Apple MacOSXServer File Services Administration User Manual Mac OSXServerv10.5 Admin V10.5

User Manual: Apple MacOSXServer MacOSXServerv10.5-FileServicesAdministration

Open the PDF directly: View PDF PDF.
Page Count: 143 [warning: Documents this large are best viewed by clicking the View PDF Link!]

Mac OS X Server
File Services Administration
For Version 10.5 Leopard
K
Apple Inc.
© 2007 Apple Inc. All rights reserved.
The owner or authorized user of a valid copy of
Mac OS X Server software may reproduce this
publication for the purpose of learning to use such
software. No part of this publication may be reproduced
or transmitted for commercial purposes, such as selling
copies of this publication or for providing paid-for
support services.
Every effort has been made to ensure that the
information in this manual is accurate. Apple Inc. is not
responsible for printing or clerical errors.
Apple
1 Infinite Loop
Cupertino CA 95014-2084
www.apple.com
The Apple logo is a trademark of Apple Inc., registered
in the U.S. and other countries. Use of the “keyboard”
Apple logo (Option-Shift-K) for commercial purposes
without the prior written consent of Apple may
constitute trademark infringement and unfair
competition in violation of federal and state laws.
Apple, the Apple logo, AppleShare, AppleTalk, Bonjour,
ColorSync, Mac, Macintosh, QuickTime, Xgrid, Xsan, and
Xserve are trademarks of Apple Inc., registered in the
U.S. and other countries. Finder and Spotlight are
trademarks of Apple Inc.
Adobe and PostScript are trademarks of Adobe Systems
Incorporated.
UNIX is a registered trademark of The Open Group.
Other company and product names mentioned herein
are trademarks of their respective companies. Mention
of third-party products is for informational purposes
only and constitutes neither an endorsement nor a
recommendation. Apple assumes no responsibility with
regard to the performance or use of these products.
019-0933/2007-09-01
3
1
Contents
Preface 9 About This Guide
9
What’s New in File Services
9
What’s in This Guide
10
Using Onscreen Help
11
Mac OS X Server Administration Guides
12
Viewing PDF Guides on Screen
12
Printing PDF Guides
13
Getting Documentation Updates
13
Getting Additional Information
Chapter 1 15 Understanding File Services
15
Protocol Overview
16
Protocol Comparison
16
Protocol Security Comparison
17
Deployment Planning
17
Determining the Best Protocol for Your Needs
17
Determining Hardware Requirements for Your Needs
17
Planning for Outages and Failovers
Chapter 2 19 Setting Up File Service Permissions
19
Permissions in the Mac OS X Environment
20
Kinds of Permissions
20
Standard Permissions
22
ACLs
24
Supported Volume Formats and Protocols
24
Access Control Entries (ACEs)
24
What’s Stored in an ACE
25
Explicit and Inherited ACEs
25
Understanding Inheritance
28
Rules of Precedence
29
Tips and Advice
30
Common Folder Configurations
31
File Services Access Control
4
Contents
32
Customizing Shared Network Resources
32
Share Points in the Network Folder
32
Adding System Resources to the Network Library Folder
32
Security Considerations
32
Restricting Access to File Services
32
Restricting Access to Everyone
33
Restricting Access to NFS Share Points
33
Restricting Guest Access
Chapter 3 35 Setting Up Share Points
35
Share Points and the Mac OS X Network Folder
36
Automounting
36
Share Points and Network Home Folders
36
Setup Overview
37
Before Setting Up a Share Point
37
Client Privileges
37
File Sharing Protocols
38
Shared Information Organization
38
Security
38
Network Home Folders
39
Disk Quotas
39
Setting Up a Share Point
39
Creating a Share Point
40
Setting Privileges
41
Changing AFP Settings for a Share Point
42
Changing SMB Settings for a Share Point
43
Changing FTP Settings for a Share Point
44
Exporting an NFS Share Point
46
Resharing NFS Mounts as AFP Share Points
47
Automatically Mounting Share Points for Clients
48
Managing Share Points
48
Checking File Sharing Status
48
Disabling a Share Point
49
Disabling a Protocol for a Share Point
49
Viewing Share Point Configuration and Protocol Settings
50
Viewing Share Point Content and Privileges
50
Managing Share Point Access Privileges
55
Changing the Protocols Used by a Share Point
56
Changing NFS Share Point Client Access
56
Enabling Guest Access to a Share Point
57
Setting Up a Drop Box
58
Setting Up a Network Library
58
Using Mac OS X Server for Network Attached Storage
Contents
5
60
Configuring Spotlight for Share Points
61
Configuring Time Machine Backup Destination
61
Monitoring Share Point Quotas
62
Setting SACL Permissions
62
Setting SACL Permissions for Users and Groups
62
Setting SACL Permissions for Administrators
Chapter 4 65 Working with AFP Service
65
Kerberos Authentication
66
Automatic Reconnect
66
Find Content
66
AppleTalk Support
66
AFP Service Specifications
67
Setup Overview
67
Turning AFP Service On
68
Setting Up AFP Service
68
Configuring General Settings
69
Configuring Access Settings
70
Configuring Logging Settings
71
Configuring Idle Users Settings
72
Starting AFP Service
72
Managing AFP Service
72
Checking AFP Service Status
73
Viewing AFP Service Logs
73
Viewing AFP Graphs
74
Viewing AFP Connections
74
Stopping AFP Service
75
Enabling Bonjour Browsing
75
Limiting Connections
76
Keeping an Access Log
77
Disconnecting a User
77
Automatically Disconnecting Idle Users
78
Sending a Message to a User
78
Enabling Guest Access
79
Creating a Login Greeting
79
Integrating Active Directory and AFP Services
80
Supporting AFP Clients
80
Mac OS X Clients
80
Connecting to the AFP Server in Mac OS X
81
Changing the Default User Name for AFP Connections
82
Setting Up a Mac OS X Client to Automatically Mount a Share Point
83
Connecting to the AFP Server from Mac OS 8 and Mac OS 9 Clients
83
Setting up a Mac OS 8 or Mac OS 9 Client to Automatically Mount a Share Point
6
Contents
83
Configuring IP Failover
84
IP Failover Overview
86
Acquiring Master Address—Chain of Events
87
Releasing Master Address—Chain of Events
88
IP Failover Setup
88 Connecting the Master and Backup Servers to the Same Network
89 Connecting the Master and Backup Servers Together
89 Configuring the Master Server for IP Failover
90 Configuring the Backup Server for IP Failover
90 Configuring the AFP Reconnect Server Key
91 Viewing the IP Failover Log
Chapter 5 93 Working with SMB Service
93 File Locking with SMB Share Points
94 Setup Overview
95 Turning On SMB Service
95 Setting Up SMB Service
96 Configuring General Settings
97 Configuring Access Settings
98 Configuring Logging Settings
98 Configuring Advanced Settings
99 Starting SMB Service
100 Managing SMB Service
100 Viewing SMB Service Status
100 Viewing SMB Service Logs
101 Viewing SMB Graphs
101 Viewing SMB Connections
102 Stopping SMB Service
102 Enabling or Disabling Virtual Share Points
Chapter 6 103 Working with NFS Service
103 Setup Overview
104 Before Setting Up NFS Service
104 Turning On NFS Service
105 Setting Up NFS Service
105 Configuring NFS Settings
106 Starting NFS Service
106 Managing NFS Service
106 Checking NFS Service Status
107 Viewing NFS Connections
107 Stopping NFS Service
108 Viewing Current NFS Exports
Contents 7
Chapter 7 109 Working with FTP Service
109 A Secure FTP Environment
110 FTP Users
110 The FTP Root Folder
110 FTP User Environments
113 On-the-Fly File Conversion
114 Kerberos Authentication
114 FTP Service Specifications
114 Setup Overview
115 Before Setting Up FTP Service
116 Server Security and Anonymous Users
116 Turning On FTP Service
116 Setting Up FTP Service
116 Configuring General Settings
117 Configuring Greeting Messages
118 Displaying Banner and Welcome Messages
119 Displaying Messages Using message.txt Files
119 Using README Messages
119 Configuring FTP Logging Settings
120 Configuring FTP Advanced Settings
120 Starting FTP Service
120 Permitting Anonymous User Access
121 Creating an Uploads Folder for Anonymous Users
121 Changing the User Environment
122 Changing the FTP Root Folder
122 Managing FTP Service
122 Checking FTP Service Status
123 Viewing the FTP Service Log
123 Viewing FTP Graphs
124 Viewing FTP Connections
124 Stopping FTP Service
Chapter 8 125 Solving Problems
125 Problems with Share Points
125 If Users Can’t Access Shared Optical Media
125 If Users Can’t Access External Volumes Using Server Admin
126 If Users Can’t Find a Shared Item
126 If Users Can’t Open Their Home Folder
126 If Users Can’t Find a Volume or Folder to Use as a Share Point
126 If Users Can’t See the Contents of a Share Point
126 Problems with AFP Service
127 If Users Can’t Find the AFP Server
127 If Users Can’t Connect to the AFP Server
8Contents
127 If Users Don’t See the Login Greeting
127 Problems with SMB Service
127 If Windows Users Can’t See the Windows Server in Network Neighborhood
128 If Users Can’t Log In to the Windows Server
128 Problems with NFS Service
128 Problems with FTP Service
128 If FTP Connections Are Refused
129 If Clients Can’t Connect to the FTP Server
129 If Anonymous FTP Users Can’t Connect
129 Problems with IP Failover
130 If IP Failover Does Not Occur
130 If IP Failover Mail Notifications Are Not Working
130 If You Are Still Having Problems After Failover Occurs
Glossary 131
Index 139
9
Preface
About This Guide
This guide describes how to configure and use file services
with Mac OS X Server.
File sharing requires file server administrators to manage user privileges for all shared
folders and files. Configuring Mac OS X Server as a file server offers you reliable
high-performance file sharing using native protocols for Mac, Windows, and Linux
workgroups. The server fits seamlessly into any environment, including mixed-platform
networks.
Mac OS X Server v10.5 delivers expanded functions of current features and introduces
enhancements to support heterogeneous networks, maximize user productivity, and
make file services more secure and easier to manage.
What’s New in File Services
File services contain several changes and enhancements that provide ease of use and
greater functionality, such as:
ÂSharing functionality has been relocated to Server Admin. This combines the share
point configuration with the configuration of the file service protocols in one tool.
ÂSpotlight is now supported in AFP. Spotlight indexing allows you to do quick
searches of network volumes. You can turn on Spotlight indexing for a share point in
Server Admin.
ÂNFS supports Kerberos authentication. Kerberos is a standard network authentication
protocol used to provide secure authentication and communication over open
networks.
What’s in This Guide
This guide includes the following chapters:
ÂChapter 1, “Understanding File Services,” provides an overview of Mac OS X Server
file services.
10 Preface About This Guide
ÂChapter 2, “Setting Up File Service Permissions,” explains standard permissions and
ACLs and discusses related security issues.
ÂChapter 3, “Setting Up Share Points,” describes how to share specific volumes and
directories by using Apple Filing Protocol (AFP), Server Message Block (SMB)/
Common Internet File System (CIFS) protocol, File Transfer Protocol (FTP), and
Network File System (NFS) protocol. It also describes how to set standard and ACL
permissions.
ÂChapter 4, “Working with AFP Service,” describes how to set up and manage AFP
service in Mac OS X Server and also describes how you can set up IP Failover in
Mac OS X Server.
ÂChapter 5, “Working with SMB Service,” describes how to set up and manage SMB
service in Mac OS X Server.
ÂChapter 6, “Working with NFS Service,” describes how to set up and manage NFS
service in Mac OS X Server.
ÂChapter 7, “Working with FTP Service,” describes how to set up and manage FTP
service in Mac OS X Server.
ÂChapter 8, “Solving Problems,” lists potential solutions to common problems you
might encounter while working with the file services in Mac OS X Server.
In addition, the Glossary provides brief definitions of terms used in this guide.
Note: Because Apple periodically releases new versions and updates to its software,
images shown in this book may be different from what you see on your screen.
Using Onscreen Help
You can get task instructions onscreen in Help Viewer while youre managing
Mac OS X Server. You can view help on a server or an administrator computer.
(An administrator computer is a Mac OS X computer with Mac OS X Server
administration software installed on it.)
To get help for an advanced configuration of Mac OS X Server:
mOpen Server Admin or Workgroup Manager and then:
ÂUse the Help menu to search for a task you want to perform.
ÂChoose Help > Server Admin Help or Help > Workgroup Manager Help to browse
and search the help topics.
The onscreen help contains instructions taken from Server Administration and other
advanced administration guides described in “Mac OS X Server Administration Guides,”
next.
Preface About This Guide 11
Mac OS X Server Administration Guides
Getting Started covers basic installation and initial setup methods for a standard,
workgroup, or covers installation and setup for standard and workgroup configurations
of Mac OS X Server. For advanced configurations, Server Administration covers planning,
installation, setup, and general server administration. A suite of additional guides, listed
below, covers advanced planning, setup, and management of individual services. You
can get these guides in PDF format from the Mac OS X Server documentation website:
www.apple.com/server/documentation
This guide ... tells you how to:
Getting Started and
Installation & Setup Worksheet
Install Mac OS X Server and set it up for the first time.
Command-Line Administration Install, set up, and manage Mac OS X Server using UNIX command-
line tools and configuration files.
File Services Administration Share selected server volumes or folders among server clients
using the AFP, NFS, FTP, and SMB protocols.
iCal Service Administration Set up and manage iCal shared calendar service.
iChat Service Administration Set up and manage iChat instant messaging service.
Mac OS X Security Configuration Make Mac OS X computers (clients) more secure, as required by
enterprise and government customers.
Mac OS X Server Security
Configuration
Make Mac OS X Server and the computer it’s installed on more
secure, as required by enterprise and government customers.
Mail Service Administration Set up and manage IMAP, POP, and SMTP mail services on the
server.
Network Services Administration Set up, configure, and administer DHCP, DNS, VPN, NTP, IP firewall,
NAT, and RADIUS services on the server.
Open Directory Administration Set up and manage directory and authentication services, and
configure clients to access directory services.
Podcast Producer Administration Set up and manage Podcast Producer service to record, process,
and distribute podcasts.
Print Service Administration Host shared printers and manage their associated queues and print
jobs.
QuickTime Streaming and
Broadcasting Administration
Capture and encode QuickTime content. Set up and manage
QuickTime streaming service to deliver media streams live or on
demand.
Server Administration Perform advanced installation and setup of server software, and
manage options that apply to multiple services or to the server as a
whole.
System Imaging and Software
Update Administration
Use NetBoot, NetInstall, and Software Update to automate the
management of operating system and other software used by
client computers.
Upgrading and Migrating Use data and service settings from an earlier version of Mac OS X
Server or Windows NT.
12 Preface About This Guide
Viewing PDF Guides on Screen
While reading the PDF version of a guide onscreen:
ÂShow bookmarks to see the guide’s outline, and click a bookmark to jump to the
corresponding section.
ÂSearch for a word or phrase to see a list of places where it appears in the document.
Click a listed place to see the page where it occurs.
ÂClick a cross-reference to jump to the referenced section. Click a web link to visit the
website in your browser.
Printing PDF Guides
If you want to print a guide, you can take these steps to save paper and ink:
ÂSave ink or toner by not printing the cover page.
ÂSave color ink on a color printer by looking in the panes of the Print dialog for an
option to print in grays or black and white.
ÂReduce the bulk of the printed document and save paper by printing more than one
page per sheet of paper. In the Print dialog, change Scale to 115% (155% for Getting
Started). Then choose Layout from the untitled pop-up menu. If your printer supports
two-sided (duplex) printing, select one of the Two-Sided options. Otherwise, choose
2 from the Pages per Sheet pop-up menu, and optionally choose Single Hairline from
the Border menu. (If you’re using Mac OS X v10.4 or earlier, the Scale setting is in the
Page Setup dialog and the Layout settings are in the Print dialog.)
You may want to enlarge the printed pages even if you don’t print double sided,
because the PDF page size is smaller than standard printer paper. In the Print dialog or
Page Setup dialog, try changing Scale to 115% (155% for Getting Started, which has CD-
size pages).
User Management Create and manage user accounts, groups, and computers. Set up
managed preferences for Mac OS X clients.
Web Technologies Administration Set up and manage web technologies, including web, blog,
webmail, wiki, MySQL, PHP, Ruby on Rails, and WebDAV.
Xgrid Administration and High
Performance Computing
Set up and manage computational clusters of Xserve systems and
Mac computers.
Mac OS X Server Glossary Learn about terms used for server and storage products.
This guide ... tells you how to:
Preface About This Guide 13
Getting Documentation Updates
Periodically, Apple posts revised help pages and new editions of guides. Some revised
help pages update the latest editions of the guides.
ÂTo view new onscreen help topics for a server application, make sure your server or
administrator computer is connected to the Internet and click “Latest help topics” or
“Staying current” in the main help page for the application.
ÂTo download the latest guides in PDF format, go to the Mac OS X Server
documentation website:
www.apple.com/server/documentation
Getting Additional Information
For more information, consult these resources:
ÂRead Me documents—important updates and special information. Look for them on
the server discs.
ÂMac OS X Server website (www.apple.com/server/macosx)—gateway to extensive
product and technology information.
ÂMac OS X Server Support website (www.apple.com/support/macosxserver)—access to
hundreds of articles from Apple’s support organization.
ÂApple Training website (www.apple.com/training)—instructor-led and self-paced
courses for honing your server administration skills.
ÂApple Discussions website (discussions.apple.com)—a way to share questions,
knowledge, and advice with other administrators.
ÂApple Mailing Lists website (www.lists.apple.com)—subscribe to mailing lists so you
can communicate with other administrators using email.
ÂApple Filing Protocol (AFP) website (developer.apple.com/documentation/Networking/
Conceptual/AFP)—manual describing AFP.
ÂSamba website (www.samba.org)—information about Samba, the open source
software on which SMB service in Mac OS X Server are based.
ÂCommon Internet File System (CIFS) website (www.ubiqx.org/cifs)—detailed description
of how CIFS works.
ÂFile Transfer Protocol (FTP) website (www.faqs.org/rfcs/rfc959.html)—home of the FTP
Request for Comments (RFC) document.
ÂFile Transfer Protocol (TFTP) website (asg.web.cmu.edu/rfc/rfc1350.html)—home of the
TFTP RFC document.
Note: RFC documents provide an overview of a protocol or service that can be helpful
for novice administrators, and more detailed technical information for experts. You can
search for RFC documents at www.faqs.org/rfcs.
14 Preface About This Guide
1
15
1Understanding File Services
This chapter provides an overview of Mac OS X Server file
services.
Mac OS X Server includes several file services that help you manage and maintain your
shared network resources. Understanding each service and its associated protocol
helps you determine how to plan and configure your network for optimum
performance and security.
Protocol Overview
File services provide a way for client computers to access and share files, applications,
and other resources on a network. Each file service uses a protocol to communicate
between the server and client computers. Depending on your network configuration,
you can choose from the following file services:
ÂAFP service uses Apple Filing Protocol (AFP) to share resources with clients who use
Macintosh computers.
ÂSMB service uses the Server Message Block/Common Internet File System
(SMB/CIFS) protocol to share resources with and provide name resolutions for clients
who use Windows or Windows-compatible computers.
ÂFTP service uses File Transfer Protocol (FTP) to share files with anyone using FTP
client software.
ÂNFS service uses the Network File System (NFS) protocol to share files and folders
with users (typically UNIX users) who have NFS client software.
After configuring your file services, you can manage your shared network resources by
monitoring network activity and controlling access to each service.
16 Chapter 1 Understanding File Services
Protocol Comparison
When sharing network resources, you may have more than one service turned on
depending on the platforms that require access to these resources. The following table
describes which service protocols are supported for each platform.
Protocol Security Comparison
When sharing network resources, configure your server to provide the necessary
security.
AFP and SMB provide some level of encryption to secure password authentication.
SMB does not encrypt data transmissions over the network so you should only use it
on a securely configured network.
FTP does not provide password or data encryption. When using this protocol,
make sure your network is securely configured. Instead of using FTP, consider using
the scp or sftp command-line tools. These tools securely authenticate and securely
transfer files.
The following table provides a comparison of the protocols and their authentication
and encryption capabilities.
Protocol Platform Default Ports
AFP Mac OS X and Mac OS X Server 548
SMB Mac OS X, Mac OS X Server, Windows, UNIX, and Linux 137, 138, and 139
FTP Mac OS X, Mac OS X Server, Windows, UNIX, and Linux 21
NFS Mac OS X, Mac OS X Server, Windows, UNIX, and Linux 2049
Protocol Authentication Data Encryption
AFP Cleartext and encrypted (Kerberos)
passwords.
Can be configured to encrypt all data
transmission.
NFS Encrypted (Kerberos) password and
system authentication.
Can be configured to encrypt all data
transmission.
SMB Cleartext and encrypted (NTLM v1,
NTLM v2, LAN Manager, and
Kerberos) passwords.
Not encrypted and data is visible during
transmission.
FTP All passwords are sent as cleartext.
No encryption.
All data is sent as cleartext. No encryption.
Chapter 1 Understanding File Services 17
Deployment Planning
When planning your network, consider the protocols your network configuration
requires. For example, if your network consists of multiplatform computers, consider
using SMB and AFP services to permit access to both platforms.
Determining the Best Protocol for Your Needs
The file service protocols you use depend on your network configuration and what
platforms you are supporting.
Determining Hardware Requirements for Your Needs
If youre sharing network resources with other networks or Ethernet, your firewall must
permit communication through all ports associated with your service.
