Mac OS X Server File Services Administration For Version 10.
© 2005 Apple Computer, Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services. Every effort has been made to ensure that the information in this manual is accurate. Apple Computer, Inc.
Preface
About This Guide
Learn what’s new for Mac OS X Server File Services Administration.
Mac OS X Server version 10.4 offers reliable, high-performance file services using native protocols for Mac, Windows, and Linux workgroups. The server is designed to fit seamlessly into virtually any environment including mixed enterprise networks. Mac OS X Server v10.
• Chapter 3, “AFP Service,” describes how to set up and manage AFP service in Mac OS X Server.
• Chapter 4, “NFS Service,” describes how to set up and manage the NFS service in Mac OS X Server.
• Chapter 5, “FTP Service,” describes how to set up and manage FTP service in Mac OS X Server.
• Chapter 6, “Solving Problems,” lists possible solutions to common problems you might encounter while working with the file services in Mac OS X Server.
The Mac OS X Server Suite
The Mac OS X Server documentation includes a suite of guides that explain the services and provide instructions for configuring, managing, and troubleshooting the services. All of the guides are available in PDF format from: www.apple.com/server/documentation/
This guide...: tells you how to:
Mac OS X Server Getting Started for Version 10.4 or Later: Install Mac OS X Server and set it up for the first time.
Mac OS X Server Upgrading and Migrating to Version 10.
Mac OS X Server Java Application Server Administration For Version 10.4 or Later: Configure and administer a JBoss application server on Mac OS X Server.
Mac OS X Server Command-Line Administration for Version 10.4 or Later: Use commands and configuration files to perform server administration tasks in a UNIX command shell.
Mac OS X Server Collaboration Services Administration for Version 10.
• Apple customer training—instructor-led and self-paced courses for honing your server administration skills. train.apple.com/
• Apple discussion groups—a way to share questions, knowledge, and advice with other administrators. discussions.info.apple.com/
• Apple mailing list directory—subscribe to mailing lists so you can communicate with other administrators using email. discussions.info.apple.com/
• Apple Filing Protocol (AFP) website—manual describing AFP. developer.apple.
1 Overview of File Services
This chapter provides an overview of Mac OS X Server file services, explains standard permissions and Access Control Lists (ACLs), and discusses related security issues. You can configure Mac OS X Server file services to allow clients to access shared files, applications, and other resources over a network.
• AFP service uses the Apple Filing Protocol (AFP) to share resources with clients who use Macintosh computers.
Permissions in the Mac OS X Environment—Background If you’re new to Mac OS X and are not familiar with UNIX, it’s important to know that there are some differences in the way ownership and permissions are handled compared to Mac OS 9. To increase security and reliability, Mac OS X sets many system folders, such as /Library, to be owned by the root user (literally, a user named “root”). Files and folders owned by root can’t be changed or deleted by you unless you’re logged in as root.
Standard Permissions There are four types of standard POSIX access permissions that you can assign to a share point, folder, or file: Read & Write, Read Only, Write Only, and None. The table below shows how these permissions affect user access to different types of shared items (files, folders, and share points).
The User Categories Owner, Group, and Everyone You can assign standard POSIX access permissions separately to three categories of users: • Owner—A user who creates a new item (file or folder) on the file server is its owner and automatically has Read & Write permissions for that folder. By default, the owner of an item and the server administrator are the only users who can change its access privileges (allow a group or everyone to use the item).
ACLs When standard POSIX permissions are not enough, you can use access control lists (ACLs). An ACL is a list of access control entries (ACEs), each specifying the permissions to be granted or denied to a group or user, and how these permissions are propagated throughout a folder hierarchy. ACLs in Mac OS X Server let you set file and folder access permissions to multiple users and groups, in addition to the standard POSIX permissions.
The ACL Use Model The ACL use model is centered around access control at the folder level, with ACLs applied to files as the result of inheritance. Folder-level control defines which users have access to the contents of a folder, and inheritance defines how a defined set of permissions and rules pass from the container to the objects within it.
Access Control Entries
An access control entry (ACE) is an entry in an ACL that specifies, for a group or a user, access permissions to a file or folder, and the rules of inheritance.
What’s Stored in an ACE
An ACE contains the following fields:
• User/Group
• Permission Type
• Permission
• Inherited
User/Group
An ACE stores a universally unique ID for a group or user, which permits unambiguous resolution of identity.
The Apple ACL Inheritance Model
The Apple ACL inheritance model defines four options that you can select or deselect in Workgroup Manager to control the application of ACEs (in other words, how to propagate permissions through a directory hierarchy):
Inheritance option: Description
Apply to this folder: Apply (Administration, Read, and Write) permissions to this folder
Apply to child folders: Apply permissions to subfolders
Apply to child files: Apply permissions to the files in this folder
Apply to all
ACL Inheritance Combinations When you set inheritance options for an ACE in Workgroup Manager, you can choose from 12 unique inheritance combinations for propagating ACL permissions.
ACL Permission Propagation Workgroup Manager provides a command that lets you force the propagation of ACLs. While this is done automatically by Workgroup Manager, there are cases when this command comes in handy: • You can use this command to handle exceptions. For example, you might want ACLs to apply to all descendants except for a subtree of your folder hierarchy. In this case, you define ACEs for the root folder and set them to propagate to all descendants.
For example, if you add an ACE for the user Mai that allows her Read permission, and then add another ACE for a group in which Mai is a member that denies the group Read permission, Workgroup Manager reorders the entries so that the Deny entry is above the Allow entry. The result is that Mac OS X Server applies the group’s Deny permission to Mai and ignores Mai’s own Allow permission.
Use the Deny Rule Only When You Need To When Mac OS X Server encounters a Deny permission, it stops evaluating other permissions the user might have for a file or folder and applies the Deny permission. Therefore, use Deny permissions only when absolutely necessary. In addition, you might want to keep a record of these Deny permissions so that you can delete them when they are not needed. Always Propagate Permissions Inheritance is a powerful feature, so take advantage of it.
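To make the ordering and inheritance rules above concrete, here is an added Python model (my own illustration, not Apple’s code or the server’s actual ACL evaluator): ACEs are read in list order with Deny entries placed above Allow entries, the first entry naming a right for a matching user or group decides that right, and a folder’s entries are copied to its children according to their inheritance flags. The principal names, rights vocabulary and sample folder tree are constructed for the example; a real ACE stores a UUID, not a name.

```python
"""Added illustration of the ACL rules described above (not Apple's code).
Names, the rights vocabulary and the sample tree are all constructed here."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# The four inheritance options as named in Workgroup Manager.
APPLY_TO_THIS_FOLDER = "this_folder"
APPLY_TO_CHILD_FOLDERS = "child_folders"
APPLY_TO_CHILD_FILES = "child_files"
APPLY_TO_ALL_DESCENDANTS = "all_descendants"


@dataclass(frozen=True)
class ACE:
    principal: str            # user or group name (a real ACE stores a UUID)
    kind: str                 # "allow" or "deny"
    rights: FrozenSet[str]    # e.g. {"read", "write", "admin"}
    inheritance: FrozenSet[str] = frozenset({APPLY_TO_THIS_FOLDER})
    inherited: bool = False   # True when the entry was copied from a parent


@dataclass
class Node:
    name: str
    is_folder: bool
    acl: List[ACE] = field(default_factory=list)
    children: List["Node"] = field(default_factory=list)


def order_acl(acl: List[ACE]) -> List[ACE]:
    """Workgroup Manager moves Deny entries above Allow entries, keeping the
    administrator's relative order within each kind."""
    return [a for a in acl if a.kind == "deny"] + [a for a in acl if a.kind == "allow"]


def effective_rights(node: Node, user: str, groups: List[str]) -> set:
    """Rights the user ends up with on this node (what the Effective Permission
    Inspector reports). For each right, the first entry in order that names it
    for the user or one of their groups decides; a Deny that comes first wins
    and later Allows for that right are ignored."""
    principals = {user, *groups}
    decided: Dict[str, bool] = {}
    for ace in order_acl(node.acl):
        if ace.principal not in principals:
            continue
        if APPLY_TO_THIS_FOLDER not in ace.inheritance:
            continue  # entry exists only to be inherited by children
        for right in ace.rights:
            decided.setdefault(right, ace.kind == "allow")
    return {right for right, allowed in decided.items() if allowed}


def propagate(folder: Node) -> None:
    """Copy the folder's entries to its children according to their inheritance
    flags (modelled on the Propagate Permissions command). Inherited copies are
    flagged so a tool can show them dimmed. Without "apply to all descendants"
    an entry reaches direct children only."""
    for child in folder.children:
        inherited = []
        for ace in folder.acl:
            flags = ace.inheritance
            wanted = (APPLY_TO_CHILD_FOLDERS if child.is_folder
                      else APPLY_TO_CHILD_FILES) in flags
            if not wanted:
                continue
            if APPLY_TO_ALL_DESCENDANTS in flags:
                new_flags = flags | {APPLY_TO_THIS_FOLDER}    # keeps going down
            else:
                new_flags = frozenset({APPLY_TO_THIS_FOLDER})  # stops here
            inherited.append(ACE(ace.principal, ace.kind, ace.rights,
                                 frozenset(new_flags), inherited=True))
        # explicit entries on the child stay; inherited ones are replaced
        child.acl = [a for a in child.acl if not a.inherited] + inherited
        if child.is_folder:
            propagate(child)


def build_example_tree():
    """Constructed sample: Projects/ contains Drafts/draft1.txt and notes.txt."""
    draft = Node("draft1.txt", is_folder=False)
    drafts = Node("Drafts", is_folder=True, children=[draft])
    notes = Node("notes.txt", is_folder=False)
    projects = Node("Projects", is_folder=True, children=[drafts, notes])
    projects.acl = [
        # entered first: Mai may read and write Projects and everything below it
        ACE("mai", "allow", frozenset({"read", "write"}),
            frozenset({APPLY_TO_THIS_FOLDER, APPLY_TO_CHILD_FOLDERS,
                       APPLY_TO_CHILD_FILES, APPLY_TO_ALL_DESCENDANTS})),
        # entered second: the editors group (Mai is a member) may not read
        # Projects or its direct child files; subfolders are not covered
        ACE("editors", "deny", frozenset({"read"}),
            frozenset({APPLY_TO_THIS_FOLDER, APPLY_TO_CHILD_FILES})),
    ]
    propagate(projects)
    return projects, drafts, notes, draft


def rights_report() -> Dict[str, List[str]]:
    """Mai's effective rights on every node of the sample tree."""
    nodes = build_example_tree()
    return {n.name: sorted(effective_rights(n, "mai", ["editors"])) for n in nodes}


if __name__ == "__main__":
    for name, rights in rights_report().items():
        print(f"{name:12s} {rights}")
```

Running it shows Mai losing Read on Projects and notes.txt (where the group Deny precedes her Allow) but keeping it in Drafts and below, where the Deny was never inherited.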
Using SACLs allows you to add another layer of access control on top of standard and ACL permissions. Only users and groups listed in a SACL have access to its corresponding service. For example, if you want to prevent users from accessing a server’s AFP share points, including home directories, just remove the users from the AFP service’s SACL. See “Setting SACL Permissions” on page 51 for instructions on how to restrict access to file services using SACLs.
Restricting Access to File Services As stated in “File Services Access Control” on page 26, you can use Service Access Control Lists (SACLs) to restrict access to AFP, FTP, and Windows services. Restricting Access to Everyone Be careful when creating and granting access to share points, especially if you’re connected to the Internet. Granting access to Everyone, or to World (in NFS service), could potentially expose your data to anyone on the Internet.
2 Setting Up Share Points
This chapter describes how to share specific volumes and directories via the AFP, SMB/CIFS, FTP, and NFS protocols. It also shows how to set standard and ACL permissions. You use the Sharing module of Workgroup Manager to share information with clients of the Mac OS X Server and control access to shared information by assigning access privileges. To share individual folders or entire volumes that reside on the server, you set up share points.
Dynamic share points always reside inside the Network globe in /Network/Servers/server_name and don’t mount until a client selects them. The benefit of static share points is that they can be assigned to specific directories as mentioned above, while dynamic share points use fewer server resources when they’re not in use.
Note: Unified locking across AFP, SMB/CIFS, and NFS protocols lets users working on multiple platforms simultaneously share files without worrying about file corruption. In some cases you might want to share an item using more than one protocol. For example, Mac OS and Windows users might want to share graphics or word processing files that can be used on either file protocol. In a case such as this, you can create a single share point that supports both platforms.
• The share point should be in the same Open Directory domain where the user accounts are defined.
• To provide service to all types of clients, the complete pathname of an AFP or NFS network home directory must not contain spaces and must not exceed 89 characters. For more information, see the Apple Knowledge Base article 107695 at docs.info.apple.com/article.html?artnum=107695.
Step 4: Turn specific file services on For users to access share points, you must turn on the required Mac OS X Server file services. For example, if you use Apple File Protocol with your share point, you must turn on AFP service. You can share an item using more than one protocol. See Chapter 3, “AFP Service,” on page 53; Windows Services administration guide; Chapter 4, “NFS Service,” on page 69; or Chapter 5, “FTP Service,” on page 75.
Setting Privileges
Mac OS X Server provides two methods of access control to files and folders:
• Standard POSIX permissions
• Access Control Lists (ACLs)
These methods are described in the following sections.
To set ACL permissions on a share point or a folder:
1 Open Workgroup Manager and click Sharing.
2 Click All and select the share point or folder.
3 Click Access.
4 Click Users & Groups to open the Users & Groups drawer.
5 Drag groups and users in the order you want them in the Access Control List.
Note: The first entry in the list takes precedence over the second, which takes precedence over the third, and so on.
7 If using only POSIX permissions, choose a default permissions option for new files and folders. To have new or copied items keep their original privileges while inheriting the user and group ID of the user who creates or copies them, select “Use Standard POSIX behavior.” To have new or copied items adopt the privileges of the enclosing folder, select “Inherit permissions from parent.”
Note: Don’t select the “Inherit permissions” option for share points that contain home directories.
8 Click Save.
To have new items adopt the privileges of the enclosing item, select “Inherit permissions from parent.” To assign specific privileges, select “Assign as follows” and set the Owner, Group, and Everyone privileges using the pop-up menus.
9 Click Save.
From the Command Line
You can also change a share point’s SMB/CIFS settings using the sharing command in Terminal. For more information, see the file services chapter of the command-line administration guide.
Exporting an NFS Share Point
You can use NFS to export share points to UNIX clients. (Export is the NFS term for sharing.)
To export an NFS share point:
1 Open Workgroup Manager and click Sharing.
2 Click Share Points and select the share point.
3 Click Protocols and choose NFS Export Settings from the pop-up menu.
4 Select “Export this item and its contents to” and choose an audience from the pop-up menu.
File and file range locking (standard POSIX advisory locks) are enabled by default for NFS share points in Mac OS X Server. From the Command Line You can also set up an NFS share point by using the niutil command in Terminal to add an entry to the NetInfo /exports directory. For more information, see the file services chapter of the command-line administration guide.
Automatically Mounting Share Points for Clients You can mount share points automatically on client computers using network mounts. You can automatically mount AFP or NFS share points. When you set a share point to automatically mount, a mount record is created in the Open Directory database. Be sure you create these records in the same shared domain in which the user and computer records exist. Note: All users have guest access to network automounted AFP share points.
Managing Share Points This section describes typical day-to-day tasks you might perform after you have set up share points on your server. Initial setup information appears in “Setting Up a Share Point” on page 33. Disabling a Share Point To stop sharing a particular share point, you use the Sharing module of Workgroup Manager to remove it from the Share Points list. You may want to notify users that you are removing a share point so that they know why the share point is no longer available.
Viewing Share Points
You can use the Sharing module of Workgroup Manager to view share points and their contents.
To view share points on a server:
1 Open Workgroup Manager and click Sharing.
2 Click Share Points. Select an item in the list to see its contents. Use the scroll bar at the bottom to move up or down in the directory hierarchy.
From the Command Line
You can also view share points and their contents by using the sharing and ls commands in Terminal.
Managing Share Point Access Privileges
Managing access privileges to share points involves the following:
• “Changing Standard Permissions” on page 43
• “Adding ACEs to ACLs” on page 44
• “Removing ACEs” on page 44
• “Editing ACEs” on page 45
• “Removing a Folder’s Inherited ACEs” on page 45
• “Making a Folder’s Inherited ACE Entries Explicit” on page 46
• “Propagating Permissions” on page 46
• “Removing a File’s ACL” on page 47
• “Applying ACL Inheritance to a File” on page 47
• “Determining User or Group
Adding ACEs to ACLs
You control access to a share point by adding or removing access control entries (ACEs) to the share point’s access control list (ACL). Each ACE defines the access permissions for a user or a group.
To add an ACE to an ACL:
1 Open Workgroup Manager and click Sharing.
2 Click Share Points and select the share point.
3 Click Access.
4 Click Users & Groups to open the Users & Groups drawer.
5 Drag groups and users in the order you want them in the Access Control List.
6 Click Save.
Editing ACEs
If you need to change the settings of an access control entry (ACE) to allow or restrict what a user or group can do in a share point, use the “Edit selected item” button in the Access pane of the Sharing pane in Workgroup Manager.
To edit an ACE:
1 Open Workgroup Manager and click Sharing.
2 Click Share Points and select the share point.
3 Click Access.
4 Select the entry.
5 Click the “Edit selected item” button (the button with a pencil icon below the list).
From the Command Line You can also remove inherited ACEs using the chmod command in Terminal. For more information, see the file services chapter of the command-line administration guide. Making a Folder’s Inherited ACE Entries Explicit Inherited access control entries (ACEs) appear dimmed in the Access Control List in the Access pane of the Sharing pane of Workgroup Manager and you can’t edit them.
Workgroup Manager automatically propagates the selected permissions to all descendants.
Removing a File’s ACL
To remove a file’s inherited access control entries (ACEs), use the “Remove access control list” command in Workgroup Manager.
Note: Because a file’s ACEs are always inherited, they appear dimmed in the file’s ACL.
To remove a file’s ACL:
1 Open Workgroup Manager and click Sharing.
2 Click All and select the file.
3 Click Access.
To determine user or group permissions to a file or folder:
1 Open Workgroup Manager and click Sharing.
2 Click All and select a file or a folder.
3 Click Access.
4 Choose “Show Effective Permission Inspector” from the Action menu (bottom right).
Note: In the inspector, all permissions and inheritance settings appear dimmed to indicate that you can’t edit them.
5 Drag a user or group from the Users & Groups drawer to the “File/Folder name” field. To open the drawer, click Users & Groups.
Changing NFS Share Point Client Access
You can use the Protocols pane of Workgroup Manager to restrict the clients that can access an NFS export.
To change authorized NFS clients:
1 Open Workgroup Manager and click Sharing.
2 Click Share Points and select the NFS share point.
3 Click Protocols and choose NFS Export Settings from the pop-up menu.
4 To limit clients to specific computers, choose Client and click Add to specify the IP addresses of computers that can access the share point.
To create a drop box:
1 Create the folder that will act as a drop box within an AFP share point.
2 Open Workgroup Manager and click Sharing.
3 Click Share Points and select the folder in the AFP share point that you want to use as a drop box.
4 Click Access.
5 Set write only permissions using POSIX permissions or a combination of POSIX permissions and Access Control Entries (ACEs).
• To create a drop box using standard permissions, set Write Only permissions for Owner, Group, and Everyone.
If you are not logged in as a root user, you can’t make changes using Workgroup Manager. If possible, you should upgrade servers on your network to use Mac OS X Server version 10.2 or later.
Note: You won’t be able to use Workgroup Manager to create share points on a computer running Mac OS X Server v10.1.5.
Setting SACL Permissions
Service access control lists (SACLs) allow you to specify which users and groups have access to AFP, FTP, and Windows file services.
3 AFP Service
This chapter describes how to set up and manage AFP service in Mac OS X Server. AFP (Apple Filing Protocol) service allows Mac OS clients to connect to your server and access folders and files as if they were located on their own computers. Non-Mac OS clients can also connect to your server over AFP using third-party AFP client software. AFP service uses version 3.2 of AFP, which supports new features such as Unicode file names, ACLs, and 64-bit file sizes.
Automatic Reconnect Mac OS X Server provides the ability to automatically reconnect Mac OS X clients that have become idle or gone to sleep. When clients become idle or go to sleep, the Mac OS X Server disconnects those clients to free up server resources. Mac OS X Server can save Mac OS X client sessions, however, allowing these clients to resume work on open files without loss of data. You configure this setting in the Idle Users pane of the AFP service configuration window in Server Admin.
Setting Up AFP Service
If you allowed the Server Assistant to start AFP service when you installed Mac OS X Server, you don’t have to do anything else. However, you should check to see if the default service settings meet your needs. The following section steps you through each of the Apple file service settings. You set up Apple file service by configuring four groups of settings on the Settings pane for AFP service in Server Admin:
• General.
3 To advertise the AFP share point using both Network Service Location (NSL) and Bonjour, select “Enable Bonjour registration.” This option lets clients browse for the share point using the Mac OS X “Connect to Server” command or the Mac OS 9 Network Browser. For NSL registration to work, you must also enable IP multicasting on your network routers. See the network services administration guide for more information about Service Location Protocol (SLP) and IP multicasting.
Note: After you allow guest access for Apple file service in general, you can still selectively enable or disable guest access for individual share points.
5 To allow clients to connect using secure AFP (using SSH), select “Enable secure connections.”
6 To allow an administrator to log in using a user’s name with an administrator password (and thereby experience the AFP service as the user would), select “Enable administrator to masquerade as any registered user.
The server closes the active log at the end of each archive period, renames it to include the current date, and then opens a new log file. You can keep the archived logs for your records or delete them to free disk space when they’re no longer needed. The default setting is 7 days. Log files are stored in /Library/Logs/AppleFileService. You can use the log rolling scripts supplied with Mac OS X Server to reclaim disk space used by log files.
Starting AFP Service
You start the AFP service to make AFP share points available to your client users.
To start Apple file service:
1 Open Server Admin and select AFP in the Computers & Services list.
2 Click Start Service (near the top of the window).
The service will run until you stop it and will restart automatically if your server is restarted for any reason.
From the Command Line
You can also start the AFP service using the serveradmin command in Terminal.
Viewing Service Logs
You use Server Admin to view the error and access logs for AFP service (if you have enabled them).
To view logs:
1 Open Server Admin and select AFP in the Computers & Services list.
2 Click Logs and use the Show pop-up menu to choose between the access and error logs.
To enable logging, click Settings (near the bottom of the window), then click Logging.
Enabling NSL and Bonjour Browsing
You can register the service with Network Service Locator (NSL) and Bonjour to allow users to find the server by browsing through available servers. Otherwise, users who cannot browse via AppleTalk (see below) must type the server’s host name or IP address when connecting.
To register with NSL and Bonjour:
1 Open Server Admin and select AFP in the Computers & Services list.
2 Click General, select “Enable Bonjour registration,” and click Save.
Limiting Connections
If your server provides a variety of services, you can prevent a flood of users from affecting the performance of those services by limiting the number of clients and guests who can connect at the same time.
To set the maximum number of connections:
1 Open Server Admin and select AFP in the Computers & Services list.
2 Click Settings, then click Access and look under “Maximum Connections.
Archiving AFP Service Logs
You can periodically save the active logs and open new logs.
To set how often logs are archived:
1 Open Server Admin and select AFP in the Computers & Services list.
2 Click Settings (near the bottom of the window), then click Logging.
3 Select “Archive every __ days” and type the number of days to specify how often the log file contents are saved to an archive.
Disconnecting Idle Users Automatically
You can set AFP service to automatically disconnect users who have not used the server for a period of time.
To set how the server handles idle users:
1 Open Server Admin and select AFP in the Computers & Services list.
2 Click Settings (near the bottom of the window), then click Idle Users.
Allowing Guest Access
Guests are users who can see information on your server without using a name or password to log in. For better security, don’t allow guest access. After enabling guest access for the service, you’ll need to enable guest access for specific share points. See “Allowing Guest Access to a Share Point” on page 49.
To enable guest access:
1 Open Server Admin and select AFP in the Computers & Services list.
2 Click Settings (near the bottom of the window), then click Access.
Supporting AFP Clients
This section describes how client computers can access Mac OS X Server AFP share points.
Note: Non-Apple clients can also connect over AFP using third-party AFP client software.
Mac OS X Clients
AFP service requires the following Mac OS X system software:
• TCP/IP connectivity
• AppleShare 3.7 or later
Go to the Apple support website at www.apple/support/ to find out the latest version of AppleShare client software supported by Mac OS X.
Setting Up a Mac OS X Client to Mount a Share Point Automatically
As an alternative to using the network mount feature of AFP or NFS, Mac OS X clients can set their computers to mount server volumes automatically.
To set a Mac OS X version 10.2.6 or earlier client computer to mount a server volume automatically:
1 Log in to the client computer as the user and mount the volume.
2 Open System Preferences and click Login Items.
Connecting to the AFP Server from Mac OS 8 or Mac OS 9 Apple file service does not support AppleTalk connections, so clients need to use TCP/IP to access file services. You can use AppleTalk to find Apple file servers, but the connection must be made using TCP/IP. For this to work, AppleTalk Browsing must be enabled on the servers and the clients must have a valid TCP/IP configuration as well as the most recent version of the AppleShare Client software.
4 NFS Service
This chapter describes how to set up and manage the NFS file service in Mac OS X Server. Network File System is the protocol used for file services on UNIX computers. Use the NFS service in Mac OS X Server to provide NFS file service for UNIX clients (including Mac OS X clients). You can export a shared item to a set of client computers or to “World.” Exporting an NFS volume to World means that anyone who can access your server can also access that volume.
Step 3: Create share points and share them using NFS Use the Sharing module of Workgroup Manager to specify the share points you want to export (share) using NFS. You must explicitly configure a share point to use NFS in order for NFS users to be able to access the share point. See “Creating a Share Point” on page 33, “Exporting an NFS Share Point” on page 38, and “Automatically Mounting Share Points for Clients” on page 40.
NFS allows access to information based on the computer’s IP address. This means that a particular client computer will have access to certain share points regardless of who is using the computer. Whenever that computer is started up, some volumes or folders are automatically mounted or made available, and anyone using that computer can access those volumes or folders. With NFS, it’s possible for a user to spoof ownership of another person’s files.
User Datagram Protocol (UDP) is a connection-less transport protocol. UDP doesn’t break data into packets, so it uses fewer system resources. It’s more scalable than TCP, and a good choice for a heavily used server. Do not use UDP, however, if remote clients are using the service.
5 Click Save.
From the Command Line
You can also change the NFS service settings using the serveradmin command in Terminal. For more information, see the file services chapter of the command-line administration guide.
The portmap process allows client computers to find nfs daemons (always one process). The rpc.lockd is a daemon that provides file and record-locking services in an NFS environment. The rpc.statd cooperates with rpc.statd daemons on other hosts to provide a status monitoring service. If a local NFS service crashes and restarts, the rpc.statd daemon will notify the hosts being monitored at the time of the crash.
5 FTP Service
This chapter describes how to set up and manage File Transfer Protocol (FTP) service in Mac OS X Server. FTP (File Transfer Protocol) is a simple way for computers of any type to transfer files over the Internet. Someone using any computer that supports FTP or an FTP client application can connect to your FTP server and upload or download files (depending on the permissions you set).
FTP Users
FTP supports two types of users:
• Authenticated users. These users have accounts on your server (and might even have their home directories stored on the server). Some FTP software refers to these as real users. An authenticated user must provide a user name and password to access server files using FTP. You use the Accounts module of Workgroup Manager to review or set up authenticated users.
• Anonymous users. These users do not have accounts on your server.
FTP Root and Share Points The “FTP Root and Share Points” option gives access—for both authenticated and anonymous users—to the FTP root and any FTP share points to which the users have access privileges, as shown in the following figure.
Home Directory With Share Points When the user environment option is set to “Home Directory with Share Points,” authenticated users log in to their home directories and have access to the FTP root by means of a symbolic link automatically created in their home directories. Users access other FTP share points through symbolic links in the FTP root. As always, access to the FTP share points is controlled by user access privileges.
Home Directory Only When you choose the Home Directory Only option, authenticated users are confined to their home directories and do not have access to the FTP root or other FTP share points, as shown in the following illustration.
On-the-Fly File Conversion FTP service in Mac OS X Server allows users to request compressed or decompressed versions of information on the server. A file-name suffix such as “.Z” or “.gz” indicates that the file is compressed. If a user requests a file called “Hamlet.txt” and the server only has a file named “Hamlet.txt.Z,” it knows that the user wants the decompressed version, and delivers it to the user in that format.
Setup Overview

Here is an overview of the basic steps for setting up FTP service.

Step 1: Before you begin
Read “Before Setting Up FTP Service” on page 81 for issues you should keep in mind when you set up FTP service.

Step 2: Configure FTP General settings
The General settings let you display banner and welcome messages, set the number of login attempts, and provide an administrator email address. See “Configuring General Settings” on page 83.
Server Security and Anonymous Users

Enabling anonymous FTP poses a security risk to your server and data because you open your server to users that you do not know. The access privileges you set for the files and folders on your server are the most important way you can keep information secure.

Anonymous FTP users are only allowed to upload files into a special folder named “uploads” in the FTP root. If the uploads folder doesn’t exist, anonymous users will not be able to upload files at all.
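An added shell audit (not from the guide) of the uploads folder, reflecting the two points above: anonymous uploads depend on a folder named “uploads” in the FTP root, and the folder’s privileges decide who can read whatever gets dropped there. It assumes anonymous sessions are evaluated against the folder’s “others” permission bits (the anonymous account being neither the owner nor a group member), and treats a folder that others can write but not list as the intended drop-box setting; the FTP root in the demo is a constructed temporary directory.

```shell
#!/bin/sh
# Added example, not from the Apple guide: audit the anonymous "uploads" folder.
# Assumption: the anonymous account is neither owner nor group member of the
# folder, so the "others" permission bits decide what anonymous users can do.
# Return codes: 0 = writable but not listable by others (drop-box style)
#               1 = listable by others (uploads readable by every anonymous user)
#               2 = folder missing (anonymous uploads disabled)
#               3 = not writable by others (anonymous uploads fail)
check_uploads_dir() {
  root=$1
  dir=$root/uploads
  if [ ! -d "$dir" ]; then
    echo "uploads folder missing under $root: anonymous uploads are disabled"
    return 2
  fi
  mode=$(ls -ld "$dir" | cut -c1-10)   # e.g. drwx-wx-wx (portable; avoids stat(1) flag differences)
  others=${mode#???????}               # last three characters: r w x bits for "others"
  case $others in
    ?w?) ;;
    *) echo "note: others cannot write to uploads ($mode); anonymous uploads will fail"
       return 3 ;;
  esac
  case $others in
    r??) echo "warning: others can list uploads ($mode); anonymous users can read each other's files"
         return 1 ;;
  esac
  echo "ok: others can write but not list uploads ($mode)"
  return 0
}

# Constructed demo: a temporary FTP root checked under four different states.
demo() {
  root=$(mktemp -d)
  check_uploads_dir "$root" || true              # missing
  mkdir "$root/uploads"
  chmod 733 "$root/uploads"; check_uploads_dir "$root" || true   # drop-box style
  chmod 777 "$root/uploads"; check_uploads_dir "$root" || true   # world-listable
  chmod 755 "$root/uploads"; check_uploads_dir "$root" || true   # not writable
  rm -rf "$root"
}
demo
```

The distinct return codes make the check usable from a periodic job: a 1 means the privileges have drifted to something anonymous users can browse, which is the case worth alerting on.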
Configuring General Settings

You can use the General settings to limit the number of login attempts, provide an administrator email address, and limit the number and type of users.

To configure the FTP General settings:
1 Open Server Admin and select FTP in the Computers & Services list.
2 Click Settings (near the bottom of the window), then click General.
3 To change the number of times a user can try to connect before they are disconnected, type a number in “Disconnect after __ failed login attempts.”
Changing the Greeting Messages

Users see the banner message when they first contact your server (before they log in) and the welcome message when they log in.

To change the banner and welcome messages:
1 Open Server Admin and select FTP in the Computers & Services list.
2 Click Settings (near the bottom of the window), then click Messages.
3 Edit the message text.
4 Select “Show banner message” and “Show welcome message.”
5 Click Save.
Changing Advanced Settings

The Advanced settings let you specify the directories that FTP users can access. You can change the FTP root directory and choose whether users see the FTP root and share points, home directories and share points, or home directories only.

To configure the FTP Advanced settings:
1 Open Server Admin and select FTP in the Computers & Services list.
2 Click Settings (near the bottom of the window), then click Advanced.
From the Command Line
You can also start the FTP service using the serveradmin command in Terminal. For more information, see the file services chapter of the command-line administration guide.

Managing FTP Service

This section describes how to perform typical day-to-day management tasks for FTP service once you have it up and running.

Stopping FTP Service

You stop FTP service using Server Admin.

Important: When you stop FTP service, users are disconnected without warning.
Changing the User Environment

You use the Advanced pane of Configure FTP Service to change the user environment.

To change the FTP user environment:
1 Open Server Admin and select FTP in the Computers & Services list.
2 Click Settings (near the bottom of the window), then click Advanced.
3 Choose the type of user environment you want to provide from the “Authenticated users see” pop-up menu. “FTP Root and Share Points” sets up the Users directory as a share point.
To view FTP log:
1 Open Server Admin and select FTP in the Computers & Services list.
2 Click Log (near the bottom of the window).

To choose the types of events that are recorded, open Server Admin, select AFP, click Settings, then click Logging.

From the Command Line
You can also view the FTP log using the cat or tail commands in Terminal. For more information, see the file services chapter of the command-line administration guide.
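Since the guide points to cat and tail for reading the FTP log, here is an added shell example (not Apple’s) that goes one step further and summarises anonymous uploads from the log with awk. The sample lines are constructed in the xferlog layout used by wu-ftpd-style servers; the guide does not state this server’s log format or the log file’s location, so the field positions are an assumption to be checked against a real line, and the log path is a placeholder.

```shell
#!/bin/sh
# Added example, not from the Apple guide: summarise an FTP transfer log.
# Field layout assumed (wu-ftpd xferlog convention; verify against a real line):
#   1-5 timestamp   6 transfer seconds   7 remote host   8 bytes   9 file   10 type
#   11 special action   12 direction (i = incoming/upload, o = outgoing/download)
#   13 access mode (a = anonymous, r = real user, g = guest)   14 user name ...

# Print host, bytes and path of every anonymous upload.
anon_uploads() {
  awk '$12 == "i" && $13 == "a" { print $7, $8, $9 }' "$1"
}

# Number of anonymous uploads in the log.
count_anon_uploads() {
  anon_uploads "$1" | wc -l | tr -d ' '
}

# Upload bytes per client host: a quick way to spot one client filling the uploads folder.
upload_bytes_by_host() {
  awk '$12 == "i" { bytes[$7] += $8 } END { for (h in bytes) print h, bytes[h] }' "$1" | sort
}

# Constructed sample log (addresses from documentation ranges, not real traffic).
write_sample_log() {
  cat > "$1" <<'EOF'
Mon Mar  7 10:12:01 2005 1 192.0.2.10 1024 /uploads/report.doc b _ i a anonymous@example.net ftp 0 * c
Mon Mar  7 10:13:45 2005 3 192.0.2.10 20480 /uploads/photos.zip b _ i a anonymous@example.net ftp 0 * c
Mon Mar  7 10:15:09 2005 2 198.51.100.7 4096 /Hamlet.txt a _ o a anonymous@example.net ftp 0 * c
Mon Mar  7 10:20:30 2005 1 203.0.113.5 512 /Users/alice/notes.txt a _ i r alice ftp 0 * c
EOF
}

demo() {
  log=$(mktemp)
  write_sample_log "$log"
  echo "anonymous uploads: $(count_anon_uploads "$log")"
  anon_uploads "$log"
  echo "upload bytes by host:"
  upload_bytes_by_host "$log"
  rm -f "$log"
  # Against a live server the same awk filter follows the log as it grows:
  #   tail -f /path/to/FTP-transfer-log | awk '$12 == "i" && $13 == "a"'   (placeholder path)
}
demo
```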
6 Solving Problems

This chapter lists possible solutions to common problems you might encounter while working with the file services in Mac OS X Server.

Problems are listed in the following categories:
• Problems with share points
• Problems with AFP service
• Problems with Windows service
• Problems with NFS service
• Problems with FTP service

Problems With Share Points

There are several ways to diagnose and solve problems with share points.
Users Can’t Find a Shared Item
• If a user can’t find a shared item, check the access privileges for the item. The user must have Read access privileges to the share point where the item is located and to each folder in the path to the item.
• Keep in mind that server administrators don’t see share points the same way a user does over AFP because administrators see everything on the server.
• If the user is searching for the server via AppleTalk (in the Chooser), make sure you’ve enabled browsing over AppleTalk in the General pane of the AFP service settings, and that AppleTalk is active on both the server and the user’s computer.
• Check the name you assigned to the file server and make sure users are looking for the correct name.

User Can’t Connect to the AFP Server
• Make sure the user has entered the correct user name and password.
User Can’t Log in to the Windows Server
• If you’re using Password Server to authenticate users, check to make sure that it is configured correctly.
• If you have user accounts created in a previous version of Mac OS X Server (version 10.1 or earlier) that are still configured to use Authentication Manager, make sure that Authentication Manager is enabled. Then reset the passwords of existing users who will be using Windows services. Reset the user’s password and try again.
• See if there are any problems with directory services, and if the directory services server is operating and connected to the network. For help with directory services, see the Open Directory administration guide.
• Verify that IP filter service is configured to allow access to the appropriate ports. If clients still can’t connect, see if the client is using FTP passive mode and turn it off.
Glossary

AFP  Apple Filing Protocol. A client/server protocol used by Apple file service on Macintosh-compatible computers to share files and network services. AFP uses TCP/IP and other protocols to communicate between computers on a network.

access control  A method of controlling which computers can access a network or network services.

access control list  See ACL.

ACL  Access Control List. A list maintained by a system that defines the rights of users and groups to access resources on the system.
command-line interface  A way of interfacing with the computer (for example, to run programs or modify file system permissions) by entering text commands at a shell prompt.

Common Internet File System  See SMB/CIFS.

daemon  A program that runs in the background and provides important system services, such as processing incoming email or handling requests from the network.

DHCP  Dynamic Host Configuration Protocol. A protocol used to dynamically distribute IP addresses to client computers.
drop box A shared folder with privileges that allow other users to write to, but not read, the folder’s contents. Only the owner has full access. Drop boxes should be created only using AFP. When a folder is shared using AFP, the ownership of an item written to the folder is automatically transferred to the owner of the folder, thus giving the owner of a drop box full access to and control over items put into it.
Internet  Generally speaking, a set of interconnected computer networks communicating through a common protocol (TCP/IP). The Internet (note the capitalization) is the most extensive publicly accessible system of interconnected computer networks in the world.

Internet Protocol  See IP.

IP  Internet Protocol. Also known as IPv4. A method used with Transmission Control Protocol (TCP) to send data between computers over a local network or the Internet.
mount (verb)  In general, to make a remote directory or volume available for access on a local system. In Xsan, to cause an Xsan volume to appear on a client’s desktop, just like a local disk.

multicast DNS  A protocol developed by Apple for automatic discovery of computers, devices, and services on IP networks. This proposed Internet standard protocol is sometimes referred to as “ZeroConf.” For more information, visit www.apple.com or www.zeroconf.org.
pathname  The location of an item within a file system, represented as a series of names separated by slashes (/).

permissions  Settings that define the kind of access users have to shared items in a file system. You can assign four types of permissions to a share point, folder, or file: read/write, read-only, write-only, and none (no access). See also privileges.

port  A sort of virtual mail slot. A server uses port numbers to determine which application should receive data packets.
single sign-on  An authentication strategy that relieves users from entering a name and password separately for every network service. Mac OS X Server uses Kerberos to enable single sign-on.

SLP DA  Service Location Protocol Directory Agent. A protocol that registers services available on a network and gives users easy access to them. When a service is added to the network, the service uses SLP to register itself on the network. SLP/DA uses a centralized repository for registered network services.
volume  A mountable allocation of storage that behaves, from the client’s perspective, like a local hard disk, hard disk partition, or network volume. In Xsan, a volume consists of one or more storage pools. See also logical disk.

WebDAV  Web-based Distributed Authoring and Versioning. A live authoring environment that allows client users to check out webpages, make changes, and then check the pages back in while a site is running.

WINS  Windows Internet Naming Service.