Configuring the Apple File-Sharing Service


The primary file-sharing protocol for Macintosh computers is Apple File Protocol (AFP). AFP features file-system compatibility for both Mac OS X and legacy Mac OS 9 systems (although share points mounted by Mac OS 9 clients and earlier cannot take advantage of certain options that Mac OS X clients can). In addition to providing robust sharing services, AFP offers secure authentication and encrypted data transport. AFP share points can also be used for home and group network mounts.

The AFP service requires a bit of overhead to maintain persistent server/client connections: The overhead per connection is quite low, but when you have many connections simultaneously, this overhead can waste valuable server CPU and network resources. To remedy this situation, the server can automatically disconnect clients who are connected to your server but not actively using it. When this functionality is configured, users on computers running software older than Mac OS X 10.3 who are disconnected for being idle should receive a message that they have been disconnected.

Mac OS X 10.3 AFP Connections

Computers running Mac OS X 10.3 or later handle AFP idle disconnects in a very different manner. Your server still automatically disconnects the idle client, but the user shouldn't notice. The share point remains mounted on the client computer, yet the connection is idle. Essentially, the system hides the idle connection from the user. When the user tries to access the share again, the system automatically reconnects to your server. Furthermore, Mac OS X 10.3 or later attempts to reconnect AFP connections that have been dropped due to network disconnects or sleep/wake cycles.


The following task shows you how to enable basic AFP file services. The remaining tasks in this section offer more advanced AFP options.

To set AFP access options

1.

Launch Server Admin and select the AFP service for your server in the Computers & Services list.

2.

Click the Settings tab at the bottom of the screen and then the General tab at the top (Figure 5.22).

Figure 5.22. Selecting the Apple File Service from Server Admin shows initial options.


3.

Click the appropriate check boxes:

  • Enable Bonjour registration allows Mac OS X 10.2 or newer systems to browse to your server on the local network (sometimes called the local subnet).

  • Enable browsing with AppleTalk allows pre-Mac OS X systems to browse to your server on the network using the older Chooser application.

4.

In the Logon Greeting window, you may type a greeting that your users will see when they log in (see the "Logon Greeting" sidebar for more information) (Figure 5.23).

Figure 5.23. Adding a login greeting and managing discovery options for the AFP service.


5.

If you don't want users to get the message more than once, click the check box below the Logon Greeting window.

6.

Click the Access tab and select an authentication type from the Authentication pop-up menu (Figure 5.24):

  • Standard uses the built-in AFP authentication.

  • Kerberos uses MIT's Kerberos for authentication.

  • Any Method uses either of the two other methods of authentication, trying Kerberos first, then dropping to standard.

    Figure 5.24. Selecting the type of authentication for the AFP service and permitting other AFP service options.


See Chapter 3, "Open Directory," for more information about user authentication.

7.

To choose AFP authentication options, click the check boxes below the Authentication menu:

  • Enable Guest access enables access for users without accounts on the server.

  • Enable secure connections enables AFP to be tunneled via an ssh connection (ssh must be turned on for this to work).

  • Enable administrator to masquerade as any registered user lets an administrator sign in to the server via AFP using a non-administrator's username but their own administrator's password. This is very useful for testing share points and permissions but should not typically be enabled unless needed.

8.

In the Maximum Connections area, click the radio buttons and enter the necessary values to configure the maximum number of concurrent AFP client and guest connections (as seen in Figure 5.24).

You may have a limited number of AFP connections based on your server's software license type.

9.

Select the Logging tab and then click the appropriate check boxes to enable both the access and error logs so you can monitor connected users (Figure 5.25).

Figure 5.25. Saving all types of AFP service information to the Access log file.


10.

Select the Idle Users tab and then click the appropriate check boxes and enter the necessary values for disconnecting idle users (Figure 5.26):

Figure 5.26. Setting idle user options and log out messaging.


  • Allow clients to sleep lets the client computers sleep without counting as an idle connection. Computers that are sleeping while connected don't produce the extra overhead that running computers with idle connections do. You can set the number of hours you want to let clients sleep by changing the numeric value.

  • Disconnect idle users lets you disconnect users who have been inactive for more than a set number of minutes. You can change the numeric value as necessary, but you should always click the check boxes (described below) underneath the Except line for idle users who have open files.

  • Guests are any users who didn't authenticate as users to your server.

  • Registered users are any users who have an authenticated connection.

  • Administrators are any users who have an authenticated connection and are in the admin group.

  • Idle users who have open files are any users who have a file that resides on the server but is open in an application running on their local computer. Severing the server connection while a file is open on the client can corrupt the file. In other words, it's a bad idea.

Selecting the check box next to an exception category allows that user type to remain connected regardless of the idle disconnect settings.

11.

Enter a disconnect message, if you want, and when you've finished making changes, click Save.

Tip

  • In order to allow guest access, you must also enable guest access for each share point, by checking the box allowing guest access for AFP connections, as seen in Figure 5.28.
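
The service-level choices made in steps 6 through 10 can also be checked from a saved settings dump. The following is an added example, not part of the original book: it assumes the dump is in the key = value form printed by serveradmin settings afp, and both the key names and the restrictive baseline values are assumptions to confirm against your own server.

```python
# Added example: audit a dump of AFP service settings in "key = value" form.
# ASSUMPTION: key names follow `serveradmin settings afp` output; confirm
# them against your own server before relying on the result.

# Constructed sample dump, not taken from a real server.
SAMPLE = """\
afp:guestAccess = yes
afp:attemptAdminAuth = yes
afp:activityLog = no
afp:idleDisconnectTime = 10
afp:loginGreeting = "Authorized use only"
"""

# (key, baseline value assumed by this example, why a deviation matters)
CHECKS = [
    ("afp:guestAccess", "no",
     "guest access lets users without accounts connect"),
    ("afp:attemptAdminAuth", "no",
     "administrators can sign in as any registered user"),
    ("afp:activityLog", "yes",
     "access log is off, so connected users cannot be monitored"),
    ("afp:idleDisconnectOnOff", "yes",
     "idle connections are never dropped and keep using server resources"),
]


def parse_settings(text):
    """Return {key: value} from 'key = value' lines; quotes are stripped."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            settings[key.strip()] = value.strip().strip('"')
    return settings


def audit(settings):
    """Return (key, status, reason) for every check that does not match.

    A key absent from the dump is reported as 'missing' rather than
    assumed safe, so a truncated dump cannot pass silently.
    """
    findings = []
    for key, expected, reason in CHECKS:
        actual = settings.get(key)
        if actual is None:
            findings.append((key, "missing", reason))
        elif actual.lower() != expected:
            findings.append((key, actual, reason))
    return findings


if __name__ == "__main__":
    for key, status, reason in audit(parse_settings(SAMPLE)):
        print(f"{key} = {status}: {reason}")
```

Guest access reported here is the service-wide switch; each share point still has its own guest check box, as the tip above notes.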


Logon Greeting

A logon greeting is a string of text that appears as soon as a user attempts to log in from a client computer. Logon greetings can be used for general service information or usage disclaimers for server access. More and more often, users must agree to the legal ramifications of using an employer's computer services. Using a logon greeting is perfect for this task, because the user must click the OK button to dismiss the logon greeting dialog and connect to your server. Such logon greetings usually begin with, "By clicking the OK button you agree to...."


Using AFP share-point settings

When you create a share point on Mac OS X Server, it's automatically shared via AFP (as well as FTP and SMB), assuming the AFP service is running. Share points are also automatically configured for both registered user and guest access via AFP. Settings like these are individually configurable for each share point within the Workgroup Manager tool. See the "Configuring Share Points" section earlier in this chapter for more information about creating share points.

To configure AFP share-point settings

1.

Launch the Workgroup Manager tool located in /Applications/Server and authenticate as the administrator if necessary, and then click the Sharing icon and do one of the following:

  • Configure an existing share point by clicking the Share Points tab, and then select the share point you want to edit from the sharing browser (Figure 5.27).

    Figure 5.27. Ensuring a share point is active to prepare for sharing over AFP.


  • Click the All tab to configure any item on a local server volume.

  • Configure a new share point and select it. See the "To configure new share points" task earlier in this chapter for instructions.

2.

Click the Protocols tab and select Apple File Settings from the pull-down menu (Figure 5.28).

Figure 5.28. Setting the various AFP protocol options.


3.

Click the check boxes to allow AFP sharing and guest access for this particular share point.

4.

Enter a custom AFP share point name, which can be different from the original share point's name (if necessary).

5.

If ACLs are not enabled on the volume (Figure 5.28), you can then choose one of the following radio buttons based on your permissions requirements, and then click Save:

  • Use standard Unix behavior is the default behavior. New items created in this share point will be owned by the user who created the item, and the group will be set to that user's primary group. See Chapter 4 for more information about primary groups.

  • Inherit permissions from parent is an optional behavior. New items created in this share point will have the same permissions as the share point itself. Refer to the "Configuring File and Folder Permissions" section earlier in this chapter.

Tips

  • In order for guests to access a share point, its permissions must be set to give everyone read access.

  • Disabling guest access to the AFP service in Server Admin disables AFP guest access for every share point, regardless of individual share settings.

  • Changing the name of a share point can help disguise a disk as a folder name but can also backfire if the user is looking for the folder's original share name.


To connect via AFP

1.

In the Finder, click the Network icon to browse for your server.

Mac OS X can browse for AFP servers via the AppleTalk, SLP, or Bonjour protocol.

or

To connect directly, select Finder > Go > Connect to Server and enter an AFP address or press Command-K.

2.

Authenticate to the server.

or

Click Options to configure client-side connection options.

3.

Select the share point(s) to which you want to connect.

Default settings dictate that the share point's icon will mount on the Finder's desktop.




Mac OS X Server 10.4 Tiger: Visual QuickPro Guide
ISBN: 0321362446
EAN: 2147483647
Year: 2006
Pages: 139
Authors: Schoun Regan