Planning for Outages and Failovers
When planning for outages and failovers, consider eliminating as many single points of
failure throughout your network as possible. A basic example of a single point of failure
would be a single computer with a single hard disk and a single power source.
If you have a single computer, you can eliminate the single points of failure by:
ÂConfiguring your computer with more disk drives using a redundant array of
independent disks (RAID). By configuring a RAID you can help prevent data loss. For
example, if the main disk fails, the system can still access the data from the other disk
drives in the RAID.
ÂConnecting the power source of the computer to a backup power source.
ÂProviding another computer with the same configuration to eliminate the computer
as the single point of failure. If you don’t have another computer, you can configure
your computer to automatically reboot on power failure. This ensures your computer
will reboot as soon as power is restored.
You can also help diminish the possibility of failure by ensuring that your equipment
has proper operational conditions (for example, adequate temperature and humidity
levels). A more advanced method of eliminating a single point of failure would involve
link aggregation, load balancing, Open Directory replication, data backup, and using
Xserve and RAID devices.
For more information about these topics, see Xgrid Administration and High Performance
Computing.
18 Chapter 1 Understanding File Services
2
19
2Setting Up File Service
Permissions
This chapter explains standard permissions and Access
Control Lists (ACLs), and discusses related security issues.
An important aspect of computer security is the granting and denying of permissions.
A permission is the ability to perform a specific operation, such as gaining access to
data or executing code. Permissions are granted at the level of folders, subfolders, files,
or applications. Use Server Admin to set up file service permissions.
In this guide, the term privileges refers to the combination of ownership and
permissions, while the term permissions refers to the permission settings that each user
category can have (Read & Write, Read Only, Write Only, and None).
Permissions in the Mac OS X Environment
If youre new to Mac OS X and are not familiar with UNIX, there are differences in the
way ownership and permissions are handled compared to Mac OS 9.
To increase security and reliability, Mac OS X sets many system folders, such as /Library/,
to be owned by the root user (literally, a user named root). Files and folders owned by
root can’t be changed or deleted by you unless you’re logged in as root.
Be careful—there are few restrictions on what you can do when you log in as root, and
changing system data can cause problems. An alternative to logging in as root is to use
the sudo command.
Note: The Finder calls the root user system.
By default, files and folders are owned by the user who creates them. After theyre
created, items keep their privileges (a combination of ownership and permissions) even
when moved, unless the privileges are explicitly changed by their owners or an
administrator.
20 Chapter 2 Setting Up File Service Permissions
Therefore, new files and folders you create are not accessible by client users if they are
created in a folder that the users don’t have privileges for. When setting up share
points, make sure that items have the correct access privileges for the users you want
to share them with.
Kinds of Permissions
Mac OS X Server supports two kinds of file and folder permissions:
ÂStandard Portable Operating System Interface (POSIX) permissions
ÂAccess Control Lists (ACLs)
Standard POSIX permissions enable you to control access to files and folders based on
three categories of users: Owner, Group, and Others. Although these permissions give
you adequate control over who can access a file or a folder, they lack the flexibility and
granularity that many organizations require to deal with elaborate user environments.
This is where ACLs come in handy. An ACL provides an extended set of permissions for
a file or folder and enables you to set multiple users and groups as owners. In addition,
ACLs are compatible with Windows Server 2003 and Windows XP, giving you added
flexibility in a multiplatform environment.
Standard Permissions
There are four types of standard POSIX access permissions that you can assign to a
share point, folder, or file: Read & Write, Read Only, Write Only, and None. The table
below shows how these permissions affect user access to different types of shared
items (files, folders, and share points).
Note: QuickTime Streaming Server (QTSS) and WebDAV have separate permissions
settings. For information about QTSS, see the QTSS online help and the QuickTime
website (www.apple.com/quicktime/products/qtss). You’ll find information about Web
permissions in Web Technologies Administration.
Users can Read & Write Read Only Write Only None
Open a shared file Yes Yes No No
Copy a shared file Yes Yes No No
Open a shared folder or share point Yes Yes No No
Copy a shared folder or share point Yes Yes No No
Edit a shared file Yes No No No
Move items to a shared folder or share point Yes No Yes No
Move items from a shared folder or share point Yes No No No
Chapter 2 Setting Up File Service Permissions 21
Explicit Permissions
Share points and the shared items they contain (including folders and files) have
separate permissions. If you move an item to a different folder, it retains its permissions
and doesn’t adopt the permissions of the folder where you moved it.
In the following illustration, the second folder (Designs) and the third folder
(Documents) were assigned permissions that are different from those of their parent
folders:
When ACLs are not enabled, you can also set up an AFP or SMB share point so new files
and folders inherit the permissions of their parent folder. See “Changing AFP Settings
for a Share Point” on page 41, or “Changing SMB Settings for a Share Point” on page 42.
The User Categories Owner, Group, and Others
You can assign standard POSIX access permissions separately to three categories of
users:
ÂOwner—A user who creates an item (file or folder) on the file server is its owner and
automatically has Read & Write permissions for that folder. By default, the owner of
an item and the server administrator are the only users who can change its access
privileges (enable a group or others to use the item). The administrator can also
transfer ownership of the shared item to another user.
Note: When you copy an item to a drop box on an Apple file server, ownership of the
item doesn’t change. Only the owner of the drop box or root has access to its
contents.
ÂGroup—You can put users who need the same access to files and folders in group
accounts. Only one group can be assigned access permissions to a shared item. For
more information about creating groups, see User Management.
ÂOthers—Others is any user (registered user or guest) who can log in to the file server.
Engineering
Read & Write
Designs
Documents
Read Only
Read & Write
22 Chapter 2 Setting Up File Service Permissions
Hierarchy of Permissions
If a user is included in more than one category of users, each of which has different
permissions, these rules apply:
ÂGroup permissions override Others permissions.
ÂOwner permissions override Group permissions.
For example, when a user is both the owner of a shared item and a member of the
group assigned to it, the user has the permissions assigned to the owner.
Client Users and Permissions
Users of AppleShare Client software can set access privileges for files and folders they
own. Users who use Windows file sharing services can also set access privileges.
Standard Permission Propagation
Server Admin lets you specify which standard permissions to propagate. For example,
you can propagate only the permission for Others to all descendants of a folder, and
leave the permissions for Owner and Group unchanged. For more information, see
“Propagating Permissions” on page 53.
ACLs
When standard POSIX permissions are not enough, use access control lists (ACLs). An
ACL is a list of access control entries (ACEs), each specifying the permissions to be
granted or denied to a group or user and how these permissions are propagated
throughout a folder hierarchy.
ACLs in Mac OS X Server enable you to set file and folder access permissions to
multiple users and groups in addition to standard POSIX permissions. This makes it
easy to set up collaborative environments with smooth file sharing and uninterrupted
workflows, without compromising security.
ACLs provide an extended set of permissions for a file or folder to give you more
granularity when assigning privileges than standard permissions would provide. For
example, rather than giving a user full writing permissions, you can restrict him or her
to create only folders and not files.
Apples ACL model supports 13 permissions for controlling access to files and folders, as
described in the following table.
Permission name Type Description
Change Permissions Administration User can change standard permissions.
Take Ownership Administration User can change the file’s or folders ownership to
himself or herself.
Read Attributes Read User can view the file’s or folder’s attributes (for
example, name, date, and size).
Chapter 2 Setting Up File Service Permissions 23
In addition to these permissions, the Apple ACL model defines four types of inheritance
that specify how these permissions are propagated:
ÂApply to this folder: Apply (Administration, Read, and Write) permissions to this folder.
ÂApply to child folders: Apply permissions to subfolders.
ÂApply to child files: Apply permissions to the files in this folder.
ÂApply to all descendants: Apply permissions to all descendants. To learn how this
option works with the previous two, see “Understanding Inheritance” on page 25.
The ACL Use Model
The ACL use model focuses on access control at the folder level, with most ACLs
applied to files as the result of inheritance.
Folder-level control determines which users have access to the contents of a folder;
inheritance determines how a defined set of permissions and rules pass from the
container to the objects in it.
Without use of this model, administration of access control would quickly become a
nightmare: you would need to create and manage ACLs on thousands or millions of
files. In addition, controlling access to files through inheritance frees applications from
maintaining extended attributes or explicit ACEs when saving a file because the system
automatically applies inherited ACEs to files. For information about explicit ACEs, see
“Explicit and Inherited ACEs on page 25.
Read Extended
Attributes
Read User can view the file’s or folder’s attributes added by
third-party developers.
List Folder Contents
(Read Data)
Read User can list folder contents and read files.
Traverse Folder
(Execute File)
Read User can open subfolders and run a program.
Read Permissions Read User can view the file’s or folder’s standard permissions
using the Get Info or Terminal commands.
Write Attributes Write User can change the file’s or folder’s standard attributes.
Write Extended
Attributes
Write User can change the file’s or folder’s other attributes.
Create Files (Write
Data)
Write User can create files and change files.
Create Folder (Append
Data)
Write User can create subfolders and add data to files.
Delete Write User can delete file or folder.
Delete Subfolders and
Files
Write User can delete subfolders and files.
Permission name Type Description
24 Chapter 2 Setting Up File Service Permissions
ACLs and Standard Permissions
You can set ACL permissions for files and folders in addition to standard permissions.
For more information about how Mac OS X Server uses ACL and standard permissions
to determine what users can and cannot do to a file or folder, see “Rules of Precedence
on page 28.
ACL Management
In Mac OS X Server, you create and manage ACLs in the Permissions pane of File
Sharing in Server Admin. The Get Info window in Finder displays the logged-in user’s
effective permissions. For information about setting up and managing ACLs, see
“Setting ACL Permissions” on page 40 and “Managing Share Point Access Privileges” on
page 50.
In addition to using Server Admin to set and view ACL permissions you can also use
the command-line tools ls and chmod. For more information, see the corresponding
man pages and Command-Line Administration.
You define ACLs for share points, files, and folders using Server Admin.
Supported Volume Formats and Protocols
Only HFS+ provides local file system support for ACLs. In addition, only SMB and AFP
provide network file system support for ACLs in Windows and Apple networks
respectively.
Access Control Entries (ACEs)
An access control entry (ACE) is an entry in an ACL that specifies, for a group or a user,
access permissions to a file or folder, and the rules of inheritance.
What’s Stored in an ACE
An ACE contains the following fields:
ÂUser or Group. An ACE stores a universally unique ID for a group or user, which
permits unambiguous resolution of identity.
ÂType. An ACE supports two permission types, Allow and Deny, which determine
whether permissions are granted or denied in Server Admin.
ÂPermission. This field stores the settings for the 13 permissions supported by the
Apple ACL model.
ÂInherited. This field specifies whether the ACE is inherited from the parent folder.
ÂApplies To. This field specifies what the ACE permission is for.
Chapter 2 Setting Up File Service Permissions 25
Explicit and Inherited ACEs
Server Admin supports two types of ACEs:
ÂExplicit ACEs, which are those you create in an ACL. See “Adding ACEs to ACLs on
page 51.
ÂInherited ACEs, which are ACEs you created for a parent folder that were inherited by
a descendant file or folder.
Note: Inherited ACEs cannot be edited unless you make them explicit. Server Admin
enables you to convert an inherited ACE to an explicit ACE. For more information, see
“Changing the Inherited ACEs for a Folder to Explicit” on page 53.
Understanding Inheritance
ACL inheritance lets you determine how permissions pass from a folder to its
descendants.
The Apple ACL Inheritance Model
The Apple ACL inheritance model defines four options that you select or deselect in
Server Admin to control the application of ACEs (in other words, how to propagate
permissions through a folder hierarchy):
Mac OS X Server propagates ACL permissions at two well-defined times:
ÂBy the kernel at file or folder creation time—when you create a file or folder, the
kernel determines what permissions the file or folder inherits from its parent folder.
ÂWhen initiated by administrator tools—for example, when using the Propagate
Permissions option in Server Admin.
Inheritance option Description
Apply to this folder Apply (Administration, Read, and Write) permissions to this folder
Apply to child folders Apply permissions to subfolders
Apply to child files Apply permissions to the files in this folder
Apply to all descendants Apply permissions to all descendants1
1If you want an ACE to apply to all descendants without exception, you must select the “Apply to child folders” and
“Apply to child files” options in addition to this option. For more information, see “ACL Inheritance Combination”
on page 27.
26 Chapter 2 Setting Up File Service Permissions
The figure below shows how Server Admin propagates two ACEs (managers and
design_team) after ACE creation. Bold text represents an explicit ACE and regular text
an inherited ACE.
managers
managers
Jupiter
Docs Design Notes
Projects
Lander
Model
Spec
managers
design_team
managers
managers
managers
lander_team
managers
lander_team
managers
design_team
Chapter 2 Setting Up File Service Permissions 27
ACL Inheritance Combination
When you set inheritance options for an ACE in Server Admin, you can choose from 12
unique inheritance combinations for propagating ACL permissions.
Inheritance
Apply to this folder
Apply to child folders
Apply to child files
Apply to all descendants
Inheritance
Apply to this folder
Apply to child folders
Apply to child files
Apply to all descendants
Inheritance
Apply to this folder
Apply to child folders
Apply to child files
Apply to all descendants
Inheritance
Apply to this folder
Apply to child folders
Apply to child files
Apply to all descendants
Inheritance
Apply to this folder
Apply to child folders
Apply to child files
Apply to all descendants
Inheritance
Apply to this folder
Apply to child folders
Apply to child files
Apply to all descendants
Inheritance
Apply to this folder
Apply to child folders
Apply to child files
Apply to all descendants
Inheritance
Apply to this folder
Apply to child folders
Apply to child files
Apply to all descendants
Inheritance
Apply to this folder
Apply to child folders
Apply to child files
Apply to all descendants
Inheritance
Apply to this folder
Apply to child folders
Apply to child files
Apply to all descendants
Inheritance
Apply to this folder
Apply to child folders
Apply to child files
Apply to all descendants
Inheritance
Apply to this folder
Apply to child folders
Apply to child files
Apply to all descendants
28 Chapter 2 Setting Up File Service Permissions
ACL Permission Propagation
Server Admin provides a feature that lets you force the propagation of ACLs. Although
this is done automatically by Server Admin, there are cases when you may want to
manually propagate permissions:
ÂYou can propagate permissions to handle exceptions. For example, you might want
ACLs to apply to all descendants except for a subtree of your folder hierarchy. In this
case, you define ACEs for the root folder and set them to propagate to all
descendants. Then, you select the root folder of the subtree and propagate
permissions to remove the ACLs from all descendants of that subtree.
In the example below, the items in white had their ACLs removed by manually
propagating ACLs.
ÂYou can propagate permissions to reapply inheritance in cases where you removed a
folder’s ACLs and decided to reapply them.
ÂYou can propagate permissions to clear all ACLs at once instead of having to go
through a folder hierarchy and manually remove ACEs.
ÂWhen you propagate permissions, the permissions of bundles and root-owned files
and folders are not changed.
For more information about how to manually propagate permissions, see “Propagating
Permissions” on page 53.
Rules of Precedence
Mac OS X Server uses the following rules to control access to files and folders:
ÂWithout ACEs, POSIX permissions apply. If a file or folder has no ACEs defined for it,
Mac OS X Server applies standard POSIX permissions.
ÂWith ACEs, order is important. If a file or folder has one or more ACEs defined for it,
Mac OS X Server starts with the first ACE in the ACL and works its way down the list
until the requested permission is satisfied or denied.
The ACE order can be changed from the command line using the chmod command.
ÂDeny permissions override other permissions. When you add ACEs, Server Admin
lists Deny permissions above Allow permissions because Deny permissions have
precedence over Allow permissions. When evaluating permissions, if Mac OS X Server
finds a Deny permission, it ignores remaining permissions the user has in the same
ACL and applies the Deny permission.
Chapter 2 Setting Up File Service Permissions 29
For example, if you add an ACE for the user Mei and enable her reading permissions
and then add another ACE for a group in which Mei is a member and deny the group
reading permissions, Server Admin reorders the permissions so that the Deny
permission is above the Allow permission. The result is that Mac OS X Server applies
the Deny permission for Mei’s group and ignores the Allow permission for Mei.
ÂAllow permissions are cumulative. When evaluating Allow permissions for a user in
an ACL, Mac OS X Server defines the user’s permissions as the union of all
permissions assigned to the user, including standard POSIX permissions.
After evaluating ACEs, Mac OS X Server evaluates the standard POSIX permissions
defined on the file or folder. Then, based on the evaluation of ACL and standard POSIX
permissions, Mac OS X Server determines what type of access a user has to a shared file
or folder.
Tips and Advice
Mac OS X Server combines traditional POSIX permissions with ACLs. This combination
provides great flexibility and a fine level of granularity in controlling access to files and
folders. However, if youre not careful in how you assign privileges, it’ll be very hard for
you to keep track of how permissions are assigned.
Note: With 17 permissions, you can choose from a staggering 98,304 combinations.
Add to that a sophisticated folder hierarchy, many users and groups, and many
exceptions, and you have a recipe for considerable confusion.
This section offers useful tips and advice to help you get the most out of access control
in Mac OS X Server and avoid the pitfalls.
Manage Permissions at the Group Level
Assign permissions to groups first, and assign permissions to individual users only
when there is an exception.
For example, you can assign all teachers in a school district Read and Write permissions
to a certain share point, but deny Anne Johnson, a temporary teacher, permission to
read a certain folder in the share point’s folder hierarchy.
Using groups is the most efficient way of assigning permissions. After creating groups
and assigning them permissions, you can add and remove users from groups without
reassigning permissions.
Gradually Add Permissions
Assign only necessary permissions and then add permissions only when needed. As
long as youre using Allow permissions, Mac OS X Server combines the permissions. For
example, you can assign the Students group partial reading permissions on an entire
share point. Then, where needed in the folder hierarchy, you can give the group more
reading and writing permissions.
30 Chapter 2 Setting Up File Service Permissions
Use the Deny Rule Only When Necessary
When Mac OS X Server encounters a Deny permission, it stops evaluating other
permissions the user might have for a file or folder and applies the Deny permission.
Therefore, use Deny permissions only when absolutely necessary. Keep a record of
these Deny permissions so that you can delete them when they are not needed.
Always Propagate Permissions
Inheritance is a powerful feature, so take advantage of it. By propagating permissions
down a folder hierarchy, you save yourself the time and effort required to manually
assign permissions to descendants.
Use the Effective Permission Inspector
Frequently use the Effective Permission Inspector to make sure users have the correct
access to important resources. This is especially important after changing ACLs.
Sometimes, you might inadvertently give someone more or fewer permissions than
needed. The inspector helps you detect these cases. For more information about the
inspector, see “Determining a Users File or Folder Permissions” on page 55.
Protect Applications from Being Modified
If you are sharing applications, make sure you set permissions for applications so that
no one, except a trusted few, can change them. This is a vulnerability that attackers can
exploit to introduce viruses or Trojan horses in your environment.
Keep It Simple
You can unnecessarily complicate file access management if you’re not careful. Keep it
simple. If standard POSIX permissions do the job, use those, but if you must use ACLs,
avoid customizing permissions unless you need to.
Also, use simple folder hierarchies when feasible. A little strategic planning can help
you create effective and manageable shared hierarchies.
Common Folder Configurations
When sharing files and folders between computers, custom permissions can be set to
grant or restrict access to those files and folders. Before you begin setting custom file
and folder permissions, you might want to investigate how the file and folder will be
shared, who has access, and what type of access you want users to have. A
recommended way to manage file and folder permissions is to create groups of users
who share the same privileges.
Chapter 2 Setting Up File Service Permissions 31
Depending on your network environment you can use either POSIX, ACL, or both to
manage file or folder access. The following table shows examples of the POSIX
permissions and the ACL permissions necessary to configure some common folder
sharing settings.
File Services Access Control
Server Admin in Mac OS X Server enables you to configure service access control lists
(SACLs), which enable you to specify which users and groups have access to AFP, FTP,
and SMB file services.
Using SACLs enables you to add another layer of access control on top of standard
POSIX and ACL permissions. Only users and groups listed in a SACL have access to its
corresponding service. For example, if you want to prevent users from accessing a
servers AFP share points, including home folders, remove the users from the AFP
service’s SACL.
For information about restricting access to file services using SACLs, see “Setting SACL
Permissions” on page 62.
Folder ACL (Everyone) POSIX
Drop box Permission Type: Allow
Select the following
checkboxes:
ÂTraverse Folder
ÂCreate Files
ÂCreate Folder
ÂAll inheritance options
Owner: read, write, execute
Group: read, write, execute
Other: write
For example: drwxrwx-w-
Set the owner to root or localadmin and set the
group to admin.
Backup share Permission Type: Allow
Select the following
checkboxes:
ÂList Folder Contents
ÂCreate Files
ÂCreate Folder
Owner: read, write, execute
Group: read, write, execute
Other: no permissions
For example: drwxrwx---
Set the owner to root and set the group to admin.
Home folder Permission Type: Deny
ÂDelete
ÂApply to this folder
ÂApply to all descendants
Owner: read, write, execute
Group: read only
Other: read only
For example: drwxr--r--
32 Chapter 2 Setting Up File Service Permissions
Customizing Shared Network Resources
The Network folder (/Network/), accessible from the Mac OS X Finder sidebar, contains
shared network resources. You can customize the contents of the Network folder for
client computers by setting up automatically mounting share points.
