Network File System Sharing

The Network File System (NFS) service is very different than all the other file services available. When using NFS, you don't supply a username and password when connecting. Instead the client system determines what permissions a user has on the system.

It's easiest to think of NFS as a locally attached hard drive, as it treats permissions in the same way.

For example, if a user has a UID of 501 on the client system, they will have all of the permissions of the user with the UID of 501 on the NFS server, regardless whether the short names, or even the accounts, are the same. For more information about UIDs, see Chapter 4.

To understand why NFS uses this type of authentication, you have to know where NFS comes from. The NFS service was first used by Unix terminals to access files on mainframe servers. Early Unix implementations relied on a unified directory service to authenticate users to any terminal computer. Because every user had to authenticate to the directory server before they had any computer access, it was safe to assume that once they were logged in to the terminal, they were who they said they were. Thus, NFS requested the UID from the terminal computer.

In today's modern computing environment, which is rife with commodity personal computers, login authentication is often delegated to a local account. Even worse, on Mac OS X computers, the local administrator accounts (UID 501) and root accounts (UID 0) have the same UIDs on your Mac OS X Server. This section discusses a variety of options that let you properly configure NFS share points, called exports, and protect them from such security risks.

To set up an NFS export

1.	Follow steps 1-3 in the "To configure Windows share-point settings" task earlier in this chapter.
2.	From the Protocols menu, select NFS Export Settings (Figure 5.41). Figure 5.41. After selecting the share point, click the Protocols tab to configure NFS share point options.
3.	Select the "Export this item and its contents to" check box to enable NFS for this share point.
4.	To specify via IP address which clients can mount this export, choose one of the following from the Export pop-up menu (Figure 5.42): Client limits this NFS export to a list of specific clients. Click Add or Remove to manage this list. World allows any client to access this NFS export. Subnet limits this NFS export to a specific subnet of computers. Enter the subnet address and mask in the appropriate fields. Figure 5.42. Select the "Export this item and its contents to" check box to begin NFS sharing.
5.	To further restrict access to this NFS export, click any of the following check boxes at the bottom of the window and click Save (Figure 5.43): "Map Root user to nobody" "Map All users to nobody" "Read-only" Figure 5.43. You have three options when exporting via NFS. Nobody in this case is an actual user with the name "nobody."
6.	Launch Server Admin and select the NFS service for your server in the Computers & Services list (Figure 5.44). Figure 5.44. Select the NFS service for your server in the Computers & Services list.
7.	Verify that the NFS service is running. It should automatically start when you configure your first NFS export.

Tips

• Aside from what you've configured here, all access to this share point is granted based on file-system permissions. See "Configuring File and Folder Permissions" earlier in this chapter for more information.

• To delete an NFS export, deselect the "Export this item and this contents to" check box, and then click Save.