Problem with permissions for NFS shares for Plex indexing

Hello

I have a headless Ubuntu Server 18.04 and a Synology NAS on which all the files are stored. On the server I have Plex installed. I want Plex to look through the files on the NAS.

I set up NFS on the Synology and gave read/write permissions to the IP of the server. On the server I created directories for the mounts:

/mnt/NFS/Films
/mnt/NFS/Movies
/mnt/NFS/Series
and some other directories...

So all the directories are in /mnt/NFS/. I can mount all shares. I went to /etc/fstab so that the shares are mounted at startup:

10.10.10.6:/volume1/Films /mnt/NFS/Films nfs noatime,actimeo=1800 0 0
10.10.10.6:/volume1/Series /mnt/NFS/Series nfs noatime,actimeo=1800 0 0
10.10.10.6:/volume1/Movies /mnt/NFS/Movies nfs noatime,actimeo=1800 0 0 

The selected options I read somewhere. I selected noatime to reduce disk IO on the SSD and actimeo to not check for new attributes every 3 seconds since they don’t change at all.

When starting up the server all shares are mounted, so I think the configuration of fstab is ok:

10.10.10.6:/volume1/Films        5.5T  3.6T  1.9T  66% /mnt/NFS/Films
10.10.10.6:/volume1/Movies       5.5T  3.6T  1.9T  66% /mnt/NFS/Movies
10.10.10.6:/volume1/Series       5.5T  3.6T  1.9T  66% /mnt/NFS/Series

When I use cd to go to /mnt/NFS/Films then I can ls the files. When doing the same for the other directories I get an error:

-bash: cd: /mnt/NFS/Series: Permission denied

When looking up the permissions I get this:

total 84
drwxr-xr-x  10 root root  4096 May  2 10:38  . 
drwxr-xr-x   3 root root  4096 May  1 20:33  .. 
drwxrwxrwx 273 root root 20480 May  3 13:53  Films
d---------  64 root root  4096 May  2 23:11  Movies
drwxr-xr-x   2 root root  4096 May  2 10:22  Series

I don’t know enough of Linux to know what’s happening here but according to me there is something wrong with the permissions. Why and how to solve that’s why I’m asking here. How come it works for the Films share I don’t know either. First I thought it’s because it’s the first line in the fstab file so I put another there to check but that gave nothing.

During the install of Ubuntu Server I was asked to create a user. That is the only user I created and it’s the one I login with on the command line of Ubuntu Server.

The things I execute on the command line are all things I need to look up, that way I’m learning about it but this I cannot find how to solve.

Thanks!

No Linux guy here, but I know that PMS on Linux is running under its own user account. So it doesn’t have access to your Movies folder, which is set to be accessed by ‘root’ only.
(Think of ‘root’ as a “superuser” or “Administrator” account)
You need to change the permissions on that folder, so that the user plex has at least ‘read’ permissions.

You might want to take a look at How to mount media from your NAS shares on Linux using NFS
(the secret lies mainly in the chmod command, but read the post in full, just to be on the safe side)

I’ll try following the guide this evening.

How can I look up which users have which access rights on certain folders?

I don’t know details, but this should serve as an introduction:

wow, the amount of documentation and help Plex has published never ceases to amaze me.

Also give a read here.

With a “plex” username on the Syno ( a placeholder )
give username plex access to see those shares you want.

VERY IMPORTANT

Set the mount point directory permissions BEFORE mounting the NFS volume.

I followed the guide linked to by OttoKerner which gave me drwxr-xr-x permissions on the mounted shares except for one (I don’t know why) but still I can only cd or ls on the “Films” share. For the other ones I still get a permission denied error.

I did the sudo chmod -r 755 command without any change.

I had unmounted the shares, stopped the plex service and removed the plex user from the shares on my Synology. Restarted the Synology, recreated the plex user and gave read only rights on the shares.
Then I told the NFS setting in the shares to allow read only traffic from the servers IP.

Concerning the settings for NFS on the Synology, should I enable v4?

And on the NFS settings per share, besides the read only, should I change some other settings too (squash,…)?

Thanks

P.S.: Another question, if I for example want to cd to a mount with a space in the name, then can I use this command (note the apostrophes): cd /mnt/NFS/'TV Series' or must I use this command: cd /mnt/NFS/TV\ Series

Ok, I think I found something but I’m not sure what I must do.

I logged in over SSH on the Synology Nas. When I “ls -la /volume1” on the shares it hosts I get the following:

drwxrwxrwx  273 root            root                20480 May  3 13:53 Films
drwxrwxrwx+  64 root            root                 4096 May  2 23:11 Movies
drwxrwxrwx+  16 root            root                 4096 Sep 24  2019 Series

I notice there’s a + after the permissions for Movies and Series and not for Films. I found out it has something to do with ACL but I don’t know how to change it in the Synology DiskStation.

After some time I noticed the following differences in the screens. This is what I see for the Films share:

This is the same screen but then for the Movies share and the Series share:

As you can see, the bottom part of the window is missing for the Films share. There are no “Advanced permissions for shared folder” settings.

I think it has something to do with this. Does anybody know anything more?

Thanks!

EDIT: When I do “ls -el /volume1” in the terminal of the Synology I get this:

drwxrwxrwx  273 root            root                20480 May  3 13:53 Films
drwxrwxrwx+  64 root            root                 4096 May  2 23:11 Movies
	 [0] group:_Group_VPN:deny:rwxpdDaARWcCo:fd-- (level: 0)
	 [1] group:_Group_Administrator:allow:rwxpdDaARWc--:fd-- (level: 0)
	 [2] user:plex:allow:r-x---a-R-c--:fd-- (level: 0)
	 [3] group::allow:r-x---a-R-c--:fd-- (level: 0)
	 [4] group:_Group_Gebruiker:allow:rwxpdDaARWc--:fd-- (level: 0)
drwxrwxrwx+  16 root            root                 4096 Sep 24  2019 Series
	 [0] group::deny:rwxpdDaARWcCo:fd-- (level: 0)
	 [1] group:_Group_VPN:deny:rwxpdDaARWcCo:fd-- (level: 0)
	 [2] group::deny:rwxpdDaARWcCo:fd-- (level: 0)
	 [3] group::deny:rwxpdDaARWcCo:fd-- (level: 0)
	 [4] group:_Group_Administrator:allow:rwxpdDaARWc--:fd-- (level: 0)
	 [5] user:plex:allow:r-x---a-R-c--:fd-- (level: 0)
	 [6] group::allow:r-x---a-R-c--:fd-- (level: 0)
	 [7] group::allow:r-x---a-R-c--:fd-- (level: 0)
	 [8] group:_Group_Gebruiker:allow:rwxpdDaARWc--:fd-- (level: 0)
	 [9] group::allow:r-x---a-R-c--:fd-- (level: 0)
	 [10] user::allow:r-x---a-R-c--:fd-- (level: 0)

So for the Films share there are no ACL permissions found. Maybe that’s why I can’t access the other shares and it only works for the Films share.

This is what I get when I do “sudo cat /etc/exports” on the Synology:

/volume1/Films	10.10.10.74(ro,async,no_wdelay,no_root_squash,insecure_locks,sec=sys,anonuid=1025,anongid=100)
/volume1/Movies	10.10.10.74(ro,async,no_wdelay,no_root_squash,insecure_locks,sec=sys,anonuid=1025,anongid=100)
/volume1/Series	10.10.10.74(ro,async,no_wdelay,no_root_squash,insecure_locks,sec=sys,anonuid=1025,anongid=100)

I really don’t know what to do here.

Create a username plex on the Synology.
Give username plex permission to read the share(s).
(Control Panel - Shared Folders - share-name - EDIT - Permissions)

This is the easiest way.

Next, be certain to allow ports higher in the NFS export rule

Attempting to force the Synology will only lead to frustration if these steps have not been performed first.

ACLs are a nightmare – Avoid them at all cost. Let DSM do what it does best via the GUI.

ChuckPa, I’ll try it within a couple of hours when I have access to my Synology.

The plex user was and is already created with read only permissions on each share. The screen you’re showing I have set up too but the “non-privileged port” and “cross-mount” are on denied. I’ll change it when I try it. Must I reboot the Synology after each change?

If I SSH into the Ubuntu server, I do that with the user “tom” I created during the Ubuntu install. If I mount a share from the Synology, I execute the commands with this user. I have the same user on the Synology? I don’t know if this matters.

EDIT: I tested what you posted but still I can’t cd or ls the shares. They are mounted but that’s all.
Here are my settings on Synology:



When connected per SSH and trying to cd or ls:

You do not need to restart DSM after making the changes. The exports list is regenerated.

On my LAN, because all machines are mine, I use the wildcard * host IP specification.
It makes life easier. “Set & Forget”

In your screenshots above, “tom” probably doesn’t have an account on the Syno, does he?

Last question:

Before mounting the Syno, are the mount point directory permissions 0755?
Without this, you won’t be able to cross the mount-point directory barrier.

There is a user Tom on the Synology. No password is set with read only permissions on the same folders as plex needs.

Do you mean “ls -la /mnt/Synology”? Then this is the output:

tom@hpsrv:~$ ls -la /mnt/Synology
total 36
drwxr-xr-x 9 root root 4096 May  5 21:05  .
drwxr-xr-x 3 root root 4096 May  5 20:58  ..
drwxr-xr-x 2 root root 4096 May  5 21:03  Films
drwxr-xr-x 2 root root 4096 May  5 21:03  Movies
drwxr-xr-x 2 root root 4096 May  5 21:03  Series

Is the account enabled?
Synology continues to get stricter on security.

I will setup a test in a bit to see if I can replicate your results but so far I’ve not had this type problem.

Both accounts (tom and plex) are enabled, both have no password (although dots are shown) and both have the same settings.

Here are the settings of the user tom. I have a plex share but that’s from the previous plex install on the Synology.



Here are the settings of the Series share, one of those that’s not working:




EDIT: I logged in on the Synology over SSH as the administrator account (not the default one but a new one I created). I looked up the UID and GID on the nfs host:

_user_new-admin£@DiskStation:/$ id
uid=1029(_user_new-admin£) gid=100(users) groups=100(users),101(administrators),1023(http),65542(_Group_Administrator)
_user_new-admin£@DiskStation:/$ id tom
uid=1039(tom) gid=100(users) groups=100(users)
_user_new-admin£@DiskStation:/$ id plex
uid=1037(plex) gid=100(users) groups=100(users)

I did the same on the server on which I’ll put plex (plex is not yet installed so the plex user doesn’t exist yet):

tom@hpsrv:~$ id
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)

I don’t know enough about this all but I suppose these should be the same?

Ok, I think I found out what’s wrong and a possible solution.

So at the time I bought the Synology NAS, I read on the Synology knowledge base that it’s better to disable the default admin account and also the guest account, which I did.

Today, I connected to the Synology over ssh and using the sudo cat /etc/exports command I looked up the nfs specifics for the shares. I found out that the anonuid and anongid were 1025 and 100 for all shares.

With the sudo cat /etc/passwd command I searched to which user these uid and gid belong to:

guest:x:1025:100:Guest:/nonexist:/sbin/nologin

At that moment I remembered that the guest account was disabled because of the Synology knowledge base. As a test I re-enabled the guest account and gave it read only permissions on one of the shares. Then I changed the NFS settings to all_squash (map all users to guest).

When I now mount this share on the client, I no longer have “permission denied” error messages. I can perfectly cd and ls the files.

I thought that “map all users to guest” meant to “a guest”, I didn’t know it meant the guest account on the Synology.

Knowing all this, is it possible to map the users not to guest but to a specific user that I created? Or is that not possible?

Also: because of some update in the past, at a certain point ACL was put standard on the system by Synology. I suppose that because only the Films share already existed back then, the ACL permissions were not forced upon this share. Maybe that’s why I could connect to the Films share but not the other ones which were created later with ACL permissions.
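
Added example (not written by any poster in this thread): a small Python model of how an export using sec=sys maps the numeric UID a client sends to an account on the NAS, using the export line and the id values quoted above. The home and shell fields of the plex and tom passwd lines are constructed, the all_squash line is a constructed variant, and 65534 is assumed as the anonymous UID when anonuid is absent (the Linux nfsd default).

```python
# Constructed inputs, built from the values quoted in this thread.
EXPORT_LINE = ("/volume1/Series\t10.10.10.74(ro,async,no_wdelay,no_root_squash,"
               "insecure_locks,sec=sys,anonuid=1025,anongid=100)")
ALL_SQUASH_LINE = EXPORT_LINE.replace("no_root_squash", "all_squash")
NAS_PASSWD = """\
guest:x:1025:100:Guest:/nonexist:/sbin/nologin
plex:x:1037:100::/constructed/home/plex:/sbin/nologin
tom:x:1039:100::/constructed/home/tom:/sbin/nologin
"""

def parse_export(line):
    """Split one exports line (single host spec, as on this page)."""
    path, spec = line.split(None, 1)
    host, _, opts = spec.strip().partition("(")
    options = {}
    for item in opts.rstrip(")").split(","):
        key, _, value = item.partition("=")
        options[key] = value or True
    return path, host, options

def parse_passwd(text):
    """Map numeric UID -> account name from passwd-format text."""
    rows = (l.split(":") for l in text.splitlines() if l.strip())
    return {int(f[2]): f[0] for f in rows}

def server_uid(client_uid, options):
    """UID the server uses for a request under sec=sys (AUTH_SYS).

    The server takes the numeric UID the client sends; only the squash
    options rewrite it. Names are never compared.
    """
    anon = int(options.get("anonuid", 65534))
    if "all_squash" in options:
        return anon                     # every client UID becomes anonuid
    if client_uid == 0 and "no_root_squash" not in options:
        return anon                     # root_squash is the default
    return client_uid                   # passed through unchanged

def explain(client_uid, line, passwd_text):
    """Return (server-side UID, matching NAS account name or None)."""
    _, _, options = parse_export(line)
    uid = server_uid(client_uid, options)
    return uid, parse_passwd(passwd_text).get(uid)

if __name__ == "__main__":
    # tom is uid 1000 on the Ubuntu client but uid 1039 on the NAS.
    print(explain(1000, EXPORT_LINE, NAS_PASSWD))      # no NAS account matches
    print(explain(1000, ALL_SQUASH_LINE, NAS_PASSWD))  # mapped to guest
```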

You can’t force the username/group like you can with CIFS but you have something even better.

NFS supports sec=sys which turns off NFS’s authentication mechanism. sec=sys means that each host will perform its own security checking and NFS will defer to the baseline Linux UID/GID permissions bits.

How to leverage this:

  1. Create a username on Synology you wish to use (usually a name common to both/all systems using this mechanism). Also create the name on the other systems.

  2. Select a UID value which will not conflict with any of the involved systems

  3. Manually edit /etc/passwd on each host involved to use this new UID.

  4. Change the Syno’s export rule to:
    a. Sec=sys
    b. Root squash NO
    c. Allow everything

  5. Now, you can mount on the Linux client and have full root access

mount -o defaults,sec=sys  ip.addr.of.syno:/volumeX/share  /mount/point

  6. With root access, you can employ setuid & setgid bits to force UID/GID on all files created as well as forcing permissions. Example of how to employ this is here:

This is what I use for normal daily work. It makes the NASes extensions of the workstation as they should be.

Chuck, re: step 3… there can be some side effects from just editing /etc/password directly (these should be minimal on home systems, I don’t like to tempt trouble.) At least use vipw, or better yet, run usermod (on EL style distributions) to change the uid and gid numbers.

That’s fine. If you have tools such as vipw, great. Most NAS platforms are minimal so those tools aren’t available.

For Synology and QNAP, use VI

Thanks a lot for the help! Everything is working perfect now!

The hooray was too early…
I changed nothing but when I want to see the files in the shares I get this message:

ls: reading directory '.': Permission denied

Yesterday I saw a list of the files.