Share Points in the Network Folder
By default, the Network folder contains at least these subfolders:
ÂApplications
ÂLibrary
ÂServers
You can mount share points in any of these subfolders. For more information, see
Automatically Mounting Share Points for Clients on page 47.
More servers and shared items are added as they are discovered on your network.
Adding System Resources to the Network Library Folder
The Library folder, located in /Network/, is included in the system search path. This
gives you the ability to make any type of system resource (usually found in the local
Library folder) available on the network. These resources could include fonts,
application preferences, ColorSync profiles, desktop pictures, and so forth. You can use
this capability to customize your managed client environment.
For example, suppose you want a specific set of fonts to be available to each user in an
Open Directory domain. You would create a share point containing the fonts and then
set the share point to mount automatically as a shared library on client computers in /
Network/Library/Fonts/. For more information, see “Automatically Mounting Share
Points for Clients” on page 47.
Security Considerations
The most effective method of securing your network is to assign correct privileges for
each file, folder, and share point you create.
Restricting Access to File Services
As stated in “File Services Access Control” on page 31, you can use Service Access
Control Lists (SACLs) to restrict access to AFP, FTP, and SMB services.
Restricting Access to Everyone
Be careful when creating and granting access to share points, especially if youre
connected to the Internet. Granting access to Everyone, or to World (in NFS service),
could expose your data to anyone on the Internet. For NFS, it is recommended that you
do not export volumes to World and that you use Kerberos to provide security of NFS
volumes.
Chapter 2 Setting Up File Service Permissions 33
Restricting Access to NFS Share Points
NFS share points without the use of Kerberos don’t have the same level of security as
AFP and SMB, which require user authentication (entering a user name and password)
to gain access to a share point’s contents. If you have NFS clients, you may want to set
up a share point to be used only by NFS users or configure NFS with Kerberos. NFS
doesn’t support SACLs. For more information, see “Protocol Security Comparison on
page 16.
Restricting Guest Access
When you configure any file service, you can turn on guest access. Guests are users
who connect to the server anonymously without entering a user name or password.
Users who connect anonymously are restricted to files and folders that have privileges
set to Everyone.
To protect your information from unauthorized access, and to prevent people from
introducing software that might damage your information or equipment, take the
following precautions by using File Sharing in Server Admin:
ÂDepending on the controls you want to place on guest access to a share point,
consider the following options:
ÂSet privileges for Everyone to None for files and folders that guest users shouldn’t
access. Items with this privilege setting can be accessed only by the items owner
or group.
ÂPut all files available to guests in one folder or set of folders and then assign the
Read Only privilege to the Everyone category for that folder and each file in it.
ÂAssign Read & Write privileges to the Everyone category for a folder only if guests
must be able to change or add items in the folder. Make sure you keep a backup
copy of information in this folder.
ÂDon’t export NFS volumes to World. Restrict NFS exports to a subnet or a specific list
of computers.
ÂDisable access to guests or anonymous users over AFP, FTP, and SMB using Server
Admin.
ÂShare individual folders instead of entire volumes. The folders should contain only
those items you want to share.
34 Chapter 2 Setting Up File Service Permissions
3
35
3Setting Up Share Points
This chapter describes how to share specific volumes and
directories by using AFP, SMB, FTP, and NFS, and it shows how
to set standard and ACL permissions.
You use File Sharing in Server Admin to share information with clients of Mac OS X
Server and to control access to shared information by assigning access privileges.
To share folders or volumes on the server, set up share points. A share point is a folder,
hard disk, hard disk partition, CD, or DVD whose files are available for access across a
network. It’s the point of access at the top level of a hierarchy of shared items.
Users with access privileges to share points see them as volumes mounted on their
desktops or in their Finder windows.
Share Points and the Mac OS X Network Folder
If you configure your computer to connect to LDAP directory domains and you set it
with specific data mappings, you can control the access and availability of network
services by using Server Admin to:
ÂIdentify share points and shared domains that you want to mount automatically in a
users /Network/ folder, accessible by clicking Network in the Finder sidebar.
ÂAdd user records and group records (as defined in Workgroup Manager) and
configure their access.
When configuring share points, you must define the users or groups that will access
the share points. You can use Workgroup Manager to:
ÂDefine user and group records and configure their settings.
ÂDefine lists of computers that have the same preference settings and that are
available to the same users and groups.
For more information about configuring users and groups, see User Management.
36 Chapter 3 Setting Up Share Points
Automounting
You can configure client computers to automatically mount share points. These share
points can be static or dynamic:
ÂStatic share points are mounted on demand. You can assign statically mounted
share points to specific folders.
ÂDynamic share points are mounted on demand and are in the /Network/Servers/
server_name/ folder.
Share Points and Network Home Folders
Network authenticated users can have their home folder stored locally on the client
computer they are using or on a network server. Network home folders are an
extension of simple automounts.
A home folder share point is mounted when the user logs in, and provides the user the
same environment to store files as if the folders were on the local computer.
The benefit of network home folders is that they can be accessed by any client
computer that logs in to a specific server that provides network home folder services
for that user.
For more information, see “Network Home Folders” on page 38.
Setup Overview
You use File Sharing in Server Admin to create share points and set privileges for them.
Here is an overview of the basic steps for setting up share points:
Step 1: Read “Before Setting Up a Share Point”
For issues you should consider before sharing information about your network, read
“Before Setting Up a Share Point” on page 37.
Step 2: Locate or create the information you want to share
Decide which volumes, partitions, or folders you want to share.
You may want to move folders and files to different locations before setting up the
share point. You may want to partition a disk into volumes so you can give each
volume different access privileges or create folders that have different levels of access.
See “Shared Information Organization on page 38.
Step 3: Set up share points and set privileges
When you designate an item to be a share point, you also set its privileges. You create
share points and set privileges using File Sharing in Server Admin. See “Setting Up a
Share Point on page 39.
Chapter 3 Setting Up Share Points 37
Step 4: Turn specific file services on
For users to access share points, you must turn on the required Mac OS X Server file
services. For example, if you use Apple File Protocol with your share point, you must
turn on AFP service. You can share an item using more than one protocol.
See Chapter 5, “Working with SMB Service,” on page 93; Chapter 6, “Working with NFS
Service,” on page 103; or Chapter 7, Working with FTP Service,” on page 109.
Before Setting Up a Share Point
Before you set up a share point, consider the following topics:
ÂClient privileges
ÂFile sharing protocols
ÂShared information organization
ÂSecurity
ÂNetwork home folders
ÂDisk quotas
Client Privileges
Before you set up a share point, you should understand how privileges for shared items
work. Determine which users need access to shared items and what permissions you
want those users to have. Permissions are described in Chapter 2 (see “Kinds of
Permissions” on page 20).
File Sharing Protocols
You also must know which protocols clients use to access the share points. In general,
you should set up unique share points for each type of client and share them using a
single protocol:
ÂMac OS clients—Apple Filing Protocol (AFP)
ÂWindows clients—Server Message Block (SMB)
ÂUNIX clients—Network File System (NFS)
ÂFTP clients—File Transfer Protocol (FTP)
Note: With unified locking, applications can use locks to coordinate access to files even
when using different protocols. This permits users working on multiple platforms to
share files across AFP, SMB, and NFS protocols without worrying about file corruption
caused by locking issues between protocols.
In some cases you might want to share an item using more than one protocol. For
example, Mac OS and Windows users might want to share graphics or word processing
files that either file protocol can use. If so, you can create a single share point that
supports both platforms.
38 Chapter 3 Setting Up Share Points
Conversely, you might want to set up share points that support a single protocol even
though you have different kinds of clients.
For example, if most of your clients are UNIX users and only a few are Mac OS clients,
you may want to share items using only NFS to keep your setup simple. However, keep
in mind that NFS doesn’t provide many AFP features that Mac OS users are accustomed
to, such as Spotlight searching, native ACL, and extended attribute support.
Also, if you share applications or documents that are exclusively for Windows users, you
can set up an SMB share point to be used only by them. This provides a single point of
access for your Windows users and lets them take advantage of opportunistic and strict
file locking. For more information about file locking, see “File Locking with SMB Share
Points on page 93.
Note: If you enable AFP and SMB services on your server, Mac OS clients can connect
to the server over AFP or SMB. If Windows users want to connect to your server over
AFP, they must use third-party AFP client software.
Shared Information Organization
Organize shared information before you set up the share points, especially if you’re
setting up network home folders.
After you create share points, users form mental maps of the organization of the share
points and the items they contain. Changing share points and moving information
around can cause confusion.
Security
Review the issues discussed in “Security Considerations” on page 32.
Network Home Folders
If youre setting up a share point on your server to store user home folders, keep these
points in mind:
ÂThe /Users share point is set up by default to be used for storing home folders when
you install Mac OS X Server. You can use this preconfigured share point for user
home folders or you can create one on a local volume.
ÂThe Automount settings for the share point should indicate that it’s used for user
home folders.
ÂThe share point should be in the same Open Directory domain where user accounts
are defined.
ÂTo provide service to all types of clients, the complete pathname of an AFP or NFS
network home folder must not contain spaces and must not exceed 89 characters.
For more information, see Apple Knowledge Base article 107695 at
docs.info.apple.com/article.html?artnum=107695.
Chapter 3 Setting Up Share Points 39
Disk Quotas
You can set the maximum size of a user’s home folder by setting a quota on the Home
pane of the users account settings in Workgroup Manager.
To set space quotas for other share points, you must use the command line. See the file
services chapter of Command-Line Administration.
Setting Up a Share Point
This section describes how to create share points and set share point access privileges.
It also describes how to share using specific protocols (AFP, SMB, FTP, or NFS) and how
to automatically mount share points on clients desktops
For more tasks that you might perform after you set up sharing on your server, see
“Managing Share Points on page 48.
Creating a Share Point
You use File Sharing in Server Admin to share volumes (including disks, CDs, and DVDs),
partitions, and individual folders by setting up share points.
Note: Don’t use a slash (/) in the name of a folder or volume you plan to share. Users
trying to access the share point might have trouble seeing it.
To create a share point:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Volumes to list the available volumes to share.
To create a share point of an entire volume, select the volume from the list.
To share a folder within a volume, select the volume in the list and click Browse to
locate and select the folder.
4Click Share.
If you must create a folder for your share point, click Browse, click New Folder, enter the
name of the folder, and click Create.
5Click Save.
By default, the new share point is shared using AFP, SMB, and FTP, but not NFS.
To configure your share point for a specific protocol or to export the share point using
NFS, click Protocol Options and choose the protocol. Settings specific to each protocol
are described in the following sections.
From the Command Line
You can also set up a share point using the sharing command in Terminal. For more
information, see the file services chapter of Command-Line Administration.
40 Chapter 3 Setting Up Share Points
Setting Privileges
Mac OS X Server provides two methods of access control to files and folders: Standard
permissions and ACL permissions. These methods are described in the following
sections.
Setting Standard Permissions
When you don’t need the flexibility and granularity that access control lists (ACLs)
provide, or in cases where ACLs are not supported, use the standard POSIX permissions
(Read & Write, Read Only, Write Only, and None) to control access to a share point and
its contents.
To set standard permissions on a share point:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share Points and select the share point from the list.
4Click Permissions below the list.
5To set the owner or group of the shared item, enter names or drag names from the
Users and Groups drawer to the owner or group records in the permissions table.
The owner and group records are listed under the POSIX heading. The owner record is
the one with the single user icon and the group record is the one with the group icon.
To open the drawer, click the Add (+) button. If you don’t see a recently created user or
group, click the Refresh button (below the Servers list).
Owner and group names can also be edited by double clicking the proper permissions
record and dragging into or typing in the User/Group field in the window that is
displayed.
Note: To change the autorefresh interval, choose Server Admin > Preferences and
change the value of the Auto-refresh status every” field.
6To change the permissions for the Owner, Group, and Others, use the Permission pop-
up menu in the appropriate row of the permissions table.
Others is any user that logs in to the file server who is not the owner and does not
belong to the group.
7Click Save.
The new share point is shared using the AFP, SMB, and FTP protocols, but not NFS.
Setting ACL Permissions
To configure ACL permissions for a share point or folder, you create a list of access
control entries (ACEs).
Chapter 3 Setting Up Share Points 41
For each ACE, you can set 17 permissions with Allow, Deny, and Static inheritance, so
you have fine-grain control over access permissions, something that you don’t have
when using standard permissions. For example, you can separate delete permissions
from write permissions so that a user can edit a file but cannot delete it.
To set ACL permissions on a share point or a folder:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share Points and select the share point from the list.
4Click Permissions below the list.
5Open the Users and Groups drawer by clicking the Add (+) button.
6Drag groups and users from the drawer into the ACL Permissions list to create ACEs.
By default, each new ACE gives the user or group full read and inheritance permissions.
To change ACE settings, see “Editing ACEs on page 52.
The first entry in the list takes precedence over the second, which takes precedence
over the third, and so on. For example, if the first entry denies a user the right to edit a
file, other ACEs that allow the same user editing permissions are ignored. In addition,
the ACEs in the ACL take precedence over standard permissions.
For more information about permissions, see “Rules of Precedence on page 28.
7To set the appropriate permissions, use the arrows in the column fields for each entry
in the list.
The ACE order in the list changes depending on the level of access when the
permissions are saved.
8Click Save.
Changing AFP Settings for a Share Point
You can use Server Admin to choose whether a share point is available through AFP
and to change settings such as the share point name that AFP clients see and whether
guest access is permitted.
The default settings for a new share point should make it readily accessible to
Mac OS 8, Mac OS 9, and Mac OS X clients.
To change the settings of an AFP share point:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share Points and select the share point from the list.
4Click Share Point below the list.
5Click Protocol Options.
42 Chapter 3 Setting Up Share Points
This opens the protocol window with configuration options for AFP, SMB, FTP, and NFS
protocols.
6Click AFP.
7Provide AFP access to the share point by selecting “Share this item using AFP.”
8Permit unregistered users to access the share point by selecting Allow AFP guest
access.”
For greater security, don’t select this item.
9To change the name that clients see when they browse for and connect to the share
point using AFP, enter a name in the “Custom AFP name” field.
Changing the custom AFP name does not affect the name of the share point itself, only
the name that AFP clients see.
10 If you are using only POSIX permissions, choose a method for assigning default access
privileges for new files and folders in the share point:
To have new items use default POSIX permissions, select “Use standard POSIX
behavior.”
To have new items adopt the privileges of the enclosing item, select “Inherit
permissions from parent.”
11 Click OK, then click Save.
From the Command Line
You can also change AFP settings for a share point using the sharing command in
Terminal. For more information, see the file services chapter of Command-Line
Administration.
Changing SMB Settings for a Share Point
You can use Server Admin to set share point availability through SMB and to change
settings such as the share point name that SMB clients see. You can also use Server
Admin to set guest access permissions and the default privileges for new files and
folders, and to enable opportunistic locking.
For more information about opportunistic locking, see “File Locking with SMB Share
Points on page 93.
To change the settings of an SMB share point:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share Points and select the share point from the list.
4Click Share Point below the list.
5Click Protocol Options.
Chapter 3 Setting Up Share Points 43
This opens the protocol window with configuration options for AFP, SMB, FTP, and NFS
protocols.
6Click SMB.
7Provide SMB access to the share point by selecting “Share this item using SMB.”
8Permit unregistered users to have access to the share point by selecting Allow SMB
guest access.”
For greater security, don’t select this item.
9To change the name that clients see when they browse for and connect to the share
point using SMB, enter a new name in the “Custom SMB name field.
Changing the custom SMB name doesn’t affect the name of the share point itself, only
the name that SMB clients see.
10 If the share point is only using SMB protocol, select the type of locking for the share
point:
To permit clients to use opportunistic file locking, select “Enable oplocks.”
To have clients use standard locks on server files, select “Enable strict locking.”
11 If you are using only POSIX permissions, choose a method for assigning default access
privileges for new files and folders in the share point:
To have new items adopt the privileges of the enclosing item, select “Inherit
permissions from parent.”
To assign specific privileges, select Assign as follows and set the Owner, Group, and
Others privileges using the pop-up menus.
12 Click OK, then click Save.
From the Command Line
You can also change a share point’s SMB settings using the sharing command in
Terminal. For more information, see the file services chapter of Command-Line
Administration.
Changing FTP Settings for a Share Point
You can use Server Admin to set share point availability through FTP and to change
settings such as guest access permissions and the share point name that FTP clients
see.
To change the settings of an FTP share point:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share Points and select the share point from the list.
4Click Share Point below the list.
44 Chapter 3 Setting Up Share Points
5Click Protocol Options.
This opens the protocol window with configuration options for AFP, SMB, FTP, and NFS
protocols.
6Click FTP.
7Make the share point available to FTP clients by selecting “Share this item using FTP.”
8Permit anonymous FTP users to open this item by selecting Allow FTP guest access.”
For greater security, don’t select this item.
9To change the name clients see when they browse for and connect to the share point
using FTP, enter a new name in the “Custom FTP name field.
Changing the custom FTP name doesn’t affect the name of the share point itself, only
the name that FTP clients use.
10 Click OK, then click Save.
From the Command Line
You can also change a share point’s FTP settings using the sharing command in
Terminal. For more information, see the file services chapter of Command-Line
Administration.
Exporting an NFS Share Point
You can use NFS to export share points to UNIX clients. (Export is the NFS term for
sharing.)
To export an NFS share point:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share Points and select the share point from the list.
4Click Share Point below the list.
5Click Protocol Options.
This opens the protocol window with configuration options for AFP, SMB, FTP, and NFS
protocols.
6Click NFS.
7Select “Export this item and its contents to and choose an audience from the pop-up
menu.
To limit clients to specific computers, choose “Client List and click Add (+) to specify
the IP addresses of computers that can access the share point.
To limit clients to the entire subnet, choose “Subnet” and enter the IP address and
subnet mask for the subnet.
Chapter 3 Setting Up Share Points 45
Important: Make sure the subnet address you enter is the actual IP network address
that corresponds to the subnet mask you chose, and not a client address. Otherwise,
your clients can’t access the share point.
A network calculator helps you select the subnet address and mask for the range of
client addresses you want to serve, and you should use one to validate your final
address/mask combination. If needed, network calculators are available on the Web.
For example, suppose you want to export to clients that have IP addresses in the range
192.168.100.50 through 192.168.100.120. Using a subnet calculator, you discover that the
mask 255.255.255.128 applied to any address in this range defines a subnet with a
network address of 192.168.100.0 and a range of usable IP addresses from 192.168.100.1
through 192.168.100.126, which includes the desired client addresses. So, in Server
Admin you enter subnet address 192.168.100.0 and subnet mask 255.255.255.128 in the
NFS Export Settings for the share point.
To permit unlimited (and unauthenticated) access to the share point, choose “World.”
8From the Mapping pop-up menu, set the privilege mapping for the NFS share point:
Choose “Root to Root if you want the root user to have root privileges to read, write,
and carry out commands.
Choose All to Nobody” if you want users to have minimal privileges to read, write, and
carry out commands.
Choose “Root to Nobody if you want the root user on a remote client to have only
minimal privileges to read, write, and carry out commands.
Choose “None” if you don’t want privileges mapped.
9From the Minimum Security pop-up menu, set the level of authentication:
Choose “Standard” if you don’t want to set a level of authentication.
Choose Any” if you want NFS to accept any method authentication.
Choose “Kerberos v5” if you want NFS to only accept Kerberos authentication.
Choose “Kerberos v5 with data integrity if you want NFS to accept Kerberos
authentication and validate the data (checksum) during transmission.
Choose “Kerberos v5 with data integrity and privacy to have NFS accept Kerberos
authentication, to validate with checksum, and to encrypt data during transmission.
10 If you don’t want client users to change the contents of the shared item, select the
Read Only checkbox.
11 Select Allow subdirectory mounting
This permits clients to mount subfolders of an exported NFS share point. For example,
if you export the /Users/ folder, all its subfolders can be mounted directly.
12 Click OK, then click Save.
46 Chapter 3 Setting Up Share Points
Note: If you export more than one NFS share point, you cannot have nested exports on
a single volume, which means one exported directory cannot be the child of another
exported directory on the same volume.
From the Command Line
You can also set up an NFS share point by using the command line in Terminal. For
more information, see the man pages exports (5), nfs.conf (5), and nfsd (8), and the file
services chapter of Command-Line Administration.
Resharing NFS Mounts as AFP Share Points
Resharing NFS mounts (NFS volumes that have been exported to Mac OS X Server)
enables Mac OS 9 clients to access NFS file services on traditional UNIX networks.
To reshare an NFS mount as an AFP share point:
1On the NFS server that’s exporting the original share point, make sure the NFS export
maps root-to-root so that AFP (which runs as root) can access the files for the clients.
2Restrict the export to the single AFP server (seen as the client to the NFS server). For
even greater security, set up a private network for the AFP-to-NFS connection.
3Open Server Admin and connect to the server.
4Click File Sharing.
5Control-click in the Volumes or Share Points list, select Mount NFS Share, then enter the
URL of the NFS server you intend to reshare.
This is the URL that connects to the reshared NFS server. For example, to connect to the
reshared NFS mount “widgets” on the root level of the server corp1, use the following
URL:
nfs://corp1/widgets
6Click OK.
Server Admin creates the NFS mount point.
7Follow steps 1 through 4 for each NFS volume you want to reshare.
8Using Server Admin, share the NFS mounts as AFP share points.
The NFS mounts appear as normal volumes in the Share Point list. (You can also share
the NFS mounts using SMB and FTP, but you should use only AFP.)
You can change privileges and ownership, but you can’t enable quotas (because quotas
work only on local volumes). However, if quotas are enabled on the NFS server, they
apply to the reshared volume.
