Kerberized NFS on Mac OS X 10.8 (Heimdal)
Eric Buller
ebuller at uwaterloo.ca
Mon Jul 8 14:42:11 EDT 2013
This has been posted to an Apple forum with no response. https://discussions.apple.com/message/22340802#22340802
I am working on having our Mountain Lion clients use Kerberos security to access data on a NetApp filer. The Kerberos realm is Active Directory at Server 2003 functional level. The AD schema includes the unix attributes for users (uid, uidNumber, gidNumber, unixHomeDirectory) which we set and are used by Mac OS X. The Mac OS X clients are joined to the AD domain and use the AD domain controllers for DNS.
The OS X clients use automount to mount the remote file system to use as the user's home folder.
We have managed to get this working fairly well with only a few of issues. I appreciate any ideas on how to resolve this particular issue.
Sometimes, when a user logs in, no nfs ticket is issued and the default profile is used instead of the one stored on the remote file system. When this happens, the user has to stay logged on for 5 minutes, then log out, and log in to get access to the remote file system. Tcpdump/Wireshark shows no Kerberos traffic during the 5 minute wait period even when trying to access the mounted file system. After the 5 minute delay, Kerberos ticket is requested and issued as soon as the user accesses the home folder. The first thing I thought about was time skew (5 minutes) but everything is synched to the same master time sources (NetApp, Mac OS X, AD)
I have been following these discussion threads but they might be stale:
https://discussions.apple.com/thread/4905826?start=0&tstart=0
https://discussions.apple.com/message/21694945#21694945
More information about the Kerberos
mailing list