AFP_ACLS(8)                      Netatalk 2.1                      AFP_ACLS(8)

NAME

       afp_acls - Setup and Usage Howto for ACLs with Netatalk


DESCRIPTION

       ACL support for AFP is implemented with NFSv4 ACLs. Few filesystems and
       fewer OSes support these. At the time of implementation it is only
       provided with ZFS on Solaris, OpenSolaris and derived distributions.


CONFIGURATION

       In order to support ACLs, the following things have to be configured:

        1. ZFS Volumes

           You MUST set two ACL properties on any ZFS filesystem you want to
           use with Netatalk:

               aclinherit = passthrough
               aclmode = passthrough

           For an explanation of what these properties mean and how to apply
           them, see your host's ZFS documentation (e.g. man zfs).

        2. Authentication Domain

           Your server and the clients must be part of a security association
           where identity data comes from a common source. ACLs in Darwin are
           based on UUIDs and so is the ACL specification in AFP 3.2.
           Therefore your source of identity data has to provide an attribute
           for every user and group where a UUID is stored as an ASCII string.

           In other words:

           ·   you need an Open Directory Server or an LDAP server where you
               store UUIDs in some attribute

           ·   your clients must be configured to use this server

           ·   your server should be configured to use this server via
               nsswitch and PAM.

                   Tip
                   This however is not a strict requirement: if you create
                   duplicates of every LDAP/OD user and group with identical
                   attributes (name, uid, gid) in your local data store
                   (/etc/[passwd|group]), ACLs will work as long as user/group
                   names and ids in the filesystem are equal to their
                   counterparts in the LDAP/OD datastore.

           ·   configure Netatalk via afp_ldap.conf so that Netatalk is able
               to retrieve the UUID for users and groups via LDAP search
               queries

        3. Netatalk Volumes

           Finally you can add options:acls to your volume definition to add
           ACL support. In case your volume basedir doesn't grant read
           permissions via mode (like: 0700 root:adm) but only via ACLs, you
           MUST add the nostat option to the volume definition.

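EXAMPLE

       The following preflight script ties the three steps above together. It
       is an added example, not part of Netatalk: it checks that a dataset
       carries both required ZFS properties (reading the tab-separated output
       of "zfs get -H -o property,value"), decides whether the nostat option
       is needed, and prints the matching AppleVolumes.default line. The
       dataset tank/afp, its mountpoint /tank/afp, the volume name "Shared"
       and the rule "nostat is needed when neither the group nor the other
       read bit is set" are assumptions chosen for this example; the LDAP
       side (afp_ldap.conf) is not covered here.

```shell
#!/bin/sh
# afp-acl-preflight.sh: sanity-check a ZFS dataset before exporting it with
# options:acls. Added example, not Netatalk code.
#
# Usage on the ZFS host:
#   sh afp-acl-preflight.sh tank/afp /tank/afp Shared 0700
# (dataset, mountpoint, AFP volume name, octal mode of the basedir)

# Succeed only if both ACL properties the howto requires are "passthrough".
# Reads the output of `zfs get -H -o property,value aclinherit,aclmode DATASET`
# (one "property<TAB>value" line per property) from stdin, so it can also be
# fed constructed input for testing.
check_zfs_acl_props() {
    awk 'BEGIN { ok = 0 }
         $1 == "aclinherit" && $2 == "passthrough" { ok++ }
         $1 == "aclmode"    && $2 == "passthrough" { ok++ }
         END { if (ok == 2) exit 0; exit 1 }'
}

# Assumed rule for the howto's "read permissions via mode" condition: if the
# basedir mode grants read to neither group nor other (e.g. 0700), clients
# can only get in via ACLs and the volume needs the nostat option.
# Accepts "700" or "0700"; the leading 0 makes the value octal in $(( )).
needs_nostat() {
    mode="0${1#0}"
    [ $(( mode & 044 )) -eq 0 ]
}

# Print the AppleVolumes.default line for PATH exported as NAME, adding
# nostat when the basedir MODE calls for it (options are comma-separated).
volume_line() {
    opts="acls"
    if needs_nostat "$3"; then
        opts="$opts,nostat"
    fi
    printf '%s "%s" options:%s\n' "$1" "$2" "$opts"
}

# Live check, only when invoked with four arguments on a host that has zfs(1M).
if [ $# -eq 4 ] && command -v zfs >/dev/null 2>&1; then
    if zfs get -H -o property,value aclinherit,aclmode "$1" | check_zfs_acl_props; then
        echo "ok: $1 has aclinherit=passthrough and aclmode=passthrough"
    else
        echo "FIX: zfs set aclinherit=passthrough $1" >&2
        echo "FIX: zfs set aclmode=passthrough $1" >&2
        exit 1
    fi
    echo "add to AppleVolumes.default:"
    volume_line "$2" "$3" "$4"
fi
```

       Run it on the file server after setting the ZFS properties; if it
       reports FIX lines, apply them with zfs set before adding the volume.
       The nostat decision is a heuristic on the mode bits only, so verify it
       against what afpd actually needs for your basedir.
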

SEE ALSO

       afp_ldap.conf(5), AppleVolumes.default(5)



Netatalk 2.1                      02 Feb 2009                      AFP_ACLS(8)