Note: Quotas set on the original NFS export are enforced on the AFP reshare.
Chapter 3 Setting Up Share Points 47
Automatically Mounting Share Points for Clients
You can mount share points automatically on client Mac OS X computers using
network mounts. You can automatically mount AFP or NFS share points.
When you set a share point to automatically mount, a mount record is created in the
Open Directory database. Be sure you create these records in the same shared domain
where the user and computer records exist.
Note: All users have guest access to network automounted AFP share points.
Authenticated access is permitted only for a user’s own home folder or if you have
Kerberos set to support single sign-on (SSO) authentication.
To set up a network mount:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share Points and select the share point from the list.
4Click Share Point below the list.
5Select the Enable Automount checkbox and click Edit.
This opens a configuration window for the automount.
6From the Directory pop-up menu, choose the directory domain that contains your
users and computers.
7From the Protocol pop-up menu, choose the sharing protocol (AFP or NFS).
If you choose AFP, guest access has to be enabled for automounted AFP share points to
work, except when all users have access to their home folders using Kerberos SSO
authentication. For more information, see “Configuring Access Settings” on page 69.
8Choose how you want the share point to be used and mounted on client computers:
User Home Folders: Select to have the home folders on the share point listed on a
users computer in /Network/Servers/.
Shared Applications folder: Select to have the share point appear in /Network/
Applications/ on the user’s computer.
Shared Library folder: Select to have the share point appear in /Network/Library/. This
creates a network library.
Custom mount path: Select to have the share point appear in the folder you specify.
Before you mount the share point, be sure this folder exists on the client computer.
9Click OK.
10 Authenticate when prompted.
11 Click Save.
48 Chapter 3 Setting Up Share Points
Managing Share Points
This section describes day-to-day tasks you might perform after you set up share points
on your server. Initial setup information appears in “Setting Up a Share Point on
page 39.
Checking File Sharing Status
Use Server Admin to check the status of volumes and share points.
To view File Sharing status:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Volumes to see a list of volumes.
Each volume includes the disk space used, whether quotas are enabled or disabled,
and the type of volume.
4Click Share Points to see a list of share points.
Each share point includes the disk space used, and whether sharing, guest access,
automount, and Spotlight indexing are enabled or disabled.
5To monitor the quotas setup for a volume, select the volume and click Quotas below
the volume list.
Disabling a Share Point
To stop sharing a share point, use File Sharing in Server Admin to remove it from the
Share Points list.
Note: Before you delete or rename a share point in Finder, disable the share point in
Server Admin first.
To remove a share point:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share Points and select the share point you want to remove.
4Click Unshare.
5Click Save.
Protocol and network mount settings you have made for the item are discarded.
From the Command Line
You can also disable a share point by using the sharing command in Terminal. For
more information, see the file services chapter of Command-Line Administration.
Chapter 3 Setting Up Share Points 49
Disabling a Protocol for a Share Point
You can use File Sharing in Server Admin to stop sharing a share point using a specific
protocol and still permit sharing to continue through other protocols.
To stop sharing through a particular protocol:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share Points and select the share point you want to reconfigure.
4Click Share Point below the list.
5Click Protocol Options and select the protocol.
6Deselect the “Share this item using” checkbox.
You can disable a protocol for all share points by stopping the underlying service that
provides support for the protocol. For more information, see “Stopping AFP Service on
page 74, “Stopping NFS Service” on page 107, or “Stopping FTP Service on page 124.
From the Command Line
You can also disable a protocol for a share point by using the sharing command in
Terminal. For more information, see the file services chapter of Command-Line
Administration.
Viewing Share Point Configuration and Protocol Settings
You can view share point configuration and protocol settings in Server Admin from the
Share Points list.
To view the share point configuration and protocol settings on a server:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share Points.
You can view the share point name, path, disk space, sharing, guest access, automount,
and Spotlight settings.
Use tooltips to quickly display the shared and guest access protocols for a share point.
4Select the share point and click Share Point below the list.
5View the protocol settings by clicking Protocol Options and selecting the protocol (AFP,
SMB, FTP, or NFS).
From the Command Line
You can also view share point settings using the sharing command in Terminal. For
more information, see the file services chapter of Command-Line Administration.
50 Chapter 3 Setting Up Share Points
Viewing Share Point Content and Privileges
You can use File Sharing in Server Admin to view share point content and access
privileges.
To view share point content and access privileges on a server:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share Points and select a share point in the list.
4Click Permissions below the list.
You can now view the contents of the selected share point and access items in the
folder hierarchy.
You can also view the privilege settings (POSIX and ACL) of the share point and each
item in the folder hierarchy.
From the Command Line
You can also view share points and their contents by using the sharing and ls
commands in Terminal. For more information, see the file services chapter of
Command-Line Administration.
Managing Share Point Access Privileges
This section describes typical tasks you might perform to manage access privileges for
your share point.
Changing POSIX Permissions
You use Server Admin to view and change the standard POSIX permissions for a share
point.
To change standard POSIX permissions for a share point:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share points and select the share point you want to update from the list.
4Click Permissions below the list.
To alter the POSIX permissions, change the owner and group of the shared item,
dragging names from the Users and Groups drawer to the owner or group records in
the permissions table. The owner and group records are listed under the POSIX
heading. The owner record is the one with the single user icon and the group record is
the one with the group icon.
Open the drawer by clicking the Add (+) button.
5To change the permissions for the Owner, Group, and Others (everyone), use the
Permissions pop-up menu in the appropriate row of the permissions table.
Chapter 3 Setting Up Share Points 51
Others is any user who is not the owner and does not belong to the group but can log
in to the file server.
From the Command Line
You can also change a share point’s privileges using the chmod, chgrp, and chown
commands in Terminal. For more information, see the file services chapter of
Command-Line Administration.
Adding ACEs to ACLs
You control access to a share point by adding or removing ACEs to the share point ACL.
Each ACE defines the access permissions for a user or a group.
To add an ACE to an ACL:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share points and select the share point you want to update from the list.
4Click Permissions below the list.
5Open the Users and Groups list by clicking the Add (+) button.
6Drag users and groups you want to add to the access control list.
7Click Save.
By default, each new ACE gives the user or group full read permissions. In addition, all
four inheritance options are selected. For more information about inheritance options,
see “Understanding Inheritance on page 25. To change ACE settings, see “Editing
ACEs on page 52.
From the Command Line
You can also add ACEs using the chmod command in Terminal. For more information,
see the file services chapter of Command-Line Administration.
Removing ACEs
You control access to a share point by adding or removing ACEs to the share point ACL.
Each ACE defines the access permissions for a user or a group.
To delete an ACE from an ACL:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share points and select the share point you want to update from the list.
4Click Permissions below the list.
5In the Access Control List, select the ACE.
6Click the Delete (–) button.
7Click Save.
52 Chapter 3 Setting Up Share Points
From the Command Line
You can also remove ACEs using the chmod command in Terminal. For more
information, see the file services chapter of Command-Line Administration.
Editing ACEs
Use Server Admin if you to need change the settings of an ACE to permit or restrict a
user or group from performing certain tasks in a share point.
To edit an ACE:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share points and select the share point you want to update from the list.
4Click Permissions below the list.
5In the Access Control List, select the ACE.
6Click the Edit (/) button.
7From the Permission Type pop-up menu, choose Allow or “Deny.”
8In the Permissions list, select permissions.
9Click OK.
10 Click Save.
You can also edit an ACE’s Type and Permission fields by clicking the field and choosing
an option from the pop-up menu. The Permission field provides five options:
ÂFull Control
ÂRead and Write
ÂRead
ÂWrite
ÂCustom (This option displays if the permissions set don’t match any of the other
options.)
For more information about permissions and permission types, see “Access Control
Entries (ACEs)” on page 24.
Removing a Folder’s Inherited ACEs
If you don’t want to apply inherited ACEs to a folder or a file, you can remove these
entries using Server Admin.
To remove a folder’s inherited ACEs:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share points and select the share point you want to update from the list.
4Click Permissions below the list.
Chapter 3 Setting Up Share Points 53
5From the Action menu button (gear), choose “Remove Inherited Entries.”
Inherited ACEs appear dimmed unless you chose to make them explicit, as described in
“Changing the Inherited ACEs for a Folder to Explicit” on page 53.
6Click Save.
Server Admin removes the inherited ACEs.
From the Command Line
You can also remove inherited ACEs using the chmod command in Terminal. For more
information, see the file services chapter of Command-Line Administration.
Changing the Inherited ACEs for a Folder to Explicit
Inherited ACEs appear dimmed in the ACL of Server Admin and you can’t edit them. To
change these ACEs for a folder, change the inheritance to explicit.
To change the inherited ACEs of a folder to explicit:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share points and select the share point you want to update from the list.
4Click Permissions below the list.
5From the Action menu button (gear), choose “Make Inherited Entries Explicit.”
6Click Save.
Now you can edit the ACEs.
Propagating Permissions
Server Admin enables you to specify what permissions to propagate to all descendant
files and folders. In the case of POSIX permissions, you can specify the following to
propagate:
ÂOwner name
ÂGroup name
ÂOwner permissions
ÂGroup permissions
ÂOthers permissions
The ability to select which information to propagate gives you specific control over
who can access files and folders.
For ACL permissions, you can only propagate the entire ACL. You can’t propagate
individual ACEs.
To propagate folder permissions:
1Open Server Admin and connect to the server.
54 Chapter 3 Setting Up Share Points
2Click File Sharing.
3Click Share points and select the share point you want to update from the list.
4Click Permissions below the list.
5From the Action menu button (gear), choose “Propagate Permissions.”
6Select the permissions you want to propagate.
7Click OK.
Server Admin propagates the selected permissions to all descendants.
Removing the ACL from a File
To remove the inherited ACL from a file, use Server Admin.
Note: Because the ACEs of a file are usually inherited, they may appear dimmed.
To remove the ACL from a file:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share points and select the share point you want to update from the list.
4Click Permissions below the list.
5Select all ACEs in the ACL Permissions list and click the Delete (–) button.
6Click Save.
Server Admin removes all ACEs from the ACL of a file. The only permissions that now
apply are the standard POSIX permissions.
From the Command Line
You can also remove a file’s ACL using the chmod command in Terminal. For more
information, see the file services chapter of Command-Line Administration.
Applying ACL Inheritance to a File
If you removed the ACL from a file and want to restore it, use Server Admin.
To apply ACL inheritance to a file:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share points and select the share point you want to update from the list.
4Click Permissions below the list.
5From the Action menu button (gear), choose “Propagate Permissions.”
6Select Access Control List.
7Click OK, then click Save.
Chapter 3 Setting Up Share Points 55
Determining a User’s File or Folder Permissions
To instantly determine the permissions that a user has to a file or folder, use the
Effective Permission Inspector in Server Admin.
To determine a user ‘s file or folder permissions:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share points and select the share point you want to update from the list.
4Click Permissions below the list.
5From the Action menu button (gear), choose “Show Effective Permission Inspector.”
Note: In the inspector, permissions and inheritance settings are dimmed to indicate
that you can’t edit them.
6Open the Users and Groups list by clicking the Add (+) button.
7From the Users and Groups list, drag a user to the Effective Permission Inspector.
If you don’t see a recently created user, click Refresh.
After dragging the user from the list, the inspector shows the permissions the user has
for the selected file or folder. An entry with a checkmark means the user has the
indicated permission (equivalent to Allow). An entry without a checkmark means the
opposite (equivalent to Deny).
8When you finish, close the inspector window.
Changing the Protocols Used by a Share Point
You can use Server Admin to change the protocols available for accessing a share
point. The following protocols are available:
ÂAFP (see “Changing AFP Settings for a Share Point” on page 41)
ÂSMB (see “Changing SMB Settings for a Share Point” on page 42)
ÂFTP (see “Changing FTP Settings for a Share Point” on page 43)
ÂNFS (see “Exporting an NFS Share Point on page 44)
To change the protocols for a share point:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share points and select the share point you want to update from the list.
4Click Share Point below the list.
5Click Protocol Options and select the protocol.
6Select the protocols you want to change and modify the configuration.
7Click OK, then click Save.
56 Chapter 3 Setting Up Share Points
From the Command Line
You can also change the protocol settings of a share point using the sharing command
in Terminal. For more information, see the file services chapter of Command-Line
Administration.
Changing NFS Share Point Client Access
You can use Server Admin to restrict the clients that can access an NFS export.
To change authorized NFS clients:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share Points and select the NFS share point.
4Click Protocol Options and select NFS.
5Select the “Export this item and its contents to checkbox and choose an option from
the pop-up menu:
To limit clients to specific computers, choose Client List, click the Add (+) button, and
then enter the IP addresses of computers that can access the share point.
To remove a client, select an address from the Client List and click the Delete (–)
button.
To limit clients to the entire subnet, choose Subnet and enter the IP address and
subnet mask for the subnet.
To permit unlimited (and unauthenticated) access to the share point, choose World.
6Click OK, then click Save.
Enabling Guest Access to a Share Point
You can use Server Admin to enable guest users (users not defined in the directories
used by your server) to connect to specific share points.
Note: This section does not apply to NFS.
To change guest access privileges for a share point:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share points and select the share point you want to update from the list.
4Click Share Point below the list.
5Click Protocol Options and select the protocol you are using to provide access to the
share point.
6Select the Allow guest access” option.
7Click OK, then click Save.
Chapter 3 Setting Up Share Points 57
Note: Make sure guest access is also enabled at the service level in Server Admin.
From the Command Line
You can also enable guest access to a share point using the sharing command in
Terminal. For more information, see the file services chapter of Command-Line
Administration.
Setting Up a Drop Box
A drop box is a shared folder with custom permissions. If you use only ACLs, you can
set the permissions so that certain users can only copy files to the folder but can’t see
its contents. If you use only POSIX permissions, you can set them to permit anyone to
copy files to the drop box but give only the owner of the drop box full access.
To create a drop box:
1Create the folder that is going to act as a drop box in an AFP share point.
2Open Server Admin and connect to the server.
3Click File Sharing.
4Click Share points and select the folder in the AFP share point that you want to use as a
drop box.
5Click Permissions below the list.
6Set write only permissions using POSIX permissions or a combination of POSIX
permissions and ACEs.
To create a drop box using standard permissions, set Write Only permissions for Owner,
Group, and Others. For more information, see “Setting Standard Permissions on
page 40.
Note: For greater security, assign None to Others.
To create a drop box using ACL permissions, add two types of ACEs:
ÂIf you want users to only copy items to a drop box but not see its contents, add ACEs
that deny them Administration and Read permissions and give only Traverse Folder,
Create File (Write Data), and Create Folder (Append Data) permissions.
ÂIf you want users to have full control of the drop box, add ACEs that give them full
Administration, Read, Write, and inheritable permissions.
For more information, see “Setting ACL Permissions” on page 40.
7Click Save.
From the Command Line
You can also set up a drop box using the mkdir and chmod commands in Terminal. For
more information, see the file services chapter of Command-Line Administration.
58 Chapter 3 Setting Up Share Points
Setting Up a Network Library
Configuring a network library creates a repository on the network for shared
information such as default configurations, fonts, images, and other common resources.
A shared library is automatically mounted at /Network/Library/ and is accessible
through Finder. Guest access must be enabled to grant all users access to the network
library. All users or groups who are logged into the network with guest access will have
access to this shared information, and the network library becomes part of the default
search path. Access to the network library can be restricted using access controls.
To configure a network library:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share Points and select the share point you want to become a network library.
To create a share point for your network library, see “Creating a Share Point on
page 39.
4Click Share Point below the list.
5Select the Automount checkbox.
6From the Directory pop-up menu, choose the directory domain that contains your
users and computers.
7From the Protocol pop-up menu, choose the sharing protocol (AFP or NFS).
If you choose AFP, guest access has to be enabled for automounted AFP share points to
work, except when all users have access to their home folders using Kerberos SSO
authentication. For more information, see “Configuring Access Settings” on page 69.
8Choose “Shared Library folder for the share point to appear in /Network/Library/.
9Click OK.
10 Authenticate when prompted.
11 Click Save.
Using Mac OS X Server for Network Attached Storage
You can configure your Mac OS X Server for Network Attached Storage (NAS), to
provide all the basic NAS-style file resharing using AFP, SMB, FTP, and NFS as well as
advanced features such as directory integration. NAS also works with more advanced
storage architectures such as RAID data protection and Xsan for storage clustering.
To provide NAS-style file sharing for network users, you must configure your Mac OS X
server for NAS. The most common configuration uses an Xserve (as a file server) with a
RAID device (data storage). You can also use Xsan for a more advanced NAS
configuration.
The steps that follow explain how to set up an Xserve NAS system.
Chapter 3 Setting Up Share Points 59
Step 1: Connect the Xserve system to the network
The Xserve system has gigabit Ethernet hardware for extremely fast communications
with other network devices. Data transmission rates are determined by the speed of
other components, such as the network hub or switch and cables used.
If you are also using a RAID unit as part of the NAS system, connect it to the Xserve unit
by installing the Apple Fibre Channel PCI card in the Xserve unit and installing the Fibre
Channel cables between the two hardware components.
To assure that connecting the system to the network does not disrupt network
operations, work with the system administrator or other expert. Follow the instructions
in the Xserve guide, if applicable, to install the system properly in a rack.
Step 2: Establish volumes, partitions, and RAID sets on the drive modules
Plan how you want to divide the total storage on the Xserve NAS system, taking into
account the number of users, likely demands for NAS, and future growth.
Then use Disk Utility to create partitions or RAID arrays on the drives. If you have a
RAID, use RAID Admin to create RAID arrays on the drives and Disk Utility to put the file
system on the arrays.
For information about using these applications, consult the Disk Utility online help and
the RAID Admin documentation.
You can also use Xsan to configure your partitions and RAID configurations. For more
information about Xsan, see the Xsan documentation.
Step 3: Set up the system as a network-attached storage device
If you purchased a new Xserve, Mac OS X Server software is already installed. You only
need to perform initial server setup by turning on the system and answering the
questions posed by Server Assistant.
If you need to install Mac OS X Server software, use Getting Started to understand
system requirements and installation options and then use Server Assistant after the
server restarts to perform initial setup for storage. Server Assistant is in /Applications/
Server/.
Note: You can set up Xserve NAS remotely or locally. If you are setting up from a
remote computer, install the applications on the Admin Tools disc on the remote
computer. If you are configuring locally, connect a monitor and keyboard to your
Xserve. The system must have a video card for direct connection of a monitor. A video
card is optional on some Xserve models, including the Xserve G5.
To perform initial setup for Network Attached Storage (NAS):
1Make sure the system is connected to the network.
2Open Server Assistant and proceed through the panes, entering the following
information where appropriate:
ÂA valid server serial number.
60 Chapter 3 Setting Up Share Points
ÂA fixed IP address for the server, either static or using DHCP with a manual address.
ÂEnable the AFP, NFS, FTP, and SMB services so they are available for use immediately.
If you want users to share files using FTP, be sure your network is securely configured.
AFP is the standard for Mac OS X files; NFS is the file protocol for UNIX and Linux
users; and the SMB service includes Server Message Block (SMB) protocol, which
supports Microsoft Windows 95, 98, ME (millennium Edition), NT 4.0, 2000, XP, and
Vista. FTP allows access to shared files by anyone who connects to the NAS system.
3Restart the server.
Step 4: Configure file services for AFP, NFS, FTP, and SMB
Assuming that you turned on the file services with Server Assistant, you can configure
AFP, NFS, FTP, and SMB so that clients on the network can share their files. The
summary instructions that follow provide an overview of configuring these file services.
For more information about configuring these protocols, see the appropriate chapter in
this guide.
Step 5: Set up share points and access privileges for the Xserve NAS
Use Server Admin to set share points and define access privileges for the share points.
For more information, see “Setting Up a Share Point” on page 39.
After you finish these steps, the basic setup of the Xserve NAS system is complete. You
can add or change share points, users, and groups whenever necessary.
Configuring Spotlight for Share Points
If your client computers need to search share points, you can enable Spotlight indexing
in Server Admin.
Spotlight indexing is only available for a share point that has AFP or SMB turned on. If
your share point does not use AFP or SMB, do not enable Spotlight searching.
If you have a share point with Spotlight turned on and you turn off AFP and SMB,
Spotlight indexing will not work.
Spotlight provides the capability to do quick searches of network volumes, which
requires the server to maintain an index of all files and folders on a share point. This
indexing process uses more server resources. To free these resources, turn off Spotlight
if it is not going to be used.
To configure Spotlight for share points:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share Points and select the share point you want to enable Spotlight for.
4Click Share Point below the list.
Chapter 3 Setting Up Share Points 61
5Select the Enable Spotlight searching checkbox.
6Click Save.
Configuring Time Machine Backup Destination
Time Machine is a backup application that keeps an up-to-date copy of everything on
your computer, which includes system files, applications, accounts, preferences, and
documents. Time Machine can restore individual files, complete folders, or your entire
computer by putting everything back the way it was and where it should be.
Selecting this option causes the share to be broadcast over Bonjour as a possible Time
Machine destination, so it will show up as an option in System Preferences. On a
standard or workgroup server, selecting this option also sets the POSIX permissions to
770 and sets the POSIX group to com.apple.access_backup.
A share point can be designated as a Time Machine backup in Server Admin.
To configure Time Machine backup destination:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Share Points and select the share point.
4Click Share Point below the list.
5Select the “Enable as Time Machine backup destination checkbox.
6Click Save.
