Multiple logins with AFP+NFS home directories?
January 16, 2008 at 7:04 pm #371131
rkilgard (Participant)
Hi everyone. I have a relatively simple setup with an Xserve+RAID hosting home directories and such for client machines. User home directories are mounted via AFP. The machine also exports the home directories via NFS for use with a few Solaris boxes.
I have a small number of very fast machines, but mostly older G4 iMacs and eMacs. Most of the CPU-intensive stuff we do is command-line and/or X11 based, so I’d like to enable it so that users can log in to the fast machines via ssh and run stuff. Here I run into the classic multi-user problem: I can’t have two users whose home directories are mounted via AFP logged in to the same machine at the same time.
Is there a solution to this problem? For example, is there a way to mount a home directory via NFS when you ssh in, but via AFP on the GUI? Should I just scrap AFP entirely? I’ve seen mention of this problem all over the place but have never seen a solution before. Any help would be greatly appreciated.
January 18, 2008 at 2:19 am #371156
luke (Participant)
You need to use NFS to get that functionality. And understand that you’ll be giving up all sorts of security at the same time.
NFS trusts the clients to authenticate and authorize users, which means a rogue or compromised client can pose as any user and gain access to their files. To make NFS reasonably secure, you have to make sure you trust everyone who has root access on the client computers. You also have to make sure that only your trusted client computers can connect to your NFS server, and not someone’s personal laptop that they connect to your LAN.
AFP has its own means of authentication, so once it is connected for a given user, the _server_ enforces authorization on each and every filesystem transaction based on that user’s credentials. Since there seems to be no way to have multiple connections to the same server from the same client, only one user’s credentials can be used for the home directory mount at a time. If you have multiple home directory stores on different servers, you might be able to have one user from each store logged in at the same time — I haven’t tried that.
To make AFP home directories work with multiple logins, it would need to support multiple connections from the same host, the ability to mount subdirectories of shares, and some magic glue on the client’s automounter.
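The requirement in the reply above, that only trusted client computers can reach the NFS server, can be checked against the server's exports file. This is an added example, not part of the original thread: a small Python audit of a BSD/Mac OS X style exports file, where the export paths, host names, subnet and trusted lists are all constructed assumptions.

```python
import ipaddress

# Constructed sample in BSD/Mac OS X exports(5) style; paths and hosts are made up.
SAMPLE_EXPORTS = """\
# home directories for the Solaris boxes
/Volumes/RAID/Homes -alldirs -maproot=root
/Volumes/RAID/Scratch -network 10.0.5.0 -mask 255.255.255.0
/Volumes/RAID/Projects sol1.example.com laptop7.example.com
/Volumes/RAID/Archive -ro -maproot=nobody sol1.example.com sol2.example.com
"""
TRUSTED_HOSTS = {"sol1.example.com", "sol2.example.com"}  # assumed allowlist
TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]      # assumed managed subnet

def audit_exports(text, trusted_hosts=TRUSTED_HOSTS, trusted_nets=TRUSTED_NETS):
    """Return (path, finding) tuples for exports that widen client trust."""
    findings = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not tokens:
            continue
        path, rest, opts, hosts, i = tokens[0], tokens[1:], {}, [], 0
        while i < len(rest):
            tok = rest[i]
            if tok in ("-network", "-mask") and i + 1 < len(rest):
                opts[tok] = rest[i + 1]          # "-network addr" form
                i += 1
            elif tok.startswith("-"):
                key, _, val = tok.partition("=") # "-maproot=user" form
                opts[key] = val
            else:
                hosts.append(tok)                # bare token is a client host
            i += 1
        if "-network" in opts:
            spec = opts["-network"]
            if "/" not in spec:                  # simplification: no mask means one host
                spec += "/" + opts.get("-mask", "32")
            net = ipaddress.ip_network(spec, strict=False)
            if not any(net.subnet_of(t) for t in trusted_nets):
                findings.append((path, f"network {net} is outside the trusted subnets"))
        elif not hosts:
            findings.append((path, "no host or network restriction: any client can mount"))
        findings += [(path, f"client {h} is not on the trusted list")
                     for h in hosts if h not in trusted_hosts]
        if opts.get("-maproot", "").split(":")[0] in ("root", "0"):
            findings.append((path, "-maproot=root: client root acts as server root"))
    return findings

if __name__ == "__main__":
    for path, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path}: {finding}")
```

A clean audit only narrows which hosts may mount; the server still accepts whatever user identity those hosts present, which is why root access on each listed client has to be trusted as well.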