Alastair’s Place

Software development, Cocoa, Objective-C, life. Stuff like that.

AFP, NFS and Mountain Lion

If you’re unlucky enough to be attempting to use Mac OS X Server to host users’ home directories, you’ll know that in recent versions the native AFP implementation has been getting worse and worse.

We’ve been seeing problems for a long time now, including files that you can’t delete, failures to save files, and even (occasionally) actual data corruption. Last Monday, everything came to a head; I tried to log-in, and after about a minute and a half, my machine was beachball city. Checking the log files, the culprit was quite clearly AFP (which had disconnected the AFP share in which my home folder exists, and was attempting to reconnect).

This ruined my day; I did nothing other than attempt to troubleshoot AFP. I tried reinstalling Mac OS X. No joy. Then I tried reinstalling it from scratch, having wiped the disk. Same problem. Next, I tried moving my preferences folder aside. That seemed to work, but today the beachballing was back. In fact, today, it was worse — it was affecting one of the other guys in the office too.

We’ve filed bug reports about most of these issues, though I wasn’t actually able to file the most recent bug because (ironically) Bug Reporter failed to respond every time I hit Submit.

Anyway, today, in order to let Ed, the other person seeing this problem, get on with his work, I had his home mounted over SMB for most of the day. Which was sort-of OK aside from the fact he couldn’t see files in his Downloads folder. At all. And a few other folders too. Turns out this is a known problem with SMB on Mac OS X.

So AFP doesn’t work. SMB doesn’t work. What other network filesystem can I use on Mac OS X (without messing about, and without going for non-POSIX-ish options like Coda or AFS)? Answer: that old UNIX staple, NFS.

On the server side, NFS was actually pretty easy to set-up; I just edited /etc/exports to add our users folder, then did sudo nfsd update.

The client side was a little more annoying.

We use Open Directory (basically LDAP, but with some sugar over the top to make it look more like Netinfo). OD has an attribute HomeDirectory, which looks like this:

<home_dir>
    <url>afp://server.example.com/Volumes/MyDisk/Users</url>
    <path>fred</path>
</home_dir>

Now, it turns out that Apple installs a neat tool called od_user_homes into /usr/libexec that can be used together with the default auto_master and auto_home configuration to automatically pick up the correct NFS share from Open Directory. All you need to do is ensure that the <path> part of the HomeDirectory is empty—i.e. this should work:

<home_dir>
    <url>nfs://server.example.com/Users/fred</url>
    <path></path>
</home_dir>

You also need to update the NFSHomeDirectory path to /home/fred, since we’re now using the auto_home system, but that’s straightforward.

However, and it’s a big however, if you do this, you’ll find that you can log-in just fine via ssh. What you can’t do, though, is log-in to a GUI session, and as usual with Mac OS X you get a cryptic message about not being able to log-in at the moment. Looking in the log files, we find

10/09/2012 16:41:07.039 authorizationhost[436]: ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | Unknown URL attribute in user's home_loc (nfs://server.example.com/Users/fred)

GAH!

The problem is that the HomeDirMechanism bundle, which contains code to mount AFP and SMB-based home directories, doesn’t know what to do when it sees a URL starting nfs://, and, rather than doing nothing, it barfs, preventing users from logging in. HomeDirMechanism is the thing that was recently the subject of a security problem because it was logging passwords in plaintext. It is also the usual cause of the cryptic can’t-log-in-now problems. In fact, it’s just plain pants.

Since we’re using NFS now, we don’t need it!

We can just go to /etc/authorization and comment it out:

<!-- <string>HomeDirMechanism:login,privileged</string>
 <string>HomeDirMechanism:status</string> -->

Much better. Now we can log-in.

An unexpected and happy side-effect of switching to NFS has been improved performance. Vastly improved. When I did ls in my Source folder over AFP, the machine used to take several seconds to return with a directory listing. Now it’s instant.

There are, of course, some downsides to using NFS over AFP, but at least it’s reliable.