AFPD.CONF(5)                     Netatalk 2.1                     AFPD.CONF(5)

NAME

       afpd.conf - Configuration file used by afpd(8) to determine the setup
       of its file sharing services


DESCRIPTION

       /etc/netatalk//afpd.conf is the configuration file used by afpd to
       determine the behavior and configuration of the different virtual file
       servers that it provides.

       Any line not prefixed with # is interpreted. The configuration lines
       are composed like:

           server name [ options ]

       If a - is used instead of a server name, the default server is
       specified. Server names must be quoted if they contain spaces. They
       must not contain ":" or "@". The path name must be a fully qualified
       path name, or a path name using either the ~ shell shorthand or any of
       the substitution variables, which are listed below.

           Note
           Each server has to be configured on a single line, though newline
           escaping is supported.

       The possible options and their meanings are:


APPLEVOLUMES FILES

       -defaultvol [path]
           Specifies path to AppleVolumes.default file (default is
           /etc/netatalk//AppleVolumes.default).

       -systemvol [path]
           Specifies path to AppleVolumes.system file (default is
           /etc/netatalk//AppleVolumes.system).

       -[no]uservol
           Enables or disables reading of the users' individual volumes file
           entirely.

       -[no]uservolfirst
           Enables or disables reading of the users' individual volumes file
           before processing the global AppleVolumes.default file.


AUTHENTICATION METHODS

       -uamlist [uams list]
           Comma-separated list of UAMs. (The default is
           uams_dhx.so,uams_dhx2.so).

           The most commonly used UAMs are:

           uams_guest.so
               allows guest logins

           uams_clrtxt.so
               (uams_pam.so or uams_passwd.so) Allow logins with passwords
               transmitted in the clear.

           uams_randum.so
               allows Random Number and Two-Way Random Number Exchange for
               authentication (requires a separate file containing the
               passwords, either the /etc/netatalk//afppasswd file or the one
               specified via -passwdfile. See afppasswd(1) for details).

           uams_dhx.so
               (uams_dhx_pam.so or uams_dhx_passwd.so) Allow Diffie-Hellman
               eXchange (DHX) for authentication.

           uams_dhx2.so
               (uams_dhx2_pam.so or uams_dhx2_passwd.so) Allow Diffie-Hellman
               eXchange 2 (DHX2) for authentication.

           uams_gss.so
               Allow Kerberos V for authentication (optional)

       -uampath [path]
           Sets the default path for UAMs for this server (default is
           /etc/netatalk//uams).

       -k5keytab [path], -k5service [service], -k5realm [realm]
           These are required if the server supports the Kerberos 5
           authentication UAM.

       -ntdomain, -ntseparator
           Used for e.g. winbind authentication; prepends both strings to the
           username from the login and then tries to authenticate the result
           through the available and active UAM authentication modules.


CODEPAGE OPTIONS

       With OS X, Apple introduced the AFP3 protocol. One of the big changes
       was that AFP3 uses Unicode names encoded as Decomposed UTF-8
       (UTF8-MAC). Previous AFP/OS versions used codepages like MacRoman,
       MacCentralEurope, etc.

       To be able to serve AFP3 and older clients at the same time, afpd needs
       to be able to convert between UTF-8 and Mac codepages. Even OS X
       clients partly still rely on codepages. As there is no way afpd can
       detect the codepage a pre-AFP3 client uses, you have to specify it
       using the -maccodepage option. The default is MacRoman, which should be
       fine for most western users.

       As afpd needs to interact with the unix operating system as well, it
       needs to be able to convert from UTF8-MAC/MacCodepage to the unix
       codepage. By default afpd uses the system's LOCALE, or ASCII if your
       system doesn't support locales. You can set the unix codepage using the
       -unixcodepage option. If you're using extended characters in the
       configuration files for afpd, make sure your terminal matches the
       -unixcodepage.

       -unixcodepage [CODEPAGE]
           Specifies the server's unix codepage, e.g. "ISO-8859-15" or "UTF8".
           This is used to convert strings to/from the system's locale, e.g.
           for authentication, server messages and volume names. Defaults to
           LOCALE if your system supports it, otherwise ASCII will be used.

       -maccodepage [CODEPAGE]
           Specifies the Mac clients' codepage, e.g. "MAC_ROMAN". This is used
           to convert strings and filenames to the clients' codepage for OS9
           and Classic, i.e. for authentication and AFP messages (SIGUSR2
           messaging). This will also be the default for the volumes'
           maccharset. Defaults to MAC_ROMAN.


PASSWORD OPTIONS

       -loginmaxfail [number]
           Sets the maximum number of failed logins, if supported by the UAM
           (currently none).

       -passwdfile [path]
           Sets the path to the Randnum UAM passwd file for this server
           (default is /etc/netatalk//afppasswd).

       -passwdminlen [number]
           Sets the minimum password length, if supported by the UAM.

       -[no]savepassword
           Enables or disables the ability of clients to save passwords
           locally.

       -[no]setpassword
           Enables or disables the ability of clients to change their
           passwords via the Chooser or the "Connect to Server" dialog.


TRANSPORT PROTOCOLS

       -[no]ddp
           Enables or disables AFP-over-AppleTalk. If -proxy is specified, you
           must instead use -uamlist "" to prevent DDP connections from
           working. (default is -noddp)

       -[no]tcp
           Enables or disables AFP-over-TCP (default is -tcp)

       -transall
           Makes both available.


TRANSPORT OPTIONS

       -advertise_ssh
           Allows Mac OS X clients (10.3.3-10.4) to automagically establish a
           tunneled AFP connection through SSH. If this option is set, the
           server's answers to clients' FPGetSrvrInfo requests contain an
           additional entry. It depends on both the client's settings and a
           correctly configured and running sshd(8) on the server to let
           things work.

               Note
               Setting this option is not recommended since globally
               encrypting AFP connections via SSH will increase the server's
               load significantly. On the other hand, Apple's client side
               implementation of this feature in MacOS X versions prior to
               10.3.4 contained a security flaw.

       -ddpaddr [ddp address]
           Specifies the DDP address of the server. The default is to
           auto-assign an address (0.0). This is only useful if you are
           running AppleTalk on more than one interface.

       -fqdn [name:port]
           Specifies a fully-qualified domain name, with an optional port.
           This is discarded if the server cannot resolve it. This option is
           not honored by AppleShare clients <= 3.8.3. This option is disabled
           by default. Use with caution as this will involve a second name
           resolution step on the client side. Also note that afpd will
           advertise this name:port combination but not automatically listen
           on it.

       -hostname [name]
           Use this instead of the result from calling hostname for
           determining which IP address to advertise; the hostname is resolved
           to an IP address, which is then advertised. This is NOT used for
           listening and it is also overridden by -ipaddr.

       -ipaddr [ip address]
           Specifies the IP address that the server should advertise and
           listen on. The default is to advertise the first IP address of the
           system, but to listen for any incoming request. The network address
           may be specified either in dotted-decimal format for IPv4 or in
           hexadecimal format for IPv6. This option also allows using one
           machine to advertise the AFP-over-TCP/IP settings of another
           machine via NBP when used together with the -proxy option.

               (UTF8) Server name:                          fluxxus
               Listening and advertised network address:    127.0.0.1
               Advertised network address:                  www.microsoft.com

       -port [port number]
           Allows a different TCP port to be used for AFP-over-TCP. The
           default is 548.

       -proxy
           Runs an AppleTalk proxy server for the specified AFP-over-TCP
           server. If the address and port aren't given, then the first IP
           address of the system and port 548 will be used. If you don't want
           the proxy server to act as a DDP server as well, set -uamlist "".

       -server_quantum [number]
           This specifies the DSI server quantum. The default value is 303840.
           The maximum value is 0xFFFFFFFFF, the minimum is 32000. If you
           specify a value that is out of range, the default value will be
           set. Do not change this value unless you're absolutely sure what
           you're doing.

       -slp
           Register this server using the Service Location Protocol (if SLP
           support was compiled in).


MISCELLANEOUS OPTIONS

       -admingroup [group]
           Allows users of a certain group to be seen as the superuser when
           they log in. This option is disabled by default.

       -authprintdir [path]
           Specifies the path to be used (per server) to store the files
           required to do CAP-style print authentication, which papd will
           examine to determine if a print job should be allowed. These files
           are created at login and, if they are to be properly removed, this
           directory probably needs to be mode 1777.

               Note
               -authprintdir will only work for clients connecting via DDP.
               Almost all modern clients will use TCP.

       -client_polling
           With this switch enabled, afpd won't advertise that it is capable
           of server notifications, so that connected clients poll the server
           every 10 seconds to detect changes in opened server windows. Note:
           Depending on the number of simultaneously connected clients and the
           network's speed, this can lead to a significantly higher load on
           your network!

               Note
               Do not use this option any longer, as Netatalk 2.x correctly
               supports server notifications, allowing connected clients to
               update folder listings in case another client changed the
               contents.

       -closevol
           Immediately unmount volumes removed from AppleVolumes files on
           SIGHUP sent to the afp master process.

       -cnidserver [ipaddress:port]
           Specifies the IP address and port of a cnid_metad server, required
           for the CNID dbd backend. Defaults to localhost:4700. The network
           address may be specified either in dotted-decimal format for IPv4
           or in hexadecimal format for IPv6.

       -guestname [name]
           Specifies the user that guests should use (default is "nobody").
           The name should be quoted.

       -[no]icon
           [Don't] Use the platform-specific icon. Recent Mac OS versions
           don't display it any longer.

       -loginmesg [message]
           Sets a message to be displayed when clients log on to the server.
           The message should be in the unixcodepage and should be quoted.
           Extended characters are allowed.

       -nodebug
           Disables debugging.

       -sleep [number]
           AFP 3.x waits number hours before disconnecting clients in sleep
           mode. Default is 10 hours.

       -signature { user:<text> | auto }
           Specify a server signature. This option is useful while running
           multiple independent instances of afpd on one machine (e.g. in
           clustered environments, to provide fault isolation etc.). Default
           is "auto". The "auto" signature type lets afpd generate a signature
           and save it to /etc/netatalk//afp_signature.conf automatically
           (based on a random number). The "host" signature type switches back
           to "auto" because it is obsolete. The "user" signature type allows
           the administrator to set up a signature string manually. The
           maximum length is 16 characters.

           Example. Three server definitions using 2 different server
           signatures

               first -signature user:USERS
               second -signature user:USERS
               third -signature user:ADMINS

           The first two servers will appear as one logical AFP service to the
           clients: if a user logs in to the first one and then connects to
           the second one, the session will be automatically redirected to the
           first one. But if a client connects to the first and then to the
           third, it will be asked for a password twice and will see the
           resources of both servers. The traditional method of signature
           generation causes two independent afpd instances to have the same
           signature and thus causes clients to be redirected automatically
           to the server they logged in to first.

       -volnamelen [number]
           Max length of the UTF8-MAC volume name for Mac OS X. Note that
           Hangul is especially sensitive to this.

               73:  limit of Mac OS X 10.1
               80:  limit for Mac OS X 10.4/10.5 (default)
               123: limit for Mac OS X 10.6
               255: limit of spec

           Mac OS 9 and earlier are not influenced by this, because the
           Maccharset volume name is always limited to 27 bytes.

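       The following check is an added example, not part of the Netatalk man
       page or its code. It shows why -volnamelen is measured in bytes of
       decomposed UTF-8 (UTF8-MAC, as described under CODEPAGE OPTIONS) and
       why Hangul names hit the limit so early, and it also applies the
       27-byte maccharset limit for Mac OS 9. The codec names mac_roman and
       mac_cyrillic are Python's, assumed to match the -maccodepage values.

```python
import unicodedata

# -volnamelen limits from the man page (bytes of decomposed UTF-8, "UTF8-MAC")
VOLNAMELEN_LIMITS = {"10.1": 73, "10.4/10.5": 80, "10.6": 123, "spec": 255}
MACCHARSET_LIMIT = 27  # maccharset volume names for Mac OS 9 and earlier


def utf8_mac_len(name):
    """Byte length of the name as an AFP3 client sends it: NFD (decomposed) UTF-8.

    A Hangul syllable decomposes into 2-3 jamo of 3 bytes each, so a Korean
    name needs far more bytes than its character count suggests.
    """
    return len(unicodedata.normalize("NFD", name).encode("utf-8"))


def maccharset_len(name, codepage="mac_roman"):
    """Byte length in the -maccodepage charset (Python codec names, e.g.
    mac_roman or mac_cyrillic), or None if the name cannot be represented."""
    try:
        return len(name.encode(codepage))
    except UnicodeEncodeError:
        return None


def check_volume_name(name, volnamelen=80, codepage="mac_roman"):
    """Report which client generations will see the volume name untruncated."""
    n, m = utf8_mac_len(name), maccharset_len(name, codepage)
    return {
        "utf8_mac_bytes": n,
        "fits_osx": n <= volnamelen,
        "osx_versions_ok": [v for v, lim in VOLNAMELEN_LIMITS.items() if n <= lim],
        "maccharset_bytes": m,
        "fits_classic": m is not None and m <= MACCHARSET_LIMIT,
    }
```

       Ten Hangul syllables are 30 bytes of precomposed UTF-8 but 90 bytes of
       UTF8-MAC, over the default limit of 80.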

LOGGING OPTIONS

       -setuplog "<logtype> <loglevel> [<filename>]"
           Specify that any message of a loglevel up to the given loglevel
           should be logged to the given file. If the filename is omitted the
           loglevel applies to messages passed to syslog.

           By default (no explicit -setuplog and no build-time configure flag
           --with-logfile) afpd logs to syslog with a default logging setup
           equivalent to "-setuplog default log_info".

           If built with --with-logfile (default logfile
           /var/log/netatalk.log) or --with-logfile=somefile, afpd defaults to
           a setup that is equivalent to "-setuplog default log_info
           [netatalk.log|somefile]".

           logtypes: Default, AFPDaemon, Logger, UAMSDaemon

           loglevels: LOG_SEVERE, LOG_ERROR, LOG_WARN, LOG_NOTE, LOG_INFO,
           LOG_DEBUG, LOG_DEBUG6, LOG_DEBUG7, LOG_DEBUG8, LOG_DEBUG9,
           LOG_MAXDEBUG

               Note
               The config is case-insensitive.

           Example. Useful default config

               -setuplog "default log_info /var/log/afpd.log"

           Example. Debugging config

               -setuplog "default log_maxdebug /var/log/afpd.log"

           Example. afpd logging to different files

               -setuplog "default log_info /var/log/afpd.log"
               -setuplog "UAMSDaemon log_maxdebug /var/log/uams.log"

       -unsetuplog "<logtype> [<filename>]"
           Note that for unsetuplog specifying any string as filename is
           sufficient for the config parser to distinguish between requests to
           disable syslog logging or file logging.

           Example. Disable afpd logging set at build time from configure

               -unsetuplog "default -"


DEBUG OPTIONS

       These options are useful for debugging only.

       -tickleval [number]
           Sets the tickle timeout interval (in seconds). Defaults to 30.

       -timeout [number]
           Specify the number of tickles to send before timing out a
           connection. The default is 4, therefore a connection will time out
           after 2 minutes.


EXAMPLES

       Example. afpd.conf default configuration

           - -transall -uamlist uams_dhx.so,uams_dhx2.so

       Example. afpd.conf MacCyrillic setup / UTF8 unix locale

           - -transall -maccodepage mac_cyrillic -unixcodepage utf8

       Example. afpd.conf setup for Kerberos V auth with newline escaping

           - -transall -uamlist uams_dhx.so,uams_dhx2.so,uams_guest.so,uams_gss.so \
           -k5service afpserver -k5keytab /path/to/afpserver.keytab \
           -k5realm YOUR.REALM -fqdn your.fqdn.namel:548

       Example. afpd.conf letting afpd appear as three servers on the net

           "Guest Server" -uamlist uams_guest.so -loginmesg "Welcome guest!"
           "User Server" -uamlist uams_dhx2.so -port 12000
           "special" -notcp -defaultvol <path> -systemvol <path>

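       The following parser and lint is an added example, not Netatalk code.
       It applies the line format given under DESCRIPTION (comment lines,
       quoted server names, "-" for the default server, newline escaping)
       and the UAM descriptions from AUTHENTICATION METHODS to an afpd.conf,
       reporting the settings this page itself marks as weak, risky or
       invalid. The sample configuration is constructed from the EXAMPLES
       above plus a deliberately weak server; the finding messages are the
       example's own.

```python
import shlex

# Constructed sample afpd.conf (not from the page): the EXAMPLES servers plus
# a deliberately weak "Legacy" server and the '-proxy -uamlist ""' idiom.
SAMPLE_CONF = r'''# default server: DHX/DHX2 only, using newline escaping
- -transall -uamlist uams_dhx.so,uams_dhx2.so \
  -k5service afpserver -k5keytab /path/to/afpserver.keytab
"Guest Server" -uamlist uams_guest.so -loginmesg "Welcome guest!"
"User Server" -uamlist uams_dhx2.so -port 12000
"Legacy" -uamlist uams_clrtxt.so,uams_dhx.so -savepassword -advertise_ssh -admingroup wheel
"Proxy" -proxy -uamlist ""
'''
CLEARTEXT_UAMS = {"uams_clrtxt.so", "uams_pam.so", "uams_passwd.so"}
DEFAULT_UAMLIST = "uams_dhx.so,uams_dhx2.so"  # documented default for -uamlist

def parse_afpd_conf(text):
    """Return [(server_name, [(option, [values]), ...]), ...] per DESCRIPTION."""
    servers, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue  # blank or comment line
        if line.endswith("\\"):  # newline escaping: join with the next line
            pending += line[:-1] + " "
            continue
        tokens, pending = shlex.split(pending + line), ""  # honours quoting
        name, opts = tokens[0], []  # first token is the (quoted) name or "-"
        for tok in tokens[1:]:
            if len(tok) > 1 and tok.startswith("-"):
                opts.append((tok, []))  # a new option switch
            elif opts:
                opts[-1][1].append(tok)  # argument of the previous switch
        servers.append((name, opts))
    return servers

def audit(servers):
    """Flag settings this man page itself calls weak, risky or invalid."""
    findings = []
    for name, opts in servers:
        if ":" in name or "@" in name:
            findings.append((name, "server name must not contain ':' or '@'"))
        uamlist = DEFAULT_UAMLIST
        for opt, vals in opts:
            if opt == "-uamlist" and vals:
                uamlist = vals[0]  # '-uamlist ""' disables every UAM
            elif opt == "-advertise_ssh":
                findings.append((name, "-advertise_ssh is not recommended"))
            elif opt == "-admingroup":
                findings.append((name, "-admingroup members log in as superuser"))
        uams = {u for u in uamlist.split(",") if u}
        for uam in sorted(uams & CLEARTEXT_UAMS):
            findings.append((name, uam + " sends passwords in the clear"))
        if "uams_guest.so" in uams:
            findings.append((name, "uams_guest.so allows guest logins"))
    return findings
```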

SEE ALSO

       afpd(8), afppasswd(1), AppleVolumes.default(5), afp_signature.conf(5)

Netatalk 2.1                   23 December 2009                   AFPD.CONF(5)