Setting up Kerberised NFSv4 client on Mac OS X 10.5 Leopard

My Environment

  • NFS Server: (Solaris 10 – specifically 5.11, NexentaOS_20090926)
  • KDC Server: (ie same box)
  • Domain name:
  • Client: Apple OS X Leopard (10.5.8)

Problem to be solved

  • a) Mount directory tree from Solaris onto one or more Macs such that files owned by kim (uid=1000, gid=10) on the NFS server may be read/written as expected by user kim on the Mac (uid=501, gid=20).
  • b) “ls -l” should always show the correct ownerships (ie show up as owned by “kim”) even though kim has different uids on client and server.

Before continuing I suggest you read NFSv4 on Apple OS X.

Method 1) Really simple but not perfect

As it stands (maybe can be configured) it doesn’t quite address superficial problem b). See caveat at end.

1a) Setting up Apple Kerberos Application on Tiger and Leopard

1b) Mounting the Share
  • Finder -> Go -> Connect to Server
    • Enter: nfs: //
    • Connect

1c) Check it works
  • You will see that nfs/ ticket appear in the Kerberos application.

With a bit of luck you should shortly find yourself able to access your remote filing system with full permissions.

Note: I actually used the IP address of my NFS server as I had DNS problems prior to Kerberos.
Note: In case it is not ticked, I suggest selecting: Finder -> Preferences -> General -> Connected Servers (shown on Desktop)

Having done all this – it DOES work for me BUT original problem b) is not solved. In a console window the mounted filing system /Volumes/XXXX/…. shows the Server uid/gid mapped (where valid) to local mac user/group names (or left numeric where no mapping exists).
I can live with this but I intend fixing it.

Method 2) A bit more complex but addresses all problems

Before continuing I suggest you read NFSv4 on Apple OS X, including the section newnfs limitations. ALso read the HOWTO in the downloaded tarball.

2a) Download the newnfs source/binaries.

2b) Install newnfs
  • Review the HOWTO, Setup and Kerberos-Setup install instructions
  • Follow the HOWTO install instructions UP TO “Starting nfsuserd by hand”.
  • You can carry on with the HOWTO but for reference this is what I did:
  • In one terminal window as root:
# cd /Library/Filesystems/ca.uoguelph.newnfs.fs/Support
# sync
# ./nfsuserd -cbd -domain 1

Note: Can set this to run on boot later (see HOWTO)
  • In another terminal window:
# mkdir /mnt
# chmod 777 /mnt
# mount -t newnfs -o -4,-Skrb5  /mnt
# cd /mnt
# touch z

  • you can change -Skrb5 to -Skrb5i or -Skrb5p as needed, but I suggest krb5 initially.
  • The very first time I did “touch z” it appeared to hang. I ctrl-C’d it and did it again and it worked. Maybe it was trying to get the nfs ticket.
  • tuning rsize and wsize may improve NFS performance, but it may not be as useful on TCP where packet sizes are larger by default (I think).

2c) Setting up Apple Kerberos Application on Tiger and Leopard

2d) Check it works
  • You will see that nfs/blackhole ticket appear in the Kerberos application.
  • In the terminal ls -l works correctly, so all the original requirements are met.

  • + : A leading plus sign indicates that this word must be present in every object returned.
  • - : A leading minus sign indicates that this word must not be present in any row returned.
  • By default (when neither plus nor minus is specified) the word is optional, but the object that contain it will be rated higher.
  • < > : These two operators are used to change a word's contribution to the relevance value that is assigned to a row.
  • ( ) : Parentheses are used to group words into subexpressions.
  • ~ : A leading tilde acts as a negation operator, causing the word's contribution to the object relevance to be negative. It's useful for marking noise words. An object that contains such a word will be rated lower than others, but will not be excluded altogether, as it would be with the - operator.
  • * : An asterisk is the truncation operator. Unlike the other operators, it should be appended to the word, not prepended.
  • " : The phrase, that is enclosed in double quotes ", matches only objects that contain this phrase literally, as it was typed.


Related Sites