Mounted nfs is owned by root (permission denied)


The following seems to properly mount a shared TrueNAS NFS share:

  fileSystems."/mnt/truenas-video" = {
    device = "";
    fsType = "nfs";
    options = [

Running nixos-rebuild switch works fine at least, the folder is created at /mnt/truenas-video but it's owned by root and my everyday user cannot create files there, but even with sudo touch test I get the error Permission denied.

I have tried other variations of options, like:

    options = [

but then nixos-rebuild switch does fail complaining about uid and gid.
I also tried with

    options = [

And this does build but /mnt/truenas-video is still owned by root and sudo touch fails with permission denied.

system.stateVersion = "23.11"; in case it's relevant.

I have looked at other posts here but it seems like this minimal configuration works for most, now I'm thinking if I should add my user to some extra group:

  users.users.purefan = {
    extraGroups = [ "networkmanager" "wheel" "docker" "<something-else>"];

Can someone please help?


What do the permissions and uids look like on the share? What is the output of

$ ls -la /mnt/truenas-video

Also, what does mount say?

$ mount | grep truenas-video

NFS expects uids and gids to be synchronised between machines that use the share. It makes everything much easier.

If the mount looks right on the client and you still can’t write to it, is there something on the server causing the share to be read only? It’s been a while since I used NFS regularly, I thought the root user on the client should always have rw access, but maybe I’m wrong about that.

Hi and thanks for replying!

$ ls -la /mnt/truenas-video
total 8
drwxr-xr-x 2 root root 4096 18 jan 15.01 .
drwxr-xr-x 7 root root 4096 18 jan 15.10 ..

But now it gets interesting because

$ mount | grep truenas-video

gives nothing (exit code 1). So now I'm thinking that even though nixos-rebuild switch succeeded, and /mnt/truenas-video was created, it was not actually mounted.

To be honest I was a little surprised I managed to “get it right” on the first try. Perhaps irrelevant but on TrueNAS I’ve configured my NFS Share:

  • Path: /mnt/pool-01/video
  • Enabled: checked
  • Networks: empty (leave empty to allow everybody)
  • Hosts: empty (leave empty to allow everybody)

(and it does show as Running on TrueNAS)

Have you ever tried to mount the share just using mount?

sudo mount -t nfs /mnt/truenas-video

This should mount the share or tell you why it failed.

One thing I’ve thought of is, have you opened the ports on your nixos firewall? Depending on what version of NFS you’re using, there could be many ports you need to open. This Arch Linux page has a lot of useful info. It’s possible that nix opens the right ports when you install nfs-client, but you can check what ports you have open with

sudo iptables -nvL

Can you see the logs anywhere? Does the NAS GUI expose them? On the client, you can use journalctl to look for any error messages from mount.

I just tried to manually mount it on a test location and it did work, however still getting Permission Denied.

$ mount | grep test
on /mnt/manual-test type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=,local_lock=none,addr=

and checking IPTables I see this:

Chain nixos-fw (1 references)
pkts bytes target prot opt in out source destination
0 0 nixos-fw-accept 0 -- lo *
29965 36M nixos-fw-accept 0 -- * * ctstate RELATED,ESTABLISHED
0 0 nixos-fw-accept 6 -- * * tcp dpt:111
0 0 nixos-fw-accept 6 -- * * tcp dpt:2049
0 0 nixos-fw-accept 6 -- * * tcp dpt:20048
0 0 nixos-fw-accept 6 -- * * tcp dpt:27015

I also re-ran nixos-rebuild switch just now and rebooted, then journalctl -r | grep nfs and this is what I got for today and part of yesterday:

jan 19 11:21:38 nixos systemd[1]: var-lib-nfs-rpc_pipefs.mount: Deactivated successfully.
jan 19 10:10:07 nixos sudo[36633]: purefan : TTY=pts/3 ; PWD=/mnt ; USER=root ; COMMAND=/run/wrappers/bin/mount -t nfs /mnt/manual-test
jan 19 10:05:30 nixos sudo[34461]: purefan : TTY=pts/2 ; PWD=/mnt ; USER=root ; COMMAND=/run/wrappers/bin/mount -t nfs /mnt/manual-test
jan 19 09:58:36 nixos sudo[15778]: purefan : TTY=pts/0 ; PWD=/mnt ; USER=root ; COMMAND=/run/wrappers/bin/mount -t nfs /mnt/manual-test
Module without build-id.
#3 0x00007ff26c25789d dconf_gdbus_worker_thread ( + 0xb89d)
Module without build-id.
#3 0x00007fa3bd0ee89d dconf_gdbus_worker_thread ( + 0xb89d)
jan 18 16:02:09 nixos systemd[1]: var-lib-nfs-rpc_pipefs.mount: Deactivated successfully.
jan 18 15:42:26 nixos kernel: nfs4: Unknown parameter ‘uid’
jan 18 15:42:26 nixos mount[14720]: mount.nfs: an incorrect mount option was specified
jan 18 15:10:31 nixos sudo[12724]: purefan : TTY=pts/1 ; PWD=/home/purefan/projects/nixos ; USER=root ; COMMAND=/run/wrappers/bin/mount -t nfs /mnt/manual-test

(please remember I was trying different options for gid and uid)

What strikes me as surprising is that I don't see anything for truenas-video, so I ran journalctl -r | grep truenas and I see

jan 19 11:22:10 nixos systemd[1]: Mounted /mnt/truenas-video.
jan 19 11:22:10 nixos systemd[1]: Mounting /mnt/truenas-video…
jan 19 11:21:39 nixos systemd[1]: Unmounted /mnt/truenas-video.
jan 19 11:21:39 nixos systemd[1]: mnt-truenas\x2dvideo.mount: Deactivated successfully.
jan 19 11:21:39 nixos systemd[1]: Unmounting /mnt/truenas-video…
jan 19 11:20:40 nixos systemd[1]: Mounted /mnt/truenas-video.
jan 19 11:20:40 nixos systemd[1]: Mounting /mnt/truenas-video…
jan 18 16:02:09 nixos systemd[1]: Unmounted /mnt/truenas-video.
jan 18 16:02:09 nixos systemd[1]: mnt-truenas\x2dvideo.mount: Deactivated successfully.

so truenas-video is being mounted, which I can also confirm here:

$ mount | grep truenas
on /mnt/truenas-video type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=,local_lock=none,addr=

Iptables looks fine.

OK, so now the share is definitely mounted, what does it look like? Run this again

ls -la /mnt/truenas-video

You have NFSv4 and the share is mounted rw so I see no reason why root on the client can’t write to the share. If it can, then you just need to create a directory and chown it to your user. Your user on the client will never have permission to create anything in the root of the share. You might be able to fiddle the default umask when you mount it. But don’t do that.

BTW, a nice little trick is to touch a file in all of your mount points called “not-mounted”. Then, when you run “ls” on a mount point expecting a filesystem, you can easily see that something isn’t mounted :)

$ touch /mnt/truenas-video/not-mounted

You have to do this when it is NOT mounted, obviously!

Well my friend, I have no explanation as to why this is working now but it is… I did try sudo touching a file many times and nothing worked until now, I don't think I have even restarted my desktop computer since this morning… I was even able to mkdir /mnt/truenas-video/test and chown to my user and just cp files, no need to mess with permissions and I can see the files in TrueNAS so everything is working as it should…

I wish I could pinpoint what specifically made it work. I'm sure someone else in the future will come and hope to find a eureka post… sorry future netizen, but perhaps some of the tips offered by octomancer will help you.

Octomancer, thank you so much for taking the time and helping me out, I really appreciate your time and your kindness. Have a great day!

Good news purefan! You’re welcome :)

It’s possible that the bogus uid/gid options persisted more than you thought they did, or should have. Also, NFS has insane retry persistence for some tasks, so maybe it did some housekeeping overnight.

Whatever, glad it’s all working now!
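
As an added example (not part of the thread and not code from any poster): the two checks the replies walk through, whether the path is really a mount and which options it carries, as a small POSIX shell script run against a /proc/mounts-style table. The function names, the sample table, the 192.0.2.10 address and the uid=1000/gid=100 values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed.

# mount_info TABLE MOUNTPOINT: print "fstype options" for the last entry in a
# /proc/mounts-style TABLE mounted at MOUNTPOINT; return 1 if there is none
# (the path is then only a local directory, owned by whoever created it).
mount_info() {
    awk -v mp="$2" '$2 == mp { fs = $3; opts = $4; found = 1 }
        END { if (!found) exit 1; print fs, opts }' "$1"
}

# nfs_opt OPTIONS NAME: print the value of NAME=value in a comma-separated list.
nfs_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p"
}

# bad_nfs_opts OPTIONS: print any uid=/gid= entries. NFS has no such mount
# options (the kernel log in the thread: "nfs4: Unknown parameter 'uid'").
bad_nfs_opts() {
    printf '%s\n' "$1" | tr ',' '\n' |
        awk -F= '$1 == "uid" || $1 == "gid" { printf "%s%s", sep, $0; sep = " " }
                 END { if (sep) print "" }'
}

# check_mount TABLE MOUNTPOINT: one-line verdict.
check_mount() {
    info=$(mount_info "$1" "$2") || { echo "not-mounted"; return 1; }
    # sec=sys: the server authorises by the numeric uid/gid the client sends.
    echo "${info%% *} sec=$(nfs_opt "${info#* }" sec)"
}

# Constructed sample table; 192.0.2.10 is a documentation address.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
192.0.2.10:/mnt/pool-01/video /mnt/truenas-video nfs4 rw,relatime,vers=4.2,hard,proto=tcp,sec=sys 0 0
EOF

check_mount "$SAMPLE" /mnt/truenas-video
check_mount "$SAMPLE" /mnt/manual-test || true
bad_nfs_opts "rw,uid=1000,gid=100"
```

On a live system, pass /proc/mounts as the table, for example check_mount /proc/mounts /mnt/truenas-video.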