Sadly, it’s inevitable (until the resolution of bug number 1) that many organisations will use software only available for platforms other than Ubuntu. This section of the guide is going to look at adding Macs to your network.
Changes to the Server
At present, Mac OS X (10.6 and below) does not support NFSv4. There is alpha support, but only when mounting manually, not when using automount. In short, that means we need to make sure our server is capable of using NFSv3 alongside NFSv4.
If you’ve followed the rest of this guide to set up your server, there’s nothing to do here; you can skip straight to configuring your Mac! 🙂
If your /etc/exports file looks something like this:
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/export gss/krb5(rw,fsid=0,async,subtree_check,no_root_squash,crossmnt)
/export/home gss/krb5(rw,sync,no_subtree_check)
If the export lines contain gss/krb5(….), you need to change them. This is a deprecated way of exporting NFS shares, but unfortunately lots of other guides still use it. Change the above lines to look like so:
/export *(rw,fsid=0,crossmnt,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)
/export/home *(rw,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)
Note the insecure option. This is required for OS X to be able to connect. It’s not as bad as it sounds though! You’ll still be using Kerberos, so your system will still be secure; it just means that clients may connect from source ports above 1024 instead of from a reserved port. See this relevant snippet from “man mount_nfs” on OS X:
resvport
Use a reserved socket port number. This is useful for mounting
servers that require clients to use a reserved port number on the
mistaken belief that this makes NFS more secure. (For the rare
case where the client has a trusted root account but untrustworthy
users and the network cables are in secure areas this does
help, but for normal desktop clients this does not apply.)
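One way to check a server’s /etc/exports for the deprecated gss/ client syntax and for the sec= and insecure options discussed above, written as an added example (not from the original post; the has and check_exports function names are mine):

```shell
# has STRING SUBSTRING: true when STRING contains SUBSTRING (literal match, no globbing)
has() { case $1 in *"$2"*) return 0 ;; esac; return 1; }

# check_exports FILE: lint an exports(5) file for the issues described above.
# Prints one finding per client spec; exit status 1 if any line still uses the
# deprecated gss/krb5 client syntax or exports without a Kerberos sec= flavour.
# Runs in a subshell so 'set -f' (needed because client specs look like *(rw,...))
# does not leak into the caller.
check_exports() (
    set -f
    file=$1
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|\#*) continue ;; esac   # skip blanks and comments
        set -- $line                              # split into path + client specs
        path=$1
        shift
        for client in "$@"; do
            if has "$client" gss/krb5; then
                echo "DEPRECATED: $path $client -> use *(...,sec=krb5p:krb5i:krb5)"
                bad=1
            elif ! has "$client" sec=krb5; then
                echo "WARNING: $path $client has no sec=krb5* flavour (AUTH_SYS only)"
                bad=1
            elif ! has "$client" insecure; then
                echo "NOTE: $path $client requires a reserved port; OS X clients will be refused"
            else
                echo "OK: $path $client"
            fi
            if has "$client" no_root_squash; then
                echo "WARNING: $path $client keeps remote root as root (no_root_squash)"
            fi
        done
    done < "$file"
    return $bad
)
```

Run it as check_exports /etc/exports before restarting the NFS server; a non-zero exit means at least one line still needs the rewrite shown above.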
All that remains to do on the server now is restart NFS:
sudo service nfs-kernel-server restart
Configuring the Mac
Kerberos
Open the Terminal from the Finder at Applications/Utilities/Terminal and create a /Library/Preferences/edu.mit.Kerberos file as follows:
sudo nano /Library/Preferences/edu.mit.Kerberos
This file will be completely empty, so we only need to add basic information like so:
[libdefaults]
default_realm = DANBISHOP.ORG
dns_lookup_kdc = true
forwardable = true
noaddresses = true
allow_weak_crypto = true
[realms]
DANBISHOP.ORG = {
kdc = neo.danbishop.org
admin_server = neo.danbishop.org
}
Remembering of course to change the realm information to match your own! Note that allow_weak_crypto = true permits single-DES encryption types; only keep it if your KDC still issues such keys.
Now we need to enable Kerberos authentication for login. This is done by modifying the /private/etc/authorization file.
sudo cp -p /private/etc/authorization /private/etc/authorization_orig
sudo pico -w /private/etc/authorization
Press ctrl+W to begin a search, then enter system.login.console
You will get something like this depending on which version of OS X you are using:
...
system.login.console
class
evaluate-mechanisms
comment
Login mechanism based rule. Not for general us$
mechanisms
builtin:smartcard-sniffer,privileged
loginwindow:login
builtin:reset-password,privileged
builtin:auto-login,privileged
builtin:authenticate,privileged
loginwindow:success
HomeDirMechanism:login,privileged
HomeDirMechanism:status
MCXMechanism:login
loginwindow:done
...
For Tiger (Mac OS X 10.4.x), change:
From:
authinternal
To:
builtin:krb5authnoverify,privileged
For Leopard (Mac OS X 10.5.x) or greater, change:
From:
builtin:authenticate,privileged
To:
builtin:krb5authnoverify,privileged
There may be multiple occurrences of ‘authinternal’ or ‘authenticate’ in the /etc/authorization file. Make sure you change the correct one!
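As an added example (not from the original post), a scripted way to make that edit hit only the system.login.console rule and leave the other occurrences alone. The sample_authorization, patch_login_console and count_mech names are mine, the sample plist is a constructed, cut-down stand-in for the real file, and the scan assumes the rule’s dict holds no nested dict, which matches the excerpt above:

```shell
# sample_authorization: constructed, cut-down stand-in for /private/etc/authorization.
# Two rules both list builtin:authenticate,privileged; only the second must change.
sample_authorization() {
    cat <<'EOF'
<dict>
  <key>authenticate</key>
  <dict>
    <key>mechanisms</key>
    <array>
      <string>builtin:authenticate,privileged</string>
    </array>
  </dict>
  <key>system.login.console</key>
  <dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>mechanisms</key>
    <array>
      <string>loginwindow:login</string>
      <string>builtin:authenticate,privileged</string>
      <string>loginwindow:success</string>
    </array>
  </dict>
</dict>
EOF
}

# patch_login_console OLD NEW: copy stdin to stdout, replacing the <string>OLD</string>
# mechanism with NEW only between <key>system.login.console</key> and the first </dict>
# after it (that rule contains no nested dict). Literal matching, so ':' and ',' are safe.
patch_login_console() {
    awk -v old="$1" -v new="$2" '
        index($0, "<key>system.login.console</key>") { inrule = 1 }
        inrule && (i = index($0, "<string>" old "</string>")) {
            $0 = substr($0, 1, i + 7) new substr($0, i + 8 + length(old))
        }
        inrule && index($0, "</dict>") { inrule = 0 }
        { print }
    '
}

# count_mech MECH: number of <string>MECH</string> lines on stdin
count_mech() { grep -c "<string>$1</string>"; }
```

On a real Mac you would run patch_login_console 'builtin:authenticate,privileged' 'builtin:krb5authnoverify,privileged' < /private/etc/authorization into a new file (or with 'authinternal' as the old value on Tiger) and compare it against the backup before putting it in place.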
Now we’re going to create a Kerberos principal for NFS on the Mac and then add it to the Mac’s Kerberos keytab. The host part of the principal must be the Mac’s fully qualified hostname, and the same principal name must be used in both commands:
kadmin -p dan/admin -q "addprinc -randkey nfs/dan-macmini.danbishop.org"
sudo kadmin -p dan/admin -q "ktadd nfs/dan-desktop.danbishop.org"
LDAP
Now we need to configure OS X so that it knows how to find user details from our Ubuntu LDAP server. To do this we use Directory Utility. In OS X Snow Leopard (10.6) this is found by going to System Preferences/Accounts/Login Options then clicking the Join button by “Network Account Server:”. On the window that pops up, click “Open Directory Utility”.
Select LDAPv3 from the services list and click the edit icon (the pencil). Click show options and press the “New” button followed by the “Manual” button.
Now it’s time to enter the settings… you can set anything you like as the configuration name. For the server name enter the address of your LDAP server (“neo.danbishop.org” in my case). For LDAP Mappings you must select RFC 2307 (Unix). When you do this you will be prompted to enter the search base. This is your domain in ldap format… e.g. “dc=danbishop,dc=org”.
Leave SSL unticked (unless you know what you’re doing) and click OK. Without SSL the directory lookups travel in clear text; Kerberos still handles authentication, so no passwords cross LDAP, but the user and group records do.
Now we need to edit the search policy. Click the search policy button at the top of the Directory Utility and change the search dropdown from “Automatic” to “Custom Path”. Click on the + button that appears under the list of Directory Domains. You should see the domain we just setup listed as available. Click add, then apply. We’re done with the Directory Utility now 🙂
NFS
Try as I might, I cannot get the OS X automounter to work with this setup 🙁 Any suggestions would be VERY welcome!
Meanwhile, we can mount the entire /home directory at boot (though Kerberos will prevent unauthorised access!) by going to the Disk Utility (spotlight it if you can’t find it) then selecting File/NFS Mounts…
Click the plus icon and enter the following two settings:
Remote NFS URL: nfs://neo.danbishop.org/export/home
Mount Location: /home
Reboot the Mac and you’re done 😀
You can read about my efforts so far with the automounter below:
NFS and Automounts
PLEASE NOTE: THIS DOES NOT CURRENTLY WORK!
sudo nano /etc/auto_home
#
# Automounter map for /home
#
#+auto_home # Use directory service
* -fstype=nfs,sec=krb5 neo.danbishop.org:/export/home/&
Restart the Mac and you’re good to go! 🙂