Mac OS X Server File Server Administration Version 10.
Apple Inc. © 2009 Apple Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services. Every effort has been made to ensure that the information in this manual is accurate. Apple Inc.
Contents
Preface: About This Guide
  What’s in This Guide
  Using Onscreen Help
  Documentation Map
  Viewing PDF Guides Onscreen
  Printing PDF Guides
  Getting Documentation Updates
  Getting Additional Information
Chapter 1: Understanding File Services
  Protocol Overview
  Protocol Security Comparison
  Protocol Comparison
  Deployment Planning
  Determining the Best Protocol for
Chapter 2: Setting Up File Service Permissions
  Share Points in the Network Folder
  Adding System Resources to the Network Library Folder
  Security Considerations
  Restricting Access to File Services
  Restricting Access to Everyone
  Restricting Access to NFS Share Points
  Restricting Guest Access
Chapter 3: Setting Up Share Points
  Share Points and the Mac OS X Network Folder
  Automounting
  Share Points and Network Home Folders
  S
  Configuring Time Machine Backup Destination
  Configuring Share Point Quotas
  Monitoring Share Point Quotas
  Setting SACL Permissions
  Setting File Services SACL Permissions for Users and Groups
  Setting File Services SACL Permissions for Administrators
Chapter 4: Working with AFP Service
  Kerberos Authentication
  AppleTalk Support
  AFP Service Specifications
  Setup Overview
  Turning AFP Service
Chapter 5: Working with SMB Service
  File Locking with SMB Share Points
  Setup Overview
  Turning On SMB Service
  Setting Up SMB Service
  Configuring SMB General Settings
  Configuring SMB Service Access Settings
  Configuring SMB Service Logging Settings
  Configuring SMB Servic
Chapter 6: Working with NFS Service
Chapter 7: Working with FTP Service
  Setting Up FTP Service
  Configuring FTP General Settings
  Configuring FTP Greeting Messages
  Displaying FTP Banner and Welcome Messages
  Displaying FTP Messages Using message.
Appendix: Command Line Parameters for File Services
  Creating a Share Point
  AFP Parameters
  FTP Parameters
  SMB Parameters
Index
Preface: About This Guide
This guide describes how to configure and use file services with Mac OS X Server. File sharing requires file server administrators to manage user privileges for shared folders and files. Configuring Mac OS X Server as a file server offers you reliable high-performance file sharing using native protocols for Mac, Windows, and Linux workgroups. The server fits seamlessly into any environment, including mixed-platform networks. Mac OS X Server v10.
• Chapter 7, “Working with FTP Service,” describes how to set up and manage FTP service in Mac OS X Server.
• Chapter 8, “Solving Problems,” lists potential solutions to common problems you might encounter while working with the file services in Mac OS X Server.
The Appendix, “Command Line Parameters for File Services,” provides additional command-line parameters for file services.
Getting Started: Covers basic installation, setup, and management of file services using Server Preferences.
Server Preferences Help: Provides onscreen instructions and answers when you’re using Server Preferences to manage file services.
Advanced Server Administration
Information Technologies Dictionary: Provides onscreen definitions of server and file services terminology.
Viewing PDF Guides Onscreen
While reading the PDF version of a guide onscreen:
• Show bookmarks to see the guide’s outline, and click a bookmark to jump to the corresponding section.
• Search for a word or phrase to see a list of places where it appears in the guide. Click a listed place to see the page where it occurs.
• Click a cross-reference to jump to the referenced section. Click a web link to visit the website in your browser.
• An RSS feed listing the latest updates to Mac OS X Server documentation and onscreen help is available. To view the feed, use an RSS reader application such as Safari or Mail and go to: feed://helposx.apple.com/rss/snowleopard/serverdocupdates.xml
Getting Additional Information
For more information, consult these resources:
• Read Me documents—get important updates and special information. Look for them on the server discs.
• Mac OS X Server website (www.apple.
Chapter 1: Understanding File Services
Use this chapter to learn basic concepts regarding Mac OS X Server file services. Mac OS X Server includes several file services that help you manage and maintain your shared network resources. Understanding each service and its associated protocol helps you determine how to plan and configure your network for optimum performance and security.
Protocol Security Comparison
When sharing network resources, configure your server to provide the necessary security. AFP and SMB provide some level of encryption to secure password authentication. AFP and SMB do not encrypt data transmissions over the network, so you should use them only on a securely configured network. FTP does not provide password or data encryption. When using this protocol, make sure your network is securely configured.
Deployment Planning
When planning your network, consider the protocols your network configuration requires. For example, if your network consists of multiplatform computers, consider using SMB and AFP services to permit access to both platforms.
Determining the Best Protocol for Your Needs
The file service protocols you use depend on your network configuration and what platforms you are supporting.
Chapter 2: Setting Up File Service Permissions
Use this chapter to learn about standard permissions, Access Control Lists (ACLs), and related security issues. An important aspect of computer security is the granting and denying of permissions. A permission is the ability to perform a specific operation, such as gaining access to data or executing code. Permissions are granted at the level of folders, subfolders, files, or applications. Use Server Admin to set up file service permissions.
Therefore, new files and folders you create are not accessible by users if they are created in a folder that users don’t have privileges for. When setting up share points, make sure that items have the correct access privileges for the users you want to share them with.
Note: QuickTime Streaming Server (QTSS) and WebDAV have separate permissions settings. For information about QTSS and Web Technologies Administration, see the QTSS online help, QuickTime website (www.apple.com/quicktime/products/qtss) and QuickTime Streaming and Broadcasting Administration. You’ll find information about Web permissions in Web Technologies Administration.
Explicit Permissions
Share points and the shared items they contain (including folders and files) have separate permissions.
• Group—You can put users who need the same access to files and folders in group accounts. Only one group can be assigned access permissions to a shared item. For more information about creating groups, see User Management.
• Others—Others is any user (registered user or guest) who can log in to the file server.
Hierarchy of Permissions
If a user is included in more than one category of users, each of which has different permissions, these rules apply:
• Group permissions override Others permissions.
Apple’s ACL model supports 13 permissions for controlling access to files and folders, as described in the following table.
Permission name | Type | Description
Change Permissions | Administration | User can change standard permissions.
Take Ownership | Administration | User can change the file’s or folder’s ownership to himself or herself.
Read Attributes | Read | User can view the file’s or folder’s attributes (for example, name, date, and size).
The ACL Use Model
The ACL use model focuses on access control at the folder level, with most ACLs applied to files as the result of inheritance. Folder-level control determines which users have access to the contents of a folder. Inheritance determines how a defined set of permissions and rules pass from the container to the objects in it. Without use of this model, administration of access control would quickly become a nightmare: you would need to create and manage ACLs on thousands or millions of files.
What’s Stored in an ACE
An ACE contains the following fields:
• User or Group. An ACE stores a universally unique ID for a group or user, which permits unambiguous resolution of identity.
• Type. An ACE supports two permission types, Allow and Deny, which determine whether permissions are granted or denied in Server Admin.
• Permission. This field stores the settings for the 13 permissions supported by the Apple ACL model.
• Inherited.
Inheritance option | Description
Apply to this folder | Apply (Administration, Read, and Write) permissions to this folder
Apply to child folders | Apply permissions to subfolders
Apply to child files | Apply permissions to the files in this folder
Apply to all descendants | Apply permissions to all descendants. Note: If you want an ACE to apply to all descendants without exception, you must select the “Apply to child folders” and “Apply to child files” options in addition to this option.
ACL Inheritance Combination
When you set inheritance options for an ACE in Server Admin, you can choose from 12 unique inheritance combinations for propagating ACL permissions.
ACL Permission Propagation
Server Admin provides a feature that lets you force the propagation of ACLs. Although this is done automatically by Server Admin, there are cases when you might want to manually propagate permissions:
• You can propagate permissions to handle exceptions. For example, you might want ACLs to apply to all descendants except for a subtree of your folder hierarchy. In this case, you define ACEs for the root folder and set them to propagate to descendants.
After evaluating ACEs, Mac OS X Server evaluates the standard POSIX permissions defined for the file or folder. Then, based on the evaluation of ACL and standard POSIX permissions, Mac OS X Server determines the type of access a user has to a shared file or folder.
Tips and Advice
Mac OS X Server combines traditional POSIX permissions with ACLs. This combination provides great flexibility and a fine level of granularity in controlling access to files and folders.
Always Propagate Permissions
Inheritance is a powerful feature, so take advantage of it. By propagating permissions down a folder hierarchy, you save yourself the time and effort required to manually assign permissions to descendants.
Use the Effective Permission Inspector
Frequently use the Effective Permission Inspector to make sure users have the correct access to important resources. This is especially important after changing ACLs.
Folder | ACL (Everyone) | POSIX
Drop box | Permission Type: Allow. Select the following checkboxes: Traverse Folder, Create Files, Create Folder, All inheritance options | Owner: read, write, execute. Group: read, write, execute. Other: write. Example: drwxrwx-w-
Backup share | Permission Type: Allow | Owner: read, write, execute
Set the owner to root or localadmin and set the group to admin.
Share Points in the Network Folder
By default, the Network folder contains at least these subfolders:
• Applications
• Library
• Servers
You can mount share points in any of these subfolders. For more information, see “Automatically Mounting Share Points for Clients” on page 46. More servers and shared items are added as they are discovered on your network.
Adding System Resources to the Network Library Folder
The Library folder, located in /Network/, is included in the system search path.
Restricting Access to NFS Share Points
NFS share points without the use of Kerberos don’t have the same level of security as AFP and SMB, which require user authentication (entering a user name and password) to gain access to a share point’s contents. If you have NFS clients, you might want to set up a share point to be used only by NFS users or configure NFS with Kerberos. NFS doesn’t support SACLs. For more information, see “Protocol Security Comparison” on page 15.
Chapter 3: Setting Up Share Points
Use this chapter to learn how to share specific volumes and directories by using AFP, SMB, FTP, and NFS, and to set standard and ACL permissions. You use File Sharing in Server Admin to share information with clients of Mac OS X Server and to control access to shared information by assigning access privileges. To share folders or volumes on the server, set up share points.
Automounting
You can configure client computers to automatically mount share points. These share points can be static or dynamic:
• Static share points are mounted on demand. You can assign statically mounted share points to specific folders.
• Dynamic share points are mounted on demand and are in the /Network/Servers/server_name/ folder.
Step 4: Turn specific file services on
For users to access share points, you must turn on the required Mac OS X Server file services. For example, if you use AFP with your share point, you must turn on AFP service. You can share an item using more than one protocol. For more information, see Chapter 5, “Working with SMB Service”; Chapter 6, “Working with NFS Service”; or Chapter 7, “Working with FTP Service.
Conversely, you might want to set up share points that support a single protocol even though you have different kinds of clients. For example, if most of your clients are UNIX users and only a few are Mac OS clients, you might want to share items using only NFS to keep your setup simple. However, NFS doesn’t provide AFP features that Mac OS users are accustomed to, such as Spotlight searching, native ACL, and extended attribute support.
Disk Quotas
You can limit the disk space users have available to store files in the volume where their home folders reside. This quota applies to all files that the user stores in the volume where his or her home folder resides, including all files stored in the user’s drop box.
To create a share point:
1 Open Server Admin and connect to the server.
2 Click File Sharing.
3 Click Volumes to list the available volumes to share. To create a share point of an entire volume, select the volume from the list. To share a folder within a volume, select the volume in the list and click Browse to locate and select the folder.
4 Click Share. If you must create a folder for your share point, click Browse, click New Folder, enter the name of the folder, and click Create.
5 Click Save.
Setting Standard Permissions
When you don’t need the flexibility and granularity that access control lists (ACLs) provide, or in cases where ACLs are not supported, use standard POSIX permissions (Read & Write, Read Only, Write Only, and None) to control access to a share point and its contents.
To set standard permissions on a share point:
1 Open Server Admin and connect to the server.
2 Click File Sharing.
3 Click Share Points and select the share point from the list.
4 Click Permissions below the list.
To set ACL permissions on a share point or a folder:
1 Open Server Admin and connect to the server.
2 Click File Sharing.
3 Click Share Points and select the share point from the list.
4 Click Permissions below the list.
5 Open the Users & Groups window by clicking Add (+).
6 Drag groups and users from the Users & Groups window into the ACL Permissions list to create ACEs. By default, each new ACE gives the user or group full read and inheritance permissions.
8 Permit unregistered users to access the share point by selecting “Allow AFP guest access.” For greater security, don’t select this item.
9 To change the name that clients see when they browse for and connect to the share point using AFP, enter a name in the “Custom AFP name” field. Changing the custom AFP name does not affect the name of the share point itself, only the name that AFP clients see.
10 Click OK, then click Save.
4 Click Share Point below the list.
5 Click Protocol Options. This opens the protocol window with configuration options for AFP, SMB, FTP, and NFS.
6 Click SMB.
7 Provide SMB access to the share point by selecting “Share this item using SMB.”
8 Permit unregistered users to have access to the share point by selecting “Allow SMB guest access.” For greater security, don’t select this item.
Parameter | Description
path | The full path to the share point.
customname | The name of the share point. If you don’t specify the custom name, it’s set to the name of the folder, the last name in path.
guestflags | A group of flags indicating which protocols allow guest access. The flags are written as a three-digit binary number with the digits representing, from left to right, AFP, FTP, and SMB. 1=guests allowed, 0=guests not allowed. For greater security, do not allow guest access.
From the command line:
• To change FTP settings:
$ sudo sharing -e path -s 010 -A customname -g guestflags
Parameter | Description
path | The full path to the share point.
customname | The name of the share point. If you don’t specify the custom name, it’s set to the name of the folder, the last name in path.
guestflags | A group of flags indicating which protocols allow guest access. The flags are written as a three-digit binary number with the digits representing, from left to right, AFP, FTP, and SMB.
Important: Make sure the subnet address you enter is the IP network address that corresponds to the subnet mask you chose, and not a client address. Otherwise, your clients can’t access the share point. A network calculator helps you select the subnet address and mask for the range of client addresses you want to serve, and you should use one to validate your final address/mask combination. If needed, network calculators are available on the Web.
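The address/mask check described above can be done in Terminal. The following is an added example, not part of the Apple guide: the function names and the sample address/mask pairs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Apple guide): check an NFS export subnet
# address against its mask before entering the pair in Server Admin.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer.
# Returns 1 for anything that is not four decimal octets in 0-255.
# The body runs in a subshell so the IFS change stays local.
ip_to_int() (
    case $1 in
        ''|*[!0-9.]*) return 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|????*|0?*) return 1 ;;   # empty, too long, or leading zero
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# int_to_ip N -> prints the dotted-quad form of a 32-bit integer.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_is_valid N -> succeeds when the mask is a run of 1 bits followed
# by a run of 0 bits (255.0.255.0, for example, is rejected).
mask_is_valid() {
    inv=$(( ~$1 & 4294967295 ))
    [ $(( inv & (inv + 1) )) -eq 0 ]
}

# check_nfs_subnet ADDRESS MASK
#   prints "ok NETWORK" and returns 0 when ADDRESS is the network address;
#   prints "not-network NETWORK" and returns 1 when ADDRESS is a client
#   address inside NETWORK (NETWORK is the value to enter instead);
#   prints "bad-address" or "bad-mask" and returns 2 on malformed input.
check_nfs_subnet() {
    addr=$(ip_to_int "$1") || { echo "bad-address"; return 2; }
    mask=$(ip_to_int "$2") || { echo "bad-mask"; return 2; }
    mask_is_valid "$mask" || { echo "bad-mask"; return 2; }
    network=$(( addr & mask ))
    if [ "$addr" -eq "$network" ]; then
        echo "ok $(int_to_ip "$network")"
    else
        echo "not-network $(int_to_ip "$network")"
        return 1
    fi
}

# client_in_subnet CLIENT NETWORK MASK -> succeeds when CLIENT falls in
# the range served by NETWORK/MASK. A NETWORK value that still carries
# host bits matches no client at all.
client_in_subnet() {
    c=$(ip_to_int "$1") && n=$(ip_to_int "$2") && m=$(ip_to_int "$3") || return 2
    [ $(( c & m )) -eq "$n" ]
}

# Constructed sample input: address/mask pairs an administrator might type.
for pair in "192.168.10.0 255.255.255.0" "192.168.10.37 255.255.255.0" \
            "10.1.2.128 255.255.255.192" "10.1.2.0 255.0.255.0"; do
    set -- $pair
    if result=$(check_nfs_subnet "$1" "$2"); then
        echo "$1 / $2: $result"
    else
        echo "$1 / $2: rejected ($result)"
    fi
done
```
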
Note: If you export more than one NFS share point, you cannot have nested exports on a single volume, which means one exported directory cannot be the child of another exported directory on the same volume.
From the command line:
You can also set up an NFS share point using the command line in Terminal. For information, see the man pages exports(5), nfs.conf(5), and nfsd(8). For the basics of command-line tool usage, see Introduction to Command-Line Administration.
Automatically Mounting Share Points for Clients
You can mount share points automatically on client Mac OS X computers using network mounts. You can automatically mount AFP or NFS share points. When you set a share point to automatically mount, a mount record is created in the Open Directory domain. Be sure you create these records in the same shared domain where the user and computer records exist.
Note: All users have guest access to network automounted AFP share points.
Mounting a user’s home folder
To mount a user’s home folder, use mnthome. The mnthome tool unmounts the AFP home folder that was automounted as guest, and remounts it with the correct privileges by logging into the AFP server using the current user name and password.
• To mount a user’s shared home folder on an AFP server:
$ mnthome -p password
For more information, see the mnthome man page.
3 Click Share Points and select the share point you want to remove.
4 Click Unshare.
5 Click Save.
Protocol and network mount settings you made for the item are discarded.
From the command line:
• To delete a share point:
$ sudo sharing -r path
Parameter | Description
path | The full path to the share point.
For information about command-line parameters, see “Creating a Share Point” on page 142. For information about sharing, see its man page.
Parameter | Description
path | The full path to the share point.
shareflags | A three-digit binary number indicating the protocols used to share the folder. The digits represent, from left to right, AFP, FTP, and SMB. 1=shared, 0=not shared.
For information about command-line parameters, see “Creating a Share Point” on page 142. For information about sharing, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.
3 Click Share Points and select a share point in the list.
4 Click Browse.
5 Click Permissions below the list.
You can now view the contents of the selected share point and access items in the folder hierarchy. You can also view the privilege settings (POSIX and ACL) of the share point and each item in the folder hierarchy.
From the command line:
• To view share points:
$ sudo sharing -l
• To view share point content:
$ ls path
Parameter | Description
path | The full path to the share point.
5 To change the permissions for the Owner, Group, and Others (Everyone), use the Permissions pop-up menu in the related row of the permissions table. Others is any user who is not the owner and does not belong to the group but can log in to the file server.
By default, each new ACE gives the user or group full read permissions. In addition, all four inheritance options are selected. For more information about inheritance options, see “Understanding Inheritance” on page 23. To change ACE settings, see “Editing ACEs” on page 52.
From the command line:
• To add an ACE:
$ sudo chmod +a "ace" file1
Parameter | Description
ace | The access control entry to add, written as a user or group name, then allow or deny, then the permissions.
file1 | The name of the file you are adding the ACE to.
For information about chmod, see its man page.
To edit an ACE:
1 Open Server Admin and connect to the server.
2 Click File Sharing.
3 Click Share Points and select the share point you want to update from the list.
4 Click Permissions below the list.
5 In the Access Control List, select the ACE.
6 Click the Edit (/) button.
7 From the Permission Type pop-up menu, choose “Allow” or “Deny.”
8 In the Permission list, select permissions.
9 Click OK.
10 Click Save.
Removing a Folder’s Inherited ACEs
If you don’t want to apply inherited ACEs to a folder or a file, you can remove these entries using Server Admin. Inherited ACEs appear dimmed unless you chose to make them explicit, as described in “Changing Inherited ACEs for a Folder to Explicit” on page 54.
To remove a folder’s inherited ACEs:
1 Open Server Admin and connect to the server.
2 Click File Sharing.
3 Click Share Points and select the share point you want to update from the list.
Propagating Permissions
Server Admin enables you to specify which permissions to propagate to descendant files and folders. In the case of POSIX permissions, you can specify the following to propagate:
• Owner name
• Group name
• Owner permissions
• Group permissions
• Others permissions
The ability to select which information to propagate gives you specific control over who can access files and folders. For ACL permissions, you can only propagate the entire ACL. You can’t propagate individual ACEs.
6 Select all ACEs in the ACL Permissions list and click Delete (–).
7 Click Save.
Server Admin removes all ACEs from the ACL of a file. The only permissions that now apply are standard POSIX permissions.
From the command line:
• To remove a file’s ACL:
$ chmod -N file1
Parameter | Description
file1 | The name of the file whose ACL you are removing.
For information about chmod, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.
6 Open the Users & Groups window by clicking the Add (+) button (below the Permissions list).
7 From the Users & Groups window, drag a user to the Effective Permission Inspector. If you don’t see a recently created user, click the Refresh button (below the Servers list).
After dragging the user from the list, the inspector shows the permissions the user has for the selected file or folder. An entry with a checkmark means the user has the indicated permission (equivalent to Allow).
For information about command-line parameters, see “Creating a Share Point” on page 142. For information about sharing, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration. You can’t configure NFS protocols using the sharing command. For more about changing NFS protocols, see the man pages exports(5), nfs.conf(5), and nfsd(8).
Changing NFS Share Point Client Access
You can use Server Admin to restrict the clients that can access an NFS export.
7 Click OK, then click Save.
Note: Make sure guest access is also enabled at the service level in Server Admin.
From the command line:
• To enable guest access to a share point:
$ sudo sharing -a path -g 1
Parameter | Description
path | The full path to the share point.
For information about command-line parameters, see “Creating a Share Point” on page 142. For information about sharing, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.
• If you want users to have full control of the drop box, add ACEs that give them full Administration, Read, Write, and inheritable permissions. For more information, see “Setting ACL Permissions” on page 38.
8 Click Save.
From the command line:
1 Create the folder that will act as a drop box in an AFP share point:
$ sudo mkdir path/folder1
2 Add permissions for the folder:
$ chmod securitygroup+permission folder1
Parameter | Description
path | The full path to the share point.
To configure a network library:
1 Open Server Admin and connect to the server.
2 Click File Sharing.
3 Click Share Points and select the share point you want to become a network library. To create a share point for your network library, see “Creating a Share Point” on page 36.
4 Click Share Point below the list.
5 Select the Enable Automount checkbox.
6 From the Directory pop-up menu, choose the directory domain that contains your users and computers.
To assure that connecting the system to the network does not disrupt network operations, work with the system administrator or other expert. Follow the instructions in the Xserve guide, if applicable, to install the system properly in a rack.
Step 2: Establish volumes, partitions, and RAID sets on the drive modules
Plan how you want to divide the total storage on the Xserve NAS system, taking into account the number of users, likely demands for NAS, and future growth.
Step 4: Configure file services for AFP, NFS, FTP, and SMB
Assuming that you turned on the file services with Server Admin, you can configure AFP, NFS, FTP, and SMB so that clients on the network can share their files. The summary instructions that follow provide an overview of configuring these file services. For more information about configuring these protocols, see the related chapter in this guide.
From the command line:
• To enable Spotlight for a volume:
$ sudo mdutil -i on volume
• To disable Spotlight for a volume:
$ sudo mdutil -i off volume
Configuring Time Machine Backup Destination
Time Machine is a backup application that keeps an up-to-date copy of everything on your computer, which includes system files, applications, accounts, preferences, and documents. Time Machine can restore files, folders, or your entire computer by putting everything back the way it was and where it should be.
4 Click Home, specify the disk quota using the Disk Quota field and the adjacent pop-up menu, and then click Save.
5 Make sure disk quotas are enabled for the volume where the share point resides.
6 In Server Admin, select the server hosting home folders and then click File Sharing.
7 Click Volumes and then select the volume that stores home folders.
8 Click Quotas, select “Enable quotas on this volume,” and then click Save.
To monitor share point quotas:
1 Open Server Admin and connect to the server.
2 Click File Sharing.
3 Click Volumes and select the volume you want to monitor.
4 Click Quotas below the list.
5 Select the “Enable quotas on this volume” checkbox. The disk quota information for the enabled volumes is listed in the Quota Monitor. This includes user name, space used (KB), free space (KB), and limit (KB).
6 Click Save.
Setting File Services SACL Permissions for Administrators
Use Server Admin to set SACL permissions for administrators to monitor and manage file services.
To set administrator SACL permissions for a file service:
1 Open Server Admin and connect to the server.
2 Click Access.
3 Click Administrators.
4 Select the level of restriction that you want for the services:
• To restrict access to all services, select “For all services.
Chapter 4: Working with AFP Service
Use this chapter to set up and manage AFP service in Mac OS X Server. Apple Filing Protocol (AFP) service enables Mac OS clients to connect to your server and access folders and files. Non-Mac OS clients can also connect to your server over AFP using third-party AFP client software. AFP service supports new features such as Unicode file names, access control lists (ACLs), 64-bit file sizes, extended attributes, and Spotlight searching.
AFP Service Specifications
AFP service has the following default specifications:
• Maximum number of connected users, depending on your license agreement: Unlimited (hardware dependent)
• Maximum volume size: 16 terabytes
• TCP port number: 548
• Location of log files: /Library/Logs/AppleFileService/
• Bonjour registration type: afpserver
Setup Overview
Here is an overview of the basic steps for setting up AFP service.
Turning AFP Service On
Before you can configure AFP settings, you must turn on AFP service in Server Admin.
To turn AFP service on:
1 Open Server Admin and connect to the server.
2 Click Settings, then click Services.
3 Select the AFP checkbox.
4 Click Save.
Setting Up AFP Service
If you enabled the Server Assistant to start AFP service when you installed Mac OS X Server, you don’t need to do anything else. Verify that the default service settings meet your needs.
6 Enter the message you want users to see in the Login Greeting field. The message does not appear when a user logs in to their home folder. To prevent users from seeing the greeting repeatedly, select “Do not send same greeting twice to the same user.”
7 Click Save.
5 Choose the authentication method you want to use from the Authentication pop-up menu: Standard, Kerberos, or Any Method.
6 If necessary, permit unregistered users to access AFP share points by selecting “Enable Guest access.” Guest access is a convenient way to provide occasional users with access to files and other items, but for better security, don’t select this option.
Parameter | Description
authenticationMode | Authentication mode. Can be: standard, kerberos, standard_and_kerberos. Default = "standard_and_kerberos"
guestAccess | Allow guest users access to the server. Default = yes
attemptAdminAuth | Allow administrator user to masquerade as another user. Default = yes
maxConnections | Maximum simultaneous user sessions allowed by the server. Default = -1 (unlimited)
maxGuests | Maximum simultaneous guest users allowed.
7 Select the events you want AFP service to log. An entry is added to the log when a user performs an action you select. When you choose the number of events to log, consider available disk space. The more events you choose, the faster the log file will grow.
8 To specify how often the error log file contents are saved to an archive, select “Error Log: Archive every __ days” and enter the number of days.
9 Click Save.
Parameter | Description
loggingAttributes:logOpenFork | Log file opens in the activity log. Default = yes
loggingAttributes:logCreateFile | Record file creations in the activity log. Default = yes
loggingAttributes:logCreateDir | Record folder creations in the activity log. Default = yes
loggingAttributes:logDelete | Record file deletions in the activity log. Default = yes
activityLogTime | Rollover time (in days) for the activity log.
6 To specify the idle time limit, select “Disconnect idle users after __ minutes” and enter the number of minutes after which the AFP session of an idle connection is disconnected. To prevent specific types of users from being disconnected, select them under “Except.” 7 In the “Disconnect Message” field, enter the message you want users to see when they are disconnected.
Parameter Description idleDisconnectTime Idle time (in minutes) allowed before disconnect. Default = 10 idleDisconnectFlag: guestUsers Enforce idle disconnect for guest users. Default = yes idleDisconnectFlag: adminUsers Enforce idle disconnect for administrator users. Default = yes idleDisconnectFlag: registeredUsers Enforce idle disconnect for registered users. Default = yes idleDisconnectFlag: usersWithOpenFiles Enforce idle disconnect for users with open files.
Managing AFP Service This section describes typical day-to-day tasks you perform after you set up AFP service on your server. Initial setup information appears in “Setting Up AFP Service” on page 70. Checking AFP Service Status Use Server Admin to check the status of AFP service. To view AFP service status: 1 Open Server Admin and connect to the server. 2 Click the triangle at the left of the server. The list of services appears. 3 From the expanded Servers list, select AFP.
Viewing AFP Service Logs Use Server Admin to view the error and access logs for AFP service, if you have enabled them. To view logs: 1 Open Server Admin and connect to the server. 2 Click the triangle at the left of the server. The list of services appears. 3 From the expanded Servers list, select AFP. 4 Choose between access and error logs by clicking Logs, then use the View pop-up menu. Use the Filter field in the upper right to search for specific entries.
Viewing AFP Connections Use Server Admin to view the clients that are connected to the server through AFP service. To view AFP connections: 1 Open Server Admin and connect to the server. 2 Click the triangle at the left of the server. The list of services appears. 3 From the expanded Servers list, select AFP. 4 To see a list of connected users, click Connections.
3 From the expanded Servers list, select AFP. 4 Click Connections, then click Stop. 5 Enter the amount of time that users have to save their files before AFP service stops. 6 If you want users to know why they must disconnect, enter a message in the Additional Message field. Otherwise, a default message is sent indicating that the server will shut down in the specified number of minutes. 7 Click Stop.
Limiting Connections to AFP Service If your server provides a variety of services, you can prevent a flood of users from affecting the performance of those services by limiting the number of clients and guests who can connect at the same time. To set the maximum number of connections: 1 Open Server Admin and connect to the server. 2 Click the triangle at the left of the server. The list of services appears. 3 From the expanded Servers list, select AFP.
Keeping an Access Log for AFP Service The access log records the times when a user connects or disconnects, opens a file, or creates or deletes a file or folder. To set up access logging: 1 Open Server Admin and connect to the server. 2 Click the triangle at the left of the server. The list of services appears. 3 From the expanded Servers list, select AFP. 4 Click Settings, then click Logging. 5 Select “Enable access log.” 6 Select the events you want to record.
Parameter  Description
activityLog
    Turn activity logging on or off. Default = no
loggingAttributes:logLogin
    Record user logins in the activity log. Default = yes
loggingAttributes:logLogout
    Log user logouts in the activity log. Default = yes
loggingAttributes:logOpenFork
    Log file opens in the activity log. Default = yes
loggingAttributes:logCreateFile
    Record file creations in the activity log. Default = yes
loggingAttributes:logCreateDir
    Record folder creations in the activity log.
7 Click Disconnect.
From the command line:
To disconnect users:
$ sudo serveradmin command
afp:command = disconnectUsers
afp:message = "message-text"
afp:minutes = minutes-until
afp:sessionIDsArray:_array_index:0 = sessionid1
afp:sessionIDsArray:_array_index:1 = sessionid2
afp:sessionIDsArray:_array_index:2 = sessionid3
Control-D
Parameter  Description
message-text
    The message that appears on client computers in the disconnect announcement dialog.
Although the server disconnects sleeping clients, the clients’ sessions are maintained for the specified period. When a user resumes work within that time, the client is reconnected with no apparent interruption. 6 To specify the idle time limit, select “Disconnect idle users after __ minutes” and enter the number of minutes after which an idle computer should be disconnected. A sleeping Mac OS X v10.2 (or later) client can resume work on open files within the limits of the “Allow clients to sleep” setting.
Parameter Description idleDisconnectTime Idle time (in minutes) allowed before disconnect. Default = 10 idleDisconnectFlag: guestUsers Enforce idle disconnect for guest users. Default = yes idleDisconnectFlag: adminUsers Enforce idle disconnect for administrator users. Default = yes idleDisconnectFlag: registeredUsers Enforce idle disconnect for registered users. Default = yes idleDisconnectFlag: usersWithOpenFiles Enforce idle disconnect for users with open files.
afp:sessionIDsArray:_array_index:1 = sessionid2
afp:sessionIDsArray:_array_index:2 = sessionid3
[...]
Control-D
Parameter  Description
message-text
    Message that appears on client computers.
sessionidn
    Session ID of the user you want to receive the message. To list the session IDs of connected users, use the getConnectedUsers command.
For more information about command-line parameters for AFP, see “AFP Parameters” on page 143. For information about serveradmin, see its man page.
From the command line:
To change several settings:
$ sudo serveradmin settings
afp:guestAccess = value
afp:maxConnections = value
afp:maxGuests = value
Control-D
Parameter  Description
guestAccess
    Allow guest users access to the server. Default = yes
maxConnections
    Maximum simultaneous user sessions allowed by the server. Default = -1 (unlimited)
maxGuests
    Maximum simultaneous guest users allowed.
$ sudo serveradmin settings
afp:loginGreeting = "value"
afp:loginGreetingTime = value
Control-D
Parameter  Description
loginGreeting
    Login greeting message. Default = ""
loginGreetingTime
    Last time the login greeting was set or updated.
For more information about command-line parameters for AFP, see “AFP Parameters” on page 143. For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.
• If practical, make the server name match its unqualified DNS host name. For example, if your DNS server has an entry for your server as “server.example.com,” give your server the name “server.”
• AD Administrator Username and Password: Enter the user name and password of the Active Directory administrator.
8 Click OK and then click Done.
3 Click Connect. 4 Enter your user name and password or select Guest, then click Connect. 5 Select the share point you want to use and click OK. Changing the Default User Name for AFP Connections When you use the Connect to Server command in the Finder to connect to an AFP server, the login panel populates your full user name by default. In Mac OS X v10.5 and later, you can customize this panel to present your short name, a custom name, or no user name at all.
To set no name:
$ defaults write /Library/Preferences/com.apple.NetworkAuthorization UseDefaultName -bool YES
$ defaults write /Library/Preferences/com.apple.NetworkAuthorization DefaultName ""
To set the current user’s long name:
This is only necessary if you have made any of the changes listed above.
$ defaults write /Library/Preferences/com.apple.NetworkAuthorization UseDefaultName -bool NO
$ defaults write /Library/Preferences/com.apple.
Connecting to the AFP Server from Mac OS 8 and Mac OS 9 Clients
AFP service requires the following Mac OS 8 or 9 system software:
• Mac OS 8 v8.6 or Mac OS 9 v9.2.2
• TCP/IP
• AppleShare Client 3.7 or later
To find the latest version of AppleShare client software supported by Mac OS 8 and Mac OS 9, go to the Apple support website at www.apple.com/support.
Note: AFP service does not support AppleTalk connections, so clients must use TCP/IP to access file services.
Chapter 5: Working with SMB Service
Use this chapter to set up and manage SMB service in Mac OS X Server. Mac OS X Server can provide the following native services to Windows clients:
• Domain login. Enables each user to log in using the same user name, password, roaming profile, and network home folder on any Windows computer capable of logging in to a Windows NT domain.
• File service.
In Mac OS X Server, SMB share points support oplocks. To enable oplocks, change SMB protocol settings for a share point using Workgroup Manager. For more information, see “Changing SMB Settings for a Share Point” on page 40. Important: Do not enable oplocks unless the share point is using only SMB. If the share point uses any other protocol, data can become corrupt. Setup Overview Here is an overview of the basic steps for setting up SMB service.
Step 7: Start SMB service After you configure SMB, start the services to make them available. See “Starting SMB Service” on page 105. Turning On SMB Service Before you can configure SMB settings, you must turn on SMB service. To turn on SMB service: 1 Open Server Admin and connect to the server. 2 Click Settings, then click services. 3 Click the SMB checkbox. 4 Click Save.
Configuring SMB General Settings Use the General settings to select the server role and provide the description, computer name, and workgroup for the server. To configure SMB General settings: 1 Open Server Admin and connect to the server. 2 Click the triangle at the left of the server. The list of services appears. 3 From the expanded Servers list, select SMB. 4 Click Settings, then click General.
6 Enter a description, computer name, and domain or workgroup:
• For Description, enter a description of the computer. This appears in the Network Places window on Windows computers, and is optional.
• For Computer Name, enter the name you want Windows users to see when they connect to the server. This is the server’s NetBIOS name. The name should contain no more than 15 characters, no special characters, and no punctuation. If practical, make the server name match its unqualified DNS host name.
Parameter  Description
adminCommands:serverRole
    The authentication role played by the server. Can be set to:
    • standalone
    • domainmember
    • primarydomaincontroller
    • backupdomaincontroller
    This corresponds to the Role pop-up menu in the General pane of Windows service settings in the Server Admin application.
server string
    Text that helps identify the server in the network browsers of client computers. Can be set to a maximum of 15 bytes of UTF-8 characters.
5 To permit Windows or other SMB users to connect to Windows file services without providing a user name or password, select “Allow Guest access.” Guest access is a convenient way to provide occasional users with access to files and other items, but for better security, don’t select this option. 6 To limit the number of users who can be connected to the SMB service at one time, select “__ maximum” and enter a number in the field. 7 Select the kinds of authentication Windows users can use.
Configuring SMB Service Logging Settings Use the Logging pane of SMB service settings in Server Admin to specify how much information is recorded in the SMB log file. To configure the SMB service logging level: 1 Open Server Admin and connect to the server. 2 Click the triangle at the left of the server. The list of services appears. 3 From the expanded Servers list, select SMB. 4 Click Settings, then click Logging.
Configuring SMB Service Advanced Settings Use the Advanced pane of SMB service settings in Server Admin to choose a client code page, set the server to be a workgroup or domain master browser, specify the server’s WINS registration, and enable virtual share points for user homes. To configure SMB service Advanced settings: 1 Open Server Admin and connect to the server. 2 Click the triangle at the left of the server. The list of services appears. 3 From the expanded Servers list, select SMB.
From the command line:
To configure SMB service access settings:
$ sudo serveradmin settings
smb:dos charset = value
smb:domain master = value
smb:local master = value
smb:wins support = value
smb:wins server = value
Control-D
Parameter  Description
dos charset
    The code page being used.
Parameter Description wins support Whether the server provides WINS support. Can be set to: yes | no This corresponds to the WINS Registration “Off” and “Enable WINS” server options in the Advanced pane of the Windows service settings in the Server Admin application. wins server The name of the WINS server used by the server. This corresponds to the WINS Registration “Register with WINS server” option and field in the Advanced pane of the Windows service settings in the Server Admin application.
Managing SMB Service This section describes typical tasks you might perform after you set up SMB service on your server. Initial setup information appears in “Setting Up SMB Service” on page 97. Viewing SMB Service Status Use Server Admin to view the status of SMB service. To view SMB service status: 1 Open Server Admin and connect to the server. 2 Click the triangle at the left of the server. The list of services appears. 3 From the expanded Servers list, select SMB.
Viewing SMB Service Logs Use Server Admin to view SMB service logs. To view SMB logs: 1 Open Server Admin and connect to the server. 2 Click the triangle at the left of the server. The list of services appears. 3 From the expanded Servers list, select SMB. 4 Click Logs and use the View pop-up menu to choose between “SMB File Service Log” and “SMB Name Service Log.” To choose the types of events that are recorded, see “Configuring SMB Service Logging Settings” on page 102.
Viewing SMB Connections Use Server Admin to view the clients that are connected to the server through SMB service. To view SMB connections: 1 Open Server Admin and connect to the server. 2 Click the triangle at the left of the server. The list of services appears. 3 From the expanded Servers list, select SMB. 4 To see a list of connected users, click Connections. The list includes the user name, user IP address or domain name, and the duration of connection.
From the command line:
To stop SMB service:
$ sudo serveradmin stop smb
For more information about command-line parameters for SMB, see “SMB Parameters” on page 150. For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.
Chapter 6: Working with NFS Service
Use this chapter to learn how to set up and manage NFS service in Mac OS X Server. Network File System (NFS) is the protocol used for file services on UNIX computers. Use NFS service in Mac OS X Server to provide file services for UNIX clients (including Mac OS X clients). You can share a volume (or export it, in standard NFS terminology) to a set of client computers or to “World.
See “Creating a Share Point” on page 36, “Exporting an NFS Share Point” on page 43, and “Automatically Mounting Share Points for Clients” on page 46. When you export a share point, NFS service starts. When you delete exports, NFS service stops. To see if NFS service is running, open Server Admin, select NFS from the list of services for your server, and click Overview. Before Setting Up NFS Service Mac OS X v10.5 and later offers NFS with Kerberos, providing another secure file sharing service.
Setting Up NFS Service Use Server Admin to change NFS service settings. The following sections describe the tasks for configuring and starting NFS service. Configuring NFS Service Settings NFS service settings enable you to set the maximum number of daemons and choose how you want to serve clients—using TCP, UDP, or both. To configure NFS service settings: 1 Open Server Admin and connect to the server. 2 Click the triangle at the left of the server. The list of services appears.
$ sudo serveradmin settings
nfs:nbDaemons = value
nfs:useTCP = value
nfs:useUDP = value
Control-D
Parameter (nfs:)  Description
nbDaemons
    To reduce the number of daemons, restart the server after changing this value. Default = 6.
useTCP
    Restart the server after changing this value. Default = yes.
useUDP
    Restart the server after changing this value. Default = yes.
For information about serveradmin, see its man page.
3 From the expanded Servers list, select NFS. 4 Click Overview. The Overview pane tells you whether the service is running and whether nfsd, portmap, rpc.lockd, and rpc.statd processes are running. The nfsd process responds to NFS protocol and mount protocol requests from client computers that have mounted folders. The portmap process enables client computers to find nfs daemons (always one process). The rpc.lockd daemon provides file and record-locking services in an NFS environment. The rpc.
Stopping NFS Service Use Server Admin to stop NFS service and disconnect users. Users who are connected when you stop NFS service might lose unsaved changes in open files. To stop NFS service after warning users: 1 Open Server Admin and connect to the server. 2 Click the triangle at the left of the server. The list of services appears. 3 From the expanded Servers list, select NFS. 4 Click Connections, then see if users are connected to an NFS shared volume.
Chapter 7: Working with FTP Service
Use this chapter to set up and manage FTP service in Mac OS X Server. File Transfer Protocol (FTP) is a simple way for computers of any type to transfer files over the Internet. Someone using a computer that supports FTP or an FTP client application can connect to your FTP server and upload or download files, depending on the permissions you set. Most Internet browsers and a number of freeware and shareware applications can be used to access your FTP server.
FTP Users
FTP supports two types of users:
• Authenticated users. These users have accounts on your server, and might have home folders stored on the server. Some FTP software refers to these as real users. An authenticated user must provide a user name and password to access server files using FTP. You review or set up authenticated users using the Accounts module of Workgroup Manager.
• Anonymous users. These users do not have accounts on your server.
FTP Root and Share Points The “FTP Root and Share Points” environment option gives access to the FTP root and any FTP share points that users have access privileges to, as shown in the following illustration.
Users access other FTP share points through symbolic links in the FTP root. As always, access to FTP share points is controlled by user access privileges.
Home Folder Only
When you choose the “Home Folder Only” option, authenticated users are confined to their home folders and do not have access to the FTP root or other FTP share points, as shown in the following illustration:
[Illustration: FTP server folder hierarchy showing the FTP root (which looks like “/” to anonymous FTP users), an FTP share point incorporated within the virtual root, user home folders, and symbolic links to share points.]
Anonymous users and users without home folders st
The following table shows common file extensions and the type of compression they designate.
File extension  What it means
.gz      DEFLATE compression
.Z       UNIX compress
.bin     MacBinary encoding
.tar     UNIX tar archive
.tZ      UNIX compressed tar archive
.tar.Z   UNIX compressed tar archive
.crc     UNIX checksum file
.
Setup Overview Here is an overview of the basic steps for setting up FTP service. Step 1: Before you begin For issues to keep in mind when you set up FTP service, read “Before Setting Up FTP Service” on page 123. Step 2: Turn on FTP service Before configuring FTP service, FTP must be turned on. See “Turning On FTP Service” on page 123.
Before Setting Up FTP Service When determining whether to offer FTP service, consider the type of information you will share and who your clients are. FTP works well when you want to transfer large files such as applications and databases. In addition, if you want to permit guest (anonymous) users to download files, FTP is a secure way to provide this service.
Setting Up FTP Service
There are four groups of settings on the Settings pane for FTP service in Server Admin:
• General. Use to set information about access, file conversion, and login attempts for FTP service.
• Messages. Use to configure messages that appear to clients using FTP service.
• Logging. Use to configure and manage logs for FTP service.
• Advanced. Use to configure and administer advanced settings.
10 To limit the number of anonymous users who can connect to your server at the same time, enter a number in the “Allow a maximum of __ anonymous users” field. 11 If you want to have files that have resource forks listed with a .bin suffix so that clients can take advantage of automatic file conversion when transferring them, select “Enable MacBinary and disk image auto-conversion.” 12 Click Save. From the command line: You can view or configure the FTP service settings using the serveradmin command.
Parameter (ftp:) Description enableMacBinAndDmgAutoConversion Default = yes loginFailuresPermitted Default = 3 maxAnonymousUsers Default = 50 maxRealUsers Default = 50 For information about command-line parameters for FTP, see “FTP Parameters” on page 148. For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.
Parameter (ftp:) Description bannerMessage Displays a banner message that appears when you are prompted to log in to FTP. Customize to your own preferences. Default ="----------------------------------This is the "Banner" message for the Mac OS X Server's FTP server process. FTP clients will receive this message immediately before being prompted for a name and password. PLEASE NOTE: Some FTP clients may exhibit problems if you make this file too long.
To display banner and welcome messages to users: 1 Open Server Admin and connect to the server. 2 Click the triangle at the left of the server. The list of services appears. 3 From the expanded Servers list, select FTP. 4 Click Settings, then click Messages. 5 Select “Show welcome message.” 6 Select “Show banner message.” 7 Click Save.
Configuring FTP Logging Settings
Logging settings enable you to choose which FTP-related events to record. For authenticated or anonymous users, you can record:
• Uploads
• Downloads
• FTP commands
• Rule violation attempts
To configure FTP Logging settings:
1 Open Server Admin and connect to the server.
2 Click the triangle at the left of the server. The list of services appears.
3 From the expanded Servers list, select FTP.
4 Click Settings, then click Logging.
Parameter (ftp:) Description logSecurity:real Default = no logTransfers:anonymous:inbound Default = yes logTransfers:anonymous:outbound Default = yes logTransfers:real:inbound Default = yes logTransfers:real:outbound Default = yes For information about command-line parameters for FTP, see “FTP Parameters” on page 148. For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.
Starting FTP Service
You must start FTP service to make it available to users.
To start FTP service:
1 Open Server Admin and connect to the server.
2 Click the triangle at the left of the server. The list of services appears.
3 From the expanded Servers list, select FTP.
4 Click Start FTP (below the Servers list).
From the command line:
To start FTP service:
$ sudo serveradmin start ftp
For information about serveradmin, see its man page.
Creating an FTP Uploads Folder for Anonymous Users The uploads folder provides a place for anonymous users to upload files to the FTP server. It must exist at the top level of the FTP root folder and be named “uploads.” If you change the FTP root folder, the uploads folder must also be changed. To create an uploads folder for anonymous users: 1 Use the Finder to create a folder named “uploads” at the top level of your server FTP root folder.
Anonymous users and authenticated users who don’t have home folders (or whose home folders are not located in a share point they have access to) are always logged in at the root level of the FTP environment. Changing the FTP Root Folder Use the Advanced pane of FTP service settings to change the path to the FTP root folder. To specify a different FTP root: 1 Select the folder you want to use. If the folder doesn’t exist, create it and configure it as an FTP share point.
4 To see whether the service is running, when it started, the number of authenticated and anonymous connections, and whether anonymous access is enabled, click Overview. 5 To review the event log, click Log. 6 To see a graph of connected users, click Graphs. To choose the duration of time to graph data for, use the pop-up menu. 7 To see a list of connected users, click Connections. The list includes the user name, type of connection, user IP address or domain name, and event activity.
From the command line:
You can also view the FTP log using the cat or tail commands in Terminal.
To view the FTP log:
$ tail log-file
By default, log-file is /Library/Logs/FTP.transfer.log. To see where the current transfer log is located, use the serveradmin getLogPaths command. For the basics of command-line tool usage, see Introduction to Command-Line Administration.
Viewing FTP Graphs
Use Server Admin to view FTP graphs.
From the command line:
To view FTP connections:
$ ftpcount
or
$ sudo serveradmin command ftp:command = getConnectedUsers
For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.
Stopping FTP Service
You stop FTP service using Server Admin.
To stop FTP service:
1 Open Server Admin and connect to the server.
2 Click the triangle at the left of the server. The list of services appears.
Chapter 8: Solving Problems
Use this chapter to find solutions to common problems you might encounter while working with file services in Mac OS X Server. Problems are listed in the following categories:
• Problems with share points
• Problems with AFP service
• Problems with SMB service
• Problems with NFS service
• Problems with FTP service
Problems with Share Points
This section describes potential problems with share points and ways to diagnose and resolve the problems.
• Server administrators don’t see share points the same way a user does over AFP because administrators see everything on the server. To see share points from a user’s perspective, select “Enable administrator to masquerade as any registered user” in the Access pane of the Settings pane of AFP service in Server Admin. You can also log in using a user’s name and password.
• Although DNS is not required for file services, an incorrectly configured DNS could cause a file service to fail.
• Make sure the file server is running. Use the Ping pane in Network Utility to check whether the server at the specified IP address can receive packets from clients over the network.
• Check the name you assigned to the file server and make sure users are looking for the correct name.
If Users Can’t Connect to the AFP Server
If users can’t connect to the AFP server:
• Make sure the user has entered the correct user name and password. The user name is not case sensitive, but the password is.
If Users Can’t Log In to the Windows (SMB) Server
If users can’t log in to the Windows (SMB) Server, use the dirt command to make sure Password Server is configured correctly (if you are using Password Server to authenticate users). Also, verify the hash methods you enabled in Server Admin.
Problems with NFS Service
Following are general issues and recommendations to keep in mind when using NFS service:
• Not entering the full path to the NFS share point causes errors on the client side.
• Verify that the user is correctly entering his or her short name and password. User names and passwords with special characters or double-byte characters don’t work. To find the user’s short name, double-click the user’s name in the Users & Groups list.
• See if there are problems with directory services, and make sure the directory services server is operating and connected to the network. For help with directory services, see Open Directory Administration.
Creating a Share Point You can include the following parameters when creating a share point using the sharing command in Terminal.command Parameter Description path The full path to the folder you want to share. customname The name of the share point. If you don’t specify the custom name, it’s set to the name of the folder, the last name in path. afpname The share point name shown to and used by AFP clients. This name is not the same as the share point name.
Parameter Description guestflags A group of flags indicating which protocols allow guest access. The flags are written as a three-digit binary number with the digits representing, from left to right, AFP, FTP, and SMB. 1=guests allowed, 0=guests not allowed. inheritflags A group of flags indicating whether new items in AFP or SMB share points inherit the ownership and access permissions of the parent folder.
Parameter (afp:) Description activityLogTime Rollover time (in days) for the activity log. Default = 7 admin31GetsSp Set to yes to force administrator users on Mac OS X to see share points instead of volumes. Default = yes adminGetsSp Set to yes to force administrator users on Mac OS 9 to see share points instead of volumes. Default = no afpServerEncoding Encoding used with Mac OS 9 clients. Default = 0 afpTCPPort TCP port used by AFP on server.
Parameter (afp:)  Description
errorLogPath
    Location of the error log. Default = /Library/Logs/AppleFileService/AppleFileServiceError.log
errorLogSize
    Rollover size (in kilobytes) for the error log. Use only if errorLogTime isn’t specified. Default = 1000
errorLogTime
    Rollover time (in days) for the error log. Default = 0
guestAccess
    Allow guest users access to the server. Default = yes
idleDisconnectFlag:adminUsers
    Enforce idle disconnect for administrator users.
Parameter (afp:) Description loggingAttributes: logLogin Record user logins in the activity log. Default = yes loggingAttributes: logLogout Log user logouts in the activity log. Default = yes loggingAttributes: logOpenFork Log file opens in the activity log. Default = yes loginGreeting Login greeting message. Default = "" loginGreetingTime Last time the login greeting was set or updated. maxConnections Maximum simultaneous user sessions allowed by the server.
Parameter (afp:) Description registerAppleTalk Advertise the server using AppleTalk NBP. Default = yes registerNSL Advertise the server using Bonjour. Default = yes sendGreetingOnce Send the login greeting only once. Default = no shutdownThreshold Don’t modify. Internal use only. specialAdminPrivs Grant administrator users root user read/write privileges. Default = no TCPQuantum TCP message quantum.
Command (afp:command=) Description syncSharePoints Update share point information after changing settings. writeSettings Equivalent to the standard serveradmin settings command, but also returns a setting indicating whether the service must be restarted. FTP Parameters The following sections provide additional details about FTP parameters. FTP Service Settings You can configure the following FTP service settings using the serveradmin tool in Terminal.

Parameter (ftp:)                    Description
enableMacBinAndDmgAutoConversion    Default = yes
ftpRoot                             The directory where the FTP content is stored.

FTP serveradmin Commands
To manage FTP service, use the following commands with serveradmin.

Command (ftp:command=)    Description
getConnectedUsers         View connected users.
getLogPaths               Show location of the FTP transfer log file.
writeSettings             Equivalent to the standard serveradmin settings command, but also returns a setting indicating whether the service must be restarted.

SMB Parameters
The following sections provide additional details about SMB parameters.

Parameter (smb:)    Description
dos charset         The code page being used. Can be set to:
                      • 437 (Latin US)
                      • 737 (Greek)
                      • 775 (Baltic)
                      • 850 (Latin1)
                      • 852 (Latin2)
                      • 861 (Icelandic)
                      • 866 (Cyrillic)
                      • 932 (Japanese SJIS)
                      • 936 (Simplified Chinese)
                      • 949 (Korean Hangul)
                      • 950 (Traditional Chinese)
                      • 1251 (Windows Cyrillic)
                    This corresponds to the Code Page pop-up menu on the Advanced pane of Windows service settings in Server Admin.

Parameter (smb:)      Description
map to guest          Whether guest access is allowed. Can be set to:
                        • "Never" (No guest access)
                        • "Bad User" (Allow guest access)
                      This corresponds to the “Allow Guest access” checkbox in the Access pane of Windows service settings in Server Admin.
max smbd processes    The maximum allowed number of smbd server processes. Each connection uses its own smbd process, so this is the same as specifying the maximum number of SMB connections. 0 means unlimited.

SMB serveradmin Commands
To manage SMB service, use the following commands with serveradmin.

Command (smb:command=)    Description
disconnectUsers           Disconnect SMB users.
getConnectedUsers         List users connected to an SMB service.
getHistory                List connection statistics.
getLogPaths               Show location of service log files.
syncPrefs                 Update the service to recognize changes in share points.
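
The following is an added example, not part of Apple's guide: a shell function that reads serveradmin settings output and flags the guest-access, administrator-privilege, and login-logging values described in the AFP and SMB parameter tables above. It assumes settings are printed one per line as "service:key = value"; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Apple guide). Assumes each setting is printed
# as one line of the form:  afp:guestAccess = yes

audit_file_settings() {
  # stdin: output of `serveradmin settings afp` and/or `serveradmin settings smb`
  # stdout: one FINDING line per flagged value; exit status 1 if any were found
  awk '
    function check(key, dflt, bad, msg,   val, parts) {
      split(key, parts, ":")
      if (!(parts[1] in svc)) return            # service not present in the input
      val = (key in seen) ? seen[key] : dflt    # missing key: use documented default
      if (val == bad) { printf "FINDING %s = %s: %s\n", key, val, msg; n++ }
    }
    {
      eq = index($0, " = ")
      if (eq == 0) next                         # skip lines that are not settings
      key = substr($0, 1, eq - 1); val = substr($0, eq + 3)
      gsub(/^"|"$/, "", val)                    # strip quotes around string values
      seen[key] = val
      split(key, p, ":"); svc[p[1]] = 1
    }
    END {
      check("afp:guestAccess", "yes", "yes", "guest users can connect over AFP")
      check("afp:specialAdminPrivs", "no", "yes", "administrators get root read/write privileges")
      check("afp:loggingAttributes:logLogin", "yes", "no", "logins are not recorded in the activity log")
      check("afp:loggingAttributes:logLogout", "yes", "no", "logouts are not recorded in the activity log")
      check("smb:map to guest", "", "Bad User", "guest access is allowed over SMB")
      exit (n > 0)
    }
  '
}

sample_settings() {
  # Constructed sample input, not captured from a real server.
  cat <<'EOF'
afp:guestAccess = yes
afp:specialAdminPrivs = no
afp:loggingAttributes:logLogin = no
afp:loginGreeting = ""
smb:map to guest = "Bad User"
smb:max smbd processes = 0
EOF
}

sample_settings | audit_file_settings || true
```

On a server, pipe the real output in place of the sample, for example: sudo serveradmin settings afp | audit_file_settings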