Information for Mac OS X users
Accessing NetApp filespace
Your normal file space held on the departmental NetApp file server can be accessed directly from Mac OS X whilst your computer is physically within the building (or via VPN). Access is permitted from the network on which unmanaged machines are connected and the local wireless network.
To access the lab filespace you must have a valid login (Kerberos password) for using lab-managed Linux or Windows machines.
You can choose between two ways of accessing the filer:
- SMB/CIFS protocol – Behaves very much like access from Windows, in particular most files you create will be managed by the filer using Windows NTFS-style access controls. Symbolic links created under Unix/Linux will not be recognizeable as such, but mandatory locking is available. This option may be preferable for anyone who mostly collaborates with Windows users.
- NFSv3 protocol – Behaves more like lab-managed Unix/Linux. Files created will have Unix-style access control permissions (see “man chmod”), symbolic links are fully supported, and the protocol is very fast on LANs. This option may be preferable for anyone who mostly collaborates with Unix/Linux users, or uses their Mac commonly from the shell command-line.
The NFSv4 protocol tries to combine the best of both worlds, but bugs in Apple's NFSv4 client (as of OS X 10.9.5) still prevent it from being usable here.
Access via SMB/CIFS
Start the “Finder” and select the menu item “Go | Connect to Server ...” and then type in as the “Server Address:” the required folder that you want to mount.
Example mount points:
- To mount your windows_home:
- To mount your unix_home:
- To mount your “super home” (contains both of the above):
- To mount your group space
The “userid@” prefix is not needed if the login name on your Mac is already your CRSID.
If you do not already have a fresh Kerberos ticket, Finder will ask you for your departmental Kerberos password:
Only one uid/password mapping is permitted by CIFS/SMB per host connection. It is therefore sensible to add this to your keychain to simplify future access.
Access via NFS
Access via NFS is currently only available from within the Computer Laboratory, and requires a connection to a suitable local network, (e.g. VLAN 290).
Create the file /etc/krb5.conf and fill it as follows:
[libdefaults] default_realm = AD.CL.CAM.AC.UK allow_weak_crypto = true [domain_realm] .cl.cam.ac.uk = AD.CL.CAM.AC.UK
- The allow_weak_crypto=true is unfortunately still necessary because, as of OS X 10.9, the only encryption type that both the filer and OS X manage to agree on is des-cbc-crc, using weak 56-bit DES encryption keys. OS X 10.9 appears to support only des-cbc-crc, des-cbc-md5, des-cbc-md4, and des3-cbc-sha1 as encryption types for NFS session keys (see gssd.c, nfs_gss_crypto.h), whereas Microsoft Active Directory server only supports aes256-sha1, aes128-sha1, des-cbc-crc, des-cbc-md5, arcfour-hmac-md5. Therefore, allow_weak_crypto=true will be necessary until Apple finally supports AES (or RC4) session keys in its NFS implementation. (Apple Bug Report: 21522754)
- The domain_realm entry is not strictly necessary, as our DNS servers provide equivalent information (try “host -t txt _kerberos.cl.cam.ac.uk”), but it helps to avoid one “gssd: No credentials found for CL.CAM.AC.UK” warning in /var/log/system.log.
Does not work on Yosemite: The allow_weak_crypto=true configuration no longer works (i.e., has no effect) on Yosemite (OS X 10.10), where Apple appears to have removed Single-DES support from Kerberos, sadly without yet adding AES support to NFS. Therefore, NFS access to the departmental filer is currently not possible with Yosemite.
Getting a Kerberos ticket
To access the filer, you need to have a fresh Kerberos ticket, which you can get using your password. They last about a day by default. If you did not already get a ticket during your last Kerberos-authenticated login, you can request one manually via the shell command line
$ kinit crsid crsid@AD.CL.CAM.AC.UK's Password: [type your Kerberos password]
Note: An added benefit of having a Kerberos ticket is that SMB mount's will no longer require a password, and neither will logins with “ssh -K” to lab-managed Linux machines.
Once Kerberos is set up and you have a ticket, just create an empty directory as a mount point and then mount the desired export. You can do this under your normal user identity in your home directory (no sudo required). Please be aware that the actual location of your filespace on the filer may change. If you have problems in future then remember to come back and check this page for updated information.
$ mkdir cl-filer $ mount filer.cl.cam.ac.uk:/vol/userfiles/crsid cl-filer
NFSv3 communicates only numeric user and group identifiers, therefore if you type “ls -l” in a mounted folder, you may see the owner and group to which a file belongs displayed as integer numbers (e.g., “1597” instead of “mgk25”), because these numeric user identifiers will not exist in the local user and group directory of OS X.
To help OS X Directory Services to translate numeric user and group identifiers into user and group names, you have to configure it to consult a departmental Unix LDAP server.
The following steps work on Mavericks:
- Under “(Apple)|System Preferences|Users & Groups” click on “Login Options”. Then click the padlock symbol and unlock it with your admin password.
- Next to “Network Account Server:” click “Join...” (or “Edit” if you already have AD authentication configured) and then on the menu that pops up “Open Directory Utility...”.
- In the Directory Utility, again open the padlock using your admin password. Under “Services” double-click “LDAPv3” and on the menue that opens click “Show Options” and then click “New...”.
- In the “New LDAP Connection” menue that pops up, set Server Name or IP Address:” to “ldap-serv1.cl.cam.ac.uk”. Among the radio buttons underneath, make sure that “Use for authentication” is ticked. Then click “Continue”.
- Back on the list of options, for the server you just added, set “LDAP Mappings” to “RFC2307”. You will then be prompted for “Search Base Suffix” and should enter enter “dc=cl,dc=cam,dc=ac,dc=uk”. The screen should then look like the screnshot below. Then press “OK”.
You can check whether under “Search policy” and “Authentication” it now says “Custom path” and has under “/Local/Default” the second directory domain “/LDAPv3/ldap-serv1.cl.cam.ac.uk” added. If not, click “+” to add it, then press “Apply”.
Once you have succeeded, the little bullet in front of “ldap-serv1.cl.cam.ac.uk” on the “Users & Groups” tool “Login Options” menu will have changed from grey to green, and you should now be able to look up LDAP user and group names, for example with the command line “dscacheutil -q user -a name mgk25”. Finally, try “ls -l” on a mounted filer directory and check whether each file shows a non-numeric user and group identifier.