Background Info:
To handle the file sharing needs of the Mac OS X and Linux clients, we will use NFS (Network File System). NFS is the traditional Unix file sharing service. It works well in a controlled LAN, but is not well suited to use over large network distances. In addition to NFS, we have also implemented FTP on this server so that users can access their files from off campus.
There are several major choices you need to make before setting up your NFS server. These are:
- Disk to share
- Which systems to share with
- Where in directory tree to place shared files
- Access privileges
You first need to decide about how much space you think you will need for your system. Figure out about how many users you need to plan for, how much space you want to allocate to each user, and then plan in a bit extra for growth if you can. For our system of approximately 300 users, we allocated 1 GB per user, and have a RAID of four 120 GB drives, used in a RAID level 5 array. RAID level 5 is a good choice for this situation since it provides both striping for speed and parity for fault tolerance. You can lose any ONE disk and still have all your data. If you lose two disks simultaneously you lose all your data. So far we find that we delete about half of the user accounts per semester, and then create new ones, as students leave and new ones come. Also, with our 300 users we are using about 200 Gigs or so of space. Most users stay WELL below the 1 Gig level, and at this point in time we do not enforce the quotas of 1 Gig per user. The max any user has is about 7.5 Gigs.
It is also a good idea, for security reasons, to ONLY have the home directories you are exporting on the RAID volume you are going to make into an NFS mount. This way your other system files are more protected. You also have to determine which systems you want to share with. NFS exports use IP addresses for access control: only the IP addresses you allow will be able to mount the NFS volumes. Another security note here is to only list the IP addresses you KNOW belong to trusted client machines. If you also have a DHCP server providing IPs to other machines (like laptops) on your network, I suggest using a different subnet of IP addresses or some other means to separate those machines so they are not able to mount the NFS volume.
Next is to decide where in the directory tree to place the shared files. As stated above, it is a good idea to have a separate disk (RAID if possible) that ONLY has your NFS export on it. Nothing else. You can then mount this volume wherever you like, such as /share/home.
Finally, you have to plan out your access privileges. Also, as I stated above, only specifically allowed IP addresses can mount the NFS volume (if set up correctly), so you will need to take some time to plan out your network, IP structure, and which machines can access the mounts.
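The "only the addresses you allow" rule above is enforced by the server's exports list, and the most common way it gets undone is an entry that exports to every host or that lets a client's root keep root on the server's files. The script below is an added example, not part of the original page; it assumes the Linux /etc/exports syntax, uses the /share/home path from this page, and the sample exports file and the client subnets in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an /etc/exports file (Linux syntax assumed) for entries
# that undo IP-based access control. Globbing is disabled because export
# entries such as "*(rw,sync)" contain shell wildcard characters.
set -f

# Write a constructed sample exports file to the path given as $1.
make_sample_exports() {
    cat > "$1" <<'EOF'
# trusted lab workstations only; remote root is mapped to nobody (root_squash)
/share/home 192.168.10.0/24(rw,sync,root_squash)
# weak: any host on any network may mount the home directories
/share/home *(rw,sync)
# weak: root on a client is root over every file on the export
/share/home 192.168.20.0/24(rw,sync,no_root_squash)
EOF
}

# Print one "RISK ..." line per risky export entry found in the file given as $1.
# A wildcard host (or no host at all) means any client may mount the export;
# no_root_squash means a compromised client's root is root on the server's files.
audit_exports() {
    exports_file="$1"
    # drop comment and blank lines, then walk each "path client(options) ..." entry
    grep -v '^[[:space:]]*#' "$exports_file" | grep -v '^[[:space:]]*$' |
    while read -r path clients; do
        for entry in $clients; do
            host=${entry%%(*}
            case "$entry" in
                *'('*) opts=${entry#*(}; opts=${opts%)} ;;
                *)     opts='' ;;
            esac
            case "$host" in
                ''|'*'|*'*'*|*'?'*)
                    echo "RISK $path: exported to wildcard host '$host'" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*)
                    echo "RISK $path ($host): no_root_squash lets client root act as root" ;;
            esac
        done
    done
}

# Stand-alone usage: audit the constructed sample (or a real file given as $1).
if [ -n "$1" ]; then
    audit_exports "$1"
else
    sample=$(mktemp)
    make_sample_exports "$sample"
    audit_exports "$sample"
    rm -f "$sample"
fi
```

Run against the constructed sample it reports the second and third entries and stays silent on the first; run against a real exports file it takes that file's path as its only argument.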
Some other important points to know about NFS:
1) Network traffic in NFS is NOT encrypted.
2) All systems sharing the files must use the same UID/GID mappings. NFS handles permissions by UID/GID, so if a user on one machine has a different UID than on the server, he can access files that should not belong to him. Since we are getting our UID/GID information from the LDAP server this is not a problem. All information is always consistent.
3) One trusted machine being compromised is equivalent to all being compromised. Root on a machine can put a setuid program on the share, then a simple login to other machines allows root access.
4) Also, note that the NFS server is NOT an NFS client.
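Points 2 and 3 above are the ones that are easiest to check for. The script below is an added example, not from the original page: the first function compares two passwd-format account lists (server and client) and reports users whose UID differs or who are missing, which is exactly the situation in which one user can read another's files; the second checks an fstab line to see whether an NFS mount carries the nosuid option, which makes a setuid program dropped on the share harmless on that client. All account entries, the server name nfsserver.example and the fstab lines are constructed for the example.

```shell
#!/bin/sh
# Added example: two checks for the UID/GID and setuid caveats of NFS.
# Account lists and fstab lines are constructed; nothing here is read from
# the live system.
set -f

# Constructed passwd-format data. Note that bob has UID 1002 on the server
# but 1003 on the client, and 1003 is carol's UID on the server: bob on the
# client would own carol's files on the export.
SERVER_PASSWD='alice:x:1001:1001:Alice:/share/home/alice:/bin/bash
bob:x:1002:1002:Bob:/share/home/bob:/bin/bash
carol:x:1003:1003:Carol:/share/home/carol:/bin/bash'

CLIENT_PASSWD='alice:x:1001:1001:Alice:/share/home/alice:/bin/bash
bob:x:1003:1003:Bob:/share/home/bob:/bin/bash
dave:x:1004:1004:Dave:/home/dave:/bin/bash'

# For every user in the server list ($1), look up the same user in the client
# list ($2) and print MISMATCH when the UIDs differ or MISSING when the user
# has no client account. Users with identical UIDs print nothing.
uid_mismatches() {
    server="$1"; client="$2"
    printf '%s\n' "$server" | while IFS=: read -r user pw uid rest; do
        cuid=$(printf '%s\n' "$client" | awk -F: -v u="$user" '$1 == u { print $3 }')
        if [ -z "$cuid" ]; then
            echo "MISSING $user (uid $uid) has no account on client"
        elif [ "$cuid" != "$uid" ]; then
            echo "MISMATCH $user server=$uid client=$cuid"
        fi
    done
}

# Given one fstab line, report whether an NFS mount carries nosuid.
# Returns 1 (and prints RISK) for an NFS mount without nosuid, 0 otherwise;
# non-NFS lines are ignored.
check_nfs_mount_opts() {
    line="$1"
    set -- $line            # fields: device mountpoint fstype options dump pass
    fstype="$3"; opts="$4"
    case "$fstype" in nfs|nfs4) ;; *) return 0 ;; esac
    case ",$opts," in
        *,nosuid,*) echo "OK $2 mounted nosuid"; return 0 ;;
        *)          echo "RISK $2 mounted without nosuid; setuid programs on the share will run as root"; return 1 ;;
    esac
}

# Stand-alone usage over the constructed data.
uid_mismatches "$SERVER_PASSWD" "$CLIENT_PASSWD"
check_nfs_mount_opts 'nfsserver.example:/share/home /share/home nfs rw,hard,nosuid 0 0'
check_nfs_mount_opts 'nfsserver.example:/share/home /share/home nfs rw,hard 0 0' || true
```

On a real system the two passwd lists would come from the server and from each client (or, as on this page, from the LDAP directory that both use), and the fstab check would be run over every nfs line in the client's /etc/fstab.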
Additional Notes:
So far, we have found one major problem in our NFS setup. Apparently there is a problem with the way Mac OS X deals with NFS mounts when they are no longer available. As long as the NFS server is available, everything functions great. If the NFS server is NOT available, ALL Mac OS X machines are NOT usable AT ALL. They will not boot, login, or function, even under a local user account.
Our plan at this point in time is to put the information for the NFS mounts into the LDAP database instead of manually putting the information into every Mac's NetInfo database like we currently do. However, we have not yet had time to try and test this idea.
Now that we have spent some time explaining a bit about NFS and the things you will need to plan for, let's continue and explain how to get it set up and going.