Monitoring Share Point Quotas
Use Server Admin to view the space on a volume allocated for a user. This space (disk
quota), configured in Workgroup Manager, is the maximum size of a users home folder.
To monitor share point quotas:
1Open Server Admin and connect to the server.
2Click File Sharing.
3Click Volumes and select the volume you want to monitor.
4Click Quotas below the list.
5Select the “Enable quotas on this volume” checkbox.
The disk quota information for the enabled volumes is listed in the Quota Monitor. This
includes user name, space used (MB), free space (MB), and limit (MB).
6Click Save.
62 Chapter 3 Setting Up Share Points
Setting SACL Permissions
SACLs enable you to specify who has access to AFP, FTP, and SMB file services. This
provides you with greater control over who can use the services and which
administrators have access to monitor and manage the services.
Setting SACL Permissions for Users and Groups
Use Server Admin to set SACL permissions for users and groups to access file services.
To set user and group SACL permissions for a file service:
1Open Server Admin and connect to the server.
2Click Settings.
3Click Access.
4Click Services.
5Select the level of restriction you want for the services:
To restrict access to all services, select “For all services.”
To set access permissions for individual services, select “For selected services below”
and then select the services from the Service list.
6Select the level of restriction you want for users and groups:
To provide unrestricted access, click Allow all users and groups.”
To restrict access to certain users and groups, select Allow only users and groups
below,” click the Add (+) button to open the Users and Groups drawer, and then drag
users and groups from the Users and Groups drawer to the list.
7Click Save.
Setting SACL Permissions for Administrators
Use Server Admin to set SACL permissions for administrators to monitor and manage
file services.
To set administrator SACL permissions for a file service:
1Open Server Admin and connect to the server.
2Click Settings.
3Click Access.
4Click Administrators.
5Select the level of restriction that you want for the services:
To restrict access to all services, select “For all services.”
To set access permissions for individual services, select “For selected services below”
and then select a service from the Service list.
6Click the Add (+) button to open the Users and Groups list.
Chapter 3 Setting Up Share Points 63
7Drag users and groups to the list.
8Set the users permission:
To grant administrator access, choose Administrator from the Permission pop-up menu
next to the user name.
To grant monitoring access, choose Monitor from the Permission pop-up menu next to
the user name.
9Click Save.
64 Chapter 3 Setting Up Share Points
4
65
4Working with AFP Service
This chapter describes how to set up and manage AFP service
in Mac OS X Server.
Apple Filing Protocol (AFP) service enables Mac OS clients to connect to your server
and access folders and files. Non–Mac OS clients can also connect to your server over
AFP using third-party AFP client software.
AFP service uses version 3.3 of AFP, which supports new features such as Unicode file
names, access control lists (ACLs), 64-bit file sizes, extended attributes, and Spotlight
searching. Unicode is a standard that assigns a unique number to every character
regardless of the language or the operating system used to display the language.
Kerberos Authentication
AFP supports Kerberos authentication. Kerberos is a network authentication protocol
developed at MIT to provide secure authentication and communication over open
networks.
In addition to the standard authentication method, Mac OS X Server uses Generic
Security Services Application Programming Interface (GSSAPI) authentication protocol.
GSSAPI is used to authenticate using Kerberos v.5. You specify the authentication
method using the Access pane of the AFP service settings in Server Admin.
See “Configuring Access Settings” on page 69. For more information about setting up
Kerberos, see Open Directory Administration.
66 Chapter 4 Working with AFP Service
Automatic Reconnect
Mac OS X Server can automatically reconnect Mac OS X clients that have become idle
or gone to sleep.
When clients become idle or go to sleep, Mac OS X Server disconnects those clients to
free server resources. However, you can configure Mac OS X Server to save Mac OS X
client sessions, permitting these clients to resume work on open files without loss of
data.
You configure this setting in the Idle Users pane of the AFP service configuration
window in Server Admin. See “Configuring Idle Users Settings” on page 71.
Find Content
Mac OS X clients can use Spotlight to search the contents of AFP servers. This feature
enforces privileges so that only files the user has access to are searched.
AppleTalk Support
AFP service no longer supports AppleTalk as a client connection method. Although
AppleTalk clients can see AFP servers in the Chooser, they must use TCP/IP to connect
to these servers.
For more information, see “Mac OS X Clients” on page 80 and “Connecting to the AFP
Server from Mac OS 8 and Mac OS 9 Clients” on page 83.
AFP Service Specifications
AFP service has the following default specifications:
ÂMaximum number of connected users, depending on your license
agreement: Unlimited (hardware dependent)
ÂMaximum volume size: 16 terabytes
ÂTCP port number: 548
ÂLocation of log files: /Library/Logs/AppleFileService/
ÂBonjour registration type: afpserver
Chapter 4 Working with AFP Service 67
Setup Overview
Here is an overview of the basic steps for setting up AFP service.
Step 1: Turn AFP service on
Before configuring AFP service, AFP must be turned on. See “Turning AFP Service On
on page 67.
Step 2: Configure AFP General settings
Configure the General settings to advertise the AFP share point, enable Mac OS 8 and
Mac OS 9 clients to find the server, and specify a logon greeting. See “Configuring
General Settings” on page 68.
Step 3: Configure AFP Access settings
Use Access settings to permit guest AFP users, limit the number of simultaneous
Windows client connections, or set AFP authentication options. See “Configuring
Access Settings on page 69.
Step 4: Configure AFP Logging settings
Use Logging settings to specify how much information is recorded in AFP log files. See
“Configuring Logging Settings” on page 70.
Step 5: Configure AFP Idle Users settings
Use Idle Users settings to disconnect idle clients, enable clients to reconnect after
sleeping (within a specified time limit), and customize a disconnect message. See
“Configuring Idle Users Settings on page 71.
Step 6: Start AFP services
After you configure AFP, start the service to make it available. See “Starting AFP Service”
on page 72.
Turning AFP Service On
Before you can configure AFP settings, you must turn on AFP service in Server Admin.
To turn AFP service on:
1Open Server Admin and connect to the server.
2Click Settings, then click Services.
3Select the AFP checkbox.
4Click Save.
68 Chapter 4 Working with AFP Service
Setting Up AFP Service
If you enabled the Server Assistant to start AFP service when you installed Mac OS X
Server, you don’t need to do anything else. Verify that the default service settings meet
your needs.
There are four groups of settings on the Settings pane for AFP service in Server Admin:
ÂGeneral. Sets information that identifies your server, enables automatic startup, and
creates a login message for AFP service.
ÂAccess. Sets up client connections and guest access.
ÂLogging. Configures and manages logs for AFP service.
ÂIdle Users. Configures and administers idle user settings.
The following sections describe how to configure these settings, and a fifth section tells
you how to start AFP service when you finish.
Configuring General Settings
You use the General settings pane in AFP to enable automatic startup, enable browsing
with Bonjour, and create a login greeting for your users.
To configure AFP service General settings:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select AFP.
4Click Settings, then click General.
5Advertise the AFP share point using Bonjour by selecting “Enable Bonjour registration.”
This option lets clients browse for the share point using the Mac OS X “Connect to
Server command or the Mac OS 9 Network Browser.
For information about Service Location Protocol (SLP) and IP multicasting, see Network
Services Administration.
6If you have Mac OS 8 and Mac OS 9 clients with special language needs, choose the
correct character set from the “Encoding for older clients pop-up menu.
When Mac OS 9 (or earlier) clients are connected, the server converts file names from
the systems UTF-8 character encoding to the chosen set. This has no effect on
Mac OS X client users.
7Enter the message you want users to see in the Logon Greeting field.
The message does not appear when a user logs in to their home folder.
To prevent users from seeing the greeting repeatedly, select “Do not send same
greeting twice to the same user.”
Chapter 4 Working with AFP Service 69
8Click Save.
From the Command Line
You can also change AFP service settings using the serveradmin command in Terminal
or by changing the AFP preferences file. For more information, see the file services
chapter of Command-Line Administration.
Configuring Access Settings
Use the Access pane of AFP Settings in Server Admin to control client connections and
guest access.
To configure AFP service Access settings:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select AFP.
4Click Settings, then click Access.
5Choose the authentication method you want to use from the Authentication pop-up
menu: Standard, Kerberos, or Any Method.
6If necessary, permit unregistered users to access AFP share points by selecting “Enable
Guest access.”
Guest access is a convenient way to provide occasional users with access to files and
other items, but for better security, don’t select this option.
Note: After you permit guest access for Apple file service in general, you can still
selectively enable or disable guest access for individual share points.
7Enable an administrator to log in using a user’s name with an administrator password
(and thereby experience AFP service as the user would) by selecting “Enable
administrator to masquerade as any registered user.”
8Restrict the number of simultaneous client connections by clicking the button next to
the Client Connections or Guest Connections field and enter a number.
The maximum number of simultaneous users is limited by the type of license you have.
For example, if you have a 10-user license for your server, a maximum of 10 users can
connect at one time.
Select Unlimited if you do not want to restrict the maximum number of connections.
The maximum number of guests cannot exceed the maximum number of total client
connections permitted.
9Click Save.
70 Chapter 4 Working with AFP Service
From the Command Line
You can also change AFP access settings using the serveradmin command in Terminal
or by reconfiguring the AFP preferences file. For more information, see the file services
chapter of Command-Line Administration.
Configuring Logging Settings
Use the Logging pane of the AFP service settings in Server Admin to configure and
manage service logs.
To configure AFP service Logging settings:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select AFP.
4Click Settings, then click Logging.
5To keep a record of users who connect to the server using AFP, select “Enable access
log.”
6To periodically close and save the active log and open a new one, select Archive every
__ day(s)” and enter the number of days after which the log is archived.
The default is 7 days. The server closes the active log at the end of each archive period,
renames it to include the current date, and then opens a new log file.
7Select the events you want Apple file service to log.
An entry is added to the log when a user performs an action you select.
When you choose the number of events to log, consider available disk space. The more
events you choose, the faster the log file will grow.
8To specify how often the error log file contents are saved to an archive, select “Error
Log: Archive every __ day(s)” and enter the number of days.
9Click Save.
You can keep the archived logs for your records or manually delete them to free disk
space when they’re no longer needed. Log files are stored in /Library/Logs/
AppleFileService/. You can use the log rolling scripts supplied with Mac OS X Server to
reclaim disk space used by log files.
From the Command Line
You can also change AFP service logging settings using the serveradmin command in
Terminal or by changing the AFP preferences file. For more information, see the file
services chapter of Command-Line Administration.
Chapter 4 Working with AFP Service 71
Configuring Idle Users Settings
Use the Idle Users pane of AFP service settings to specify how your server handles idle
users. An idle user is someone who is connected to the server but whose connection
has been inactive for a predefined period of time.
If a client is idle or asleep for longer than the specified idle time, open files are closed,
the client is disconnected, and unsaved work is lost.
To configure Idle Users settings:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select AFP.
4Click Settings, then click Idle Users.
5To enable client computers to reconnect after sleeping for a certain time, select Allow
clients to sleep __ hour(s)” and enter a number in the appropriate field.
Sleeping clients will not show as idle.
Although the server disconnects sleeping clients, the clients’ sessions are maintained
for the specified period. A sleeping Mac OS X version 10.2 (or later) client can resume
work on open files within the limits of the Allow clients to sleep setting.
6To specify the idle time limit, select “Disconnect idle users after __ minute(s)” and enter
the number of minutes after which the AFP session of an idle connection is
disconnected.
To prevent particular types of users from being disconnected, select them under
“Except.”
7In the “Disconnect Message” field, enter the message you want users to see when they
are disconnected.
If you don’t enter a message, a default message appears stating that the user has been
disconnected because the connection has been idle for a period of time.
8Click Save.
From the Command Line
You can also change AFP service idle user settings using the serveradmin command in
Terminal or by changing the AFP preferences file. For more information, see the file
services chapter of Command-Line Administration.
72 Chapter 4 Working with AFP Service
Starting AFP Service
You start AFP service to make AFP share points available to your client users.
To start AFP service:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select AFP.
4Click Start AFP (below the Servers list).
The service runs until you stop it and restarts if your server is restarted.
From the Command Line
You can also start AFP service using the serveradmin command in Terminal. For more
information, see the file services chapter of Command-Line Administration.
Managing AFP Service
This section describes typical day-to-day tasks you might perform after you set up AFP
service on your server. Initial setup information appears in “Setting Up AFP Service on
page 68.
Checking AFP Service Status
Use Server Admin to check the status of AFP service.
To view AFP service status:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select AFP.
4To see information such as whether the service is running, when it started, its
throughput, the number of connections, and whether guest access is enabled, click
Overview.
5To review access and error logs, click Logs.
To choose which log to view, use the View pop-up menu.
6To see graphs of connected users or throughput, click Graphs.
Use the pop-up menus to choose which graph to view and to choose the duration of
time to graph data for.
Chapter 4 Working with AFP Service 73
7To see a list of connected users, click Connections.
The list includes the user name, connection status, users IP address or domain name,
duration of connection, and the time since the last data transfer (idle time).
From the Command Line
You can also check the status of the AFP service process by using the ps or top
commands in Terminal, or by looking at the log files in /Library/Logs/AppleFileService/
using the cat or tail command. For more information, see the file services chapter of
Command-Line Administration.
Viewing AFP Service Logs
Use Server Admin to view the error and access logs for AFP service, if you have enabled
them.
To view logs:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select AFP.
4Choose between access and error logs by clicking Logs, then use the View pop-up
menu.
Use the Filter field in the upper right to search for specific entries.
From the Command Line
You can also view AFP service logs in /Library/Logs/AppleFileService/ using the cat or
tail commands in Terminal. For more information, see the file services chapter of
Command-Line Administration.
Viewing AFP Graphs
Use Server Admin to view AFP graphs.
To view AFP graphs:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select AFP.
4To see graphs of connected users or throughput, click Graphs.
To choose which graph to view and the duration of time to graph data for, use the
pop-up menus.
5To update the data in the graphs, click the Refresh button (below the Servers list).
74 Chapter 4 Working with AFP Service
Viewing AFP Connections
Use Server Admin to view the clients that are connected to the server through the AFP
service.
To view AFP connections:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select AFP.
4To see a list of connected users, click Connections.
The list includes user name, connection status, users IP address or domain name,
duration of connection, and the time since the last data transfer (idle time).
You can send a disconnect message to all client computers and stop the service by
clicking Stop, entering when the service will be stopped, entering a message, and
clicking Send.
You can send a message to a user by selecting the user from the list, clicking Send
Message, entering the message, and clicking Send.
You can send a disconnect message to individual client computers and disconnect
them from the server by clicking Disconnect, entering when the user will be
disconnected, entering a message, and clicking Send.
Important: Disconnected users may lose unsaved changes in open files.
5To update the list of connected users, click the Refresh button (below the Servers list).
Stopping AFP Service
Use Server Admin to stop AFP service. This disconnects all users, so connected users
may lose unsaved changes in open files.
To initiate AFP service shutdown and warn users:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select AFP.
4Click Connections, then click Stop.
5Enter the amount of time that clients have to save their files before AFP service stops.
6If you want users to know why they must disconnect, enter a message in the Additional
Message field.
Otherwise, a default message is sent indicating that the server will shut down in the
specified number of minutes.
Chapter 4 Working with AFP Service 75
7Click Send.
From the Command Line
You can also stop AFP service immediately using the serveradmin command in
Terminal. For more information, see the file services chapter of Command-Line
Administration.
Enabling Bonjour Browsing
You can register AFP service with Bonjour to enable users to find the server by
browsing through available servers. Otherwise, users who cannot browse must enter
the server host name or IP address when connecting.
To register with Bonjour:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select AFP.
4Click Settings, then click General.
5Select “Enable Bonjour registration.”
6Click Save.
AFP share points use the Bonjour registration type afpserver.
From the Command Line
You can also set AFP service to register with Bonjour using the serveradmin command
in Terminal. For more information, see the file services chapter of Command-Line
Administration.
Limiting Connections
If your server provides a variety of services, you can prevent a flood of users from
affecting the performance of those services by limiting the number of clients and
guests who can connect at the same time.
To set the maximum number of connections:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select AFP.
4Click Settings, then click Access and look under “Maximum Connections.”
By default the maximum client and guest connections is set to Unlimited.
76 Chapter 4 Working with AFP Service
5Click the button next to the number field following “Client Connections (Including
Guests)” and enter the maximum number of connections you want to permit.
The guest connections limit is based on the client connections limit, and guest
connections count as part of the total connection limit. For example, if you specify
maximums of 400 client connections and 50 guest connections, and 50 guests are
connected, that leaves 350 connections for registered users.
6Click the button next to the number fields and adjacent to “Guest connections” and
enter the maximum number of guests you want to permit.
7Click Save.
From the Command Line
You can also set the AFP service connections limit using the serveradmin command in
Terminal. For more information, see the file services chapter of Command-Line
Administration.
Keeping an Access Log
The access log records the times when a user connects or disconnects, opens a file, or
creates or deletes a file or folder.
To set up access logging:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select AFP.
4Click Settings, then click Logging.
5Select “Enable access log.”
6Select the events you want to record.
When choosing events to log, consider the available disk space. The more events you
choose, the faster the log file will grow.
To view the log, open Server Admin, select AFP, and click Logs.
Alternatively, use Terminal to view the logs stored in /Library/Logs/AppleFileService/.
From the Command Line
You can also set AFP service to record logs using the serveradmin command in
Terminal. For more information, see the file services chapter of Command-Line
Administration.
Chapter 4 Working with AFP Service 77
Disconnecting a User
Use Server Admin to disconnect users from the Apple file server.
Important: Users lose information they haven’t saved when they are disconnected.
To disconnect a user:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select AFP.
4Click Connections.
5Select the user and click Disconnect.
6Enter the amount of time before the user is disconnected and type a disconnect
message.
If you don’t type a message, a default message appears.
7Click Send.
Automatically Disconnecting Idle Users
You can set AFP service to disconnect users who have not used the server for a period
of time.
To set how the server handles idle users:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select AFP.
4Click Settings, then click Idle Users.
5To enable client computers to reconnect after sleeping for a certain time, select Allow
clients to sleep __ hour(s)” and enter the number of hours clients can sleep and still
automatically reconnect to the server.
Although the server disconnects sleeping clients, the clients’ sessions are maintained
for the specified period. When a user resumes work within that time, the client is
reconnected with no apparent interruption.
6To specify the idle time limit, select “Disconnect idle users after __ minute(s)” and enter
the number of minutes after which an idle computer should be disconnected.
A sleeping Mac OS X v10.2 (or later) client can resume work on open files within the
limits of the Allow clients to sleep setting.
7To prevent particular types of users from being disconnected, select them under
“Except.”
78 Chapter 4 Working with AFP Service
8In the “Disconnect Message” field, enter the message you want users to see when they
are disconnected.
If you don’t type a message, a default message appears stating that the user has been
disconnected because the connection has been idle.
9Click Save.
From the Command Line
You can also change AFP service idle user settings using the serveradmin command in
Terminal or by changing the AFP preferences file. For more information, see the file
services chapter of Command-Line Administration.
Sending a Message to a User
You can use AFP service in Server Admin to send messages to clients.
To send a user a message:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select AFP.
4Click Connections and select the users name in the list.
5Click Send Message.
6Enter the message and click Send.
Note: Users cannot reply to the message.
Enabling Guest Access
Guests are users who can see information about your server without using a name or
password to log in. For better security, don’t permit guest access.
After enabling guest access for a service, enable guest access for specific share points.
See “Enabling Guest Access to a Share Point on page 56.
To enable guest access:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select AFP.
4Click Settings, then click Access.
5Select “Enable Guest access.”
6If you want to limit how many client connections can be used by guests, enter a
number in the “Maximum Connections: Guest Connections” option.
Chapter 4 Working with AFP Service 79
If you don’t want to limit the number of guest users who can be connected to your
server at one time select “Unlimited.”
7Click Save.
From the Command Line
You can also set AFP service to permit guest access using the serveradmin command in
Terminal. For more information, see the file services chapter of Command-Line
Administration.
Creating a Login Greeting
The login greeting is a message users see when they log in to the server.
To create a login greeting:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select AFP.
4Click Settings, then click General.
5In the Logon Greeting field, enter a message.
If you change the message, users will see the new message the next time they connect
to the server.
6To prevent users from seeing the message more than once, select “Do not send same
greeting twice to the same user.”
7Click Save.
From the Command Line
You can also change the AFP service greeting using the serveradmin command in
Terminal. For more information, see the file services chapter of Command-Line
Administration.
Integrating Active Directory and AFP Services
You can configure your AFP services to use Active Directory for authenticating and
authorizing Mac users to an AFP share point. If you have a mixed platform environment
with Windows and Mac computers you can integrate a Mac OS X AFP server with your
Windows Active Directory server. Mac users can access the AFP share point by using
their Active Directory user account credentials.
To integrate AFP with Active Directory:
1Create an AFP share point for your Mac users.
For more information, see “Creating a Share Point on page 39.
2Open Directory Utility (located in /Applications/Utilities/).
80 Chapter 4 Working with AFP Service
3If the lock icon is locked, click it and then enter the name and password for an
administrator.
4Click Directory Servers, then click the Add (+) button.
5From the Add a new directory of type” pop-up menu, choose Active Directory, then
enter the following information:
ÂActive Directory Domain: This is the DNS name or IP Address of the Active Directory
server.
ÂComputer ID: Optionally edit the ID you want Active Directory to use for your server.
This is the servers NetBIOS name. The name should contain no more than 15
characters, no special characters, and no punctuation.
