posters have already explained above.  As a general debugging tip, if you want to use squashing, then your shell on the server should be run under the same uid as the squashed clients.  If you had run the server's shell as alex, you would have seen more consistent results.

----------

## lexflex

Thanks a lot to you all,

Your replies above give me enough insight to understand how to get this to work.

As suggested, I now created a user on both systems that has the same user and group ID 5000 using the -u option:

```
 useradd <....> -u 5000
```

 *Hu wrote:*   

> You need search on a directory (+x) to stat files in it.  

 

Ok, I did not know or understand this before, but indeed this is needed as well.

I now changed all files to rw (unless they already had +x, but this was not the case here), and all (sub)directories to rwx, using:

```
chmod -R a+rwX /directory
```

(It took me https://unix.stackexchange.com/questions/416877/what-is-a-capital-x-in-posix-chmod to decode the capital X in chmod.)

Now all seems ok in terms of permissions, and the clients can access the nfs shares as expected!

Thanks a lot,

Alex.

----------

## Hu

Personally, I wouldn't consider world-writable to be "ok in terms of permissions" here, but if you're happy with the functionality and security consequences, we can call this thread solved.

----------

## lexflex

 *Hu wrote:*   

> Personally, I wouldn't consider world-writable to be "ok in terms of permissions" here, but if you're happy with the functionality and security consequences, we can call this thread solved.

 

Yes, you are right that I should actually make it something like 'rwxr-xr-x' for the directories, or maybe also for the group.

So, I now removed all write access to the other directories.

Then, added +x just for the user for directories by using:

```
chmod -R u+wrX   
```

Alex.

----------
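The two points Hu raises in this thread (a squashed client needs search permission on every directory it has to stat files in, and world-writable is not a sound end state) can both be checked on the server with `find`. This is an added example, not code from any poster in the thread; the function names, the export path and the 5000:5000 identity in the usage comment are assumptions, and it relies on a `find` that supports `-uid`/`-gid` (GNU findutils does).

```shell
#!/bin/sh
# Added example: server-side audit of an NFS export tree for a squashed identity.
# Function names are hypothetical; needs a find with -uid/-gid (GNU findutils).

# unsearchable_dirs ROOT UID GID
# Print every directory under ROOT that UID:GID may not search, i.e. that has
# no x bit in the permission class applying to that identity. Files inside
# such a directory cannot be stat()ed by it, which is what produces the
# "?????????" listing on the client.
# Supplementary groups and ACLs are not considered, so exactly one class is
# checked: owner if the uid matches, else group if the gid matches, else other.
unsearchable_dirs() {
    root=$1 uid=$2 gid=$3
    find "$root" -type d \( \
        \( -uid "$uid" ! -perm -100 \) -o \
        \( ! -uid "$uid" -gid "$gid" ! -perm -010 \) -o \
        \( ! -uid "$uid" ! -gid "$gid" ! -perm -001 \) \
    \) -print
}

# world_writable ROOT
# Print files and directories that any uid may write to (o+w). Symlinks are
# skipped because their own mode bits are not used for access checks.
world_writable() {
    find "$1" ! -type l -perm -002 -print
}

# Usage on the server, as root, with placeholder values (the export path and
# the 5000:5000 squash identity are constructed for illustration):
#   unsearchable_dirs /srv/export 5000 5000
#   world_writable /srv/export
```

Empty output from both functions means the squashed identity can traverse the whole tree and nothing in it is open to every other uid on the server.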

