I've been facing an NFS issue for the past few days and could really use some help.
My setup:
NAS Storage: Synology, NFS Export /volume1/data
Nextcloud App Server: Debian, NFS Client mounted at /mnt/storage_cloud
Mounting the NFS 4.1 export works fine, and I can access all the data with read/write permissions as the root user. However, the www-data user (which runs the Nextcloud application) can't access the directory at all.
What I’ve tried so far:
chown: -> changing ownership of 'storage_cloud': Operation not permitted
chmod 777 (I know this isn’t ideal, but worth a try): -> changing permissions of 'storage_cloud': Operation not permitted
setfacl: -> Operation not supported
After doing extensive research, I found that using Kerberos instead of sys_auth might be a solution, but I’ve found very little documentation or tutorials on this topic.
Given that my setup doesn’t seem particularly complex, it feels like there should be a simpler solution to allow proper access to the NFS share for www-data. I might be overcomplicating things.
I’d really appreciate any insights or suggestions!
Thanks in advance, PP
Just a quick update: I found a solution! It seemed complicated at first, but in the end, it’s working. It might not be the perfect solution, so feel free to suggest any further improvements.
First off, the access issues stem from the way NFS maps devices 1:1, exactly as they exist on the Synology side. Synology creates a user and group, and you can mount them 1:1 using the same user and group IDs on your local device. Root is squashed on the server side, which made it seem like it was working. However, once you switch to any other user, it stops functioning.
The solution: Create the same user and group IDs locally, and ensure the group access permissions are correct.
In my case, I changed the NGINX and PHP services to run under my new user and group. It sounds complicated, but it's just a matter of editing two config files and modifying the ownership of the PID files and logs. That’s essentially all the "magic." It was resolved within 5 minutes once I accepted that I couldn't grant access the usual way.
Although it may seem unusual to change the default www-data user, this is quite common in multi-vhost setups, like those provided by Plesk or cPanel.
This is the approach I’ve taken.
The alternative solution—setting up Kerberos with LDAP (and LDAP beforehand!) for user ID mapping—is much more complex.
I hope this helps anyone facing the same issue I did!
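The fix described above rests on one fact: with sec=sys the NFS server trusts the numeric UID/GID the client sends, so a local account only gets access if its numbers match the owner of the exported directory. The script below is an added example (not the poster's own commands) that checks a local account against a mount point's owner IDs and prints the commands needed to create a matching account. It assumes a Debian-style client with GNU coreutils (`stat -c`); the account name `cloudsvc`, group name `cloudgrp` and the UID/GID values in the comments are constructed placeholders, not values from the post.

```shell
#!/bin/sh
# Compare a local account's UID/GIDs with the owner of an NFS mount point.
# Under sec=sys the server applies the client's numeric IDs 1:1, so a
# mismatch here is exactly the "Operation not permitted" seen on the share.

# Pure comparison on numbers, so it can be exercised without a real mount:
#   $1 = account UID, $2 = space-separated list of the account's GIDs,
#   $3 = owner UID of the path, $4 = owner GID of the path.
# Returns 0 when the account owns the path or shares its group.
ids_match() {
    uid="$1"; gids="$2"; own_uid="$3"; own_gid="$4"
    [ "$uid" = "$own_uid" ] && return 0
    for g in $gids; do
        [ "$g" = "$own_gid" ] && return 0
    done
    return 1
}

# Resolve a user name and a path with id(1) and stat(1), then compare.
# Returns 0 on match, 1 on mismatch, 2 if the user or path cannot be read.
check_access() {
    user="$1"; path="$2"
    uid=$(id -u "$user" 2>/dev/null) || return 2
    gids=$(id -G "$user")
    own_uid=$(stat -c '%u' "$path" 2>/dev/null) || return 2
    own_gid=$(stat -c '%g' "$path")
    if ids_match "$uid" "$gids" "$own_uid" "$own_gid"; then
        echo "OK: $user (uid=$uid) matches $path (owner $own_uid:$own_gid)"
        return 0
    fi
    echo "MISMATCH: $user uid=$uid gids=[$gids] vs $path owner $own_uid:$own_gid"
    return 1
}

# Print (do not run) the commands that create a local account whose
# numeric IDs equal the export owner's, which is the approach in the post.
# $1 = path on the mount, $2 = account name to create, $3 = group name.
suggest_fix() {
    path="$1"; name="$2"; group="$3"
    own_uid=$(stat -c '%u' "$path") || return 2
    own_gid=$(stat -c '%g' "$path")
    echo "# create group/user with the export owner's numeric IDs"
    echo "groupadd -g $own_gid $group"
    echo "useradd -u $own_uid -g $own_gid -M -s /usr/sbin/nologin $name"
    echo "# then point nginx ('user' directive) and the php-fpm pool"
    echo "# (user= / group=) at $name/$group and chown their PID/log files"
}

# Stand-alone usage, e.g. on the client from the post (constructed names):
#   sh ./nfs_idcheck.sh www-data /mnt/storage_cloud
if [ "${1:-}" ] && [ "${2:-}" ]; then
    check_access "$1" "$2" || suggest_fix "$2" cloudsvc cloudgrp
fi
```

The numeric check is kept separate from the `stat`/`id` lookups so the logic can be tested on plain numbers, and `suggest_fix` only prints commands because creating accounts and changing service users is a decision for the administrator. Bear in mind what this approach does not change: with sec=sys the server still believes whatever UID a client asserts, so the share is only as trustworthy as every host allowed to mount it; Kerberos (sec=krb5) is what replaces that client-asserted identity with an authenticated one.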