Configuring the Apple File-Sharing Service
The primary file-sharing protocol for Macintosh computers is the Apple File Protocol (AFP). The AFP service features full file-system compatibility for both Mac OS X and Mac OS 9 systems. In addition to providing robust sharing services, the AFP service offers secure authentication and encrypted data transport. AFP share points can also be used for home and group network mounts.
The following task shows you how to enable basic AFP file services. Refer to the remaining tasks in this section for more advanced AFP options.

To set AFP access options:
1. Launch the Server Admin tool located in /Applications/Server, and authenticate as the administrator (Figure 5.14).
2. Select the AFP service for your server in the Computers & Services list (Figure 5.15).
3. Click the Settings button and then the General tab (Figure 5.16).
4. Select the appropriate options:
   - "Enable Rendezvous registration" allows Mac OS X 10.2 or newer systems to browse to your server on the local network (sometimes defined as the local subnet).
   - "Enable browsing with AppleTalk" allows pre-Mac OS X systems to browse to your server on the network using the older Chooser application.
5. Click the Access tab (Figure 5.17).
6. Select an authentication type from the Authentication pop-up menu (Figure 5.18):
   - Standard uses the built-in AFP authentication.
   - Kerberos uses MIT's advanced key distribution system.
   - Any Method uses either of the two other methods of authentication.
   See Chapter 3, "Open Directory," for more information about user authentication.
7. Choose any of the following AFP authentication options (Figure 5.19):
   - "Enable Guest access" enables access for users without accounts.
   - "Enable secure connections" enables secure data transport connections via SSH.
   - "Enable administrator to masquerade as any registered user" lets an administrator sign in to the server via AFP using a regular user's name but their own administrator's password.
8. Configure the maximum number of concurrent AFP client and guest connections (Figure 5.20).
   You may have a limited number of AFP connections based on your server's software license type.
9. When you've finished making changes, click the Save button.
10. Click the Overview button. Verify that the AFP service is running (Figure 5.21). If it isn't, click the Start Service button to activate the AFP server (Figure 5.22).
   Refer to the rest of the tasks in this chapter for more information about configuring the AFP service.

Tips
- A small green dot to the left of the AFP service in the Computers & Services list indicates that the Apple File Service is running.
- In order to allow guest access, you must also enable guest access for each share point. See the task "To configure AFP share-point settings" for more information about enabling guest access for individual share points.
- The "Enable administrator to masquerade as any registered user" authentication option is very useful for testing share points and permissions.
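
The Access tab options from steps 6 and 7 can also be reviewed from the command line. The following is an added example, not part of the original text: it checks "key = value" lines in the style printed by `sudo serveradmin settings afp` against a site policy. The key names, the policy values, and the sample input are assumptions made for illustration; confirm the keys against your own server's output.

```shell
#!/bin/sh
# Added example, not from the original page. Audits "key = value" lines in the
# style printed by `sudo serveradmin settings afp` against an assumed site policy.
# Key names are assumptions to confirm against your own server's output.

# Constructed sample input (not captured from a real server).
SAMPLE_OPEN='afp:guestAccess = yes
afp:authenticationMode = "standard_and_kerberos"
afp:SSHTunnel = no
afp:attemptAdminAuth = yes'

SAMPLE_STRICT='afp:guestAccess = no
afp:authenticationMode = "kerberos"
afp:SSHTunnel = yes
afp:attemptAdminAuth = no'

# afp_audit: read settings on stdin, print one finding per line (none = compliant).
afp_audit() {
    awk -F' = ' '
        NF == 2 { gsub(/"/, "", $2); seen[$1] = 1; val[$1] = $2 }
        # want(key, expected, label): report a missing key or a policy mismatch.
        function want(key, expected, label) {
            if (!(key in seen))
                print "UNKNOWN " label ": " key " not present in input"
            else if (val[key] != expected)
                print "REVIEW  " label ": " key " = " val[key] " (policy: " expected ")"
        }
        END {
            want("afp:guestAccess", "no", "Enable Guest access")
            want("afp:authenticationMode", "kerberos", "Authentication")
            want("afp:SSHTunnel", "yes", "Enable secure connections")
            want("afp:attemptAdminAuth", "no", "Administrator masquerade")
        }'
}

# afp_finding_count: number of findings for the settings on stdin.
afp_finding_count() {
    afp_audit | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_OPEN" | afp_audit
```

On a server, pipe the live settings into `afp_audit` in place of the sample. A missing key is reported as UNKNOWN and is never treated as compliant.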

Connecting to an AFP server from a Mac OS X client involves a few simple steps:
1. In the Finder, click the Network icon to browse for your server. A Mac OS X client can browse for AFP servers via the AppleTalk, SLP, or Rendezvous protocol.
   You can also connect directly in the Finder by selecting Go > Connect to Server from the menu bar and entering an AFP address or by pressing Command-K from the keyboard (Figure 5.23).
2. Authenticate to the server (Figure 5.24).
   You can also click the Options button to configure client-side connection options (Figure 5.25).
3. Select the share point(s) you wish to connect to (Figure 5.26).
Default settings dictate that the share point's icon will mount on the Finder's desktop.

Login greetings
A login greeting is a string of text that appears as soon as a user attempts to log in from a client computer. Login greetings can be used for general service information or usage disclaimers for server access. More and more often, users must agree to the legal ramifications of using an employer's computer services. Using a login greeting is perfect for this task, because the user must click the OK button to dismiss the login greeting dialog and connect to your server. Such login greetings usually begin with, "By clicking the OK button you agree to...."

To add a login greeting:
1. Within Server Admin, navigate to your server's AFP service settings (Figure 5.27).
   Instructions for this step are detailed in steps 1-4 of the task "To set AFP access options."
2. On the General tab, enter your logon text in the Logon Greeting field (Figure 5.28).
3. To make the greeting appear only the first time a user logs in, select the appropriate check box below the Logon Greeting field (Figure 5.29).
   By default, the logon greeting appears every time a user logs in to your server via the AFP service.
4. When you've finished making changes, click the Save button.
5. Verify the greeting by logging in to your server from the client (Figure 5.30).

Managing idle users
The AFP service requires a bit of overhead to maintain persistent server/client connections. The overhead per connection is quite low; however, when you have many connections simultaneously, this overhead can waste valuable server CPU and network resources. To remedy this situation, the server can automatically disconnect clients who are connected to your server but not actively using it. When this functionality is configured, users of computers running software older than Mac OS X 10.3 should receive a message that they have been disconnected for being idle.

To disconnect idle clients:
1. Within Server Admin, navigate to your server's AFP service settings (Figure 5.31).
   Instructions for this step are detailed in steps 1-4 of the task "To set AFP access options."
2. Click the Idle Users tab (Figure 5.32).
3. Select the "Disconnect idle users" check box, and enter a time in minutes (Figure 5.33).
4. Select any of the following idle-disconnect exceptions (Figure 5.34):
   - Guests: Any users who didn't authenticate as users to your server.
   - "Registered users": Any users who have an authenticated connection.
   - Administrators: Any users who have an authenticated connection and are in the admin group.
   - "Idle users who have open files": Any users who have a file that resides on the server but is open in an application running on their local computer. Severing the server connection while a file is open on the client is an excellent way to corrupt the file; in other words, it's a bad idea.
   Selecting the check box next to an exception category allows that user type to remain connected regardless of the idle disconnect settings.
5. To configure a message to appear on the client computer when the server disconnects an idle user, enter a text string in the Disconnect Message field (Figure 5.35).
6. When you've finished making changes, click the Save button.

Tips
- The "Allow clients to sleep" setting on the Idle Users tab lets the client computers sleep without counting as an idle connection. Computers sleeping and connected don't produce the extra overhead that running computers with idle connections do.
- You should always select the idle disconnect exception for idle users who have open files.
- Deleting all the text in the Disconnect Message field disables the message when an idle connection is disconnected.

Computers running Mac OS X 10.3 or later handle AFP idle disconnects in a very different manner. Your server still automatically disconnects, but the user shouldn't notice. The share point remains mounted to the client computer, yet the connection is idle. Essentially, the system hides the idle connection from the user. When the user tries to access the share again, the system automatically reconnects to your server. Furthermore, Mac OS X 10.3 or later attempts to reconnect to AFP connections that have been dropped due to network disconnects or sleep/wake cycles.

AFP share-point settings
When you create a share point on Mac OS X Server, it's automatically shared via AFP (as well as FTP and SMB), assuming the AFP service is running. Share points are also automatically configured for both registered user and guest access via AFP. Settings like these are individually configurable for each share point within the Workgroup Manager tool. See the "Configuring Share Points" section of this chapter for more information about creating share points.

To configure AFP share-point settings:
1. Launch the Workgroup Manager tool located in /Applications/Server, and authenticate as the administrator (Figure 5.36).
2. Click the Sharing icon in the Toolbar.
3. Choose to do either of the following:
   - Configure an existing share point by clicking the Share Points tab, and then select the share point you wish to edit from the sharing browser (Figure 5.37).
   - Configure a new share point. See the "To configure new share points" task in this chapter for detailed instructions.
4. Once you've selected the share point you wish to configure, click the Protocols tab to the right of the sharing browser (Figure 3.38).
5. Directly below the Protocols tab is the Protocols pop-up menu. From this menu, select Apple File Settings (Figure 5.39).
   The Apple File Settings frame opens.
6. Configure AFP sharing and guest access for this particular share point (Figure 5.40).
   You can also configure a custom AFP share point name that differs from the original folder's name.
7. Choose one of the following options based on your permissions requirements (Figure 5.41):
   - "Use standard Unix behavior": The default behavior. New items created in this share point will be owned by the user who created the item, and the group will be set to that user's primary group. See Chapter 4, "User and Group Management," for more information about primary groups.
   - "Inherit permissions from parent": An optional behavior. New items created in this share point will have the same permissions as the share point itself. Refer to the section "Configuring File and Folder Permissions," earlier in this chapter.
8. When you've finished making changes, click the Save button.

Tips
- In order for guests to access a share point, its permissions must be set to give everyone read access.
- Disabling guest access to the AFP service in Server Admin disables AFP guest access for every share point regardless of individual share settings.
- Changing the name of a share point can help disguise a disk as a folder name but can also backfire if the user is looking for the folder's original share name. Sharing the same folder over several different protocols and using different share point names can quickly become difficult to manage.