Synology NAS Procedure Share a NFS Folder: Difference between revisions

From NovaOrdis Knowledge Base
No edit summary
 
(23 intermediate revisions by the same user not shown)
Line 1: Line 1:
=External=
=External=


* https://www.synology.com/en-us/knowledgebase/DSM/help/DSM/AdminCenter/file_share_privilege_asp
* https://www.synology.com/en-us/knowledgebase/DSM/help/DSM/AdminCenter/file_share_privilege_nfs


=Internal=
=Internal=


* [[Synology NAS Procedures#Procedures|Synology NAS Procedures]]
* [[Synology NAS Procedures#Procedures|Synology NAS Procedures]]
* [[Synology_NAS_Procedure_Remove_a_NFS_Folder|Remove a NFS Folder]]


=Overview=
=Overview=
Line 23: Line 24:
Volume:  
Volume:  


Check "Hide this shared folder in 'My Network Places'"
'''Check''' "Hide this shared folder in 'My Network Places'"


Check "Hide sub-folders and files from users without permissions"
'''Check'''' "Hide sub-folders and files from users without permissions"


Leave "Enable Recycle Bin" unchecked.
Leave "Enable Recycle Bin" unchecked.


'''Permissions'''
'''Permissions'''
Nothing should be selected.


'''Advanced'''
'''Advanced'''
Nothing should be selected.


'''NFS Permissions'''
'''NFS Permissions'''
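Review bot: The revised "Hide sub-folders and files from users without permissions" line closes its bold markup with four apostrophes ('''Check''''), so the rendered page shows a stray apostrophe after "Check". Close it with three, as on the "Hide this shared folder" line above it.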
Line 40: Line 45:
# Network segment: 203.74.205.32/255.255.255.0, 203.74.205.32/24.
# Network segment: 203.74.205.32/255.255.255.0, 203.74.205.32/24.


Privilege: Read/Write, Read only.
Privilege:  
# Read/Write '''Select'''
# Read only
 
Squash:
#  '''Select''' "No mapping": Allows all users of NFS client, including root users, to maintain original access privileges. This will propagate the NFS client UID/GIDs to the NFS server filesystem.
# "Map root to admin": Assigns access privileges to root users of NFS client equivalent to the admin user access privileges on your system.
# "Map root to guest": Assigns access privileges to root users of NFS client equivalent to the guest access privileges on your system.
# "Map all users to admin": Assigns access privileges to all users of NFS client equivalent to the admin user access privileges on your system.
 
Security:
# '''Select''' AUTH_SYS: Use the NFS client's UID (user identifier) and GID (group identifier) to check access permissions. The client must have exactly the same numerical UID (user identifier) and GID (group identifier) on the NFS client and Synology NAS, or else the client will be assigned the permissions of others when accessing the shared folder. To avoid any permissions conflicts, you can select Map all users to admin from Squash or give "Everyone" permissions to the shared folder.
# Kerberos authentication
# Kerberos integrity
# Kerberos privacy
 
"Enable asynchronous": Checking this option allows your Synology NAS to reply to requests from NFS clients before any changes to files are completed, yielding better performance. '''Check'''.
 
<span id='Allow_Connections_from_Non-privileged_Ports'></span>"Allow connections from non-privileged ports (ports higher than 1024)":  Checking this option allows NFS clients to use non-privileged ports (i.e. ports greater than 1024) when connecting to the Synology NAS. '''Check'''.
 
"Allow users to access mounted subfolders": Checking this option allows NFS clients to access mounted subfolders. '''Check'''
 
OK
 
The result is a /volume''n''/''nfsdirname'' with no permissions by default:
 
d---------    3 root    root          4096 May 14 20:55 nfstest
 
The folder will be exposed to the NFS client with the same permissions it was created on the NFS server, by default none. If different permissions need to be exposed, they should be set manually on the NFS server folder.
 
=Troubleshooting=
 
==error while mounting volume ... permission denied==
 
Check Synology NAS /var/log/messages:
 
May 14 19:55:08 RackStation mountd[11252]: refused mount request from 192.168.1.136 for /volume1/nfstest (/volume1/nfstest): illegal port 63347


Squash: No mapping, Map root to admin, Map root to guest, Map all users to admin.
Resolutions: Configure "[[#Allow_Connections_from_Non-privileged_Ports|Allow connections from non-privileged ports (ports higher than 1024)]]"
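Review bot: The choices marked in the new Privilege, Squash and Security lists (Read/Write, "No mapping", AUTH_SYS) and the checked "Allow connections from non-privileged ports" option are recorded without a rationale or a scope. By the descriptions given on these same lines, the server then accepts the UID the client presents, root included, over connections that do not need a privileged port on the client. Add a sentence saying that the "Hostname or IP" rule should name a single trusted host, or which Squash option to pick when the client is not fully trusted. The Resolutions line should link back to that caveat rather than only telling the reader to enable the option.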

Latest revision as of 04:02, 15 May 2018

External

Internal

Overview

If the NFS service has not been set up yet, set it up:

Configure NFS Service

Procedure

Main Menu -> Control Panel -> Shared Folder -> Create

Name: The name specified here will propagate as mount path: /volumeX/shared-folder-name

Description:

Volume:

Check "Hide this shared folder in 'My Network Places'"

Check "Hide sub-folders and files from users without permissions"

Leave "Enable Recycle Bin" unchecked.

Permissions

Nothing should be selected.

Advanced

Nothing should be selected.

NFS Permissions

Access can be restricted to a specific host or network, by specifying "Hostname or IP". The host may be specified in three ways:

  1. Single host.
  2. Wildcards *.example.com.
  3. Network segment: 203.74.205.32/255.255.255.0, 203.74.205.32/24.

Privilege:

  1. Read/Write (select)
  2. Read only

Squash:

  1. Select "No mapping": Allows all users of NFS client, including root users, to maintain original access privileges. This will propagate the NFS client UID/GIDs to the NFS server filesystem.
  2. "Map root to admin": Assigns access privileges to root users of NFS client equivalent to the admin user access privileges on your system.
  3. "Map root to guest": Assigns access privileges to root users of NFS client equivalent to the guest access privileges on your system.
  4. "Map all users to admin": Assigns access privileges to all users of NFS client equivalent to the admin user access privileges on your system.

Security:

  1. Select AUTH_SYS: Use the NFS client's UID (user identifier) and GID (group identifier) to check access permissions. The client must have exactly the same numerical UID (user identifier) and GID (group identifier) on the NFS client and Synology NAS, or else the client will be assigned the permissions of others when accessing the shared folder. To avoid any permissions conflicts, you can select Map all users to admin from Squash or give "Everyone" permissions to the shared folder.
  2. Kerberos authentication
  3. Kerberos integrity
  4. Kerberos privacy

"Enable asynchronous": Checking this option allows your Synology NAS to reply to requests from NFS clients before any changes to files are completed, yielding better performance. Check.

"Allow connections from non-privileged ports (ports higher than 1024)": Checking this option allows NFS clients to use non-privileged ports (i.e. ports greater than 1024) when connecting to the Synology NAS. Check.

"Allow users to access mounted subfolders": Checking this option allows NFS clients to access mounted subfolders. Check.

OK

The result is a /volumeN/nfsdirname directory (N is the volume number, nfsdirname is the shared folder name) with no permissions by default:

d---------    3 root     root          4096 May 14 20:55 nfstest

The folder will be exposed to the NFS client with the same permissions it was created on the NFS server, by default none. If different permissions need to be exposed, they should be set manually on the NFS server folder.
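
To check what the selections above amount to on the wire, the following added example (not part of the original page and not Synology code) audits one line in standard Linux exports(5) syntax. The mapping of the DSM checkboxes to the options no_root_squash, insecure, async and sec=sys is an assumption, and both sample lines are constructed.

```python
import ipaddress

# exports(5) options assumed to correspond to the DSM choices in the procedure.
RISKY = {
    "no_root_squash": "client root stays UID 0 on the server (Squash: No mapping)",
    "insecure": "connections from source ports above 1024 are accepted",
    "async": "writes are acknowledged before they reach disk",
}

def parse_export(line):
    """Split an exports(5) line into (path, [(client, option_set), ...])."""
    path, *specs = line.split()
    clients = []
    for spec in specs:
        host, _, opts = spec.partition("(")
        clients.append((host, set(filter(None, opts.rstrip(")").split(",")))))
    return path, clients

def is_single_host(host):
    """True for one IP address or a plain hostname, False for networks and wildcards."""
    try:
        return ipaddress.ip_network(host, strict=False).num_addresses == 1
    except ValueError:
        return not any(c in host for c in "*?[")

def audit(line):
    """Return the sorted finding codes for one export line."""
    _, clients = parse_export(line)
    findings = set()
    for host, opts in clients:
        findings.update(o for o in RISKY if o in opts)
        # With no sec= option the export defaults to AUTH_SYS.
        flavors = [o[4:] for o in opts if o.startswith("sec=")] or ["sys"]
        auth_sys = any("sys" in f.split(":") for f in flavors)
        if auth_sys:
            findings.add("auth_sys")
        if auth_sys and "rw" in opts and {"insecure", "no_root_squash"} <= opts:
            findings.add("client_uid_fully_trusted")
        if not is_single_host(host):
            findings.add("client_not_single_host")
    return sorted(findings)

# Constructed sample lines, not taken from a real NAS.
AS_CONFIGURED = "/volume1/nfstest 203.74.205.32/24(rw,async,no_root_squash,insecure,sec=sys)"
TIGHTER = "/volume1/nfstest 192.168.1.136(rw,root_squash,sec=krb5p)"

if __name__ == "__main__":
    for line in (AS_CONFIGURED, TIGHTER):
        print(line, "->", audit(line))
```
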

Troubleshooting

error while mounting volume ... permission denied

Check Synology NAS /var/log/messages:

May 14 19:55:08 RackStation mountd[11252]: refused mount request from 192.168.1.136 for /volume1/nfstest (/volume1/nfstest): illegal port 63347

Resolution: Configure "Allow connections from non-privileged ports (ports higher than 1024)"