使用Webmin挂载NFS时，权限被拒绝（Mac OSX + Ubuntu安装程序）

Question

The Goal

I have the following setup -

• Home Server running Ubuntu 13.10
• Laptop running Mac OSX 10.9 (Mavericks)

I'm trying to export the Home Server directory ~/Documents as an NFS mount that can be accessed from my mac laptop

Ubuntu Setup

I used Webmin on Ubuntu to create an NFS Export. In the interest of just testing access for the moment I allowed any hostname to connect with read/write access.

Webmin created the following configuration under /etc/exports

/home/jeeves/Documents        (insecure,no_subtree_check,no_root_squash,rw,nohide)

Mac OX 10.9 Laptop Setup

I mounted the remote directory to a local directory, /private/nfs

sudo mount -t nfs 192.168.1.219:/home/jeeves/Documents /private/nfs 

All worked fine, and I can see "Dcouments" mounted under /private in Finder.

However, I can't get into that directory

jeeves:~ $ cd /private/nfs/
-bash: cd: /private/nfs/: Permission denied

I had webmin set permissions as read/write ( rw ) and it's not filtering on any IP's or hostnames, so what else is required to access that directory?

Thanks in advance for all your help!

Edit :

Here's my Webmin setup.

Webmin wont let me select an NFS version of 4, presumably because I only have NFS v3 installed, as per nfsstat

jeeves@HAL:~$ nfsstat
...
Server nfs v3:
null         getattr      setattr      lookup       access       readlink     
25        5% 28        6% 0         0% 126      29% 211      48% 0         0% 
...

Answer 1

You're likely running into an issue with numeric user id's: the numeric user id on your ubuntu system does not match the numeric user id on your Mac. With NFS, you generally have to insure that your numeric user ids are somehow made the same across all of your systems. On home/personal systems, user ids tend to assigned haphazardly, without any sort of synchronization, which causes problems with NFS.

Since this is a home server, and if you trust everyone that connects to your NFS server, one possible quick-and-easy-and-dirty-and-ugly-and-kludgy fix is to open up permissions and allow everyone and everything to read/write/delete your files (do not do this in an enterprise environment, obviously):

On your Ubuntu system, login as jeeves (do not sudo or use any other account), open a terminal window, and run the commands, in the given order:

 cd /home/jeeves/Documents find . -type d -print0 | xargs -0 chmod 777 find . -type f -print0 | xargs -0 chmod a+rw 

However, this assumes that NFS is set up to allow access to untrusted users (in webmin, "Treat untrusted users as" is set to default, and I'm not sure what this is).

Note that, with the above commands, the owners of files and directories created by the Mac will appear as numeric users on Ubuntu (because the Ubuntu system will likely not have any users in /etc/passwd corresponding to the Mac numeric ids, Ubuntu will simply display the raw numeric ids).

Long answer:

When you created the jeeves account on your Ubuntu system, Ubuntu assigned it some numeric user id. When you created your user account on your Mac, the Mac assigned it a numeric user id, which was likely different than the number assigned on the Ubuntu system. Note that user names (eg, "jeeves") are a user convenience; neither Ubuntu nor the Mac use them internally, and instead use user ids. NFS uses these numeric ids to determine ownership/permissions (on the Ubuntu box).

• If the ids match, the "user" permissions are used.

• If the ids don't match:

  • ("Group" permissions can be used, but that's unlikely, and I'm not going to discuss that.)

  • The "Other" permissions are used. Note that, when creating files/directories, if the (Mac) user id isn't found in the Ubuntu box, you'll generally get files that appear to be owned by a "numeric" owner; the number you see is what the Mac is using, and you see the number because that id doesn't appear in Ubuntu's /etc/passwd .

IIRC, Ubuntu uses a umask of 022, which means that only the owner of /home/jeeves/Documents can write/create files and directories; everyone else has read-only permissions. Unless you've somehow synchronized user ids between your boxes, you're unlikely to have the same user ids, and so you will get permission issues.

Since this is a home server, the easiest fix, mentioned above, is to just get rid of security and allow everyone and everything to access your files. Of course, this is distasteful for obvious reasons.

The correct fix is to make sure that all user ids are synchronized between all systems, but this can be a problem in a home environment. Also, changing user ids once an account has been used is problematic; while this can be done, it has to be done carefully, as you might bork your system. I'm not going to go into details.

Edit: fixed partial sentence.