If practical, make the server name match its unqualified DNS host name. For
example, if your DNS server has an entry for your server as server.example.com,” give
your server the name “server.”
ÂAD Administrator Username and Password: Enter the user name and password of the
Active Directory administrator.
6Click OK and close Directory Utility.
Supporting AFP Clients
After you configure your share point and AFP service, your clients can connect using
the Connect to Server window in Finder or they can have the shared volume mount
when they log in.
Note: Non-Apple clients can also connect over AFP using third-party AFP client
software.
Mac OS X Clients
AFP service requires the following Mac OS X system software:
ÂTCP/IP connectivity
ÂAppleShare 3.7 or later
To find out the latest version of AppleShare client software supported by Mac OS X, go
to the Apple support website at www.apple/support.
Connecting to the AFP Server in Mac OS X
You can connect to Apple file servers by entering the DNS name of the server or its IP
address in the Connect to Server window. Or, if the server is registered with Bonjour
browse for it in the Network globe in the Finder.
Note: Apple file service doesn’t support AppleTalk connections, so clients must use
TCP/IP to access file services.
Chapter 4 Working with AFP Service 81
To connect to the Apple file server in Mac OS X:
1In the Finder, choose Go > Connect to Server.
2In the Connect to Server pane, do one of the following:
ÂBrowse for the server in the list. If it appears, select it.
ÂEnter the DNS name of the server in the Address field using any of the following
forms:
server
afp://server
afp://server/share point
ÂEnter the server IP address in the Address field.
3Click Connect.
4Enter your user name and password or select Guest, then click Connect.
5Select the share point you want to use and click OK.
Changing the Default User Name for AFP Connections
When you use the Connect to Server command in the Finder to connect to an AFP
server, the login panel populates your full user name by default. In Mac OS X
version10.5 and later, you can customize this panel to present your short name, a
custom name, or no user name at all.
Important: These instructions involve using the defaults command to edit a property
list (.plist) file and are intended for experienced Mac OS X administrators. Incorrect
editing of this file can lead to unexpected Mac OS X behavior. Before following these
instructions, make a backup copy of the /Library/Preferences/
com.apple.NetworkAuthorization.plist file.
You can edit this file so that the Name field in the Connect to Server dialog is
populated with one of the following:
ÂCurrent users long name (default behavior)
ÂCurrent users short name
ÂA custom name
ÂNo name
Note: If you select the “Remember password in keychain option in the Connect to
Server dialog, the name stored in the Keychain entry overrides the setting in this
preference file.
Use the defaults command in Terminal to change the default name to the following:
To set the current user’s short name:
$ defaults write /Library/Preferences/com.apple.NetworkAuthorization
UseDefaultName -bool NO
82 Chapter 4 Working with AFP Service
$ defaults write /Library/Preferences/com.apple.NetworkAuthorization
UseShortName -bool YES
To set a custom name:
$ defaults write /Library/Preferences/com.apple.NetworkAuthorization
UseDefaultName -bool YES
$ defaults write /Library/Preferences/com.apple.NetworkAuthorization
DefaultName “user”
Replace “user” with the desired custom name and enclose it in quotation marks.
To set no name:
$ defaults write /Library/Preferences/com.apple.NetworkAuthorization
UseDefaultName -bool YES
$ defaults write /Library/Preferences/com.apple.NetworkAuthorization
DefaultName “”
To set the current user’s long name:
This is only necessary if you have made any of the changes listed above.
$ defaults write /Library/Preferences/com.apple.NetworkAuthorization
UseDefaultName -bool NO
$ defaults write /Library/Preferences/com.apple.NetworkAuthorization
UseShortName -bool NO
or
$ defaults delete /Library/Preferences/com.apple.NetworkAuthorization
UseDefaultName
$ defaults delete /Library/Preferences/com.apple.NetworkAuthorization
UseShortName
Setting Up a Mac OS X Client to Automatically Mount a Share Point
As an alternative to using the network mount feature of AFP or NFS, Mac OS X clients
can set their computers to automatically mount server volumes.
To set a Mac OS X version 10.2.8 or earlier client to automatically mount a server
volume:
1Log in to the client computer as the user and mount the volume.
2Open System Preferences and click Login Items.
3Click Add, then locate the Recent Servers folder and double-click the volume you want
automatically mounted.
When the client user logs in the next time, the server, if available, mounts.
The client user can also add the server volume to Favorites and then use the item in
the Favorites folder in the home Library.
Chapter 4 Working with AFP Service 83
To set a Mac OS X version 10.3 or later client to automatically mount a server
volume:
1Log in to the client computer as the user and mount the volume.
2Open System Preferences and click Accounts.
3Select the user and click Startup Items (in Mac OS X v10.3) or Login Items (in Mac OS X
v10.4 or later).
4Click the Add (+) button (below the Servers list), select the server volume, and click
Add.
Connecting to the AFP Server from Mac OS 8 and Mac OS 9 Clients
Apple file service requires the following Mac OS 8 or 9 system software:
ÂMac OS 8 (version 8.6) or Mac OS 9 (version 9.2.2)
ÂTCP/IP
ÂAppleShare Client 3.7 or later
To find the latest version of AppleShare client software supported by Mac OS 8 and
Mac OS 9, go to the Apple support website at www.apple/support.
Note: Apple file service does not support AppleTalk connections, so clients must use
TCP/IP to access file services.
To connect from Mac OS 8 or Mac OS 9:
1Open the Chooser and click AppleShare.
2Select a file server and click OK.
3Enter your user name and password, or select Guest and then click Connect.
4Select the volume you want to use and click OK.
Setting up a Mac OS 8 or Mac OS 9 Client to Automatically Mount a
Share Point
As an alternative to using the network mount feature of AFP or NFS, clients can set
their computers to automatically mount server volumes.
To set a Mac OS 8 or Mac OS 9 client to automatically mount a server volume:
1Use the Chooser to mount the volume on the client computer.
2In the select-item dialog that appears after you log in, select the server volume you
want to mount automatically.
Configuring IP Failover
IP failover is a technology that allows you to set up two computers in a master-backup
relationship so that if the master computer fails, the backup computer transparently
assumes the role of the master with minimal disruption in service.
84 Chapter 4 Working with AFP Service
For example, if you have a home directory server with 1,000 users and you don’t have a
backup server, your users can’t access their files if the directory server fails. But if you
set up another server as a backup, then even if the master server fails the users can
access their files through the backup server without being aware of the service
disruption, as long as the data is stored on shared storage that is accessible by both
computers.
Mac OS X Server provides built-in support for IP failover. In this section, you learn how
IP failover works in Mac OS X Server and how to configure it.
IP Failover Overview
IP failover lets you ensure high availability of your servers. A simple IP failover solution
consists of two Mac OS X Server computers: a master and a backup. The master
computer provides services while the backup computer waits in the background to
take over if the master fails:
In this scenario, both computers connect to the same network. Each computer has a
unique IP address and, optionally, a DNS or domain name. The computers are
connected directly to each other using IP over FireWire.
To provide IP failover support, Mac OS X Server uses the heartbeatd and failoverd
daemons:
ÂThe heartbeatd daemon runs on the master computer and broadcasts heartbeat
messages every second on port 1694 from both network interfaces, announcing the
host’s availability to other nodes listening with failoverd. Sending the heartbeat
message on both primary and secondary network links helps prevent false alarms.
heartbeatd uses the FAILOVER_BCAST_IPS entry in the /etc/hostconfig file to
determine who to send to broadcast the heartbeat message to.
homedirs.example.com
AFP SMB/CIFS
node1.example.com
Master server
node2.example.com
Backup server
Chapter 4 Working with AFP Service 85
ÂThe failoverd daemon runs on the backup computer and listens on port 1694 for
broadcasts from a specific address on both interfaces. If failoverd stops receiving
the heartbeat messages on both interfaces, it takes over the public IP address of the
master server, which allows the failover server to service incoming client requests,
thus maintaining availability. failoverd uses the FAILOVER_PEER_IP and
FAILOVER_PEER_IP entries in the /etc/hostconfig file to get the public and private IP
addresses of the master server.
For IP failover to work, you must keep the backup computer in sync with the master.
For example, if you’re using the master computer as an AFP file server, make sure that
the backup computer has the same AFP service settings. If the settings are not the
same, users might not be able to access the file service.
In addition, for IP failover to work, the backup computer should have access to the data
needed by client computers. To ensure data availability, you’ll have to keep the data on
both computers in sync using the cron and rsync commands or other third-party
solutions.
Alternatively, you could use a RAID shared storage device in which to store data.
To take advantage of a RAID device in IP failover situations, you can use Xsan or third-
party storage area network (SAN) software to allow your master and backup servers to
access the same volume without corrupting it.
homedirs.example.com
AFP
node1.example.com
Master server
node2.example.com
Backup server
Fibre channel switch
RAID
86 Chapter 4 Working with AFP Service
You can also use logical unit number (LUN) masking at the Fibre switch level to grant
access to shared data on a RAID. You must create scripts to instruct the switch to swap
access from one server to the other. LUN masking at the switch level ensures that only
one server has access to the data, but never both servers at the same time.
After starting the heartbeatd and failoverd daemons, the master computer starts
sending heartbeat messages to the backup server at predetermined intervals. If the
backup computer stops receiving these messages, it triggers a chain of events that
results in the backup server taking over the IP address of the master server and
assuming its role.
From a client perspective, failover happens transparently, with minimal disruption of
service. This is because the client accesses services using a virtual IP address (that is, an
address not associated with a particular computer) or domain name (for example,
homedirs.example.com).
When the backup server assumes the role of the master, the client doesn’t see any
difference, as long as services on both computers are configured exactly the same way.
A brief disruption of service may be noticeable if IP failover happens while the client is
actively communicating with a service. For example, if a user is copying a file from the
server and it fails over, the copying process will be disrupted and the user must start
the copying process again.
Acquiring Master Address—Chain of Events
When the master server fails over, the following chain of events occurs on the backup
server:
1The failoverd daemon (located in /usr/sbin/) detects no broadcasts from the primary
server on the FireWire interface.
2The failoverd daemon instructs the NotifyFailover script (located in /usr/libexec/) to
notify users listed in /etc/hostconfig. If no recipient is specified, a message is sent to the
root user.
3failoverd executes the ProcessFailover script (located in /usr/libexec/).
4The ProcessFailover script executes the /Library/Failover/
IP_address
/Test script,
where
IP_address
is the IP address or domain name of the master server, and the
following occurs:
ÂIf the Test script returns false, ProcessFailover quits and the backup server does not
acquire the IP address of the master server.
ÂIf the Test script returns true (or does not exist), ProcessFailover continues its
execution.
WARNING: Giving two servers access to the same RAID volume without Xsan or third-
party SAN software can corrupt the volume.
Chapter 4 Working with AFP Service 87
Note: By default, the Test script is empty, but you can customize it to suit your needs.
5The ProcessFailover script executes, in alphabetical order, any script with the prefix
PreAcq in the /Library/Failover/IP_address folder.
PreAcq scripts prepares the backup server to acquire the IP address of the master
server. By default, Mac OS X Server ships with a number of PreAcq scripts, but you can
customize them or add you own.
6The ProcessFailover script configures the network interface to use the IP address of
the master server.
7The ProcessFailover script executes, in alphabetical order, any script with the prefix
PostAcq in the /Library/Failover/IP_address folder.
PostAcq scripts run after the backup server acquires the master’s IP address. As with
PreAcq scripts, Mac OS X Server ships with a number of PostAcq scripts. But you can
add your own. For example, a PostAcq script can notify you an email that failover
completed successfully.
For more information about failoverd, NotifyFailover, and ProcessFailover, see the
corresponding man page or the high availability chapter of the Command-Line
Administration guide.
Note: It takes approximately 30 seconds for failover to complete.
Releasing Master Address—Chain of Events
When you trigger failback, the following occurs on the backup server:
1The failoverd daemon instructs the NotifyFailover script (located in /usr/libexec/) to
notify the users listed in /etc/hostconfig. If no recipient is specified, a mail message is
sent to the root user.
2failoverd executes the ProcessFailover script (located in /usr/libexec/).
3The ProcessFailover script executes the Test script (located in /Library/Failover/
IP_address, where IP_address is the IP address or domain name of the master server),
and the following occurs:
ÂIf the Test script returns false, ProcessFailover quits and the master server does not
acquire the IP address of the backup server.
ÂIf the Test script returns true (or does not exist), ProcessFailover continues its
execution.
4The ProcessFailover script executes, in alphabetical order, any script with the prefix
PreRel in the Library/Failover/IP_address folder.
5The ProcessFailover script releases the IP address of the master server.
6The ProcessFailover script executes, in alphabetical order, any script with the prefix
PostRel in the Library/Failover/IP_address folder.
Note: By default, the Test script is empty, but you can customize it to suit your needs.
88 Chapter 4 Working with AFP Service
IP Failover Setup
Here is an overview of what you need to do to set up your Mac OS X Server computers
for IP failover:
Step 1: Connect the master and backup computers to the same network and
configure their TCP/IP settings
This step allows your servers to communicate with client computers. Each server must
have its own unique IP address.
Step 2: Connect the two computers directly using a secondary Ethernet interface
or IP over FireWire and configure the IP settings
This step allows direct communication of IP failover events between servers.
Step 3: Configure and start IP failover service on the master and backup servers
This step allows the master and backup computers to fail over and fail back.
Connecting the Master and Backup Servers to the Same Network
The first step in setting up your servers for failover is to connect the master and backup
computers to the same network and configure their network settings.
To connect the master and backup server to the same network:
1Using the primary Ethernet interface, connect the master and backup servers to the
same network.
2In the Network pane of System Preferences, configure the TCP/IP settings on both the
master and backup computers so that each computer has a unique IP address and
both are on the same subnet.
Ideally, have your system administrator map the IP address of the master server to a
virtual DNS name (for example, homedirs.example.com) that users use to connect to
your server. This allows you to change the IP address of the master server transparently
to users.
You might also want to map the IP addresses of the master and backup servers to DNS
names (for example, node1.example.com and node2.example.com) that you can use to
refer to the two computers when setting up IP failover.
Chapter 4 Working with AFP Service 89
Connecting the Master and Backup Servers Together
Connect the master and backup computers together using a secondary Ethernet
interface or IP over FireWire. This is an important step because the two computers
communicate failover events over this connection.
To connect the master and backup servers together:
1Use an Ethernet cable or a FireWire cable to connect the master and backup computers
together.
2In the Network pane of System Preferences, configure the TCP/IP settings of the
secondary Ethernet interface or IP over FireWire interface on both computers.
Assign each computer a private network IP address (for example 10.1.0.2 and 10.1.0.3)
and make sure that both computers are on the same subnet.
Configuring the Master Server for IP Failover
Configuring the master server for IP failover is simple: Add or edit two entries in the /
etc/hostconfig file and then restart the server.
To configure the master server for IP failover:
1Add or edit the FAILOVER_BCAST_IPS entry in /etc/hostconfig to specify the addresses
to send heartbeat messages to.
For example, if the primary IP address of the master server is 17.1.0.50 and the
secondary IP address is 10.1.0.2, add the following line to the /etc/hostconfig file to
broadcast the message over the two networks:
FAILOVER_BCAST_IPS=”10.1.0.255 17.1.0.255”
However, it’s more efficient for your network switch to send the heartbeat messages to
specific addresses:
FAILOVER_BCAST_IPS=”10.1.0.3 17.1.0.51”
This line instructs the master server to send the heartbeat messages to the primary and
secondary IP addresses of the backup server.
Note: To edit the /etc/hostconfig file, you must be root. Use the sudo command when
opening this file using your preferred command-line editor.
2Add or edit the FAILOVER_EMAIL_RECIPIENT entry to specify the mail address to send
notifications to.
If you don’t add this entry, mail notifications go to root.
3Restart the server.
The IPFailover startup item launches heartbeatd during startup. Upon launch,
heartbeatd checks its argument list, moves to the background, and periodically sends
out heartbeat messages to the addresses specified in the FAILOVER_BCAST_IPS entry in
the /etc/hostconfig file.
90 Chapter 4 Working with AFP Service
Configuring the Backup Server for IP Failover
Configuring the backup server for IP failover is simple: Add or edit two entries in the /
etc/hostconfig file, disconnect the master and backup servers, restart the backup
server, and reconnect the servers.
To configure the backup server for IP failover:
1Add or edit the FAILOVER_PEER_IP_PAIRS entry in the /etc/hostconfig file to specify the
IP address of the primary network interface on the master server.
For example, if the IP address of the primary network interface on the master server is
17.1.0.50, add the following entry:
FAILOVER_PEER_IP_PAIRS=”en0:17.1.0.50”
Note: To edit the /etc/hostconfig file, you must be root. Use the sudo command when
opening this file using your preferred command-line editor.
2Add or edit the FAILOVER_PEER_IP entry in /etc/hostconfig to specify the IP address of
the secondary network interface on the master server.
For example, if the IP address of the FireWire port on the master server is 10.1.0.2, add
the following entry:
FAILOVER_PEER_IP=”10.1.0.2”
3Disconnect the direct connection between backup server and master server.
If youre using IP over FireWire for the secondary interface, disconnect the FireWire
cable connecting the two computers.
4Restart the backup server.
5When the backup server has started up, reconnect it to the primary server.
Configuring the AFP Reconnect Server Key
In the case of network disconnect, AFP can allow initially authenticated clients to
reconnect to the server using a reconnect token rather then reauthenticating with user
credentials. The reconnect token contains information that allows the server to verify
session and user data on the server.
When the client initially logs in (using user credentials), the server sends the client a
reconnect token. This token is encrypted with the server reconnect key located in /etc/
AFP.conf and is only readable by the server.
Following a disconnect of an established session, the client attempts a reconnect by
sending the reconnect key to the server. The server decrypts the reconnect token using
the server reconnect key. Then the server verifies that it is a valid, authenticated session
token by verifying data in the reconnect token with data on the server (for example,
user data obtained from the user record). When the information is verified, the server
completes the reconnect.
Chapter 4 Working with AFP Service 91
In the case of failover, the server reconnect key used to initially encrypt the reconnect
token handed to the client must be used by the backup server to handle all reconnects.
By default, the server reconnect key is, by default, stored in /etc/AFP.conf. This file
should be copied from the master server to the backup server, or should be placed on
a shared storage that both servers can access.
The path to the key is specified by the reconnectKeyLocation attribute value, found in
the preference file /Library/Preferences/com.AppleFileServer.plist.
If your master and backup servers share a data storage, you can change the value of
reconnectKeyLocation in the server preferences file. This ensures that the same
reconnect server key is used by both servers.
Viewing the IP Failover Log
Mac OS X Server records all IP failover activity in /Library/Logs/failoverd.log.
To view failover service log files:
1Open /Applications/Utilities/Console.
2Choose File > Open.
3Locate and select the failoverd.log file in the /Library/Logs/ folder.
4Click Open.
You can use the Filter field to display only the log entries you’re interested in.
From the Command Line
You can also view the failoverd.log file using commands in Terminal. To automate log
monitoring, consider using cron and grep to automatically search log files for IP
failover-related keywords and mail those entries to you. For more information, see the
IP failover chapter of the Command-Line Administration guide.
92 Chapter 4 Working with AFP Service
5
93
5Working with SMB Service
This chapter describes how to set up and manage SMB
service in Mac OS X Server.
Mac OS X Server can provide the following native services to Windows clients:
ÂDomain login. Enables each user to log in using the same user name, password,
roaming profile, and network home folder on any Windows computer capable of
logging in to a Windows NT domain.
ÂFile service. Enables Windows clients to access files stored in share points on the
server using Server Message Block (SMB) protocol over TCP/IP.
ÂPrint service. Enables Windows clients to print to PostScript printers with print
queues on the server.
ÂWindows Internet Naming Service (WINS). Enables clients to resolve NetBIOS names
and IP addresses across multiple subnets.
ÂWindows domain browsing. Enables clients to browse for available servers across
subnets.
File Locking with SMB Share Points
File locking prevents multiple clients from changing the same information at the same
time. When a client opens a file (or part of a file), the file becomes locked so the client
has exclusive access.
Before a read or write is performed on a file the lock database to checked to verify the
lock status of the file.
Strict locking, enabled by default, helps prevent multiple clients from attempting to
write to the same file. When strict locking is enabled, the SMB server checks for and
enforces file locks.
Opportunistic locking (oplocks) grants exclusive access to the file similarly to strict
locking, but also permits the client to cache its changes locally (on the client
computer). This type of locking offers improved performance.
In Mac OS X Server, SMB share points supports oplocks.
94 Chapter 5 Working with SMB Service
To enable oplocks, change the SMB protocol settings for a share point using
Workgroup Manager. For more information, see “Changing SMB Settings for a Share
Point” on page 42.
Important: Do not enable oplocks unless the share point is using only SMB. If the share
point uses any other protocol, data can become corrupt.
Setup Overview
Here is an overview of the basic steps for setting up SMB service.
Step 1: Turn SMB service on
Before configuring SMB service, SMB must be turned on. See “Turning On SMB Service”
on page 95.
Step 2: Configure SMB General settings
SMB General settings enable you to specify the number of authenticated and
anonymous users that are permitted to connect to the server. See “Configuring General
Settings” on page 96.
Step 3: Configure SMB Access settings
Access settings enable you to permit guest Windows users, limit the number of
simultaneous Windows client connections, or set Windows authentication options. See
“Configuring Access Settings” on page 97.
Step 4: Configure SMB Logging settings
Logging settings enable you to specify how much information is recorded in SMB log
files. See “Configuring Logging Settings on page 98.
