NFSv4 Connection Issues

Picking up from my last post, I'm working on setting up NFSv4 sharing between my server and a Linux box to share some media files. I'm having a bear of a time getting this to work, though, even following this guide. I'm able to mount the pseudo-root on the guest with doas mount -t nfs4 -o sec=sys,ro 10.10.1.5:/ /ds9 but am unable to mount the actual share with doas mount -t nfs4 -o sec=sys,ro 10.10.1.5:/main/media /ds9. Any help anyone can provide would be greatly appreciated. NFSv3 would be a potential fallback here but I'd really like to keep the firewall setup easier and every client involved should be able to handle it fine. More details below.

Code:
# FreeBSD Host
## /etc/rc.conf
nfs_server_enable="YES"
nfsv4_server_enable="YES"
nfsv4_server_only="YES"
nfs_server_flags="-t"
nfsuserd_enable="YES"
nfsuserd_flags="-domain ar558.net"

## /etc/sysctl.conf
vfs.nfs.enable_uidtostring=1
vfs.nfsd.enable_stringtouid=1

## /etc/exports
V4: /

## /etc/zfs/exports
/main/media    -network 10.10.1.0/24 -mapall=media -ro -alldirs
/main/media/Dropbox    -network 10.10.1.0/24 -mapall=media -ro -alldirs

## ls -la /media
total 145
drwxrwx--x   7 main         main             9 Apr 12 22:20 ./
drwxr-xr-x  22 root         wheel           25 Apr 23 00:21 ../
drwxrwx--x  17 media        media           21 Apr 21 22:34 media/

## /etc/passwd
media:*:10001:10001:Media dataset owner:/nonexistent:/usr/sbin/nologin

## /etc/pf.conf
pass in on $main_if proto tcp from any to port 2049

# Linux Client
## Mount error message
promenade:~$ doas mount -t nfs4 -o sec=sys,ro 10.10.1.5:/main/media /ds9
mount.nfs4: access denied by server while mounting 10.10.1.5:/main/media
mount: mounting 10.10.1.5:/main/media on /ds9 failed: Permission denied

## /etc/passwd
media:x:10001:10001::/home/media:/nonexistent
 
Just as a quick update, I've been able to successfully mount the folder on the client by changing -mapall=media to -maproot=root. -maproot=media doesn't seem to work, though, and when logged in as media on the guest I'm not able to see the contents of the share. I'm going to keep digging but am puzzled as to why this is a problem. Near as I can tell the export is configured correctly and directory traversal by any user is working (it is for SMB, at least).

In case it's useful to anyone, the client is specifically Alpine Linux.
 
This looks good on the FreeBSD host side. I've tested the setup with a Linux Mint client (all in bhyve(8) guests) but couldn't reproduce the error.

My setup has no firewall enabled. Have you tried without the firewall?

By the way, exporting /main/media/Dropbox to the same subnet and options as /main/media separately doesn't make much sense. The client can access Dropbox via /main/media share.

It would make sense if the Dropbox dataset is exported to a different subnet and/or with different options.

I'm able to mount the pseudo-root on the guest with doas mount -t nfs4 -o sec=sys,ro 10.10.1.5:/ /ds9
Are you able to list directory contents (ls(1))?

In my test setup it's possible to mount the "/" NFSv4 tree root but listing directory contents produces an input/output error. This might be related to the Linux Mint distribution (v21.2), I haven't tried with other distributions. EDIT: Tried Void Linux, same here: input/output error on listing directory contents.
 
Thank you so much for doing all this testing! It's very much appreciated. Good call with Dropbox, too. It was inheriting from the parent dataset. Since turned off.

I have tried it without the firewall! Unfortunately, it doesn't seem to work there, either.

Interestingly I don't get an I/O error with the root mounted. I don't see any contents (total 0 is the only output as both the admin user and root). In case it's useful, this is an Alpine Linux client.

My big lead now is that it's a permissions issue somewhere in the stack since -maproot=root does work? I guess setting -mapall=root is a potential solution, especially since it's read-only, but I'd like to figure out the permissions if at all possible.
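
An added example, not part of any post in this thread: since the working theory above is a permissions problem under -mapall=media, this checks by mode bits alone whether the mapped uid can traverse every directory from / down to the export, which is worth ruling out before falling back to a root mapping. The modes come from the listing in the first post; uid/gid 1001 for the main user is an assumed value, and ZFS NFSv4 ACLs are not evaluated.

```python
import os
import stat

def allowed(mode, owner_uid, owner_gid, uid, gids, want):
    """Classic Unix check: select owner, group or other bits, then test `want` ('r', 'x', 'rx'...)."""
    if uid == 0:
        return True  # root bypasses directory mode bits
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    bits = (mode >> shift) & 0o7
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return bits & need == need

def check_chain(entries, uid, gids):
    """entries: [(path, mode, owner_uid, owner_gid), ...] ordered from / down to the export.
    Parent directories need 'x' (traverse); the exported directory needs 'rx' (list).
    Returns the paths whose mode bits would deny the mapped user."""
    denied = []
    for i, (path, mode, o_uid, o_gid) in enumerate(entries):
        want = "rx" if i == len(entries) - 1 else "x"
        if not allowed(stat.S_IMODE(mode), o_uid, o_gid, uid, gids, want):
            denied.append(path)
    return denied

def stat_chain(path):
    """Collect real entries for `path`; run this on the NFS server, not the client."""
    parts, cur = [], os.path.abspath(path)
    while True:
        st = os.stat(cur)
        parts.append((cur, st.st_mode, st.st_uid, st.st_gid))
        if cur == os.path.dirname(cur):
            break
        cur = os.path.dirname(cur)
    return parts[::-1]

# Constructed sample built from the ls output in the post (uid/gid 1001 for "main" is assumed).
SAMPLE = [
    ("/", 0o755, 0, 0),
    ("/main", 0o771, 1001, 1001),
    ("/main/media", 0o771, 10001, 10001),
]

if __name__ == "__main__":
    print(check_chain(SAMPLE, 10001, {10001}))  # media user, uid/gid from /etc/passwd
```

On the server, `check_chain(stat_chain("/main/media"), 10001, {10001})` runs the same check against the live directory modes.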
 