Although it's native to Mac OS X, the Network File System (NFS) service is very different from all the other file services available. The main difference is that NFS trusts the client computer rather than the user. Instead of asking the user to authenticate the connection, the NFS server accepts the user identification number (UID) that the client sends with each request and checks file-system permissions against that number. If the client's UID happens to match a UID on the server, the request is treated as that user; a UID that matches no account on the server receives only the access granted to everyone, which is what this book calls guest access. No password is ever checked, so any client that can reach the export and control its own UIDs (that is, any computer with a local administrator account) can present whichever UID it likes. For more information about UIDs, see Chapter 4, "User and Group Management."

To understand why NFS works this way, you have to know where it comes from. NFS was designed for Unix workstations on a trusted local network, sharing files from departmental servers. Those installations relied on a shared directory service to authenticate users on every machine, so once a user had logged in anywhere on the network it was reasonable to assume they were who they said they were, and the NFS server could take the UID on faith. In today's environment of commodity personal computers, login authentication is often handled by a local account that the server knows nothing about. Even worse, on Mac OS X client computers the first local administrator account (UID 501) and the root account (UID 0) have the same UIDs as they do on your Mac OS X Server. (By default the NFS service maps a client's root user to the unprivileged "nobody" user, but a client administrator's UID 501 passes straight through.) This section discusses the options that let you properly configure NFS share points, called exports, and limit these risks.

To set up an NFS export:

1. Launch the Workgroup Manager tool located in /Applications/Server, and authenticate as the administrator (Figure 5.98).
2. Click the Sharing icon in the Toolbar.
3. To configure an existing share point, click the Share Points tab, and then select the share point you wish to edit from the sharing browser (Figure 5.99).
4. Click the Protocols tab to the right of the sharing browser (Figure 5.100).
5. Directly below the Protocols tab is the Protocols pop-up menu. From this menu, select NFS Export Settings (Figure 5.101).
6. In the NFS frame, select the "Export this item and its contents to" check box to enable NFS for this share point (Figure 5.102).
7. To specify by IP address which clients can mount this export, choose one of the following from the Export pop-up menu (Figure 5.103):
Client limits this NFS export to a list of specific clients (Figure 5.104). Click Add or Remove to manage this list. Clients are identified only by their addresses or host names, so this restriction is only as strong as your network's address assignment and name resolution.
World allows any client that can reach the server to access this NFS export (Figure 5.105). Reserve it for content that is public anyway; the NetBoot service uses a World export of this kind for its boot images.
Subnet limits this NFS export to a specific subnet of computers (Figure 5.106). Enter the subnet address and mask in the appropriate fields.
8. To further restrict access to this NFS export, choose any of the following options (Figure 5.107):
Nobody in these options refers to an actual account on the server named "nobody," an unprivileged user with no special rights, so a request mapped to it receives only the permissions granted to everyone.
9. When you've finished making changes, click the Save button.
10. Launch the Server Admin tool located in /Applications/Server, and authenticate as the administrator (Figure 5.108).
11. Select the NFS service for your server in the Computers & Services list (Figure 5.109).
12. Click the Overview button, and verify that the NFS service is running (Figure 5.110).
It should start automatically when you configure your first NFS export.
Tips

Aside from what you've configured here, all access to this share point is granted based on file-system permissions. See "Configuring File and Folder Permissions" for more information. For guests to access a share point, its permissions must allow everyone read access.

You can have only one World-viewable NFS export per server. Setting up your own World-viewable NFS export will interfere with the NetBoot service, because it uses a World-viewable NFS export to share boot images.

To delete an NFS export, deselect the "Export this item and its contents to" check box, and then click the Save button.

You can connect to an NFS export from a Mac OS X client as follows. In the Finder, click the Network icon to browse for your server; Mac OS X client can browse for NFS exports via the Rendezvous protocol. You can also connect directly in the Finder by choosing Go > Connect to Server from the menu bar, or by pressing Command-K, and entering the NFS server and export path (Figure 5.111). By default, the share point's icon mounts on the Finder's desktop.
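As an added example (not code from the book or from Apple), the following shell script checks a list of NFS export lines for the risks this section describes: exports open to the World, exports that honor a client's root UID, and writable exports. It assumes the BSD exports(5) line format that Mac OS X Server keeps in its NetInfo exports directory and prints with `nidump exports .`; the sample lines, paths and host names are constructed for the demonstration.

```shell
#!/bin/sh
# Audit NFS export lines for the trust problems described above.
# Added example, not code from the book or from Apple. Assumes the BSD
# exports(5) line format that `nidump exports .` prints on Mac OS X Server:
#   <path> [options] [host ...]
# Findings reported per export (or "ok"):
#   world         no host list and no -network: any client can mount it
#   root-trusted  -maproot=0 or -maproot=root: the client's UID 0 is honored
#   rw            no -ro: anyone the UID rules admit may write

audit_export_line() {
    path=""; ro=0; root_trusted=0; restricted=0; skip=0
    for tok in $1; do
        if [ -z "$path" ]; then path=$tok; continue; fi
        if [ "$skip" = 1 ]; then skip=0; continue; fi     # value of -network / -mask
        case $tok in
            -ro) ro=1 ;;
            -maproot=0|-maproot=0:*|-maproot=root|-maproot=root:*) root_trusted=1 ;;
            -maproot=*|-mapall=*) ;;       # root (or everyone) mapped to an unprivileged UID
            -network) restricted=1; skip=1 ;;
            -network=*) restricted=1 ;;
            -mask) skip=1 ;;
            -*) ;;                         # other options (-alldirs, -mask=..., ...)
            *) restricted=1 ;;             # a bare word is a permitted host
        esac
    done
    findings=""
    if [ "$restricted" = 0 ]; then findings="world"; fi
    if [ "$root_trusted" = 1 ]; then findings="${findings:+$findings,}root-trusted"; fi
    if [ "$ro" = 0 ]; then findings="${findings:+$findings,}rw"; fi
    printf '%s: %s\n' "$path" "${findings:-ok}"
}

# Count World exports read from stdin; more than one breaks NetBoot (see Tips).
count_world_exports() {
    n=0
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac
        case "$(audit_export_line "$line")" in
            *': world'*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed sample, standing in for the output of `nidump exports .`
SAMPLE_EXPORTS='/Shared_Items/Public -ro -maproot=nobody -network 192.168.1.0 -mask 255.255.255.0
/Shared_Items/Engineering -maproot=root ws1.example.com ws2.example.com
/Library/NetBoot/NetBootSP0 -ro -alldirs
/Shared_Items/Scratch'

printf '%s\n' "$SAMPLE_EXPORTS" | while read -r line; do audit_export_line "$line"; done
echo "World exports: $(printf '%s\n' "$SAMPLE_EXPORTS" | count_world_exports)"
```

After saving changes in Workgroup Manager, pipe the real output of `nidump exports .` into `count_world_exports`, or loop over it with `audit_export_line`. A second World export beside the NetBoot one, or a `-maproot=root` export reachable from more than one host, is what you are looking for.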
Resharing an NFS share point

The lack of secure NFS authentication prevents many people from implementing NFS services to desktop clients. Thus, authenticated protocols such as AFP and SMB are used instead. However, depending on the organization, large investments may have been made in NFS-based file servers that don't support AFP or SMB. Mac OS X Server fills this gap with the NFS reshare service. Basically, your Mac OS X Server mounts another server's NFS export and then reshares it via AFP or SMB. Clients connect to your Mac OS X Server via their native protocol, with proper user authentication, and your server acts as a conduit to the other NFS server. This lets you keep your current NFS-based server infrastructure and at the same time give desktop clients native, authenticated access. Keep in mind that the link between your server and the original NFS server is still plain NFS, so it is only as trustworthy as the network segment it crosses.

The system administrator for the originating NFS export must allow your Mac OS X Server root access to the export. This is required because the AFP service runs as root on your server. Granting root access is a significant risk, since any host with that access can read and write every file in the export as any user, so the originating export must be restricted to your server's address alone, and address-based restriction is the only protection that NFS server has. You can also set up a private network for this connection so that no other host can reach the export at all.

To reshare an NFS share point:

1. On your Mac OS X Server, use the Finder or the mkdir command to create a folder at the root of the system drive called nfs_reshares.
This folder must be named exactly as shown, or the task will not work.
2. Although root doesn't have to own this folder, you must configure the permissions so that root has access (see "Configuring File and Folder Permissions") (Figure 5.112).
Use Workgroup Manager to configure the share point.
3. Inside the /nfs_reshares folder, create folders for each NFS export you plan to reshare.
Give each folder the same name as the local mount name of the NFS export on your server. Once again, although root doesn't have to own these folders, you must configure the permissions so that root has access. For example, if you have a Unix computer with a hard disk you want to share and the disk is called myhd, you'll create a folder in the nfs_reshares folder called myhd.
4. To make your server mount the NFS exports automatically at startup, you must configure network mount records in the server's local NetInfo database.
Launch the NetInfo Manager tool, located in /Applications/Utilities on your server.
5. Click the lock icon, and authenticate as the server administrator (Figure 5.113).
6. In the NetInfo Manager directory browser, select the mounts directory (Figure 5.114).
Click the New button to add a new directory item.
7. Double-click the name value in the NetInfo property browser to edit that item.
Change the value to match your original NFS export, using the following format: <nfs server name>:/<nfs export path> (Figure 5.115).
8. Choose Directory > New Property to add new properties (Figure 5.116).
Add two properties: vfstype and dir. The vfstype value is nfs. The dir value is the local mount point of the NFS export: /nfs_reshares/<share name> (Figure 5.117).
Don't worry if your properties are out of order; when you save the changes, they will be reordered.
9. When you've finished configuring the mount properties and values, click any other directory in the directory browser to initiate the save process.
Continue through two verification dialogs to save your changes (Figures 5.118 and 5.119).
You can add more NFS exports by repeating steps 6 through 9.
10. Quit NetInfo Manager, and restart your server.
Verify that the NFS exports are automounted. NFS reshares must always appear as mounted servers in the /nfs_reshares folder (Figure 5.120). From the Terminal, the mount command with no arguments lists every mounted export and its mount point.
11. Launch the Workgroup Manager tool located in /Applications/Server, and authenticate as the administrator (Figure 5.121).
12. The NFS exports mounted in the /nfs_reshares folder automatically appear under the All tab in the sharing browser (Figure 5.122).
13. Configure the NFS exports as you would any other share point on your server (see the task "To configure new share points," earlier in this chapter).
Tips

Test the shares as you would any other authenticated share point. However, if the link between the original NFS server and your server is broken, the reshares will likewise be severed.

Be very careful when using NetInfo Manager, because changes are made live.

Workgroup Manager can also be used to create the NFS reshare.
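For the NetInfo part of this procedure (steps 4 through 9), here is an added shell example, not code from the book or from Apple, that creates the same mounts record from the Terminal with niutil and validates the /nfs_reshares folder name first. It assumes the niutil(8) tool of Mac OS X Server 10.3 and that a "/" inside a NetInfo directory name must be written as "\/" in niutil paths; the server name unixbox.example.com, the export path /export/myhd and the folder name myhd are constructed. It runs in dry-run mode by default, printing the commands; set DRY_RUN=0 and run it as root to execute them.

```shell
#!/bin/sh
# Register an NFS reshare mount in the local NetInfo domain from the command
# line: the same record that NetInfo Manager steps 4-9 create by hand.
# Added example, not from the book or from Apple. Assumes niutil(8) from
# Mac OS X Server 10.3 and that "/" inside a NetInfo directory name is
# escaped as "\/" in niutil paths. Dry run (prints commands) unless DRY_RUN=0.
#
# Usage: reshare_register <nfs-server> <export-path> <local-folder-name>

RESHARE_ROOT=/nfs_reshares      # fixed by the reshare service; see step 1

# Escape every "/" in a NetInfo name as "\/" so niutil does not treat it
# as a path separator (pure shell, no sed).
ni_escape() {
    rest=$1; out=""
    while [ "$rest" != "${rest#*/}" ]; do
        out="$out${rest%%/*}\\/"
        rest=${rest#*/}
    done
    printf '%s' "$out$rest"
}

# The local mount point must be a plain folder name directly under
# /nfs_reshares (the folder created in step 3); reject anything else so a
# bad name cannot point the mount outside that tree.
reshare_mount_point() {
    case $1 in
        ''|.|..|*/*|-*) return 1 ;;
    esac
    printf '%s/%s\n' "$RESHARE_ROOT" "$1"
}

run() {
    if [ "${DRY_RUN:-1}" = 0 ]; then "$@"; else printf '%s\n' "$*"; fi
}

reshare_register() {
    server=$1; export_path=$2; name=$3
    mp=$(reshare_mount_point "$name") || { echo "bad reshare name: $name" >&2; return 1; }
    case $export_path in
        /*) ;;
        *) echo "export path must be absolute: $export_path" >&2; return 1 ;;
    esac
    # Record name is <server>:<export path>, exactly as in NetInfo Manager step 7.
    ni_path="/mounts/$(ni_escape "$server:$export_path")"
    run niutil -create . "$ni_path"
    run niutil -createprop . "$ni_path" vfstype nfs    # step 8
    run niutil -createprop . "$ni_path" dir "$mp"      # step 8
}

# Demonstration with constructed names; dry run unless DRY_RUN=0 is set.
reshare_register unixbox.example.com /export/myhd myhd
```

After running it for real (DRY_RUN=0, as root), `nidump -r /mounts .` dumps the raw mounts records so you can confirm the name, vfstype and dir values, and after the restart in step 10 the mount command should show the export mounted on /nfs_reshares/myhd.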