Ubuntu 11.04 SBS (Small Business Server) Setup: Part 8 – Connecting Mac OS X Clients to Your Ubuntu Server with Kerberos, LDAP and NFS Home Directories

Sadly, it’s inevitable (until the resolution of bug number 1) that many organisations will use software only available for platforms other than Ubuntu. This section of the guide is going to look at adding Macs to your network.

Changes to the Server

At present, Mac OS X (10.6 and below) has no production support for NFSv4. There is alpha support, but only for manual mounts, not for automount. In short, that means we need to make sure our server serves NFSv3 alongside NFSv4.

If you’ve followed the rest of this guide to set up your server, there’s nothing to do here and you can skip straight to configuring your Mac! 🙂

If your /etc/exports file looks something like this:

# /etc/exports: the access control list for filesystems which may be exported
#		to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/export         gss/krb5(rw,fsid=0,async,subtree_check,no_root_squash,crossmnt)
/export/home   gss/krb5(rw,sync,no_subtree_check)

If any of the export lines use the gss/krb5(…) client form, you need to change them. This is a deprecated way of exporting Kerberos-secured shares, but unfortunately lots of other guides still use it. Change the two lines above to look like so:

/export *(rw,fsid=0,crossmnt,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)
/export/home *(rw,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)

Note the insecure option. This is required for OS X to be able to connect, and it’s not as bad as it sounds: all it does is tell the server to accept requests from source ports above 1024. The reserved-port check was never much of a control in the first place (it assumes every client machine has a trusted root account, untrusted users and a network nobody can tamper with), and here the real authentication comes from Kerberos. One caveat worth knowing: sec=krb5 on its own only authenticates each request. If you also want the file data protected on the wire, list only krb5i (integrity) or krb5p (privacy) in sec=, because a client can pick any flavour the server offers. See this relevant snippet from “man mount_nfs” on OS X:

resvport
	Use a reserved socket port number. This is useful for mounting
	servers that require clients to use a reserved port number on the
	mistaken belief that this makes NFS more secure. (For the rare
	case where the client has a trusted root account but untrustworthy
	users and the network cables are in secure areas this does
	help, but for normal desktop clients this does not apply.)

All that remains to do on the server is to restart NFS (afterwards, sudo exportfs -v shows each export with the options actually in effect, which is the quickest way to confirm the sec= list took):

sudo service nfs-kernel-server restart
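Before restarting, it is worth checking that no export line was missed. The script below is an added example rather than anything from this guide or from nfs-utils: it lints an exports file for the deprecated gss/krb5 client form and for shares that combine insecure with no Kerberos sec= list (the case where the reserved-port check really was all the server had), and it notes where plain krb5 is offered alongside krb5i/krb5p. The sample exports file is constructed inline, and lint_exports is a name chosen for this example.

```sh
#!/bin/sh
# lint_exports FILE: report export lines (in /etc/exports syntax) that use the
# deprecated gss/krb5 client form, or that are "insecure" without Kerberos.
# Added example; lint_exports is not an nfs-utils tool.
lint_exports() {
  awk '
    /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
    {
      path = $1
      for (i = 2; i <= NF; i++) {              # one client spec per field
        spec = $i
        if (spec ~ /^gss\//) {
          printf "WARN %s:%d %s uses the deprecated gss/ client form; use a host spec with sec=krb5p:krb5i:krb5\n", FILENAME, NR, path
          continue
        }
        # options are the text between the parentheses, if any
        opts = spec
        if (index(opts, "(")) { sub(/^[^(]*\(/, "", opts); sub(/\)$/, "", opts) } else { opts = "" }
        secval = ""
        if (match(opts, /(^|,)sec=[^,]*/)) {
          secval = substr(opts, RSTART, RLENGTH)
          sub(/^,?sec=/, "", secval)
        }
        krb = (secval ~ /krb5/)
        if (secval == "")
          printf "WARN %s:%d %s has no sec= option, so clients fall back to sec=sys (trusts the client host and uid)\n", FILENAME, NR, path
        if (opts ~ /(^|,)insecure(,|$)/ && !krb)
          printf "WARN %s:%d %s is insecure without Kerberos: any unprivileged client process can talk to the server\n", FILENAME, NR, path
        n = split(secval, flavours, ":")
        for (j = 1; j <= n; j++)
          if (flavours[j] == "krb5")
            printf "NOTE %s:%d %s permits plain krb5 (authentication only; krb5i adds integrity, krb5p privacy)\n", FILENAME, NR, path
      }
    }' "$1"
}

# Constructed sample: the two "before" lines from this guide, one export with
# no Kerberos at all, and the corrected /export line.
EXPORTS_SAMPLE=$(mktemp)
cat > "$EXPORTS_SAMPLE" <<'EOF'
# constructed sample for lint_exports
/export         gss/krb5(rw,fsid=0,async,subtree_check,no_root_squash,crossmnt)
/export/home    gss/krb5(rw,sync,no_subtree_check)
/srv/scratch    *(rw,insecure,async,no_subtree_check)
/export         *(rw,fsid=0,crossmnt,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)
EOF

lint_exports "$EXPORTS_SAMPLE"
```

Run it against your real file with lint_exports /etc/exports; the sample above produces four WARN lines (the two gss/ exports, and two for /srv/scratch) plus one NOTE for the corrected line, which is exactly the distinction the text above makes.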

Configuring the Mac

Kerberos

Open the terminal from finder at Applications/Utilities/Terminal and create a /Library/Preferences/edu.mit.Kerberos file as follows:

sudo nano /Library/Preferences/edu.mit.Kerberos

The file will be completely empty (it doesn’t exist until you create it), so we only need to add the basic realm information like so:

[libdefaults]
	default_realm = DANBISHOP.ORG
	dns_lookup_kdc = true
	forwardable = true
	noaddresses = true
	allow_weak_crypto = true
[realms]
	DANBISHOP.ORG = {
		kdc = neo.danbishop.org
		admin_server = neo.danbishop.org
	}

Remembering of course to change the realm information to match your own! One line deserves a second look: allow_weak_crypto = true tells the Kerberos library to accept weak (single-DES) encryption types. Only keep it if your KDC still issues DES keys and kinit fails without it; otherwise leave it out.
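To check a Kerberos config file like the one above without touching the KDC, here is an added example (not from this guide or from the Kerberos distribution) that parses the MIT-style [libdefaults]/[realms] layout, reports which KDC the default realm points at, and warns when allow_weak_crypto is on; a second function writes out a copy with that setting turned off. The sample file is a constructed copy of the config above, and both function names are chosen for this example.

```sh
#!/bin/sh
# check_krb5_config FILE: parse an MIT-style Kerberos config such as
# /Library/Preferences/edu.mit.Kerberos, report the KDC(s) for the default
# realm, and warn if weak encryption types are enabled.
# Added example; these function names are not Kerberos tools.
check_krb5_config() {
  awk '
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }                          # comments, blanks
    /^[ \t]*\[[a-z_]+\]/ { section = substr($1, 2, length($1) - 2); next }
    section == "libdefaults" && $2 == "=" {
      if ($1 == "default_realm") realm = $3
      if ($1 == "allow_weak_crypto" && tolower($3) == "true") weak = 1
    }
    section == "realms" && $2 == "=" && $3 == "{" { cur = $1 }   # REALM = {
    section == "realms" && $1 == "}"                { cur = "" }
    section == "realms" && cur != "" && $1 == "kdc" && $2 == "=" { kdcs[cur] = kdcs[cur] " " $3 }
    END {
      if (realm == "")
        print "WARN no default_realm in [libdefaults]"
      else if (!(realm in kdcs))
        print "WARN realm " realm " has no kdc = lines; the Mac will depend on DNS SRV records alone"
      else
        print "OK realm " realm " -> kdc" kdcs[realm]
      if (weak)
        print "WARN allow_weak_crypto = true enables single-DES enctypes; only keep it if your KDC still issues DES keys"
    }' "$1"
}

# disable_weak_crypto FILE: print FILE with allow_weak_crypto switched off.
disable_weak_crypto() {
  awk '$1 == "allow_weak_crypto" && $2 == "=" { sub(/true/, "false") } { print }' "$1"
}

# Constructed sample: the edu.mit.Kerberos file from this guide.
KRB_SAMPLE=$(mktemp)
cat > "$KRB_SAMPLE" <<'EOF'
[libdefaults]
    default_realm = DANBISHOP.ORG
    dns_lookup_kdc = true
    forwardable = true
    noaddresses = true
    allow_weak_crypto = true
[realms]
    DANBISHOP.ORG = {
        kdc = neo.danbishop.org
        admin_server = neo.danbishop.org
    }
EOF

check_krb5_config "$KRB_SAMPLE"
disable_weak_crypto "$KRB_SAMPLE" > "$KRB_SAMPLE.hardened"
check_krb5_config "$KRB_SAMPLE.hardened"
```

This only checks the file; the end-to-end test is still kinit with your own principal followed by klist, which tells you whether the Mac can actually reach the KDC named in the config.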

Now we need to enable Kerberos authentication for login. This is done by modifying the /private/etc/authorization file.

sudo cp -p /private/etc/authorization /private/etc/authorization_orig
sudo pico -w /private/etc/authorization

Press ctrl+W to begin a search, then enter system.login.console

You will get something like this depending on which version of OS X you are using (the $ at the end of the comment line is just pico marking a line that is wider than the screen):

...
                <key>system.login.console</key>
                <dict>
                        <key>class</key>
                        <string>evaluate-mechanisms</string>
                        <key>comment</key>
                        <string>Login mechanism based rule.  Not for general us$</string>
                        <key>mechanisms</key>
                        <array>
                                <string>builtin:smartcard-sniffer,privileged</string>
                                <string>loginwindow:login</string>
                                <string>builtin:reset-password,privileged</string>
                                <string>builtin:auto-login,privileged</string>
                                <string>builtin:authenticate,privileged</string>
                                <string>loginwindow:success</string>
                                <string>HomeDirMechanism:login,privileged</string>
                                <string>HomeDirMechanism:status</string>
                                <string>MCXMechanism:login</string>
                                <string>loginwindow:done</string>
                        </array>
                </dict>
...

For Tiger (Mac OS X 10.4.x), change:

From:

authinternal

To:

builtin:krb5authnoverify,privileged

For Leopard (Mac OS X 10.5.x) or greater, change:

From:

builtin:authenticate,privileged

To:

builtin:krb5authnoverify,privileged

There may be multiple occurrences of ‘authinternal’ or ‘authenticate’ in /etc/authorization; make sure you change only the one inside the system.login.console rule! As the name suggests, krb5authnoverify gets the user a ticket with the password typed at the login window but does not verify that ticket against a key in the Mac’s own keytab, so a login is only as trustworthy as the path to your KDC. Keep that in mind if the Mac will live on a network where DNS or traffic to the KDC could be tampered with.
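Editing the right occurrence by hand is easy to get wrong, so here is an added example (not from this guide and not an Apple tool) that does the swap with awk, restricted to the system.login.console rule, and refuses to produce output unless exactly one entry changed. It assumes the XML plist layout /etc/authorization uses, with one tag per line; the sample plist is constructed inline (the second rule, system.login.example, is made up purely to show that it is left alone) and swap_login_mechanism is a name chosen for this example.

```sh
#!/bin/sh
# swap_login_mechanism FILE FROM TO
# Print FILE with <string>FROM</string> replaced by <string>TO</string>, but only
# inside the system.login.console rule, so other rules that list the same
# mechanism are untouched. Exits non-zero unless exactly one entry changed.
# Added example; assumes the one-tag-per-line XML plist layout of /etc/authorization.
swap_login_mechanism() {
  awk -v from="$2" -v to="$3" '
    BEGIN { tgt = "<string>" from "</string>"; rep = "<string>" to "</string>" }
    index($0, "<key>system.login.console</key>") { inrule = 1; depth = 0 }
    inrule && index($0, "<dict>")  { depth++ }                 # enter the rule dict
    inrule && index($0, "</dict>") { depth--; if (depth == 0) inrule = 0 }
    inrule && (pos = index($0, tgt)) {                          # plain substring swap, no regex
      $0 = substr($0, 1, pos - 1) rep substr($0, pos + length(tgt))
      changed++
    }
    { print }
    END {
      if (changed != 1) {
        print "swap_login_mechanism: expected 1 replacement, made " (changed + 0) > "/dev/stderr"
        exit 1
      }
    }' "$1"
}

# Constructed sample: a trimmed console rule plus a made-up second rule that
# lists the same mechanism and must not be changed.
AUTH_SAMPLE=$(mktemp)
cat > "$AUTH_SAMPLE" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>rights</key>
    <dict>
        <key>system.login.console</key>
        <dict>
            <key>class</key>
            <string>evaluate-mechanisms</string>
            <key>mechanisms</key>
            <array>
                <string>loginwindow:login</string>
                <string>builtin:authenticate,privileged</string>
                <string>loginwindow:success</string>
                <string>HomeDirMechanism:login,privileged</string>
                <string>loginwindow:done</string>
            </array>
        </dict>
        <key>system.login.example</key>
        <dict>
            <key>class</key>
            <string>evaluate-mechanisms</string>
            <key>mechanisms</key>
            <array>
                <string>builtin:authenticate,privileged</string>
            </array>
        </dict>
    </dict>
</dict>
</plist>
EOF

AUTH_OUT="$AUTH_SAMPLE.new"
swap_login_mechanism "$AUTH_SAMPLE" builtin:authenticate,privileged builtin:krb5authnoverify,privileged > "$AUTH_OUT"
diff "$AUTH_SAMPLE" "$AUTH_OUT" || true
```

For a Tiger machine pass authinternal as the FROM argument instead. To apply it for real, write to a temporary file first (sudo sh -c with the output redirected to /tmp/authorization.new), check it with plutil -lint, and only then copy it over /etc/authorization; the backup made earlier is there if the login window stops working.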

Now we’re going to create a Kerberos principal for the NFS client on the Mac and add it to the Mac’s keytab. The host part is the Mac’s fully-qualified name and must be the same in both commands; run the ktadd on the Mac itself, since it writes to that machine’s /etc/krb5.keytab:

kadmin -p dan/admin -q "addprinc -randkey nfs/dan-macmini.danbishop.org"
sudo kadmin -p dan/admin -q "ktadd nfs/dan-macmini.danbishop.org"

You can confirm the key landed with sudo klist -k.

LDAP

Now we need to configure OS X so that it knows how to find user details from our Ubuntu LDAP server. To do this we use the directory utility. In OS X Snow Leopard (10.6) this is found by going to System Preferences/Accounts/Login Options then clicking the join button by “Network Account Server:”. On the window that pops up, click “Open Directory Utility”.

Select LDAPv3 from the services list and click the edit icon (the pencil). Click show options and press the “New” button followed by the “Manual” button.

Now it’s time to enter the settings… you can set anything you like as the configuration name. For the server name enter the address of your LDAP server (“neo.danbishop.org” in my case). For LDAP Mappings you must select RFC 2307 (Unix). When you do this you will be prompted to enter the search base. This is your domain in ldap format… e.g. “dc=danbishop,dc=org”.

Leave SSL unticked (unless your server presents a certificate the Mac will trust) and click OK. Be clear about what that means, though: passwords never cross LDAP in this setup because Kerberos does the authentication, but the uid, gid, home directory and group memberships the Mac looks up travel in the clear and unauthenticated, so anyone on the path between Mac and server could read or alter them.

Now we need to edit the search policy. Click the search policy button at the top of the Directory Utility and change the search dropdown from “Automatic” to “Custom Path”. Click on the + button that appears under the list of Directory Domains. You should see the domain we just set up listed as available. Click add, then apply. We’re done with the Directory Utility now 🙂 To check that it took, run id followed by a directory user’s name in Terminal; you should get their uid, gid and groups back from LDAP.

NFS

Try as I might, I cannot get the OS X automounter to work with this setup 🙁 Any suggestions would be VERY welcome!

Meanwhile, we can mount the entire /home export at boot (a user still has to hold a Kerberos ticket before the server will let them read anything, so the mount on its own gives nobody access) by going to the Disk Utility (spotlight it if you can’t find it) then selecting File/NFS Mounts…

Click the plus icon and enter the following two settings:

Remote NFS URL: nfs://neo.danbishop.org/export/home
Mount Location: /home

Reboot the Mac and you’re done 😀 After the reboot, mount should list neo.danbishop.org:/export/home on /home.

You can read about my efforts so far with the automounter below:

NFS and Automounts

PLEASE NOTE: THIS DOES NOT CURRENTLY WORK!

sudo nano /etc/auto_home

Replace the contents with:

#
# Automounter map for /home
#
#+auto_home     # Use directory service
*   -fstype=nfs,sec=krb5   neo.danbishop.org:/export/home/&

A restart (or sudo automount -vc to flush and reload the maps without rebooting) should then give you /home/username on demand, but as noted above, this does not currently work.

References

http://clc.its.psu.edu/UnivServices/itadmins/mac/kerbldaplogins
http://krypted.com/mac-os-x-server/nfs-ubuntu-mac-os-x-clients-a-quickie/