I know this was an AFP thread, and now that its trouble is mostly settled (whether you re-enable
DHCAST128 in Mac OS X 10.7 Lion or use fw3.4.4 with dhx2 support, and Time Machine + slowness to be fixed in fw3.5 with netatalk 2.2, etc.),
thought I'd make this thread aware of 2 other Lion gotchas:
Thought my SMB was broken for a second (as Apple ditched Samba in Lion since they didn't agree with the GPLv3 move - it's now SMBX but compatible with SMB2): can't mount via the Finder auto-discovered sidebar links/Bonjour, but if I use Finder > Go > Connect to Server it's fine.
NFS mounts, on the other hand, are a no-go without using the command line. Can't mount via Finder > Go > Connect to Server OR Disk Utility > File > NFS Mounts (at one point that was the only way to do it in some 10.6.x version since Finder > Go > Connect to Server was broken for NFS - makes me wonder if they forked 10.7 and forgot to apply it to that branch when they fixed 10.6.x (sorry, don't remember exact version)), and initial attempts at command line mount -t nfs and so forth were unsuccessful at first.
So the only way I could get NFS to work was with -P to force the use of a reserved port number:
Code:
sudo mount_nfs -P <host>:<remote shared dir> <local mount point>
(Unless of course you use the 'insecure' argument in your server's /etc/exports instead if you're the admin.)
The questions:
A) Does anyone have an open bug report with Apple on SMB (Bonjour) or NFS (2 graphical tools/NFS reserved ports)? Regular Apple ID accounts can only see their own bugs, though I might end up purchasing a developer account again with a bug I just found with Directory Utility, its OpenLDAP configuration/search base, since that always seems to be the only way to be taken seriously.
B) Should we add a checkbox in QNAP to apply 'insecure' (default off)? Dropping to the command line isn't always great for offices, and the idea is to have things as simple as possible on the QNAP administration side rather than having to edit the QNAP exports config manually.
While:
The TCP ports 1-1024 are reserved for root's use (and therefore sometimes referred to as "secure ports"). A non-root user cannot bind these ports. Adding the secure option to an /etc/exports means that it will only listen to requests coming from ports 1-1024 on the client, so that a malicious non-root user on the client cannot come along and open up a spoofed NFS dialogue on a non-reserved port.
Apple's manpage:
resvport - Use a reserved socket port number. This is useful for mounting servers that require clients to use a reserved port number on the mistaken belief that this makes NFS more secure. (For the rare case where the client has a trusted root account but untrustworthy users and the network cables are in secure areas this does help, but for normal desktop clients this does not apply.)
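
Added example (not part of the original post, and not QNAP's or Apple's code): a small audit of a Linux-style /etc/exports that lists which client entries carry the 'insecure' option discussed above and so accept NFS requests from non-reserved source ports. The sample exports text, its paths and its addresses are constructed, and the parser assumes paths without spaces and the client(options) form only.

```python
import re

# Constructed sample in Linux exports(5) syntax; paths and addresses are made up.
SAMPLE_EXPORTS = r"""
/share/Public   192.168.1.0/24(rw,sync,insecure) 10.0.0.5(ro)
/share/Backup   *(rw,no_root_squash,insecure)   # widest exposure
/share/Media    192.168.1.20(rw,secure) \
                192.168.1.21(rw,insecure)
/share/Home     192.168.1.0/24(rw,sync)
"""

SPEC_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")  # client(opt,opt,...)

def parse_exports(text):
    """Yield (path, client, [options]) for every client entry."""
    text = text.replace("\\\n", " ")              # join continuation lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # strip comments
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = SPEC_RE.match(spec)
            if m:
                opts = [o for o in (m.group(2) or "").split(",") if o]
                # A bare "(options)" entry applies to any client.
                yield path, m.group(1) or "*", opts

def allows_unreserved_ports(opts):
    """'secure' is the default; a later option is treated as overriding an earlier one."""
    allowed = False
    for opt in opts:
        if opt in ("secure", "insecure"):
            allowed = opt == "insecure"
    return allowed

def scope(client):
    """Classify how broad the client specification is."""
    if "*" in client or "?" in client:
        return "wildcard"
    return "network" if "/" in client else "host"

def audit(text):
    """Return (path, client, scope) for entries accepting non-reserved source ports."""
    return [(p, c, scope(c)) for p, c, o in parse_exports(text)
            if allows_unreserved_ports(o)]

if __name__ == "__main__":
    for path, client, kind in audit(SAMPLE_EXPORTS):
        print(f"{path}: 'insecure' for {client} ({kind})")
```

Entries reported with a wildcard or network scope are the ones worth narrowing to the specific Lion clients that cannot mount with a reserved port.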