Assign NFS Permissions
You can assign NFS permissions to any shared folder, allowing Linux clients to access it.
To assign NFS permissions to a shared folder:
- Select the shared folder you want to edit from the shared folder list.
- Click Edit > NFS Permissions.
- Click Create to add an NFS rule.
- In the pop-up window that appears, define the following options:
  - Hostname or IP: Enter the IP address of the NFS client that will access the shared folder. You may specify a host in three ways:
    - Single Host: The fully qualified domain name, or an IP address.
    - Wildcards: *, *.synology.com
    - IP networks: 203.74.205.32/255.255.252.0, /24
  - Privilege: Select read/write permissions for the NFS client.
  - Security: Specify the security flavor to implement.
    - AUTH_SYS: Use the NFS client's UID (user identifier) and GID (group identifier) to check access permissions.
    - Kerberos authentication: Perform Kerberos authentication when the NFS client connects to the shared folder. The client can only access the shared folder after passing Kerberos authentication.
    - Kerberos integrity: Perform Kerberos authentication and ensure the integrity of packets during data transfer to prevent malicious tampering.
    - Kerberos privacy: Perform Kerberos authentication and encrypt the NFS packets during data transfer, thus preventing malicious parties from tampering with NFS traffic or eavesdropping on NFS packets.
  - Squash: This field allows you to control the access privileges of the NFS client's users. Select one of the following:
    - No mapping: Allows all users of the NFS client, including root users, to maintain their original access privileges.
    - Map root to admin: Assigns root users of the NFS client access privileges equivalent to the admin user access privileges on your system.
    - Map root to guest: Assigns root users of the NFS client access privileges equivalent to the guest access privileges on your system.
    - Map all users to admin: Assigns all users of the NFS client access privileges equivalent to the admin user access privileges on your system.
    - Map all users to guest: Assigns all users of the NFS client access privileges equivalent to the guest access privileges on your system.
  - Enable asynchronous: Checking this option allows your Synology NAS to reply to requests from NFS clients before any changes to files are completed, yielding better performance.
  - Allow connections from non-privileged ports (ports higher than 1024): Checking this option allows NFS clients to use non-privileged ports (i.e. ports greater than 1024) when connecting to the Synology NAS.
  - Allow users to access mounted subfolders: Checking this option allows NFS clients to access mounted subfolders.
- Click OK to finish.
- Click OK to apply the NFS permissions.
Note:
- When the format of the server name is *.domain, the NFS client's IP address must have a corresponding DNS PTR record, in order to allow the Synology NAS to find the name *.domain by searching for the corresponding IP address.
Security Flavors:
When accessing a shared folder via NFS with a specific user account:
- If AUTH_SYS security flavor is implemented: The account must have exactly the same numerical UID (user identifier) and GID (group identifier) on both the NFS client and the Synology NAS, or else the client will be assigned the permissions of others when accessing the shared folder. To avoid any permissions conflicts, you can select Map all users to admin from Squash or give "Everyone" permissions to the shared folder. As described under Squash, Map all users to admin gives every user of the NFS client access privileges equivalent to the admin user.
- If Kerberos (krb5, krb5i, krb5p) security flavor is implemented: You must go to File Services > NFS > Enable NFS service > Advanced Settings > Kerberos Settings to map the NFS client to a specific user, or join a Windows/LDAP domain with the corresponding user account. Otherwise, the client will be assigned the permissions of guest when accessing the shared folder.
- If the file system of the external device on which shared folders are created is NTFS or FAT, the option Map all users to admin will be forcefully applied.
To use Kerberos security flavors to connect to the Synology NAS, Kerberos authentication must be configured by going to File Services > NFS > Enable NFS service > Advanced Settings > Kerberos Settings.
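One way to review the rules created in the dialog above (an added example, not part of the Synology documentation): the script below audits rules written in Linux exports(5) syntax and reports the settings this page describes as granting the most trust. It assumes the rules are available in that syntax and that the dialog's fields correspond to the exports(5) options `sec=`, `no_root_squash`, `insecure` and `async`. The sample export lines are constructed.

```python
import re

# Constructed sample in Linux exports(5) syntax; paths and hosts are made up.
SAMPLE_EXPORTS = """\
/volume1/projects 192.168.10.0/24(rw,sync,root_squash,sec=krb5p)
/volume1/scratch *(rw,async,insecure,no_root_squash,sec=sys)
/volume1/media *.example.com(ro,async,all_squash,crossmnt,sec=krb5)
"""
RULE_RE = re.compile(r"(\S+?)\(([^)]*)\)")  # matches host(opt,opt=value,...)

def parse_exports(text):
    """Yield (path, host, options) for every client rule in the text."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *rest = line.split(None, 1)
        for host, optstr in RULE_RE.findall(" ".join(rest)):
            pairs = (o.partition("=") for o in optstr.split(",") if o)
            yield path, host, {key: value for key, _, value in pairs}

def audit_rule(host, opts):
    """Return findings for one rule, labelled with the dialog's field names."""
    # Assumption: dialog fields map to these exports(5) option names.
    flavors = set(opts.get("sec", "sys").split(":"))  # exports(5) default: sys
    found = []
    if host == "*":
        found.append("Hostname or IP: '*' matches every client")
    elif "*" in host or "?" in host:
        found.append("Hostname or IP: wildcard match relies on DNS PTR records")
    if "sys" in flavors:
        found.append("Security: AUTH_SYS trusts the UID/GID sent by the client")
    if flavors & {"krb5", "krb5i"}:
        found.append("Security: packets are not encrypted without Kerberos privacy")
    if "no_root_squash" in opts:
        found.append("Squash: No mapping keeps client root privileges")
    if "insecure" in opts:
        found.append("Non-privileged ports: client source ports above 1024 accepted")
    if "rw" in opts and "async" in opts:
        found.append("Enable asynchronous: writes acknowledged before completion")
    return found

def audit(text):
    """Map 'path host' to its findings, omitting rules with none."""
    rules = ((f"{p} {h}", audit_rule(h, o)) for p, h, o in parse_exports(text))
    return {rule: found for rule, found in rules if found}

if __name__ == "__main__":
    for rule, found in audit(SAMPLE_EXPORTS).items():
        print(rule, *found, sep="\n  - ")
```

A rule restricted to an IP network with Kerberos privacy and root squashing, like the first sample line, produces no findings.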