
Setting up Kerberised NFSv4 client on Mac OS X 10.4 Tiger

My Environment

  • NFS Server: blackhole.dfusion.com.au (Solaris 10 – specifically 5.11, NexentaOS_20090926)
  • KDC Server: blackhole.dfusion.com.au (ie same box)
  • Domain name: dfusion.com.au
  • Client: Apple OS X Tiger (10.4.X)

Problem to be solved

  • a) Mount a directory tree from Solaris onto one or more Macs such that files owned by kim (uid=1000, gid=10) on the NFS server can be read and written as expected by user kim on the Mac (uid=501, gid=20).
  • b) “ls -l” should always show the correct ownerships (ie show up as owned by “kim”) even though kim has different uids on client and server.

Before continuing I suggest you read NFSv4 on Apple OS X.

Method 1) Really simple but not perfect


Refer to Method 1) in Setting up Kerberised NFSv4 client on Mac OS X 10.5 Leopard - it's the same (as I recall).

Method 2) A bit more complex but addresses all problems


Before continuing I suggest you read NFSv4 on Apple OS X, including the section "newnfs limitations". Also read the HOWTO in the downloaded tarball.

2a) Download the newnfs source/binaries.

2b) Install newnfs
  • Follow the HOWTO, Setup and Kerberos-Setup install instructions. This is what I did after installing into /Library/Filesystems:
  • In one terminal window as root:
    # cd /Library/Filesystems/ca.uoguelph.newnfs.fs/Support
    # sync
    # ./nfsuserd -kext -cbd -domain dfusion.com.au 1
  • In another terminal window AS USER KIM
    $ cd /Library/Filesystems/ca.uoguelph.newnfs.fs/Support/
    $ ./gsscl -domain dfusion.com.au

2c) Setting up Apple Kerberos Application on Tiger and Leopard
This step can be done at any point above, but we do it here, just before we need a ticket.

2d) Configure the Kerberos Ticket encryption types
Note: This took me AGES to work out so don't skip it! It is not needed on Leopard.

  • Quit the Kerberos application just to be safe (you don't have to, as it reads in changes automatically, but...)
  • Create the file /Library/Preferences/edu.mit.Kerberos if the Kerberos application didn't create it for you. Note the capital K in the filename, even though the file system is case-insensitive for many applications.
  • Optionally create a symlink from (std location) /etc/krb5.conf to /Library/Preferences/edu.mit.Kerberos
    ln -s /Library/Preferences/edu.mit.Kerberos /etc/krb5.conf
  • Contents should look similar to the following (but with your domains and realms):
krb5.conf or edu.mit.Kerberos
[libdefaults]
        default_realm = DFUSION.COM.AU
        dns_fallback = yes

# Settings for Tiger client and Solaris server:
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc

[domain_realm]
        .dfusion.com.au = DFUSION.COM.AU

[realms]
        DFUSION.COM.AU = {
                kdc = blackhole.dfusion.com.au:88
                admin_server = blackhole.dfusion.com.au:749
        }

Sometimes the options are quoted:
alternative quoted version
[libdefaults]
    default_realm = "DFUSION.COM.AU"
    dns_fallback = "yes"
    default_tkt_enctypes = des-cbc-crc des-cbc-md5 des-cbc-md4
    default_tgs_enctypes = des-cbc-crc des-cbc-md5 des-cbc-md4

[domain_realm]
    .dfusion.com.au = "DFUSION.COM.AU"

[realms]
    DFUSION.COM.AU = {
        admin_server = "blackhole.dfusion.com.au:749"
        kdc = "blackhole.dfusion.com.au:88"
    }

#[logging]
#        kdc = FILE:/var/log/krb5kdc.log
#        default = FILE:/var/log/krb5lib.log

Note: Quotes can usually be omitted. Comments must have '#' in first column. Blank lines are ok.

  • There are two lines that MUST be added to the Tiger configuration file (at least for Solaris 10 servers):
    default_tkt_enctypes = des-cbc-crc des-cbc-md5 des-cbc-md4
    default_tgs_enctypes = des-cbc-crc des-cbc-md5 des-cbc-md4
    My working version actually omits des-cbc-md4 from both lines, but I think it is fine since it is last in the list. What is NOT OK are the encryption types des3-cbc-sha1-kd, aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96 and arcfour-hmac-md5 (arcfour- is also known as rc4-).
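As an added example (my own script, not code from the original page or from the newnfs project), here is a small POSIX shell checker for the file described in this step. It pulls default_tkt_enctypes and default_tgs_enctypes out of [libdefaults] (quoted or unquoted, with '#' comments in column 1, as the page describes), fails if either line is missing, and flags any of the types listed above as not working. The function names, the temp-file handling and the sample file are mine. Bear in mind that these two lines restrict every ticket the Tiger client requests, not just the NFS one, to single-DES, which is the weakest enctype family Kerberos supports; the check confirms the page's requirement is met, nothing more.

```shell
#!/bin/sh
# Added example, not code from the original page or from the newnfs project.
# Checks that an edu.mit.Kerberos / krb5.conf file carries the two enctype
# lines this step requires for a Tiger client against a Solaris 10 server,
# and that none of the types the page reports as NOT working are listed.
#
# Assumptions (mine): section headers are "[name]" in column 1, comments
# start with '#' in column 1, values may be wrapped in double quotes.

# Enctypes the page lists as working and as not working.
OK_ENCTYPES="des-cbc-crc des-cbc-md5 des-cbc-md4"
BAD_ENCTYPES="des3-cbc-sha1-kd aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5"

# in_list WORD "a b c" -> 0 if WORD is one of the space-separated words.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# get_libdefault FILE KEY -> prints KEY's value from [libdefaults], quotes stripped.
get_libdefault() {
    awk -v key="$2" '
        /^#/  { next }                          # comment: "#" in first column
        /^\[/ { section = $0; next }            # [section] header
        section == "[libdefaults]" {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/"/, "", v)
            print v
        }' "$1"
}

# check_enctypes FILE -> 0 when both lines exist and hold only working types;
# otherwise prints one line per problem and returns 1.
check_enctypes() {
    rc=0
    for key in default_tkt_enctypes default_tgs_enctypes; do
        val=$(get_libdefault "$1" "$key")
        if [ -z "$val" ]; then
            echo "MISSING: $key is not set in [libdefaults]"
            rc=1
            continue
        fi
        for t in $val; do
            if in_list "$t" "$BAD_ENCTYPES"; then
                echo "BAD: $key lists $t, which does not work from Tiger against Solaris 10"
                rc=1
            elif ! in_list "$t" "$OK_ENCTYPES"; then
                echo "WARN: $key lists $t, which the HOWTO does not report as working"
            fi
        done
    done
    return $rc
}

# Usage: sh check_enctypes.sh /Library/Preferences/edu.mit.Kerberos
if [ $# -gt 0 ]; then
    check_enctypes "$1"
    exit $?
fi

# With no argument, run against a constructed sample in the quoted style from the page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[libdefaults]
    default_realm = "DFUSION.COM.AU"
    default_tkt_enctypes = des-cbc-crc des-cbc-md5 des-cbc-md4
    default_tgs_enctypes = "des-cbc-crc des-cbc-md5"
#[logging]
#        kdc = FILE:/var/log/krb5kdc.log
EOF
check_enctypes "$sample" && echo "OK: $sample has the required enctype lines"
rm -f "$sample"
```

Run it with the path to your edu.mit.Kerberos file (or the /etc/krb5.conf symlink) after editing; a non-zero exit means at least one of the two required lines is missing or contains a type the page says will not work against Solaris 10.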

2e) Mount the share
  • Start the Kerberos application again and log in if needed.
  • In a third terminal window AS USER KIM
    $ sudo mkdir /mnt
    $ sudo chmod 777 /mnt     (just for convenience. Or could be chown kim:staff /mnt)
    $ mount -t newnfs -o -4,-T,-Skrb5 blackhole.dfusion.com.au:FILESYSTEM /mnt
    $ cd /mnt
    $ touch z

Notes:
  • In the Tiger version of the code, -T (TCP) is required in the mount options, whereas it is the default in the Leopard version.
  • The mount is done as the user, not as root, to ensure the user's Kerberos ticket is used.
  • See the docs for how to get nfsuserd and gsscl to run automatically.
  • -Skrb5 can be changed to -Skrb5i or -Skrb5p as needed, but I suggest krb5 initially.
  • The very first time I did “touch z” it appeared to hang. I ctrl-C’d it and did it again and it worked. Maybe it was trying to get the nfs ticket.
  • Tuning rsize and wsize may improve NFS performance, but it may not be as useful on TCP, where packet sizes are larger by default (I think).

2f) Check it works
  • You will see an nfs/blackhole ticket appear in the Kerberos application.
  • In the terminal, ls -l shows the correct ownerships, so all the original requirements are met.
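For those checking from a terminal rather than the Kerberos application, here is an added example (my own script, not code from the original page or the newnfs project) that scans `klist -e` output for the nfs/blackhole service ticket and reports the enctype it was issued with, which also confirms that the single-DES setting from step 2d took effect. It assumes MIT-style `klist -e` output, where each ticket line ends with the service principal and is followed by an indented "Etype (skey, tkt): ..." line; the function names and the sample output embedded at the bottom are mine, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the original page or the newnfs project.
# Command-line counterpart of watching the nfs/blackhole ticket appear in the
# Kerberos application: scan `klist -e` output for the NFS service ticket and
# report the enctype it was issued with, so the single-DES setting from step
# 2d can be confirmed to have taken effect.
#
# Assumption (mine): MIT-style `klist -e` output, where each ticket line ends
# with the service principal and is followed by an indented line
# "Etype (skey, tkt): <session key type>, <ticket type>".

# nfs_ticket_etype KLIST_TEXT SERVER REALM
#   prints the ticket enctype of nfs/SERVER@REALM and returns 0, or prints
#   nothing and returns 1 when no such ticket is in the cache.
nfs_ticket_etype() {
    printf '%s\n' "$1" | awk -v want="nfs/$2@$3" '
        found && /Etype \(skey, tkt\):/ {
            sub(/.*Etype \(skey, tkt\):[ \t]*/, "")     # keep only the two types
            n = split($0, parts, /,[ \t]*/)              # parts[n] is the ticket type
            sub(/[ \t]+$/, "", parts[n])
            print parts[n]; hit = 1; exit
        }
        { found = ($NF == want) }                        # principal is the last field
        END { if (hit) exit 0; exit 1 }'
}

# check_nfs_ticket SERVER REALM -> inspects the live credential cache.
check_nfs_ticket() {
    etype=$(nfs_ticket_etype "$(klist -e 2>/dev/null)" "$1" "$2") || {
        echo "no nfs/$1@$2 ticket cached yet: mount the share and touch a file first"
        return 1
    }
    echo "nfs/$1@$2 ticket present, enctype: $etype"
    case "$etype" in
        DES*) return 0 ;;
        *) echo "WARNING: not a single-DES type; see step 2d (default_tkt/tgs_enctypes)"; return 2 ;;
    esac
}

# Usage: sh check_nfs_ticket.sh blackhole.dfusion.com.au DFUSION.COM.AU
if [ $# -eq 2 ]; then
    check_nfs_ticket "$1" "$2"
    exit $?
fi

# With no arguments, demonstrate on constructed klist -e output (not a real capture).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_501
Default principal: kim@DFUSION.COM.AU

Valid starting     Expires            Service principal
10/01/09 10:00:00  10/01/09 20:00:00  krbtgt/DFUSION.COM.AU@DFUSION.COM.AU
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
10/01/09 10:01:00  10/01/09 20:00:00  nfs/blackhole.dfusion.com.au@DFUSION.COM.AU
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5'
nfs_ticket_etype "$SAMPLE_KLIST" blackhole.dfusion.com.au DFUSION.COM.AU
```

Run it as user kim (the user who did the mount) with the server name and realm as the two arguments; the ticket only shows up after the first access to the mounted share, which matches the note above about the first "touch z".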