Step 5: Configure SMB Advanced settings
Advanced settings enable you to choose a client code page, set the server to be a
workgroup or domain master browser, specify the server WINS registration, and enable
virtual share points for home users. See “Configuring Advanced Settings” on page 98.
Step 6: Create share points and share them using SMB
Use the Sharing service of Server Admin to specify the share points you want to make
available through SMB. For Windows users to be able to access a share point, you must
explicitly configure the share point to use SMB service. See “Creating a Share Point” on
page 39 and “Changing SMB Settings for a Share Point on page 42.
You can also create virtual share points that enable each user to have the same home
folder whether logging in from a Windows workstation or a Mac OS X computer. See
“Enabling or Disabling Virtual Share Points” on page 102.
Chapter 5 Working with SMB Service 95
Step 7: Start SMB service
After you configure SMB, start the services to make them available. See “Starting SMB
Service on page 99.
Turning On SMB Service
Before you can configure SMB settings, you must turn on SMB service.
To turn on SMB service:
1Open Server Admin and connect to the server.
2Click Settings, then click Services.
3Click the SMB checkbox.
4Click Save.
Setting Up SMB Service
You set up SMB service by configuring four groups of settings on the Settings pane for
SMB service in Server Admin:
ÂGeneral. Specify the servers role in providing SMB service and the server’s identity
among clients of its SMB service.
ÂAccess. Limit the number of clients and control guest access.
ÂLogging. Choose how much information is recorded in the service log.
ÂAdvanced. Configure WINS registration and domain browsing services, choose a
code page for clients, and control virtual share points for home folders.
Because the default settings work well if you want to provide only SMB file and print
services, you may only need to start SMB service. Nonetheless, check the settings and
change anything that is incorrect for your network.
If you want to set up a Mac OS X Server as one of the following, you must change some
settings:
ÂA Primary Domain Controller (PDC)
ÂA Backup Domain Controller (BDC)
ÂA member of the Windows domain of Mac OS X Server PDC
ÂA member of an Active Directory domain of a Windows server
In addition, your Windows client computers must be configured to access SMB service
of Mac OS X Server as described at the end of this chapter, especially if users will log in
to the Windows domain.
The following sections describe how to configure these settings, and a final section
tells you how to start SMB service.
96 Chapter 5 Working with SMB Service
Configuring General Settings
Use the General settings to select the server role and provide the description,
computer name, and workgroup for the server.
To configure SMB General settings:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select SMB.
4Click Settings, then click General.
5From the Role pop-up menu, set the Windows server role:
Choose “Standalone Server” if you want your server to provide SMB file and print
services to users with accounts in the server local directory domain. The server will not
provide authentication services for Windows domain login on Windows computers.
This is the default.
Choose “Domain Member if you want your server to provide Windows file and print
services to users who log in to the Windows domain of a Mac OS X Server PDC or the
Active Directory domain of a Windows server. A domain member can host user profiles
and network home folders for user accounts on the PDC or the Active Directory
domain.
Choose “Primary Domain Controller (PDC)” if you want your server to host a Windows
domain, to store user, group, and computer records, and to provide authentication for
domain login and other services. If no domain member server is available, the PDC
server can provide Windows file and print services, and it can host user profiles and
network home folders for users with user accounts on the PDC.
Choose “Backup Domain Controller (BDC)” if you want your server to provide automatic
failover and backup for the Mac OS X Server PDC. The BDC handles authentication
requests for domain login and other services as needed. The BDC can host user profiles
and network home folders for user accounts on the PDC.
Note: Mac OS X Server can host a PDC only if the server is an Open Directory master,
and can host a BDC only if the server is an Open Directory replica. For information
about Mac OS X Server directory and authentication services, including Open Directory
master and replicas, see Open Directory Administration.
6Enter a description, computer name, and domain or workgroup:
For Description, enter a description of the computer. This appears in the Network
Places window on Windows computers, and is optional.
Chapter 5 Working with SMB Service 97
For Computer Name, enter the name you want Windows users to see when they
connect to the server. This is the servers NetBIOS name. The name should contain no
more than 15 characters, no special characters, and no punctuation. If practical, make
the server name match its unqualified DNS host name. For example, if your DNS server
has an entry for your server as server.example.com,” give your server the name “server.”
For Domain, enter the name of the Windows domain that the server will host. The
domain name cannot exceed 15 characters and cannot be “workgroup.”
For Workgroup, enter a workgroup name. Windows users see the workgroup name in
the My Network Place (or Network Neighborhood) window. If you have Windows
domains on your subnet, use one of them as the workgroup name to make it easier for
clients to communicate across subnets. Otherwise, consult your Windows network
administrator for the correct name. The workgroup name cannot exceed 15 characters.
7Click Save.
From the Command Line
You can also change SMB service settings using the serveradmin command in Terminal.
For more information, see the file services chapter of Command-Line Administration.
Configuring Access Settings
Use the Access pane of SMB service settings in Server Admin to permit anonymous
Windows users or to limit the number of simultaneous Windows client connections.
You can also select the kinds of authentication SMB service accepts.
To configure SMB service access settings:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select SMB.
4Click Settings, then click Access.
5To permit Windows or other SMB users to connect to Windows file services without
providing a user name or password, select Allow Guest access.”
6To limit the number of users who can be connected to the SMB service at one time,
select “__ maximum” and enter a number in the field.
7Select the kinds of authentication Windows users can use.
Authentication options are NTLMv2 and Kerberos, NTLM, or LAN Manager. NTLMv2 and
Kerberos is the most secure option, but clients need Windows NT, Windows 98, or later
to use it. LAN Manager is the least secure, but Windows 95 clients can use it.
8Click Save.
98 Chapter 5 Working with SMB Service
From the Command Line
You can also change SMB service settings by using the serveradmin command in
Terminal. For more information, see the file services chapter of Command-Line
Administration.
Configuring Logging Settings
Use the Logging pane of SMB service settings in Server Admin to specify how much
information is recorded in the SMB log file.
To configure SMB service logging level:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select SMB.
4Click Settings, then click Logging.
5From the pop-up menu, set the level of log detail:
Choose “Low” to record error and warning messages only.
Choose “Medium” to record error and warning messages, service start and stop times,
authentication failures, and browser name registrations.
Choose “High” to record error and warning messages, service start and stop times,
authentication failures, browser name registrations, and file accesses.
6Click Save.
From the Command Line
You can also change SMB service settings using the serveradmin command in
Terminal. For more information, see the file services chapter of Command-Line
Administration.
Configuring Advanced Settings
Use the Advanced pane of SMB service settings in Server Admin to choose a client
code page, set the server to be a workgroup or domain master browser, specify the
servers WINS registration, and enable virtual share points for user homes.
To configure SMB service Advanced settings:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select SMB.
4Click Settings, then click Advanced.
5From the Code Page pop-up menu, choose the character set you want clients to use.
Chapter 5 Working with SMB Service 99
6Select how you want the server to perform discovery and browsing services:
To provide discovery and browsing of servers in a single subnet, select “Services:
Workgroup Master Browser.”
To provide discovery and browsing of servers across subnets, select “Services: Domain
Master Browser.”
7Select how you want the server to register with WINS:
To prevent your server from using or providing WINS for NetBIOS name resolution,
select “Off.
To enable your server to provide NetBIOS name resolution service, select “Enable WINS
server.” This feature enables clients across multiple subnets to perform name and
address resolution.
To enable your server to use an existing WINS service for NetBIOS name resolution,
select “Register with WINS server and enter the IP address or DNS name of the WINS
server.
8Select whether you want virtual share points to be enabled:
If you enable virtual share points, each user has the same network home folder
whether they log in from a Windows workstation or a Mac OS X computer.
If you disable virtual share points, you must set up an SMB share point for Windows
home folders and you must configure each Windows user account to use this share
point.
From the Command Line
You can also change SMB service settings using the serveradmin command in Terminal.
For more information, see the file services chapter of Command-Line Administration.
Starting SMB Service
You start SMB service to make it available to your client users.
To start SMB service:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select SMB.
4Click Start SMB (below the Servers list).
From the Command Line
You can also start SMB service using the serveradmin command in Terminal. For more
information, see the file services chapter of Command-Line Administration.
100 Chapter 5 Working with SMB Service
Managing SMB Service
This section describes typical tasks you might perform after you set up SMB service on
your server. Initial setup information appears in “Setting Up SMB Service on page 95.
Viewing SMB Service Status
Use Server Admin to view the status of SMB service.
To view SMB service status:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select SMB.
4To see whether the service is running, when it started, the number of connections, and
whether guest access is enabled, click Overview.
5To review the event log, click Logs.
Use the View pop-up menu to choose which logs to view.
6To see a graph of connected users, click Graphs.
Use the pop-up menu to choose the duration to graph data for.
7To see a list of connected users, click Connections.
The list includes the user name, user’s IP address or domain name, and the duration of
connection.
From the Command Line
You can also view the status of the SMB service process using the ps or top commands
in Terminal. To view the log files (located in /Library/Logs/WindowsServices/), use the
cat or tail command.
For more information, see the file services chapter of Command-Line Administration.
Viewing SMB Service Logs
Use Server Admin to view SMB logs.
To view SMB logs:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select SMB.
Chapter 5 Working with SMB Service 101
4Click Logs and use the View pop-up menu to choose between “SMB File Service Log”
and “SMB Name Service Log.”
To choose the types of events that are recorded, see “Configuring Logging Settings” on
page 98.
From the Command Line
You can also view the SMB log using the cat or tail commands in Terminal. For more
information, see the file services chapter of Command-Line Administration.
Viewing SMB Graphs
You use Server Admin to view SMB graphs.
To view SMB graphs:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select SMB.
4To see a graph of average connected user’s throughput over a period of time, click
Graphs.
To choose the duration of time to graph data for, use the pop-up menu.
5Update the data in the graph by clicking the Refresh button (below the Servers list).
Viewing SMB Connections
Use Server Admin to view the clients that are connected to the server through SMB
services.
To view SMB connections:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select SMB.
4To see a list of connected users, click Connections.
The list includes the user name, user IP address or domain name, and the duration of
connection.
You can disconnect individual clients by selecting the user from the Connections list
and clicking Disconnect.
Important: Disconnected users may lose unsaved changes in open files.
5Update the list of connected users by clicking the Refresh button (below the Servers
list).
102 Chapter 5 Working with SMB Service
Stopping SMB Service
You stop SMB service using Server Admin.
Important: When you stop SMB service, any users that are connected may lose
unsaved changes in open files.
To stop SMB service:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select SMB.
4Click Stop SMB (below the Servers list).
From the Command Line
You can also stop SMB service using the serveradmin command in Terminal. For more
information, see the file services chapter of Command-Line Administration.
Enabling or Disabling Virtual Share Points
Using Server Admin, you can control whether Mac OS X Server creates a virtual SMB
share point that maps to the share point selected for each user in Server Admin. This
simplifies setting up home folders for Windows users by using the same home folder
for Windows and Mac OS X.
If you enable virtual share points, each user has the same network home folder
whether logging in from a Windows workstation or a Mac OS X computer.
If you disable virtual share points, you must set up an SMB share point for Windows
home folders, and you must configure each Windows user account to use this share
point.
To enable or disable virtual SMB share points for Windows home folders:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select SMB.
4Click Settings, then click Advanced.
5Click “Enable virtual share points.”
6Click Save.
6
103
6Working with NFS Service
This chapter describes how to set up and manage NFS service
in Mac OS X Server.
Network File System (NFS) is the protocol used for file services on UNIX computers. Use
NFS service in Mac OS X Server to provide file services for UNIX clients (including
Mac OS X clients).
You can share a volume (or export it, in standard NFS terminology) to a set of client
computers or to “World.” Exporting an NFS volume to World means that anyone who
accesses your server can also access that volume.
NFS service supports POSIX file permissions. NFS does not support reading or changing
the Access Control List (ACL) permissions. The ACLs are enforced by the file system
exported by NFS.
Setup Overview
Here is an overview of the major steps for setting up NFS service.
Step 1: Before you begin
For issues you should keep in mind when you set up NFS service, read “Before Setting
Up NFS Service on page 104.
Step 2: Turn NFS service on
Before configuring NFS service, turn on NFS. See “Turning On NFS Service” on page 104.
Step 3: Configure NFS settings
Configure NFS settings to set the maximum number of daemons and choose how you
want to serve clients—using Transmission Control Protocol (TCP), User Datagram
Protocol (UDP), or both. See “Configuring NFS Settings” on page 105.
Step 4: Create share points and share them using NFS
Use the Sharing service of Server Admin to specify the share points you want to export
(share) using NFS. For NFS users to access the share point, you must explicitly configure
a share point to use NFS.
104 Chapter 6 Working with NFS Service
See “Creating a Share Point on page 39, “Exporting an NFS Share Point” on page 44,
and “Automatically Mounting Share Points for Clients on page 47.
When you export a share point, NFS automatically starts. When you delete all exports,
the service stops. To see if NFS service is running, open Server Admin, select NFS from
the list of services for your server, and click Overview.
Before Setting Up NFS Service
Mac OS X 10.5 offers NFS with Kerberos, providing another secure file sharing service.
Secure access to NFS shared items is controlled by Kerberos, the client software, and
file permissions. NFS with Kerberos can be configured to only grant access to shared
volumes based on the IP address of a computer and a user’s single sign-on credentials.
If your network has both Mac OS X v10.4 and Mac OS X v10.5 computers, you can
permit authentication through both system authentication and Kerberos (by setting
the Minimum Security option to Any), then export your NFS share to World. This
requires users in a Kerberos realm to get a ticket-granting ticket from a single sign-on
Kerberos server before accessing NFS shared volumes, and still permits Mac OS X v10.4
computers to access the NFS share point using system authentication.
If your network has only Mac OS X v10.5 computers, it is recommended the security be
set to Kerberos authorization only.
Using NFS with Kerberos is a recommended way to configure secure access to files.
Turning On NFS Service
Before you can configure NFS settings, you must turn on NFS service in Server Admin.
To turn on NFS service:
1Open Server Admin and connect to the server.
2Click Settings, then click Services.
3Select the NFS checkbox.
4Click Save.
Chapter 6 Working with NFS Service 105
Setting Up NFS Service
Use Server Admin to change NFS service settings. The following sections describe the
tasks for configuring and starting NFS service.
Configuring NFS Settings
NFS settings enable you to set the maximum number of daemons and choose how you
want to serve clients—using TCP, UDP, or both.
To configure NFS settings:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select NFS.
4Click Settings.
5In the “Use__server threads” field, enter the maximum number of NFS threads you want
to run at one time.
An NFS thread is a thread running inside the nfsd process. It continuously runs behind
the scenes and processes read and write requests from clients. The more threads that
are available, the more concurrent clients can be served.
6Select how you want to serve data to your client computers.
TCP separates data into packets (small bits of data sent over the network using IP) and
uses error correction to make sure information is transmitted properly.
UDP is a correctionless and connectionless transport protocol. UDP doesn’t break data
into packets, so it uses fewer system resources. It’s more scalable than TCP, and a good
choice for a heavily used server because it puts a smaller load on the server. However,
do not use UDP if remote clients are using the service.
TCP provides better performance for clients than UDP. However, unless you have a
specific performance concern, select both TCP and UDP.
7Click Save.
From the Command Line
You can also change NFS service settings using the serveradmin command in Terminal.
For more information, see the file services chapter of Command-Line Administration.
106 Chapter 6 Working with NFS Service
Starting NFS Service
You start NFS service to make NFS exports available to your client users.
To start NFS service:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select NFS.
4Click Start NFS (below the Servers list).
The service runs until you stop it and restarts if your server is restarted.
Managing NFS Service
Use Server Admin to manage NFS service settings.
Checking NFS Service Status
Use Server Admin to check the status of Mac OS X Server devices and services.
To view NFS service status:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select NFS.
4Click Overview.
The Overview pane tells you whether the service is running and whether nfsd,
portmap, rpc.lockd, and rpc.statd processes are running.
The nfsd process responds to all NFS protocol and mount protocol requests from client
computers that have mounted folders.
The portmap process enables client computers to find nfs daemons (always one
process).
The rpc.lockd daemon provides file and record-locking services in an NFS environment.
The rpc.statd daemon cooperates with rpc.statd daemons on other hosts to provide a
status monitoring service. If a local NFS service quits unexpectedly and restarts, the
local rpc.statd daemon notifies the hosts being monitored at the time the service quit.
5To see a list of connected users, click Connections.
The list includes the user name, the user IP address or domain name, the time since the
last data transfer (idle time), NFS requests, and the bytes read and written.
Chapter 6 Working with NFS Service 107
From the Command Line
You can also check the NFS service status using the ps, nfsd status, or serveradmin
commands in Terminal. For more information, see the file services chapter of
Command-Line Administration.
Viewing NFS Connections
Use Server Admin to view the active clients that are connected to the server through
the NFS service.
To view NFS connections:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select NFS.
4To see a list of active users, click Connections.
The list includes the user name, the user IP address or domain name, the time since the
last data transfer (idle time), NFS requests, and the bytes read and written.
5To update the list of connected users, click the Refresh button (below the Servers list).
Stopping NFS Service
Use Server Admin to stop NFS service and disconnect users. Users who are connected
when you stop NFS service may lose unsaved changes in open files.
To stop NFS service after warning users:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select NFS.
4Click Connections, then see if users are connected to an NFS shared volume.
If you stop the service while users are connected, your connected users may lose
unsaved data.
5Click Stop NFS.
From the Command Line
You can also stop NFS service immediately using the serveradmin command in
Terminal. For more information, see the file services chapter of Command-Line
Administration.
108 Chapter 6 Working with NFS Service
Viewing Current NFS Exports
Use the Terminal application to view a list of current NFS exports.
To view current NFS exports:
1Open Terminal.
2Enter the following command to display NFS exports:
$ showmount -e
If this command does not return results in a few seconds, there are no exports and the
process does not respond.
3Quit Terminal.
Press Control-C to exit the showmount command and return to an active command line
in your Terminal window.
7
109
7Working with FTP Service
This chapter describes how to set up and manage FTP service
in Mac OS X Server.
File Transfer Protocol (FTP) is a simple way for computers of any type to transfer files
over the Internet. Someone using a computer that supports FTP or an FTP client
application can connect to your FTP server and upload or download files, depending
on the permissions you set.
Most Internet browsers and a number of freeware and shareware applications can be
used to access your FTP server.
In Mac OS X Server, FTP service is based on the source code for Washington Universitys
FTP server, known as “wu-FTPd.” However, the original source code has been
extensively modified to provide a better user experience. Some of these differences are
described in the following sections.
A Secure FTP Environment
Most FTP servers restrict users to specific folders on the server. Users see content only
in these directories, so the server is kept quite secure. Users cannot access volumes
mounted outside the restricted folders, and symbolic links and aliases cannot reach
outside these boundaries.
In Mac OS X Server, FTP service expands the restricted environment to permit access to
symbolic links while still providing a secure FTP environment. You can permit FTP users
to have access to the FTP root folder, their home folder, or to any other folder on the
server that you set up as an FTP share point.
A users access to the FTP root folder, FTP share points, and his or her home folder is
determined by the user environment you specify (as described in the following section)
and by access privileges.
Note: FTP service enforces ACL permissions.
110 Chapter 7 Working with FTP Service
FTP Users
FTP supports two types of users:
ÂAuthenticated users. These users have accounts on your server, and might have
home folders stored on the server. Some FTP software refers to these as real users. An
authenticated user must provide a user name and password to access server files
using FTP.
You review or set up authenticated users using the Accounts module of Workgroup
Manager.
ÂAnonymous users. These users do not have accounts on your server. They are also
known as guest users (for example, when you set up an FTP share point in Server
Admin). An anonymous user can access FTP folders on the server using the common
user name “anonymous” and a fictitious email address as their password.
You permit anonymous access to your server using the General pane of the FTP
service settings in Server Admin. See “Configuring General Settings” on page 116.
The FTP Root Folder
The FTP root folder (or FTP root) is a portion of the disk space of your server set aside
for FTP users. The FTP root is set to /Library/FTPServer/FTPRoot/ when you install the
server software.
You can change the FTP root. See “Changing the FTP Root Folder” on page 122.
FTP User Environments
Mac OS X Server has three FTP environments to choose from:
ÂFTP root and Share Points
ÂHome Folder with Share Points
ÂHome Folder Only
To choose the user environment for your server, you use the Advanced pane of FTP
service settings in Server Admin. For more information, see “Configuring FTP Advanced
Settings” on page 120.
Chapter 7 Working with FTP Service 111
FTP Root and Share Points
The “FTP Root and Share Points environment option gives access to the FTP root and
any FTP share points that users have access privileges to, as shown in the following
illustration.
Users access FTP share points through symbolic links attached to the FTP root folder.
The symbolic links are created when you create the FTP share points.
In this example, /Users, /Volumes/Data/, and /Volumes/Photos/ are FTP share points. All
users can see the home folders of other users because they are subfolders of the Users
share point.
Important: Regardless of the user environment setting, anonymous users and users
without home folders are always logged in to the FTP Root and Share Points
environment.
Home Folder with Share Points
When the user environment option is set to “Home Folder with Share Points,”
authenticated users log in to their home folders and have access to the FTP root by a
symbolic link created in their home folders.
etc system
Library
Data
Volumes
FTP server
FTP root
FTP Root
Looks like “/ ”
to anonymous
FTP users
Looks like “/ ”
when accessing
as user “Bob
Looks like “/ ”
when accessing
as user “Betty”
FTP share point
incorporated
within virtual root
Data
Betty
Bob
Users
Photos
Photos
Symbolic link
bin
FTP Root
112 Chapter 7 Working with FTP Service
Users access other FTP share points through symbolic links in the FTP root. As always,
access to FTP share points is controlled by user access privileges.
