NFS share readonly, although set to rw on fstab

NFS server on Leap 15.6, one NFS client with Leap 15.6 and another with Leap 16.
Both can mount a rw share in Dolphin, but on the Leap 16 box it is ro, regardless of fstab mount options (the same in both clients):

192.168.0.xxx:/home/user/share  /home/user/share  nfs    soft,noauto,rw,users,timeo=100,retrans=200  0  0

User name/ID is the same in all boxes.
In the Leap 15.6 client, services mountd, nfs, nfs3 and rpc-bind are allowed in the YaST Firewall module. IDK if all are actually necessary for a client.
In Leap 16 I couldn’t find any front-end to the firewall (in Cockpit or as a standalone app), firewall service shows as active in cockpit.

So how do I allow rw in the Leap 16 box? And how do I manage the firewall?

Thanks!

@brunomcl Firewall control is under Networking?

Not SELinux related?

Was the Leap 16.0 a fresh install? With the first user connecting? Then the group id from the Leap 16.0 will be bruno not users like on the Leap 15.6 machines.

Just edited the post. Cockpit shows Firewalld service as active.
SELinux in Cockpit only has two system modifications:

  • Allow virt to sandbox use all caps
  • Allow virt to use nfs

None are related to the issue, I think.

Yes, it was a fresh install but keeping /home.
No, it’s the same username. I just substituted “user” in place for this post. ID is 1000 on all three boxes.

@malcolmlewis: I didn’t notice Firewall in Cockpit, stupid of me. Will check now, thanks!

It is about the group. You specified “users” on the fstab line. But on Leap 16, the group has the name of the first user.

test@leaptest:~> id
uid=1000(test) gid=1000(test) groups=1000(test),496(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
test@leaptest:~> 

Allowing services mountd, nfs, nfs3 and rpc-bind makes no difference, the share is still ro. I think these services are only needed for server roles.

My mistake. I mixed up different topics.

OK, the username is bruno, in groups admin(wheel), users and bruno (It was only admin(wheel) and users, I included group bruno and it was listed in the available groups but now it can’t be removed (no “x” at the right of the group name)).
Edited fstab options to soft,noauto,rw,bruno,timeo=100,retrans=200 0 0
and logged out and back in, but the share is still readonly.
Services nfs, nfs3, mountd and rpc-bind are still open in the firewall.

OK, no problem. Thanks for trying to help.

Bruno, here’s what it should look like on 15.6:

knurpht@Lenovo-P16:~> grep knur /etc/passwd
knurpht:x:1001:100:Knurpht:/home/knurpht:/bin/bash
knurpht@Lenovo-P16:~> groups
users libvirt docker video
knurpht@Lenovo-P16:~> grep 100 /etc/group
users:x:100:
knurpht@Lenovo-P16:~> grep knur /etc/group
video:x:483:knurpht,ollama
libvirt:x:108:knurpht,libvirtdbus
docker:x:449:knurpht
knurpht@Lenovo-P16:~> 

This is a good comparison since my TW is from before the changes to user:user format. Now look at the same commands on your Leap 16.0

BTW you can edit /etc/groups as root to make changes.

OK, I’m lost here. Both client desktops seem to be configured exactly alike.

  1. Same fstab mount options
  2. Same mount filesystem (nfs4)
  3. No ports open in the firewalls (I removed the server services from the 15.6 box, the share is still accessible and rw)
  4. When mounted the shared folders are owned and writable by the user, group and others, belong to the main user (bruno) and group users.

Help please!

One difference: I can change the shared folder permissions in the 15.6 box, using Dolphin’s property panel, but not in the Leap 16 box (permission denied).

Some differences here:

LEAP 15.6 (rw share)
bruno@pcem-13:~> grep bruno /etc/passwd
bruno:x:1000:**100**:Bruno de Mello Campos:/home/bruno:/bin/bash
bruno@pcem-13:~> groups
users vboxusers video cdrom
bruno@pcem-13:~> grep bruno /etc/group
cdrom:x:491:bruno
video:x:483:bruno
vboxusers:x:463:bruno
bruno@pcem-13:~> grep 100 /etc/group
users:x:**100**:

LEAP 16 (ro share)
bruno@backup:~> grep bruno /etc/passwd
bruno:x:1000:**1000**:Bruno de Mello Campos:/home/bruno:/bin/bash
bruno@backup:~> groups
bruno users wheel
bruno@backup:~> grep bruno /etc/group
users:x:100:bruno
wheel:x:496:bruno
bruno:!:1000:
bruno@backup:~> grep 100 /etc/group
users:x:100:bruno
bruno:!:1000:
bruno@backup:~> 

(the ** are mine, it should be bold but isn’t)
Perhaps something to do with the 100/1000 difference?

FWIW, tested with disabled SELinux rules in Cockpit, but no change.

That’s what I think, yes. But NFS for me is > 10 years ago. I then ran into this issue when a Ubuntu user needed to mount NFS shares. Fixed it, but don’t remember how.

I vaguely remember an issue with nfs4 that required additional authentication (something like PAM, perhaps) to allow write permission, but I may be remembering wrongly - something more frequent as I continue the inexorable march to the 70yo milestone :grin:

Run id bruno and report back.

The primary GID is currently 1000 (bruno), but you’ll need to change that so that users is the primary group. You can change that to be the primary group with sudo usermod -g users bruno. It will take effect at next login.

The server’s share files are owned by GID 100 (users). NFSv4 enforces permissions based on numeric UID and primary GID sent by the client. That results in the RO behavior you’re experiencing on the Leap 16 host.

The fstab entry should look like

192.168.0.xxx:/home/user/share  /home/user/share  nfs  rw,soft,timeo=100,retrans=200  0 0

Don’t include usernames - NFS uses numeric UID/GID, which will now match the server once the primary group is fixed.
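
An added diagnostic sketch, not part of any post in this thread: it separates the two things that can both look like a "read-only" share, namely the mount options actually in effect and the numeric-ID permission check on the shared directory. It assumes sec=sys (the client sends numeric uid and gids), GNU stat, and a constructed sample mounts line; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not taken from the thread's machines).
SAMPLE_MOUNTS='192.0.2.10:/home/user/share /home/user/share nfs4 ro,relatime,vers=4.2,soft,sec=sys 0 0'

# mount_mode MOUNTPOINT < mounts-file
# Prints "rw" or "ro" from the options in effect, or "unmounted" if not listed.
mount_mode() {
    awk -v mp="$1" 'BEGIN { m = "unmounted" }
        $2 == mp { n = split($4, o, ",")
                   for (i = 1; i <= n; i++) if (o[i] == "ro" || o[i] == "rw") m = o[i] }
        END { print m }'
}

# write_class UID "GID LIST" OWNER_UID OWNER_GID OCTAL_MODE
# Classic Unix check on numeric ids only: owner class first, then group, then other.
# Names never enter into it, which is why matching user names alone proves nothing.
write_class() {
    uid=$1 gids=$2 ouid=$3 ogid=$4
    perms=$((0$5))                       # leading 0 makes the mode octal
    if [ "$uid" -eq "$ouid" ]; then
        class=owner; bit=$((perms & 0200))
    else
        class=other; bit=$((perms & 0002))
        for g in $gids; do
            if [ "$g" -eq "$ogid" ]; then class=group; bit=$((perms & 0020)); break; fi
        done
    fi
    if [ "$bit" -ne 0 ]; then echo "$class:write"; else echo "$class:denied"; fi
}

# diagnose PATH: run both checks for the current user against a mounted share.
# A "ro" mount refuses writes whatever the ids are; "rw" plus ":denied" points at ids/mode.
diagnose() {
    set -- "$1" $(stat -c '%u %g %a' "$1")
    echo "mount: $(mount_mode "$1" < /proc/mounts)"
    echo "ids:   $(write_class "$(id -u)" "$(id -G)" "$2" "$3" "$4")"
}

if [ $# -gt 0 ]; then diagnose "$1"; fi
```

Run it with the mount point as its only argument on each client and compare the two output lines between the machines.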

LEAP 15.6:
bruno@pcem-13:~> id bruno
uid=1000(bruno) gid=100(users) grupos=491(cdrom),483(video),463(vboxusers),100(users)

LEAP 16
bruno@backup:~> id bruno
uid=1000(bruno) gid=1000(bruno) grupos=1000(bruno),100(users),496(wheel)

But after

bruno@backup:~> sudo usermod -g users bruno
[sudo] senha para bruno: 
bruno@backup:~> id bruno
uid=1000(bruno) gid=100(users) grupos=100(users),496(wheel)

removing “users” option in fstab and logging out and back in, the share name still appears in Dolphin, under the Network panel, but won’t mount anymore.

Current fstab entry:

192.168.0.3:/home/bruno/share  /home/bruno/share  nfs    soft,noauto,rw,timeo=100,retrans=200  0  0

Almost there, I think