The primary file-sharing protocol for Macintosh computers is the Apple File Protocol (AFP). The AFP service features full file-system compatibility for both Mac OS X and Mac OS 9 systems. In addition to providing robust sharing services, the AFP service offers secure authentication and encrypted data transport. AFP share points can also be used for home and group network mounts. The following task shows you how to enable basic AFP file services. Refer to the remaining tasks in this section for more advanced AFP options.

To set AFP access options:

1. Launch the Server Admin tool located in /Applications/Server, and authenticate as the administrator (Figure 5.14).
2. Select the AFP service for your server in the Computers & Services list (Figure 5.15).
3. Click the Settings button and then the General tab (Figure 5.16).
4. Select the appropriate options:
"Enable Rendezvous registration" allows Mac OS X 10.2 or newer systems to browse to your server on the local network (sometimes defined as the local subnet).
"Enable browsing with AppleTalk" allows pre-Mac OS X systems to browse to your server on the network using the older Chooser application.
5. Click the Access tab (Figure 5.17).
6. Select an authentication type from the Authentication pop-up menu (Figure 5.18):
Standard uses the built-in AFP authentication.
Kerberos uses MIT's advanced key distribution system.
Any Method uses either of the two other methods of authentication.
See Chapter 3, "Open Directory," for more information about user authentication.
7. Choose any of the following AFP authentication options (Figure 5.19):
"Enable Guest access" enables access for users without accounts.
"Enable secure connections" enables secure data transport connections via SSH.
"Enable administrator to masquerade as any registered user" lets an administrator sign in to the server via AFP using a regular user's name but their own administrator's password.
8. Configure the maximum number of concurrent AFP client and guest connections (Figure 5.20).
You may have a limited number of AFP connections based on your server's software license type.
9. When you've finished making changes, click the Save button.
10. Click the Overview button.
Verify that the AFP service is running (Figure 5.21). If it isn't, click the Start Service button to activate the AFP server (Figure 5.22).
Refer to the rest of the tasks in this chapter for more information about configuring the AFP service.
Tips

A small green dot to the left of the AFP service in the Computers & Services list indicates that the Apple File Service is running.

In order to allow guest access, you must also enable guest access for each share point. See the task "To configure AFP share-point settings" for more information about enabling guest access for individual share points.

The "Enable administrator to masquerade as any registered user" authentication option is very useful for testing share points and permissions.

Connecting to an AFP server from a Mac OS X client involves a few simple steps:

1. In the Finder, click the Network icon to browse for your server. Mac OS X clients can browse for AFP servers via the AppleTalk, SLP, or Rendezvous protocol.
You can also connect directly in the Finder by selecting Go > Connect to Server from the menu bar and entering an AFP address or by pressing Command-K from the keyboard (Figure 5.23).
2. Authenticate to the server (Figure 5.24).
You can also click the Options button to configure client-side connection options (Figure 5.25).
3. Select the share point(s) you wish to connect to (Figure 5.26).
Default settings dictate that the share point's icon will mount on the Finder's desktop.
Login greetings

A login greeting is a string of text that appears as soon as a user attempts to log in from a client computer. Login greetings can be used for general service information or usage disclaimers for server access. More and more often, users must agree to the legal ramifications of using an employer's computer services. Using a login greeting is perfect for this task, because the user must click the OK button to dismiss the login greeting dialog and connect to your server. Such login greetings usually begin with, "By clicking the OK button you agree to...."

To add a login greeting:

1. Within Server Admin, navigate to your server's AFP service settings (Figure 5.27).
Instructions for this step are detailed in steps 1 through 4 of the task "To set AFP access options."
2. On the General tab, enter your logon text in the Logon Greeting field (Figure 5.28).
3. To make the greeting appear only the first time a user logs in, select the appropriate check box below the Logon Greeting field (Figure 5.29).
By default, the logon greeting appears every time a user logs in to your server via the AFP service.
4. When you've finished making changes, click the Save button.
5. Verify the greeting by logging in to your server from the client (Figure 5.30).
Managing idle users

The AFP service requires a bit of overhead to maintain persistent server/client connections. The overhead per connection is quite low; however, when you have many connections simultaneously, this overhead can waste valuable server CPU and network resources. To remedy this situation, the server can automatically disconnect clients who are connected to your server but not actively using it. When this functionality is configured, users on computers running software older than Mac OS X 10.3 should receive a message that they have been disconnected.

To disconnect idle clients:

1. Within Server Admin, navigate to your server's AFP service settings (Figure 5.31).
Instructions for this step are detailed in steps 1 through 4 of the task "To set AFP access options."
2. Click the Idle Users tab (Figure 5.32).
3. Select the "Disconnect idle users" check box, and enter a time in minutes (Figure 5.33).
4. Select any of the following idle-disconnect exceptions (Figure 5.34):
Guests Any users who didn't authenticate as users to your server.
"Registered users" Any users who have an authenticated connection.
Administrators Any users who have an authenticated connection and are in the admin group.
"Idle users who have open files" Any users who have a file that resides on the server but is open in an application running on their local computer. Severing the server connection while a file is open on the client is an excellent way to corrupt the file; in other words, it's a bad idea.
Selecting the check box next to an exception category allows that user type to remain connected regardless of the idle disconnect settings.
5. To configure a message to appear on the client computer when the server disconnects an idle user, enter a text string in the Disconnect Message field (Figure 5.35).
6. When you've finished making changes, click the Save button.
Tips

The "Allow clients to sleep" setting on the Idle Users tab lets the client computers sleep without counting as an idle connection. Computers sleeping and connected don't produce the extra overhead that running computers with idle connections do.

You should always select the idle disconnect exception for idle users who have open files.

Deleting all the text in the Disconnect Message field disables the message when an idle connection is disconnected.

Computers running Mac OS X 10.3 or later handle AFP idle disconnects in a very different manner. Your server still automatically disconnects, but the user shouldn't notice. The share point remains mounted to the client computer, yet the connection is idle. Essentially, the system hides the idle connection from the user. When the user tries to access the share again, the system automatically reconnects to your server. Furthermore, Mac OS X 10.3 or later attempts to reconnect to AFP connections that have been dropped due to network disconnects or sleep/wake cycles.
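A defender's check for the settings covered by the three tasks above (access options, login greeting, idle users), added here as an example rather than anything from the book: it parses a constructed dump in the `key = value` shape that `serveradmin settings afp` prints and flags deviations from a hardened baseline. The `afp:` key names are assumptions about the real tool's output, not values taken from the page.

```python
"""Audit an AFP settings dump (added example, not the book's own tooling).
Input mirrors the `key = value` lines of `serveradmin settings afp`; the
key names are assumed, not from the page, so map them to real output."""
import re

# Constructed sample: a server left at the permissive settings.
SAMPLE_DUMP = """\
afp:authenticationMode = "standard_and_kerberos"
afp:guestAccess = yes
afp:SSHTunnel = no
afp:specialAdminPrivs = yes
afp:loginGreeting = ""
afp:idleDisconnectOnOff = no
afp:idleDisconnectTime = 10
afp:idleDisconnectFlag:usersWithOpenFiles = no
"""

LINE_RE = re.compile(r'^(?P<key>[\w:]+)\s*=\s*(?P<val>.*)$')

def parse_settings(dump: str) -> dict[str, str]:
    """Parse `key = value` lines into a dict; quoted strings lose their quotes."""
    settings: dict[str, str] = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            settings[m.group('key')] = m.group('val').strip().strip('"')
    return settings

def audit_afp(s: dict[str, str]) -> list[str]:
    """Return findings for the access/greeting/idle-user tasks; [] means clean."""
    findings = []
    if s.get('afp:guestAccess') == 'yes':
        findings.append('guest access on: anonymous users reach every share that grants everyone read')
    if s.get('afp:SSHTunnel') != 'yes':
        findings.append('secure connections off: AFP traffic is not tunnelled over SSH')
    if s.get('afp:specialAdminPrivs') == 'yes':
        findings.append('admin masquerade on: keep it enabled only while testing permissions')
    if s.get('afp:authenticationMode') != 'kerberos':
        findings.append('authentication is not Kerberos-only: built-in AFP auth still accepted')
    if not s.get('afp:loginGreeting'):
        findings.append('no login greeting: users never see the usage notice')
    if s.get('afp:idleDisconnectOnOff') != 'yes':
        findings.append('idle disconnect off: abandoned sessions keep consuming connections')
    elif s.get('afp:idleDisconnectFlag:usersWithOpenFiles') != 'yes':
        findings.append('idle disconnect may sever sessions with open files (corruption risk)')
    return findings
```

Run `audit_afp(parse_settings(SAMPLE_DUMP))` to see the findings for the constructed dump; feed it a real dump and an empty list means every checked setting matches the baseline.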
AFP share-point settings

When you create a share point on Mac OS X Server, it's automatically shared via AFP (as well as FTP and SMB), assuming the AFP service is running. Share points are also automatically configured for both registered user and guest access via AFP. Settings like these are individually configurable for each share point within the Workgroup Manager tool. See the "Configuring Share Points" section of this chapter for more information about creating share points.

To configure AFP share-point settings:

1. Launch the Workgroup Manager tool located in /Applications/Server, and authenticate as the administrator (Figure 5.36).
2. Click the Sharing icon in the Toolbar.
3. Choose to do either of the following:
Configure an existing share point by clicking the Share Points tab, and then select the share point you wish to edit from the sharing browser (Figure 5.37).
Configure a new share point. See the "To configure new share points" task in this chapter for detailed instructions.
4. Once you've selected the share point you wish to configure, click the Protocols tab to the right of the sharing browser (Figure 3.38).
5. Directly below the Protocols tab is the Protocols pop-up menu. From this menu, select Apple File Settings (Figure 5.39).
The Apple File Settings frame opens.
6. Configure AFP sharing and guest access for this particular share point (Figure 5.40).
You can also configure a custom AFP share point name that differs from the original folder's name.
7. Choose one of the following options based on your permissions requirements (Figure 5.41):
"Use standard Unix behavior" The default behavior. New items created in this share point will be owned by the user who created the item, and the group will be set to that user's primary group. See Chapter 4, "User and Group Management," for more information about primary groups.
"Inherit permissions from parent" An optional behavior. New items created in this share point will have the same permissions as the share point itself. Refer to the section "Configuring File and Folder Permissions," earlier in this chapter.
8. When you've finished making changes, click the Save button.
Tips

In order for guests to access a share point, its permissions must be set to give everyone read access.

Disabling guest access to the AFP service in Server Admin disables AFP guest access for every share point regardless of individual share settings.

Changing the name of a share point can help disguise a disk as a folder name but can also backfire if the user is looking for the folder's original share name.

Sharing the same folder over several different protocols and using different share point names can quickly become difficult to manage.