Mounting NFS with Kerberos 10.8.x file permission issues
I've been trying to get OS X 10.8.4 to mount our data drive using Kerberos auth, which works, but when a user edits a file via the GUI he/she becomes the owner. If the user uses vi, the owner stays the same.
So test-001 was owned by tom, just like test-002 and test-003. brian edited test-001 with vi, then quit, and the owner was still tom. Once brian edited test-001 with TextEdit and clicked Save, he got this warning: "The document “test-001” is on a volume that does not support permanent version storage." After clicking OK, the owner changed to brian.
-rw-rw----@ 1 brian grptest 31 30 Aug 15:39 test-001
-rw-rw----@ 1 tom grptest 5 23 Aug 11:38 test-002
-rw-rw----@ 1 tom grptest 11 30 Aug 18:02 test-003
ls -lart
-rw-rw----@ 1 brian grptest 31 30 Aug 15:39 test-001
-rw-rw---- 1 brian grptest 4096 30 Aug 15:39 ._test-001
-rw-rw---- 1 tom grptest 5 23 Aug 11:38 test-002
-rw-rw---- 1 tom grptest 5 23 Aug 11:38 test-003
It happens with anything Brian edits with on the GUI. I'm wondering if it's something like this, but affects NFS also? http://support.apple.com/kb/TS4149
My configuration steps are below:
/Library/Preferences/edu.mit.Kerberos looks like this
[libdefaults]
default_realm = domain.com
allow_weak_crypto = true
noaddresses = TRUE
[realms]
domain.com = {
kserv = kserv0.domain.com
kserv = kserv1.domain.com
admin_server = kserv0.domain.com
}
[domain_realm]
domain.com = domain.com
.domain.com = domain.com
My Unix admins have given me a keytab: /etc/krb5.keytab
I've edited /etc/pam.d/authorization to have: auth optional pam_krb5.so use_first_pass use_kcminit default_principal
This asks for a ticket at logon.
I've added a local user (brian) with the same uid (let's say 9999) as his network user and chmod -R 9999 /Users/brian
When Brian logs in and mounts our data drive the rights say:
-rw-rw---- 1 nobody nobody 31 30 Aug 15:39 test-001
-rw-rw---- 1 nobody nobody 5 23 Aug 11:38 test-002
-rw-rw---- 1 nobody nobody 11 30 Aug 18:02 test-003
So I add LDAP (I've tried adding LDAP first without creating a local user, but it hangs in System Preferences > Users & Groups, which doesn't allow me to create a mobile account, so the user can't log in offline).
In the LDAP search base I have dc=domain,dc=com. After a reboot, when Brian mounts he gets:
-rw-rw----@ 1 brian grptest 31 30 Aug 15:39 test-001
-rw-rw----@ 1 tom grptest 5 23 Aug 11:38 test-002
-rw-rw----@ 1 tom grptest 11 30 Aug 18:02 test-003
To mount I do this: sudo mkdir /Volumes/data
Then sudo mount -t nfs -o vers=3,sec=krb5,intr,soft server1:/data /Volumes/data/
If I use vers=4, OS X practically hangs; it's unusable.
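A diagnostic that narrows down what the question describes, added here and not part of the original post: an editor can either rewrite a file in place (same inode, owner untouched) or write a temporary file and rename it over the original, which is how Cocoa "safe save" works and leaves a brand-new inode created by, and therefore owned by, the editing user. Recording the inode before and after an edit tells the two apart on any POSIX mount, including the NFS volume above. The script below simulates both strategies in a temporary directory; the file names and contents are constructed for the demo, and `watch_edit` is a hypothetical helper for checking a real edit on the mounted volume.

```shell
#!/bin/sh
# Added diagnostic (not from the original question): detect whether an edit
# rewrote a file in place or replaced it by rename. A replaced file is a new
# inode, created by the editing user, so on NFS its owner becomes that user.

inode_of() {
    # Print the inode number of $1. `ls -i` is portable across macOS and Linux.
    ls -i "$1" | awk '{print $1}'
}

write_in_place() {
    # Open the existing file for writing and truncate it: same inode, same owner.
    printf '%s\n' "$2" > "$1"
}

write_by_rename() {
    # Cocoa-style safe save: write a temporary file beside the original, then
    # rename it over the original. The path now points at a brand-new inode.
    tmp="$1.tmp.$$"
    printf '%s\n' "$2" > "$tmp"
    mv -f "$tmp" "$1"
}

file_was_replaced() {
    # Returns 0 (true) if the file at $1 no longer has inode $2.
    [ "$(inode_of "$1")" != "$2" ]
}

watch_edit() {
    # Hypothetical helper for a real check on the mounted volume:
    # run it on a file, edit the file in the app under test, press Enter.
    before=$(inode_of "$1")
    echo "inode before edit: $before (owner: $(ls -l "$1" | awk '{print $3}'))"
    echo "edit $1 now, then press Enter"
    read _
    if file_was_replaced "$1" "$before"; then
        echo "file was replaced: new inode $(inode_of "$1"), owner $(ls -l "$1" | awk '{print $3}')"
    else
        echo "file was rewritten in place: inode unchanged"
    fi
}

demo() {
    # Constructed simulation of both write strategies in a scratch directory.
    dir=$(mktemp -d)
    f="$dir/test-001"
    printf 'hello\n' > "$f"

    before=$(inode_of "$f")
    write_in_place "$f" "edited in place"
    if file_was_replaced "$f" "$before"; then
        echo "in-place write: replaced (unexpected)"
    else
        echo "in-place write: same inode, owner unchanged"
    fi

    before=$(inode_of "$f")
    write_by_rename "$f" "edited via safe save"
    if file_was_replaced "$f" "$before"; then
        echo "rename write: replaced, new inode owned by the writer"
    else
        echo "rename write: same inode (unexpected)"
    fi

    rm -rf "$dir"
}

demo
```

Running `demo` prints that the in-place write keeps the inode while the rename-based write produces a new one; `watch_edit /Volumes/data/test-001` applies the same check to a real edit, so the owner change can be attributed to the editor's save strategy rather than to the Kerberos or identity mapping configuration.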