For users to access their home folders, the share point where the folders reside must be
configured to be shared using FTP, as shown in the following illustration:
If you change the FTP root, the symbolic link in a users home folder reflects that
change. For example, if you change the FTP root to /Volumes/Extra/NewRoot/, the
symbolic link created in the user’s home folder is named NewRoot.
bin etc system
Library
Data
Volumes
FTP
server
FTP root
Looks like “/ ”
FTP share point
incorporated
within virtual root
Data
Betty
Bob
Users
Photos
Photos
Share point
Symbolic link
Users
Chapter 7 Working with FTP Service 113
Home Folder Only
When you choose the “Home Folder Only option, authenticated users are confined to
their home folders and do not have access to the FTP root or other FTP share points, as
shown in the following illustration.
Anonymous users and users without home folders still have access to the FTP root but
cannot browse FTP share points.
On-the-Fly File Conversion
FTP service in Mac OS X Server enables users to request compressed or decompressed
versions of information about the server.
A file-name suffix such as “.Z” or “.gz” indicates that the file is compressed. If a user
requests a file named “Hamlet.txt and the server only has a file named “Hamlet.txt.Z,”
the server knows that the user wants the decompressed version, and delivers it to the
user in that format.
In addition to standard file compression formats, FTP in Mac OS X Server can read files
from Hierarchical File System (HFS) or non-HFS volumes and convert the files to
MacBinary (.bin) format. MacBinary is one of the most commonly used file compression
formats for the Macintosh operating system.
bin etc system
Library
Data
Volumes
FTP server
FTP root
Reports
Betty
Bob
Users
Projects
Photos
FTP share point
incorporated
within virtual root
Data Photos
Share point
Symbolic link
Looks like “/ ”
to anonymous
FTP users
114 Chapter 7 Working with FTP Service
The table below shows common file extensions and the type of compression they
designate.
Files with Resource Forks
Mac OS X clients can take advantage of on-the-fly conversion to transfer files created
using older file systems that store information in resource forks.
If you enable MacBinary and disk image autoconversion in FTP service settings, files
with resource forks are listed as .bin files on FTP clients. When a client asks to have one
of these files transferred, on-the-fly conversion recognizes the .bin suffix and converts
the file to a genuine .bin file for transfer.
Kerberos Authentication
FTP supports Kerberos authentication. You choose the authentication method using
the General pane of FTP service settings in Server Admin. See “Configuring General
Settings” on page 116.
FTP Service Specifications
FTP service has the following default specifications:
ÂMaximum authenticated users: 50
ÂMaximum anonymous users: 50
ÂMaximum connected users: 1000
ÂFTP port number: 21
ÂNumber of failed login attempts before user is disconnected: 3
Setup Overview
Here is an overview of the basic steps for setting up FTP service.
Step 1: Before you begin
For issues you should keep in mind when you set up FTP service, read “Before Setting
Up FTP Service on page 115.
File extension What it means
.gz DEFLATE compression
.Z UNIX compress
.bin MacBinary encoding
.tar UNIX tar archive
.tZ UNIX compressed tar archive
.tar.Z UNIX compressed tar archive
.crc UNIX checksum file
.dmg Mac OS X disk image
Chapter 7 Working with FTP Service 115
Step 2: Turn on FTP service
Before configuring FTP service, FTP must be turned on. See “Turning On FTP Service”
on page 116.
Step 3: Configure FTP General settings
General settings enable you to specify the number of authenticated and anonymous
users that can connect to the server, limit the number of login attempts, and provide
an administrator email address. See “Configuring General Settings” on page 116.
Step 4: Configure FTP Messages settings
Messages settings enable you to display banner and welcome messages, set the
number of login attempts, and provide an administrator email address. See
“Configuring Greeting Messages” on page 117.
Step 5: Configure FTP Logging settings
Logging settings enable you to specify the FTP-related events you want to log for
authenticated and anonymous users. See “Configuring FTP Logging Settings on
page 119.
Step 6: Configure FTP Advanced settings
Advanced settings enable you to change the FTP root and choose which items users
can see. See “Configuring FTP Advanced Settings” on page 120.
Step 7: Create an uploads folder for anonymous users
If you enabled anonymous access in Step 2, you may want to create a folder for
anonymous users to upload files. The folder must be named “uploads.” It is not a share
point, but must have correct access privileges. See “Creating an Uploads Folder for
Anonymous Users on page 121.
Step 8: Create share points and share them using FTP
Use the Sharing service of Server Admin to specify the share points that you want to
make available through FTP. You must explicitly configure a share point to use FTP so
that FTP users can access the share point. See “Creating a Share Point” on page 39 and
“Changing FTP Settings for a Share Point” on page 43.
Step 9: Start FTP service
After you configure FTP service, start the service to make it available. See “Starting FTP
Service on page 120.
Before Setting Up FTP Service
When determining whether to offer FTP service, consider the type of information you
will share and who your clients are. FTP works well when you want to transfer large files
such as applications and databases. In addition, if you want to permit guest
(anonymous) users to download files, FTP is a secure way to provide this service.
116 Chapter 7 Working with FTP Service
Server Security and Anonymous Users
Enabling anonymous FTP poses a security risk to your server and data because you
open your server to users that you do not know. The access privileges you set for the
files and folders on your server are the most important way to keep information secure.
The default settings for FTP prevent anonymous users from performing the following
actions:
ÂDeleting files
ÂRenaming files
ÂOverwriting files
ÂChanging permissions of files
Anonymous FTP users are permitted only to upload files to a special folder named
uploads” in the FTP root. If the uploads folder doesn’t exist, anonymous users can’t
upload files.
Turning On FTP Service
Before you can configure FTP settings, you must turn on FTP service in Server Admin.
To turn on FTP service:
1Open Server Admin and connect to the server.
2Click Settings, then click Services.
3Click the FTP checkbox.
4Click Save.
Setting Up FTP Service
There are four groups of settings on the Settings pane for FTP service in Server Admin:
ÂGeneral. Use to set information about access, file conversion, and login attempts for
FTP service.
ÂMessages. Use to configure messages that appear to clients using FTP service.
ÂLogging. Use to configure and manage logs for FTP service.
ÂAdvanced. Use to configure and administer advanced settings.
The following sections describe how to configure these settings, and a final section
tells you how to start FTP service when you’ve finished.
Configuring General Settings
You can use the General settings to limit the number of login attempts, provide an
administrator email address, and limit the number and type of users.
Chapter 7 Working with FTP Service 117
To configure FTP General settings:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select FTP.
4Click Settings, then click General.
5To indicate the number of times users can try to connect before they are disconnected,
enter a number in “Disconnect client after __ login failures.”
6To provide a contact for your users, enter an email address following “FTP administrator
email address.”
7From the Authentication pop-up menu, choose an authentication method.
8To limit the number of authenticated users who can connect to your server at the same
time, enter a number in the Allow a maximum of __ authenticated users field.
Authenticated users have accounts on the server. You can view or add them using the
Accounts module of Workgroup Manager.
9To permit anonymous users to connect to the server, select “Enable anonymous
access.”
Important: Before selecting this option, review the privileges assigned to your share
points under File Privileges in the Sharing pane to make sure there are no security
holes.
Anonymous users can log in using the name “ftp or “anonymous.” They do not need a
password to log in, but they are prompted to enter their email addresses.
10 To limit the number of anonymous users who can connect to your server at the same
time, enter a number in the Allow a maximum of __ anonymous users” field.
11 If you want to have files that have resource forks listed with a .bin suffix so that clients
can take advantage of automatic file conversion when transferring them, select “Enable
MacBinary and disk image auto-conversion.”
12 Click Save.
From the Command Line
You can also change FTP service settings using the serveradmin command in Terminal.
For more information, see the file services chapter of Command-Line Administration.
Configuring Greeting Messages
Users see the banner message when they first contact your server (before they log in),
and then they see the welcome message when they log in.
To change banner and welcome messages:
1Open Server Admin and connect to the server.
118 Chapter 7 Working with FTP Service
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select FTP.
4Click Settings, then click Messages.
The Messages pane appears, displaying the current text for both messages.
5Edit the text.
6Select “Show welcome message and “Show banner message.”
7Click Save.
From the Command Line
You can also change the FTP service banner message using the serveradmin command
in Terminal or by editing the files /Library/FTPServer/Messages/banner.txt and /Library/
FTPServer/Messages/welcome.txt. For more information, see the file services chapter of
Command-Line Administration.
Displaying Banner and Welcome Messages
FTP service in Mac OS X Server lets you greet users who contact or log in to your server.
Note: Some FTP clients may not display the message in an obvious place, or they may
not display it at all. For example, in recent releases of the FTP client Fetch, you set a
preference to display server messages.
The banner message appears when a user contacts the server, before they log in. The
welcome message appears after they successfully log in.
To display banner and welcome messages to users:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select FTP.
4Click Settings, then click Messages.
5Select “Show welcome message.”
6Select “Show banner message.”
7Click Save.
From the Command Line
You can also change the FTP service banner message using the serveradmin command
in Terminal or by editing the files /Library/FTPServer/Messages/banner.txt and /Library/
FTPServer/Messages/welcome.txt. For more information, see the file services chapter of
Command-Line Administration.
Chapter 7 Working with FTP Service 119
Displaying Messages Using message.txt Files
If an FTP user opens a folder on your server that contains a file named “message.txt,”
the file contents appear as a message.
The user sees the message only the first time they connect to the folder during an FTP
session. You can use the message to notify users of important information or changes.
Using README Messages
If you place a file named README in a folder, an FTP user who opens that folder
receives a message letting them know that the file exists and when it was last updated.
The user can then choose whether to open and read the file.
Configuring FTP Logging Settings
Logging settings enable you to choose which FTP-related events to record.
For authenticated or anonymous users, you can record:
ÂUploads
ÂDownloads
ÂFTP commands
ÂRule violation attempts
To configure FTP Logging settings:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select FTP.
4Click Settings, then click Logging.
5In the FTP log for authenticated users in the “Log Authenticated Users” section, select
events you want to record.
6In the FTP log for anonymous users in the “Log Anonymous Users section, select
events you want to record.
7Click Save.
To view the log, select FTP in Server Admin and click Log.
From the Command Line
You can also change FTP service logging settings using the serveradmin command in
Terminal. For more information, see the file services chapter of Command-Line
Administration.
120 Chapter 7 Working with FTP Service
Configuring FTP Advanced Settings
Advanced settings enable you to change the FTP root folder and to specify folders that
authenticated FTP users can access.
To configure FTP Advanced settings:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select FTP.
4Click Settings, then click Advanced.
5For Authenticated users see,” choose the type of user environment you want to
use: FTP Root and Share Points, Home Folder with Share Points, or Home Folder Only.
For more information, see “FTP Users” on page 110.
6To change the FTP root, enter the new pathname in the FTP Root field.
For more information, see “The FTP Root Folder on page 110.
From the Command Line
You can also change FTP service settings using the serveradmin command in Terminal.
For more information, see the file services chapter of Command-Line Administration.
Starting FTP Service
You must start FTP service to make it available to your users.
To start FTP service:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select FTP.
4Click Start FTP (below the Servers list).
From the Command Line
You can also start FTP service using the serveradmin command in Terminal. For more
information, see the file services chapter of Command-Line Administration.
Permitting Anonymous User Access
You can permit guests to log in to your FTP server with the user name “ftp” or
anonymous.” They don’t need a password to log in, but they are prompted to enter an
email address.
For better security, do not enable anonymous access.
Chapter 7 Working with FTP Service 121
To enable anonymous FTP service:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select FTP.
4Click Settings, then click General.
5Under Access, select “Enable anonymous access.”
6Click Save.
From the Command Line
You can also enable anonymous FTP access using the serveradmin command in
Terminal. For more information, see the file services chapter of Command-Line
Administration.
Creating an Uploads Folder for Anonymous Users
The uploads folder provides a place for anonymous users to upload files to the FTP
server. It must exist at the top level of the FTP root folder and be named “uploads.” If
you change the FTP root folder, the uploads folder must also be changed.
To create an uploads folder for anonymous users:
1Use the Finder to create a folder named “uploads” at the top level of your server FTP
root folder.
2Set privileges for the folder to permit guest users to write to it.
From the Command Line
You can also set up an FTP upload folder using the mkdir and chmod commands in
Terminal. For more information, see the file services chapter of Command-Line
Administration.
Changing the User Environment
Use the Advanced pane of the FTP service settings to change the user environment.
To change the FTP user environment:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select FTP.
4Click Settings, then click Advanced.
5From the Authenticated users see” pop-up menu, choose the type of user environment
you want to provide.
122 Chapter 7 Working with FTP Service
“FTP Root and Share Points” sets up the Users folder as a share point. Authenticated
users log in to their home folders, if theyre available. Authenticated and anonymous
users can see other users’ home folders.
“Home Folder with Share Points” logs authenticated FTP users in to their home folders.
They have access to home folders, the FTP root, and FTP share points.
“Home Directory Only” restricts authenticated FTP to user home folders.
6Click Save.
Regardless of the user environment you choose, access to data is controlled by the
access privileges that you or users assign to files and folders.
Anonymous users and authenticated users who don’t have home folders (or whose
home folders are not located in a share point they have access to) are always logged in
at the root level of the FTP environment.
Changing the FTP Root Folder
Use the Advanced pane of the FTP service settings to change the path to the FTP root
folder.
To specify a different FTP root:
1Select the folder you want to use.
If the folder doesn’t exist, create it and configure it as an FTP share point.
2Open Server Admin and connect to the server.
3Click the triangle to the left of the server.
The list of services appears.
4From the expanded Servers list, select FTP.
5Click Settings, then click Advanced.
6In the “FTP root field, enter the path to the new folder or click the Browse (...) button
below the field and select the folder.
From the Command Line
You can also change the FTP service root folder using the serveradmin command in
Terminal. For more information, see the file services chapter of Command-Line
Administration.
Managing FTP Service
This section describes typical tasks you perform after you set up FTP service on your
server. Initial setup information appears in “Setting Up FTP Service on page 116.
Checking FTP Service Status
Use Server Admin to check the status of FTP service.
Chapter 7 Working with FTP Service 123
To view FTP service status:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select FTP.
4To see whether the service is running, when it started, the number of authenticated
and anonymous connections, and whether anonymous access is enabled, click
Overview.
5To review the event log, click Log.
6To see a graph of connected users, click Graphs.
To choose the duration of time to graph data for, use the pop-up menu.
7To see a list of connected users, click Connections.
The list includes the user name, type of connection, users IP address or domain name,
and event activity.
From the Command Line
You can also check the status of the AFP service process using the ps or top commands
in Terminal, or by looking at the log files in /Library/Logs/AppleFileService/ using the
cat or tail command. For more information, see the file services chapter of Command-
Line Administration.
Viewing the FTP Service Log
Use Server Admin to view the FTP log.
To view the FTP log:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select FTP.
4Click Log.
To search for specific entries, use the Filter field in the upper right corner.
From the Command Line
You can also view the FTP log using the cat or tail commands in Terminal. For more
information, see the file services chapter of Command-Line Administration.
Viewing FTP Graphs
Use Server Admin to view FTP graphs.
124 Chapter 7 Working with FTP Service
To view FTP graphs:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select FTP.
4To see a graph of average connected user’s throughput over a period of time, click
Graphs.
To choose the duration of time to graph data for, use the pop-up menu.
5To update the data in the graphs, click the Refresh button (below the Servers list).
Viewing FTP Connections
Use Server Admin to view clients that are connected to the server through the FTP
service.
To view FTP connections:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select FTP.
4To see a list of connected users, click Connections.
The list includes the user name, type of connection, user IP address or domain name,
and event activity.
5To update the list of connected users, click the Refresh button (below the Servers list).
Stopping FTP Service
You stop FTP service using Server Admin.
To stop FTP service:
1Open Server Admin and connect to the server.
2Click the triangle to the left of the server.
The list of services appears.
3From the expanded Servers list, select FTP.
4Click Stop FTP (below the Servers list).
From the Command Line
You can also stop FTP service using the serveradmin command in Terminal. For more
information, see the file services chapter of Command-Line Administration.
8
125
8Solving Problems
This chapter lists solutions to common problems you might
encounter while working with file services in Mac OS X
Server.
Problems are listed in the following categories:
ÂProblems with share points
ÂProblems with AFP service
ÂProblems with SMB service
ÂProblems with NFS service
ÂProblems with FTP service
ÂProblems with IP failover
Problems with Share Points
This section describes potential problems with share points and ways to diagnose and
resolve the problems.
If Users Can’t Access Shared Optical Media
If users can’t access shared optical media:
ÂMake sure the optical media is a share point.
ÂIf you share multiple media, make sure that each has a unique name in the Sharing
pane.
If Users Can’t Access External Volumes Using Server Admin
Make sure the server is logged in.
126 Chapter 8 Solving Problems
If Users Can’t Find a Shared Item
If users can’t find a shared item:
ÂCheck the access privileges for the item. The user must have Read access privileges
to the share point where the item is located and to each folder in the path to the
item.
ÂServer administrators don’t see share points the same way a user does over AFP
because administrators see everything on the server.
To see share points from a user’s perspective, select “Enable administrator to
masquerade as any registered user in the Access pane of the Settings pane of AFP
service in Server Admin. You can also log in using a users name and password.
ÂAlthough DNS is not required for file services, an incorrectly configured DNS could
cause a file service to fail. For more information about DNS configuration, see
Network Services Administration.
If Users Can’t Open Their Home Folder
If users can’t open their home folder:
ÂMake sure the share point used for home folders is set up as an automount for home
folders in Server Admin.
ÂMake sure the share point is created in the same Open Directory domain as user
accounts.
ÂMake sure the client computer is set to use the correct Open Directory domain using
Directory Utility.
If Users Can’t Find a Volume or Folder to Use as a Share Point
If users can’t find a volume or folder to use as a share point:
ÂMake sure the volume or folder name does not contain a slash (“/”) character. The
Share Points pane of Server Admin lists the volumes and folders on your server but it
can’t correctly display the names of volumes and folders that include the slash
character.
ÂMake sure you’re not using special characters in the name of the volume or folder.
If Users Can’t See the Contents of a Share Point
If you set Write Only access privileges to a share point, users can’t see its contents.
Change the access privileges to Read Only or to Read & Write.
Problems with AFP Service
This section describes potential problems with AFP service and ways to diagnose and
resolve them.
Chapter 8 Solving Problems 127
If Users Can’t Find the AFP Server
If users can’t find the AFP server:
ÂMake sure the network settings are correct on the user’s computer and on the
computer that is running AFP service. If you can’t connect to other network resources
from the user’s computer, the network connection may not be working.
ÂMake sure the file server is running. Use the Ping pane in Network Utility to check
whether the server at the specified IP address can receive packets from clients over
the network.
ÂCheck the name you assigned to the file server and make sure users are looking for
the correct name.
If Users Can’t Connect to the AFP Server
If users can’t connect to the AFP server:
ÂMake sure the user has entered the correct user name and password. The user name
is not case-sensitive, but the password is.
ÂIn the Accounts module of Workgroup Manager, verify that logging in is enabled for
the user.
ÂSee if the maximum number of client connections has been reached (in the AFP
service Overview). If it has, the user should try to connect later.
ÂMake sure the server that stores users and groups is running.
ÂVerify that the user has AppleShare 3.7 or later installed on his or her computer.
Administrators who want to use the admin password to log in as a user need at least
AppleShare 3.7.
ÂMake sure IP filter service is configured to enable access on port 548 if the user is
trying to connect to the server from a remote location. For more on IP filtering, see
Network Services Administration.
If Users Don’t See the Login Greeting
If users can’t see the login greeting, upgrade the software on their computer. AFP client
computers must use AppleShare client software v3.7 or later.
Problems with SMB Service
This section describes potential SMB problems and ways to diagnose and resolve them.
If Windows Users Can’t See the Windows Server in Network
Neighborhood
If Windows users can’t see the Windows server in Network Neighborhood:
ÂMake sure the users computer is properly configured for TCP/IP and has the correct
Windows networking software installed.
ÂMake sure the user has guest access.
128 Chapter 8 Solving Problems
ÂGo to the DOS prompt on the client computer and enter ping <IP address>, where
<IP address> is your servers address. If the ping fails, there is a TCP/IP problem.
ÂIf the user is on a different subnet from the server, make sure you have a WINS server
on your network.
Note: If Windows computers are properly configured for networking and connected
to the network, client users can connect to the file server even if they can’t see the
server icon in the Network Neighborhood window.
If Users Can’t Log In to the Windows Server
If users can’t log in to the Windows Server, make sure Password Server is configured
correctly (if that is what you are using to authenticate users).
Problems with NFS Service
Following are general issues and recommendations to keep in mind when using NFS
service:
ÂNot entering the full path to the NFS share causes errors on the client side.
ÂIf you export more than one NFS share point, you cannot have nested exports on a
single volume, which means one exported directory cannot be the child of another
exported directory on the same volume.
ÂTo see available NFS mounts, use showmount -e
IP address
in Terminal, where IP
address is the servers address.
ÂNFS server errors and warnings are logged to /var/log/system.log.
Ânfsd status can be used to display the status of the NFS daemons.
Ânfsd checkexports can be used to verify the current set of exports definitions.
For information about using NFS to host home folders, see User Management.
Problems with FTP Service