
NFS in Mac OS 10.5 Leopard

Okay, okay, so I haven’t posted in a while. Well, now it’s decided. In this world, one which lacks Leopard howtos, I’ll do my best to write some posts that will in the end save you the time you would spend searching Google. :)

NFS and OS X

Anyway, some of us have had Leopard for a couple of weeks, and I recommend it for anyone who has a fairly new Mac, by which I mean that the only consideration should be whether you have enough performance to get everything out of Leopard. Leopard has a lot of new “features”, one of which I’ll be explaining today.

NFS isn’t something new, and it’s not even something new for Mac OS. The client to mount NFS is included on almost every *nix, and doesn’t require any additional installation (usually). It also has better performance than Samba (that’s what Windows uses to share files), and has a fairly extensive list of configuration options. Of course, NFS isn’t perfect for everything, but if your computers run *nix (aka BSD/Unix/Mac/Linux), then NFS might be the easiest file sharing protocol to configure. After all, it’s basically already there, so you save yourself the install.

I’m going to assume you have NFS configured on the server, that is, the computer hosting the files. If not, well, it’s actually pretty simple, and NFS has probably the best howtos out there. You can find it here. Anyway, back to the client side, running OS X. In 10.4, mounting NFS was kind of, well, a pain. Mac OS connects to an “insecure” port by default. In other words, it doesn’t send a request to the server for a port. This means that if you run a firewall, you can’t connect via Finder, because Mac OS will attempt to connect to a port that will be blocked, since it’s not in the firewall rules. Not only that, you have to configure your shares to be “insecure”, otherwise /var/log/messages will get something along the lines of:

russo@marx:~$ cat /var/log/messages | grep nfsd
Nov 8 16:56:15 marx kernel: nfsd: request from insecure port (192.168.0.4:49204)!

Directory Utility

There was a solution in 10.4, and it was fairly complicated and involved setting everything up with NetInfo Manager. This procedure was quite tedious, as you can see in this howto. But we’re not in 10.4 anymore (thank god!). And guess what… NetInfo is gone! It has been replaced by something much more user friendly, called Directory Utility, which can be found in your Utilities folder, imagine that! Fire it up, let’s take a look!

So at first sight, there probably won’t be much there, especially on a home network. But this doesn’t matter: we’re not configuring Directory Services, we’re here for the NFS mounts. Just click “Show Advanced Settings” and you’ll see “Mounts” appear up top. Click that. Next you should see something like this:

Click the lock in the bottom left corner to allow you to add/edit mounts. Enter the username and password of an Administrator on the computer (Chuck Norris administers mine). Now you should be able to click the + to add a mount. By the way, with Directory Utility you don’t have to reboot to see changes. You just click “Apply” in the corner. How sweet is that?

The syntax here is a bit different from mount on the CLI, but it still contains the part that has tripped up many new users. :) The syntax is:

nfs://<hostname or ip>/<full path to directory>

Remember, /full/path/to/dir is the full path on the server!

Also enter the directory where you want this share to be mounted. It’s probably best to keep everything under either /Volumes or /Network. This way all users can easily access the shares. You can always add aliases to your home directory, or wherever you want these mounts to actually appear. Now, if you just want to automount “insecure” mounts, then you’re basically done at this point. However, we want to add “secure” mounts. This means we need to specify the “Privileged” flag for the mount. This will cause it to use a port designated by the server. Click the little triangle next to “Advanced Mount Parameters” and you’ll see something like this:

All we have to do is add “-P”. This makes the mount use a privileged port. Now click “Verify”. At this point, it’s good to mention that Directory Utility only checks whether the server that you entered is running NFS, not whether the mount is actually functional. Now click “Apply”.

Nothing Happened…

Well, it did, but you might not be able to see it. At the very least the mount point has been created, and you can check this by opening Finder and going to either /Volumes or /Network (EDIT: or wherever you mounted your share). To get there you’ll have to press command (apple) + shift + G, and then type in where you want to go. Okay, so now you should see it there, BUT you probably won’t be able to write to it, even if you didn’t mount it read-only. Why is that, you ask? Well, you don’t have permissions, silly! And even if your user does have permissions to write, even if your user exists on both machines, he probably won’t have the same gid/uid. How can you check? Just use the id command:

lenin:~ russo$ id
uid=501(russo) gid=20(staff)

Just as a side note, Mac OS begins with 500, whereas most Linux distros begin with 1000. So now you can either change the gid/uid on one of the machines so that they match, or run “chmod 777” on the directory on the server… that should be it. You should be able to write now!

EDIT: There are also ways to map IPs, hostnames and authenticated users to users on the machine. Mapping IPs and hostnames is fairly easy: you simply add anonuid=youruid, anongid=yourgid to the options in the /etc/exports file. (Thanks Paolo)
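
The server-side behaviour behind both the “insecure port” log message and the anonuid/anongid tip, as an added example (not code from the original post): per exports(5), a Linux NFS server’s default “secure” option only accepts requests whose source port is below 1024, and the squash options decide which uid/gid a request ends up with on the server. The export paths under /srv and all function names are assumptions made for the illustration, and the sample log line and export entries are constructed from the ones quoted on this page.

```python
import ipaddress
import re

# Constructed sample input, modelled on the log line and export options on this page.
LOG_LINE = "Nov 8 16:56:15 marx kernel: nfsd: request from insecure port (192.168.0.4:49204)!"
EXPORTS = """\
/srv/strict 192.168.0.0/255.255.255.0(rw,sync)
/srv/squash 192.168.0.0/255.255.255.0(rw,sync,insecure,all_squash,anonuid=1000,anongid=1000)
/srv/rootok 192.168.0.0/255.255.255.0(rw,sync,no_root_squash)
"""
IPPORT_RESERVED = 1024  # "secure" (the default) requires a source port below this
NOBODY = 65534          # default anonuid/anongid in exports(5)

def parse_log(line):
    """Return (client_ip, source_port) from an nfsd 'insecure port' message."""
    m = re.search(r"nfsd: request from insecure port \(([\d.]+):(\d+)\)", line)
    return (m.group(1), int(m.group(2))) if m else None

def parse_exports(text):
    """Yield (path, network, options) for every 'network(options)' client entry."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for client in fields[1:]:
            m = re.fullmatch(r"([^()]+)\(([^()]*)\)", client)
            try:
                net = ipaddress.ip_network(m.group(1), strict=False)
            except (AttributeError, ValueError):
                continue  # hostname, wildcard and netgroup clients are not modelled
            opts = dict(o.partition("=")[::2] for o in m.group(2).split(","))
            yield fields[0], net, opts

def decide(opts, src_port, uid, gid):
    """Model nfsd's source-port check, then the squash mapping, for one request."""
    if "insecure" not in opts and src_port >= IPPORT_RESERVED:
        return "rejected: insecure port"
    anon_uid = int(opts.get("anonuid", NOBODY))
    anon_gid = int(opts.get("anongid", NOBODY))
    squash_all = "all_squash" in opts
    squash_root = "no_root_squash" not in opts  # root_squash is the default
    return (anon_uid if squash_all or (squash_root and uid == 0) else uid,
            anon_gid if squash_all or (squash_root and gid == 0) else gid)

def evaluate(exports_text, client_ip, src_port, uid, gid):
    """Map each export that covers client_ip to the outcome of decide()."""
    addr = ipaddress.ip_address(client_ip)
    return {path: decide(opts, src_port, uid, gid)
            for path, net, opts in parse_exports(exports_text) if addr in net}

if __name__ == "__main__":
    ip, port = parse_log(LOG_LINE)
    print(evaluate(EXPORTS, ip, port, 501, 20))  # default mount, unprivileged port
    print(evaluate(EXPORTS, ip, 1023, 501, 20))  # same user, mounted with -P
    print(evaluate(EXPORTS, ip, 1023, 0, 0))     # client root, mounted with -P
```

For the Mac user shown above (uid 501, gid 20), the default mount is rejected on every export that lacks “insecure”, and with -P the ids pass through unchanged unless all_squash is set, which is why they then have to match the owner on the server. On the no_root_squash export, root on the client stays uid 0 on the server.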

How do I get the share in my Finder Sidebar?

Simple! Just click the folder and drag it while holding apple + option. You can place it under “Places” in this manner. Even if you’re not an admin user.

EDIT: This wasn’t clear enough for some. You cannot create aliases for the actual mounts; however, you can create a folder enclosing the mounts and create an alias for that, i.e. /Volumes/Hostname, and put all the mounts in /Volumes/Hostname. I hope it’s a little bit easier to understand now…


28 Responses to “NFS in Mac OS 10.5 Leopard”

  1. Anthony

    11 November 2007 at 1:31

    What if we’re a Mac only office? Is NFS of any use to us or should we stick with AFP?

  2. russo.

    11 November 2007 at 1:58

    I’d just stick to AFP, then. I use AFP between my Macs. It’s just that it’s easiest to use NFS when you have some non-Mac servers. Again, this is just IMHO… :P but I can tell you that compiling AFP for some Linux distros is more work than it should be.

  3. paul

    11 November 2007 at 16:18

    “So now you can either change the gid/uid of one of the machines so that they do match” – On my remote *nix machine changing the uid/gid has many negative ramifications (outside the scope of this question). What are the ramifications of changing the uid/gid (particularly gid) on the Mac side?

  4. russo.

    11 November 2007 at 16:48

    I didn’t notice any difference, or rather, I didn’t find anything that had gone awry when I did it on 10.4. However, I still think the most simple solution is having some directories with read/write for all. Remember, you can control IP-access with hosts.allow and hosts.deny as explained in the NFS-Howto.

  5. Skip

    14 November 2007 at 19:31

    Hi,

    Great article, Thanks. One thing that is a real problem is that 10.5 does not show nfs mounts in the finder. I can see them in the terminal and if I make all files visible but how can I make nfs mounts visible by the finder? Not like the old days where a .hidden file would have worked in the root dir.

    Regards

    Skip

  6. russo.

    14 November 2007 at 19:36

    Hi Skip,

    Did you read the part I wrote about, “Nothing Happened”? That’s exactly what I meant by nothing happened. My tip would be to press apple + shift + G, then type /Volumes and you should see your mounts there. Now just make aliases to them under “My Places” in Finder.

  7. Ben

    15 November 2007 at 12:39

    Nice one.

    Some extra stuff that I found useful was to download the Apple Server Tools (http://www.apple.com/downloads/macosx/apple/macosx_updates/serveradmintools105.html) and use it to add a new group with a particular gid to your local machine (i.e. Mac).

    (as described at: http://www.macosxhints.com/article.php?story=20071029181159291)

    Then on your Linux (etc.) box, just create a group matching the gid and set and use this group on any files/folders that need to be written to…

  8. John T

    20 November 2007 at 8:44

    I’ve been struggling with getting NFS to work with 10.5 since I installed it.

    In Tiger, all I had to do to mount an NFS shared volume (from my own Ubuntu system) was do a Connect to Server and put in the URL: nfs://10.1.1.1/home/john and the Finder opened the mounted folder.

    Trying the same thing in 10.5 will result in the Finder opening the folder/volume, but I cannot copy any file that has “extended attributes” (resource forks). If I try, the Finder returns: “The operation cannot be completed because you do not have sufficient privileges for some of the items.”

    My /etc/exports on the Ubuntu system is: (which worked fine in Tiger)

    /home/john 10.1.1.0/255.255.255.0(rw,subtree_check,all_squash,async,insecure,anonuid=1000,anongid=1000)

    Note however – using the exact same mounted volume, I can use the Terminal to copy any file to the NFS shared volume (the cp command by default preserves the “extended attributes”). This leads me to believe there’s a problem with the Finder and NFS shares.

  9. Brent

    20 November 2007 at 18:28

    Great tip, thanks!

    Almost everything is working perfectly, I’m just having one small problem that I’m almost ashamed to admit: I can’t create aliases for these shares. The Make Alias option is greyed out in the File menu in Finder. Any ideas out there? Thanks!

  10. B0rkdox

    23 November 2007 at 12:03

    How do i get the share in my Finder Sidebar?

    I’m a Linux user, just got my first macbook. What the is to “drag it while holding apple + option”? I’ve got my NFS mount in /Network, how do I make it accessible the “mac way”?

  11. Mark

    25 November 2007 at 21:08

    I tried adding the share to my places; however, I just get a white rejection sign when I try to place it in my places. I tried option apple, and the apple T command to move it to my places.

  12. Marcus

    30 November 2007 at 18:43

    Hi Brent,

    I too had the same problem, until I realized that you cannot create an alias of the mount point, but you can create aliases for any and all directories under the NFS mount point.

  13. russo.

    7 December 2007 at 11:45

    Sorry guys, Marcus is right. What I did was create a folder, and it works when you have a folder enclosing all the mounts, and thus I didn’t notice that this doesn’t work until just now.

    So just mount all the mounts in /Volumes/Host or /Network/Host and/or /Volumes/Mounts or whatever you want. Then in Volumes you will see the folder with the mount names; these can be dragged into places. If you only have one mount, then I’m not sure that this is that practical.

    You could try to create a symlink on the command line; I haven’t tried this though… yet.

  14. Iain Houston

    14 December 2007 at 12:23

    Great article! Thanks.
    Problem that remains for me is gaining rw access to NFS mounts from Leopard.
    I use anonuid and anongid in server’s exports and export only to local network.
    These exports give me rw access from other *nix machines but not from Leopard.
    Tried unsuccessfully the -P option you suggested … but am thrashing a bit now!
    Any attempt by Leopard to change directory names on server results in “you do not have sufficient privileges”

  15. russo.

    14 December 2007 at 12:30

    Even if you use anongid and all that, you still have to change the permissions for the folder to allow that gid/uid to write. Just do an ls -l and check the owner and group.

    -P might not work if you’re running Debian; there you have to compile it yourself so that it has the secure authentication used by Mac OS.

    Also, “doesn’t work” isn’t helpful. NFS is very well documented; just check your logs, and you’ll probably find the problem… e.g. tail /var/log/messages

    D.

  16. Iain Houston

    14 December 2007 at 15:24

    I think my solution is simple enough.
    I was missing the step to map all uids and gids to the anonymous user.
    Now the anonuid and anongid will take effect as I had hoped!

    In the event:
    The Ubuntu clients actually don’t need gid uid mapping, but
    the Mac clients need id mapping offered by the ‘all_squash’ option

    Now we all have rw access to the nfs exports … great!

    I came across http://linux.die.net/man/5/exports which explained well.

    Hope this helps other Leopard users mounting (Ubuntu) nfs exports.

  17. Kyle

    20 December 2007 at 7:08

    Thanks for the info… I wish Mac OSX would just use the secure port by default.

  18. Bob

    5 January 2008 at 16:10

    So my problem seems a little more basic. Directory utility works fine and the linux computer shows up as /Volumes/potter. However, I can’t even change to the directory on the iMac because I do not have permissions.

    I am using a login/user that does not have administrative privileges. However, if I log in under an administrative account everything seems to work fine.

  19. VM

    8 January 2008 at 23:54

    Just can’t get Leopard to work with my Debian shares… “#%#”.

    Could someone say what switches in /etc/exports are required to get Leopard SOME access to them.. nice blog but I just can’t get ANY access to the shares. Nada. From terminal I get “access denied” basically.. and from Finder after setting up in Directory Utility I just get “alias couldn’t be opened because the original item can’t be found”..

    What am I missing here.. and yeah I’ve checked the full path too..

  20. russo.

    9 January 2008 at 1:28

    Umm, I’d say check the host by using rpcinfo -p. If you can’t map the host, then check hosts.allow and hosts.deny.

    Sometimes configuring NFS is hard the first time, but if you read the manual carefully (the best manual I’ve ever seen for something of this type) then you can usually find a solution.

    Again, I got this working with Debian with no problems at all, other than the fact that you maybe have to work with the privileged flag (-P in Leopard, or make the shares insecure on Debian).

    Good luck!

    D.

  21. VM

    9 January 2008 at 13:28

    Ok thanks.. I’m pretty sure the problem is something along the lines you suggested above. Something to do with privileges in any case.

  22. Paolo

    17 January 2008 at 16:33

    #/etc/exports

    /shares/PINO/ 192.168.1.0/255.255.255.0(insecure,insecure_locks,rw,sync,all_squash,anonuid=33,anongid=33)
    /shares/ 192.168.1.0/255.255.255.0(rw,sync,no_root_squash)

    In this way it works with Tiger (first share) and Leopard (second share). Finally!

  23. Chris

    10 June 2008 at 20:23

    Looking for a howto on changing the uid/gid in leopard, anyone found one that works?

  24. syrabo

    26 June 2008 at 12:40

    My solution for “secure”-mounts with a Linux-NAS (qnap 209 Pro) is the option:

    resvport=2049 (NFS on Linux works on port 2049 by default; look at /etc/services)

    Syntax in the CLI:

    sudo mount_nfs -o resvport=2049 :/qusb /Volumes/qusb

    In the application “Directory Utility” set in “Advanced Mount Parameters”:

    resvport=2049

  25. Stephane Blackburn

    20 July 2008 at 16:25

    Voila! It was the -P option! Damn! Thanks for your hint page!

    Server: Ubuntu 8.04, working OK with an Ubuntu client. I’ve changed my uid on the Mac side last night doing tests… can’t tell if it’s a combination of uid/-P or just the -P option, thanks!

  26. Roy Miller

    4 October 2008 at 0:52

    For those wondering about how to change UID and GID values – check out the Directory Services Command Line tool (dscl). This is/was available in Tiger as well, which I didn’t find out about until Leopard came along and NetInfo disappeared!

    Read the man page.

    Try:
    dscl . -list /Users to see a list of users.
    dscl . -list /Users PrimaryGroupID to see a list of users and their associated primary group
    dscl . -read /Users/username to see all the details of a particular user
    dscl . -change /Users/username PrimaryGroupID oldID newID to change the GID value.

    I recommend using the -change option for changes, rather than the -create option. Create will go ahead and overwrite or create a new field with the assigned value, while Change will complain if you make a typo on the field or old value.

    Now if I could only get my Linux export to mount! Does anyone know if the Linux export works for USB attached disks on a Linux box?
    Cheers!

  27. Ted M

    31 December 2008 at 18:23

    For what it’s worth, the mount_nfs man page recommends using “-o resvport” rather than “-P” So my options are

    -o resvport -o rw,bg,intr,soft,tcp

    where “soft,intr” allows commands to be interrupted if the file system becomes unavailable. (tcp is the default first choice, anyway, after which udp is attempted)

