Securing Nfs on Apple - Not!

I didn't blog for the last few days as I have been flat out in business meetings. That and trying to secure nfs at my workplace. Nfs, is good but is a security nightmare. Anyway I ended up building a kerberos system here which works well however......
As is the usual problem I have to link Windows with Linux and with OSX.
I am sure you know where this is going.
Windows has only one true commercial nfs client from hummingbird, this borked on my XP x64.
Linux no problem , I built and modified the lot from source.
OSX well, it has kerberos with nfsv3 and there is a great nfsv4 version from Rick Macklem however the problem lies with Apples gssd implementation. To put a long story short you must log in to get a ticket. So this leaves my dream of having deamons using kerberized nfs in the background gone.
here is our discussion on the OpenBSD-NFSv4 mailing list:

On Thu, 6 Mar 2008, Bernard Edlington wrote:

> Great!!, works well on my leopard (10.5.2)
> However the apple gssd implementation seems to only allow mounts after
> login (due to the caching system)
> I was trying to get nfsv4 mounts pre-login.
> Yes I have tried tickets with k5start, and self built kinit.
> The problem seems to be with mount_newnfs and gssd will never look at
> a File based cache.
> Have you had any luck with pre mounting nfsv4 on apple?
With Kerberos, I'm afraid not and I don't think it's possible. As you
note, the Apple gssd (and the entire Apple Kerberos subsystem, I believe)
uses an in-memory credentials cache that seems only accessible from
processes within the login session. (I don't know if it done via the POSIX
process session or some mechanism on the Mach side, but I haven't been
able to get daemons to access it, even when the upcall specifies the uid
of the user currently logged in with a valid TGT.)

I actually use static nfsv4 mounts in my Mac lab, but they only use
AUTH_SYS. I ended up writing a cheezey little daemon fired up by launchd
to get the mounts done. (You are welcome to that, but it's useless for
Kerberos mounts.)

You might try filing a bug report with Apple and see what they say, since
I'm pretty sure their Kerberized NFSv3 mounts work the same way (use the
same gssd).

ps: I hope you didn't mind me adding the mailing list as a cc, since I
thought others might find the info useful.