[MacTUG] Kerberized NFS using Active Directory and NetApp filers

Dani Roloson daroloso at uwaterloo.ca
Sun Jul 7 20:45:28 EDT 2013


Posting this for a co-worker:

I am working on having our Mountain Lion clients use Kerberos security to access data on a NetApp filer.  The Kerberos realm is Active Directory at Server 2003 functional level.  The AD schema includes the unix attributes for users (uid, uidNumber, gidNumber, unixHomeDirectory) which we set and are used by Mac OS X.  The Mac OS X clients are joined to the AD domain and use the AD domain controllers for DNS.

The OS X clients use automount to mount the remote file system to use as the user's home folder.

We have managed to get this working fairly well with only a few issues.  I appreciate any ideas on how to resolve these last issues.

1.  Sometimes, when a user logs in, no nfs ticket is issued and the default profile is used instead of the one stored on the remote file system.  When this happens, the user has to stay logged on for 5 minutes, then log out and log back in to get access to the remote file system.  Wireshark shows no Kerberos traffic during the 5 minute wait period even when trying to access the mounted file system.  After the 5 minute delay, a Kerberos ticket is requested and issued as soon as the user accesses the home folder.  The first thing I thought about was time skew (5 minutes) but everything is synched to the same master time sources (NetApp, Mac OS X, AD).

2. Our users need to be able to run programs for extended periods (days) and we need to automatically renew Kerberos tickets.  I have seen conflicting information on the pam_krb module.  I can get renewable tickets by adding renewable = true under [libdefaults] in /etc/krb5.conf.  Unfortunately, the lifetime values in /etc/krb5.conf are ignored.  Now I need to automate renewal.  Maybe with a LaunchAgent that runs kinit -R on a schedule.  The second thread below includes a possibility but not the -R switch.

I have been following these discussion threads but they might be stale:

https://discussions.apple.com/thread/4905826?start=0&tstart=0

https://discussions.apple.com/message/21694945#21694945
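The scheduled `kinit -R` approach from issue 2, worked through as an added example that is not part of the original post or any replies to it. The shell script below has two parts: a renewal function that only attempts `kinit -R` when the credential cache still holds a valid ticket (a TGT can only be renewed while it is unexpired and inside its renew-until window; once that window closes, which Active Directory's domain Kerberos policy caps at 7 days by default, a fresh `kinit` with the password is required), and a generator for the per-user launchd agent plist that runs the script on a fixed interval. The label `ca.uwaterloo.krbrenew`, the script path `/usr/local/bin/krb-renew.sh` and the 600-second interval are assumptions chosen for illustration; the poster's `renewable = true` setting in `/etc/krb5.conf` is still required for any of this to work.

```shell
#!/bin/sh
# Added example (not the original poster's code): schedule `kinit -R`
# from a per-user LaunchAgent. Label, script path and interval below
# are assumed values, not taken from the post.

# Renew the current credential cache only if it still holds a valid
# ticket. `klist -s` exits non-zero when the cache is missing or expired;
# in that case `kinit -R` cannot help and a fresh kinit is needed.
renew_ticket() {
    if klist -s 2>/dev/null; then
        kinit -R
    else
        echo "krb-renew: no valid ticket to renew; a fresh kinit is required" >&2
        return 1
    fi
}

# Emit a launchd agent plist (to stdout) that runs SCRIPT every INTERVAL
# seconds. Keep INTERVAL well below the ticket lifetime the KDC issues,
# so a renewal always happens before the current ticket expires.
make_renew_agent_plist() {
    label="$1"     # assumed: ca.uwaterloo.krbrenew
    interval="$2"  # seconds between runs, e.g. 600
    script="$3"    # absolute path of a script that calls renew_ticket
    printf '%s\n' \
      '<?xml version="1.0" encoding="UTF-8"?>' \
      '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
      '<plist version="1.0">' \
      '<dict>' \
      '    <key>Label</key>' \
      "    <string>$label</string>" \
      '    <key>ProgramArguments</key>' \
      '    <array>' \
      "        <string>$script</string>" \
      '    </array>' \
      '    <key>StartInterval</key>' \
      "    <integer>$interval</integer>" \
      '    <key>RunAtLoad</key>' \
      '    <true/>' \
      '</dict>' \
      '</plist>'
}

# Usage (assumed paths):
#   krb-renew.sh            -> renew once (what the agent calls each interval)
#   krb-renew.sh install    -> write the agent plist for this user and load it
case "${1:-}" in
    install)
        label="ca.uwaterloo.krbrenew"
        plist="$HOME/Library/LaunchAgents/$label.plist"
        mkdir -p "$HOME/Library/LaunchAgents"
        make_renew_agent_plist "$label" 600 /usr/local/bin/krb-renew.sh > "$plist"
        launchctl load "$plist"
        ;;
    "")
        renew_ticket
        ;;
esac
```

Renewing the TGT does not touch the nfs service ticket already in the cache; the NFS client obtains a new service ticket from the renewed TGT when the old one expires, which is why keeping the TGT alive is enough for a long-running job. Because the agent runs in the user's login session, it sees the same credential cache that automount and the user's processes use.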