Working with macOS Directory Nodes

As mentioned in the introduction, NFS is particularly useful for large networks with a high number of shares and servers. By using automounts, the automatic connection to one or more NFS servers can be implemented without any intervention. Typically, many computers in a network should access the same shares, so it is straightforward to store the automount list itself at a central location in the network as well. When a new automount entry is added or changed, all computers of the network automatically learn about this change. This way, it is not necessary to configure all NFS clients separately.

The chapter about NFS security has already explained that macOS uses directory services to store and share accounts and similar configuration data. For the reasons outlined above, automount entries are stored in such a directory as well. The object that holds directory data is called a directory node.

A directory node does not need to be shared. Every macOS system has its own directory node that is used by that system only; it stores the local user accounts, for example. Access to this directory node is handled by Apple Open Directory, which is part of every macOS system. The local directory node always has the name /Local/Default.

Even in a network consisting of only two computers, Open Directory and a directory node have to be used to store the automount list. In the simplest case, the computer that should work as NFS client stores the automount entries in its own directory node /Local/Default, and it is the only computer that reads this list.

Open Directory is also capable of storing configuration data about NFS shares in a directory node. However, even in large networks each NFS server is the only computer that has to “know” its own share list, so distributing share lists via a directory service is unnecessary. For this reason, Apple and NFS Manager use directory services only to store automount entries; they don’t use them for share lists, although this would be technically possible.

Names of directory nodes

macOS uses names following a certain scheme to refer to local or network-based directory nodes. The names are built after the following pattern:

/<name of access method>/<source of directory database>

Example: /Local/Default, the local node built into every macOS system (access method Local, directory database Default).

The application Directory Utility in the folder /System/Library/CoreServices/Applications is used to set up which directory services this macOS computer should access. The node /Local/Default is always used and cannot be switched off. Setting up directories and nodes is beyond the scope of this manual and is not described further.

Authenticating to a directory node

Directory nodes hold configuration and account data that are of paramount importance for the operation of the computer and the network. To prevent misuse, directory nodes are usually protected by passwords. Only legitimate users, the directory administrators, have permission to change the contents of a directory.

For this reason you’ll need the name and password of a directory administrator to get permission to store automount entries in a directory node using NFS Manager. There is a simple rule for the local directory of macOS: each administrator of the macOS computer is also a directory administrator of its node /Local/Default. The same name and password can be used to authenticate to that node.

Attention: In the general case, macOS cannot “know” which operating system runs a directory node. When authenticating via Open Directory, it is always assumed that the node’s operating system does not support the extra login features available in macOS (namely, accepting the full user name and ignoring case). When specifying the user name for a directory node login, only the short user name with exactly matching case will be accepted!

Example: The directory administrator has the user account John Doe with the short name johnd. The standard login screen of macOS will accept all the names John Doe, john doe, JOHND, or johnd, but the directory node will only accept the spelling johnd.

If Open Directory is also used on the computer hosting the directory node (usually the case when the computers run macOS), that computer can additionally be configured remotely: NFS Manager running on one Mac can access a directory node of another Mac, even if the first Mac is not configured to use that directory node.

Example: Computer A uses a directory node of computer B. Computer B uses a directory node on computer C. Although A does not use the directory of C, A can remote-control B to indirectly change the data in directory C.

This feature of NFS Manager can be used by selecting the menu item File > New remote window.

Read-only nodes

A directory service may be configured not to permit any write access. Some directory service protocols (such as NIS) are intentionally designed never to support change operations via an Open Directory connection: the data is made available for reading only, and changes have to be made by other means. NFS Manager uses the icon below to indicate that a directory node is read-only. In this case the restriction to read operations can never be lifted, no matter which password you use to authenticate.
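The following script is an added example and is not part of NFS Manager or of Apple's tools; it shows the command-line counterpart of what the sections on node names, authentication and read-only nodes describe, using dscl, the macOS directory-service client. Taken from the text are the node-name pattern /<access method>/<source of directory database>, the local node /Local/Default, the rule that a directory-node login only accepts the administrator's short name in exactly matching case, and the fact that NIS nodes cannot be written through Open Directory. Everything else is an assumption of this example: that automount entries are records of type Mounts with the attributes VFSType, VFSLinkDir and VFSOpts, that NIS nodes are named /NIS/<domain>, that a slash inside a record name is escaped as \/ on the dscl command line, and the names johnd and nfsserver used in the usage note. The pure helpers run on any POSIX sh; only the two dscl wrappers need a Mac.

```sh
#!/bin/sh
# Added example, not NFS Manager's own code: read and write automount
# ("Mounts") records in a directory node with dscl.
# Assumed, not stated on the page: the Mounts record type and its
# VFSType/VFSLinkDir/VFSOpts attributes, NIS node names of the form
# /NIS/<domain>, and "\/" as the escape for "/" inside a dscl record name.

# node_method /Local/Default -> "Local"   (access method)
node_method() {
    m=${1#/}
    printf '%s\n' "${m%%/*}"
}

# node_source /Local/Default -> "Default" (source of the directory database)
node_source() {
    printf '%s\n' "${1#/*/}"
}

# validate_node NAME: succeeds only for "/<method>/<source>" with both
# parts non-empty and no further slash, i.e. the pattern from the manual.
validate_node() {
    case "$1" in
        /*/*) ;;
        *) return 1 ;;
    esac
    m=$(node_method "$1")
    s=$(node_source "$1")
    [ -n "$m" ] && [ -n "$s" ] && case "$s" in */*) return 1 ;; *) return 0 ;; esac
}

# writable_protocol NAME: false for protocols that never accept writes via
# Open Directory (NIS, per the manual); no password can lift that. dscl's
# own error on the write remains the authoritative check.
writable_protocol() {
    case "$(node_method "$1")" in
        NIS) return 1 ;;
        *)   return 0 ;;
    esac
}

# escape_record_name 'server:/export/home' -> 'server:\/export\/home'
# Automount record names carry the server path, so the slashes must not be
# read as record-path separators (escape convention assumed, see above).
escape_record_name() {
    printf '%s' "$1" | sed 's,/,\\/,g'
}

# list_mounts NODE: the automount records of a node. Reading the local node
# needs no credentials.  (macOS only)
list_mounts() {
    dscl "$1" -list /Mounts
}

# add_mount NODE ADMIN 'server:/export' /link/dir 'opts'   (macOS only)
# ADMIN must be the directory administrator's SHORT name in exact case:
# "John Doe" or "JOHND" work at the login window, only "johnd" works here.
# -p prompts for the password (once per call) instead of taking it as an
# argument, which would expose it in the process list to other local users.
add_mount() {
    node=$1 admin=$2 share=$3 linkdir=$4 opts=$5
    validate_node "$node"     || { echo "bad node name: $node" >&2; return 2; }
    writable_protocol "$node" || { echo "read-only node: $node" >&2; return 3; }
    rec="/Mounts/$(escape_record_name "$share")"
    dscl -u "$admin" -p "$node" -create "$rec" VFSType nfs &&
    dscl -u "$admin" -p "$node" -create "$rec" VFSLinkDir "$linkdir" &&
    dscl -u "$admin" -p "$node" -create "$rec" VFSOpts "$opts"
}

# Demonstration of the pure helpers (runs anywhere).
for n in /Local/Default /NIS/example.domain Local/Default; do
    if validate_node "$n"; then
        if writable_protocol "$n"; then w=writable; else w=read-only; fi
        echo "$n: method=$(node_method "$n") source=$(node_source "$n") ($w)"
    else
        echo "$n: not a valid node name"
    fi
done
```

On a Mac, `list_mounts /Local/Default` shows the automount entries NFS Manager would display for the local node, and `add_mount /Local/Default johnd 'nfsserver:/export/home' /home 'resvport,nosuid'` (hypothetical names) creates one after prompting for johnd's password; with /NIS/example.domain the script refuses before calling dscl, mirroring the read-only icon in NFS Manager.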

Icon used to indicate a read-only node