
Mac OSX Server (Leopard) as a NIS Client with Automount

Thursday, March 5, 2009

Many companies use NIS to distribute authentication data (username/password, group, etc.) along with automount maps to make networks of servers all authenticate and mount shared NFS drives uniformly. I’ve built hundreds of these networks, often mixing Linux, Solaris, BSD, and usually a few Windows systems. I recently was asked to set up a Mac Xserve box on a network of Linux and Solaris machines, and integrate it to work alongside them. At first this was a bit baffling, and there was really very little useful info on the net for how to do this, but I eventually figured it out and it wasn’t that hard in the end. I have very little recent Mac experience, so maybe someone more familiar with the Mac would have found this to be simple, but I suspect there are really very few people around with recent Mac server experience outside of Apple itself.

The goal in this project was two-fold:
  • Make the Mac Xserve box authenticate users against either NIS or Active Directory (NIS preferred).
  • Get automount to work using the NIS automount maps such that all the NFS shares are available, including per-user home directories, matching all the other machines on the network.
I did this on an Apple Xserve box running Mac OS X Server 10.5.6 patched up to date as of today. Networking was already set up, using DHCP for IP address, default route, and DNS settings. I also distribute the NIS domain name and server and NTP servers via DHCP, but it appears the Mac ignores those settings.

First, set up a NIS binding:

In the Mac GUI, go to Finder, Applications, Utilities, and open “Directory Utility”:
  1. Click the lock to unlock
  2. Services tab, click “BSD Flat File and NIS” and click the pencil to edit the settings
  3. Enter the NIS domain name and servers (server hostname ok if DNS is in use, or put in the IP addresses if you’re using NIS for hostname resolution).
  4. Check the “Use NIS domain for authentication” box.
  5. Search Policy tab, Authentication
  6. Set “Search:” to “Custom Path”
  7. Drag the “BSD/<domain>” item up as high as it’ll stick
  8. Apply everything and click the Lock when you’re done.
This sets up and starts the NIS client (and appears to make it start at boot correctly). It also appears to set up the equivalent of nsswitch.conf to do the right things, although I wasn’t able to find the actual config file to confirm this. At this point, from a root shell, you should be able to run ‘ypwhich’ and see that it found your NIS server. You can test a map lookup; for example, ‘ypmatch jeff passwd’ should produce the password entry.

Second, to set up Automount:

If you’re using automount maps, you’ll probably have to edit some files in the filesystem to make them work right. The Mac appears to use Solaris/BSD-style automount map names by default (auto_home, auto_master, etc.), so if you have a Linux infrastructure (auto.home, auto.master, etc.) you have to edit /etc/auto_master on the Mac to fix it. This may be as easy as changing “+auto_master” to “+auto.master” and deleting the rest of the lines in the file. This takes auto.master from NIS, and all its child maps get linked in from there. Make the auto_master file do the right thing for your network setup; if yours is more complex, or if you don’t distribute auto.master via NIS, probably just copy one from another machine.
Most NFS servers require mount requests to come from “secure” ports (ports <1024) but it appears the Mac NFS client does not adhere to this by default. So, to fix this edit /etc/autofs.conf and add “resvport” to the options line:


Note you have to be root to edit that file. If you’re logged in as an admin user you can “su” or “sudo /bin/sh” to get a real root shell.
You can probably just send a HUP to automountd to make it re-read the conf file, but I rebooted the machine just to be sure everything came up correctly after all these changes.
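Before rebooting, the two file edits above (the “+auto.master” line and the “resvport” option) can be checked with a short script. This is an added example, not part of the original post: the key name AUTOMOUNTD_MNTOPTS is assumed from the stock autofs.conf options line, which the post does not show, and the sample files are constructed.

```sh
#!/bin/sh
# Added example: audit the two file edits described in this post.

# Print the option list from the last active AUTOMOUNTD_MNTOPTS line.
# (Key name assumed from the stock autofs.conf; the post does not show it.)
mntopts() {
    sed -n 's/^[[:space:]]*AUTOMOUNTD_MNTOPTS=//p' "$1" | tail -n 1
}

# Succeed if mount option $2 appears in the option list of conf file $1.
has_mntopt() {
    case ",$(mntopts "$1")," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Succeed if master map file $1 pulls in NIS map $2 with a "+map" line.
# awk compares the field literally, so "auto.master" never matches
# "auto_master" the way an unescaped regex dot would.
includes_map() {
    awk -v m="+$2" '$1 == m { f = 1 } END { exit !f }' "$1"
}

# audit AUTOFS_CONF MASTER_FILE MAP_NAME: report every failed check.
audit() {
    rc=0
    has_mntopt "$1" resvport || { echo "FAIL: no resvport in $1"; rc=1; }
    includes_map "$2" "$3" || { echo "FAIL: +$3 not in $2"; rc=1; }
    return "$rc"
}

# Constructed sample files (edited and stock) so the checks run anywhere.
tmp=$(mktemp -d)
printf '%s\n' '# sample' 'AUTOMOUNTD_MNTOPTS=nosuid,nodev,resvport' > "$tmp/autofs.conf"
printf '%s\n' 'AUTOMOUNTD_MNTOPTS=nosuid,nodev' > "$tmp/autofs.stock"
printf '%s\n' '# sample' '+auto.master' > "$tmp/auto_master"
printf '%s\n' '+auto_master' > "$tmp/auto_master.stock"

audit "$tmp/autofs.conf" "$tmp/auto_master" auto.master && echo "edited: OK"
audit "$tmp/autofs.stock" "$tmp/auto_master.stock" auto.master || echo "stock: needs edits"
```

On the server itself, the same check is `audit /etc/autofs.conf /etc/auto_master auto.master`, with the map name changed to match what your NIS domain distributes.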
Once rebooted, you should be able to see the automounted directories. For example, if you have an auto.home map with entries for each user you should see /home be taken over by automount:

sh-3.2# df -h /home
Filesystem      Size   Used  Avail Capacity  Mounted on
map auto.home    0Bi    0Bi    0Bi   100%    /home

and a user’s home dir should be mounted:

sh-3.2# df -h /home/jeff
Filesystem                 Size   Used  Avail Capacity  Mounted on
homer:/disk/d2/home/jeff  2.7Ti  2.1Ti  299Gi    88%    /home/jeff

You can also statically mount NFS drives; there is a tool in the Directory Services Utility to do it. Just be sure to include the “resvport” option (-P in some systems) if your NFS server requires it (most do).
It appears that the Mac NIS config doesn’t know about netgroups, or at least I couldn’t get sudo to work right using the netgroup-based rules I use on all the other systems. The system does see the map (ypcat on the map name does work, for example); however, either the OS doesn’t know about netgroup maps or whatever it uses as the equivalent of nsswitch.conf doesn’t get set up correctly to include NIS in the netgroup lookups. I use netgroups heavily with sudo, so I had to juggle things a bit to use groups instead of netgroups for this host. Luckily this is the only Mac on the network, so that wasn’t a big deal.
The bottom line: the Mac Xserve does work as a NIS client; user authentication and groups do work, as does automount via NIS automount maps. However, it appears that NIS netgroups do not work on the Mac.