afpd.conf(5) Netatalk afpd.conf(5)

afpd.conf - Configuration file used by afpd(8) to determine the setup
of its file sharing services

/etc/atalk/afpd.conf is the configuration file used by afpd to determine
the behavior and configuration of the different virtual file servers
that it provides.

Any line not prefixed with # is interpreted. The configuration lines
are composed like:

    server name [ options ]

If a - is used instead of a server name, the default server is
specified. Server names must be quoted if they contain spaces. They
must not contain ":" or "@". The path name must be a fully qualified
path name, or a path name using either the ~ shell shorthand or any of
the substitution variables, which are listed below.

Note

Each server has to be configured on a single line.

The possible options and their meanings are:

-defaultvol [path]
    Specifies the path to the AppleVolumes.default file (default is
    /etc/atalk/AppleVolumes.default).

-systemvol [path]
    Specifies the path to the AppleVolumes.system file (default is
    /etc/atalk/AppleVolumes.system).

-[no]uservol
    Enables or disables reading of the users' individual volumes
    file entirely.

-[no]uservolfirst
    Enables or disables reading of the users' individual volumes
    file before processing the global AppleVolumes.default file.

-uamlist [uams list]
    Comma separated list of UAMs. (The default is
    uams_clrtxt.so,uams_dhx.so).

    The most commonly used UAMs are:

    uams_guest.so
        Allows guest logins.

    uams_clrtxt.so
        (uams_pam.so or uams_passwd.so) Allows logins with passwords
        transmitted in the clear.

    uams_randnum.so
        Allows Random Number and Two-Way Random Number Exchange for
        authentication (requires a separate file containing the
        passwords, either the /etc/atalk/afppasswd file or the one
        specified via -passwdfile). See afppasswd(1) for details.

    uams_dhx.so
        (uams_dhx_pam.so or uams_dhx_passwd.so) Allows
        Diffie-Hellman eXchange (DHX) for authentication.

    uams_gss.so
        Allows Kerberos V for authentication (optional).

-uampath [path]
    Sets the default path for UAMs for this server (default is
    /etc/atalk/uams).

-k5keytab [path], -k5service [service], -k5realm [realm]
    These are required if the server supports the Kerberos 5
    authentication UAM.
With OS X Apple introduced the AFP3 protocol. One of the big changes
was that AFP3 uses Unicode names encoded as decomposed UTF-8. Previous
AFP/OS versions used codepages like MacRoman, MacCentralEurope, etc.

To be able to serve AFP3 and older clients at the same time, afpd needs
to be able to convert between UTF-8 and Mac codepages. Even OS X
clients partly still rely on codepages. As there is no way for afpd to
detect the codepage a pre-AFP3 client uses, you have to specify it
using the -maccodepage option. The default is MacRoman, which should be
fine for most western users.

As afpd needs to interact with the unix operating system as well, it
needs to be able to convert from UTF-8/MacCodepage to the unix
codepage. By default afpd uses the system's LOCALE, or ASCII if your
system doesn't support locales. You can set the unix codepage using
the -unixcodepage option. If you're using extended characters in the
configuration files for afpd, make sure your terminal matches the
-unixcodepage.

-unixcodepage [CODEPAGE]
    Specifies the server's unix codepage, e.g. "ISO-8859-15" or
    "UTF8". This is used to convert strings to/from the system's
    locale, e.g. for authentication, server messages and volume
    names. Defaults to LOCALE if your system supports it, otherwise
    ASCII will be used.

-maccodepage [CODEPAGE]
    Specifies the Mac clients' codepage, e.g. "MAC_ROMAN". This is
    used to convert strings and filenames to the clients' codepage
    for OS 9 and Classic, i.e. for authentication and AFP messages
    (SIGUSR2 messaging). This will also be the default for the
    volumes' maccharset. Defaults to MAC_ROMAN.
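The three conversions the codepage section describes (Mac codepage to decomposed UTF-8 for AFP3 clients, and either of those to the unix codepage) can be modelled with Python's standard codecs. The script below is an added example, not Netatalk code. It assumes the mapping from afpd's codepage names (MAC_ROMAN, MAC_CYRILLIC) to Python codec names, and it precomposes (NFC) a decomposed name before encoding to a legacy single-byte codepage because a combining accent has no single-byte equivalent; whether afpd does exactly that is not stated on the page. The sample names are constructed. It also demonstrates the failure mode the section implies: a -unixcodepage such as ISO-8859-15 cannot represent a Cyrillic filename that a MacCyrillic client sends, whereas UTF8 can.

```python
"""Round-trip a filename between a pre-AFP3 client codepage, AFP3's
decomposed UTF-8, and the server's unix codepage.  Added example, not
Netatalk code; codec names are Python's, mapped from afpd's names here."""
import unicodedata

# Assumed mapping from afpd -maccodepage values to Python codec names.
MAC_CODEPAGES = {"MAC_ROMAN": "mac_roman", "MAC_CYRILLIC": "mac_cyrillic"}


def mac_to_afp3(raw: bytes, maccodepage: str = "MAC_ROMAN") -> bytes:
    """Bytes from a pre-AFP3 client -> UTF-8 in decomposed (NFD) form, as AFP3 uses."""
    text = raw.decode(MAC_CODEPAGES[maccodepage])
    return unicodedata.normalize("NFD", text).encode("utf-8")


def afp3_to_unix(utf8_nfd: bytes, unixcodepage: str = "UTF-8") -> bytes:
    """Decomposed UTF-8 from an AFP3 client -> the server's unix codepage.

    Precomposes first (example's choice) so that an accented letter maps to
    its single byte in a legacy codepage; raises UnicodeEncodeError when the
    codepage has no representation for a character at all."""
    text = unicodedata.normalize("NFC", utf8_nfd.decode("utf-8"))
    return text.encode(unixcodepage)


def afp3_to_mac(utf8_nfd: bytes, maccodepage: str = "MAC_ROMAN") -> bytes:
    """Decomposed UTF-8 -> the codepage a pre-AFP3 client expects to see."""
    text = unicodedata.normalize("NFC", utf8_nfd.decode("utf-8"))
    return text.encode(MAC_CODEPAGES[maccodepage])


def representable(utf8_nfd: bytes, unixcodepage: str) -> bool:
    """True if every character of the name survives conversion to unixcodepage."""
    try:
        afp3_to_unix(utf8_nfd, unixcodepage)
        return True
    except UnicodeEncodeError:
        return False


if __name__ == "__main__":
    # Constructed samples: "café" from a MacRoman client (0x8E is é in MacRoman)
    # and the Cyrillic letter Д from a MacCyrillic client (0x84).
    cafe = mac_to_afp3(b"caf\x8e")
    de = mac_to_afp3(b"\x84", "MAC_CYRILLIC")
    for name in (cafe, de):
        for cp in ("ISO-8859-15", "UTF-8"):
            print(name, cp, representable(name, cp))
```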
113
115 -loginmaxfail [number]
116 Sets the maximum number of failed logins, if supported by the
117 UAM (currently none)
118
119 -passwdfile [path]
120 Sets the path to the Randnum UAM passwd file for this server
121 (default is /etc/atalk//afppasswd).
122
123 -passwdminlen [number]
124 Sets the minimum password length, if supported by the UAM
125
126 -[no]savepassword
127 Enables or disables the ability of clients to save passwords
128 locally
129
130 -[no]setpassword
131 Enables or disables the ability of clients to change their pass‐
132 words via chooser or the "connect to server" dialog
133
135 -[no]ddp
136 Enables or disables AFP-over-Appletalk. If -proxy is specified,
137 you must instead use -uamlist "" to prevent DDP connections from
138 working.
139
140 -[no]tcp
141 Enables or disables AFP-over-TCP
142
143 -transall
144 Make both available (default)
145
147 -advertise_ssh
148 Allows Mac OS X clients (10.3.3 or above) to automagically
149 establish a tunneled AFP connection through SSH. If this option
150 is set, the server's answers to client's FPGetSrvrInfo requests
151 contain an additional entry. It depends on both client's set‐
152 tings and a correctly configured and running sshd(8) on the
153 server to let things work.
154 Note
155
156 Setting this option is not recommended since globally encrypting
157 AFP connections via SSH will increase the server's load signifi‐
158 cantly. On the other hand, Apple's client side implementation of
159 this feature in MacOS X versions prior to 10.3.4 contained a
160 security flaw.
161
162 -ddpaddr [ddp address]
163 Specifies the DDP address of the server. The default is to
164 auto-assign an address (0.0). This is only useful if you are
165 running AppleTalk on more than one interface.
166
167 -fqdn [name:port]
168 Specifies a fully-qualified domain name, with an optional port.
169 This is discarded if the server cannot resolve it. This option
170 is not honored by AppleShare clients <= 3.8.3. This option is
171 disabled by default. Use with caution as this will involve a
172 second name resolution step on the client side. Also note that
173 afpd will advertise this name:port combination but not automati‐
174 cally listen to it.
175
176 -ipaddr [ip address]
177 Specifies the IP address that the server should advertise and
178 listens to (the default is the first IP address of the system).
179 This option also allows to use one machine to advertise the
180 AFP-over-TCP/IP settings of another machine via NBP when used
181 together with the -proxy option.
182
183 -port [port number]
184 Allows a different TCP port to be used for AFP-over-TCP. The
185 default is 548.
186
187 -proxy Runs an AppleTalk proxy server for the specified AFP-over-TCP
188 server. If the address and port aren't given, then the first IP
189 address of the system and port 548 will be used. If you don't
190 want the proxy server to act as a DDP server as well, set -uam‐
191 list "".
192
193 -server_quantum [number]
194 This specifies the DSI server quantum. The minimum value is
195 303840 (0x4A2E0). The maximum value is 0xFFFFFFFFF. If you spec‐
196 ify a value that is out of range, the default value will be set
197 (which is the minimum). Do not change this value unless you're
198 absolutely sure, what you're doing
199
200 -noslp Do not register this server using the Service Location Protocol
201 (if SLP support was compiled in). This is useful if you are run‐
202 ning multiple servers and want one to be hidden, perhaps because
203 it is advertised elsewhere, ie. by a SLP Directory Agent.
204
206 -admingroup [group]
207 Allows users of a certain group to be seen as the superuser when
208 they log in. This option is disabled by default.
209
210 -authprintdir [path]
211 Specifies the path to be used (per server) to store the files
212 required to do CAP-style print authentication which papd will
213 examine to determine if a print job should be allowed. These
214 files are created at login and if they are to be properly
215 removed, this directory probably needs to be umode 1777.
216 Note
217
218 -authprintdir will only work for clients connecting via DDP.
219 Almost all modern Clients will use TCP.
220
221 -client_polling
222 With this switch enabled, afpd won't advertise that it is capa‐
223 ble of server notifications, so that connected clients poll the
224 server every 10 seconds to detect changes in opened server win‐
225 dows. Note: Depending on the number of simultaneously connected
226 clients and the network's speed, this can lead to a significant
227 higher load on your network!
228 Note
229
230 Do not use this option any longer as Netatalk 2.0 correctly sup‐
231 ports server notifications, allowing connected clients to update
232 folder listings in case another client changed the contents.
233
234 -cnidserver [ipaddress:port]
235 Specifies the IP address and port of a cnid_metad server,
236 required for CNID dbd backend. Defaults to localhost:4700.
237
238 -guestname [name]
239 Specifies the user that guests should use (default is "nobody").
240 The name should be quoted.
241
242 -icon Use the platform-specific icon
243
244 -loginmesg [message]
245 Sets a message to be displayed when clients logon to the server.
246 The message should be in unixcodepage and should be quoted.
247 Extended characters are allowed.
248
249 -nodebug
250 Disables debugging.
251
252 -sleep [number]
253 AFP 3.x waits number hours before disconnecting clients in sleep
254 mode. Default is 10 hours.
255
256 -signature { user:<text> | host }
257 Specify a server signature. This option is useful while running
258 multiple independent instances of afpd on one machine (eg. in
259 clustered environments, to provide fault isolation etc.). "host"
260 signature type allows afpd generating signature automatically
261 (based on machine primary IP address). "user" signature type
262 allows administrator to set up a signature string manually. The
263 maximum length is 16 characters
264
265 Three server definitions using 2 different server signatures
266
267 first -signature user:USERS
268 second -signature user:USERS
269 third -signature user:ADMINS
270
271 First two servers will appear as one logical AFP service to the
272 clients - if user logs in to first one and then connects to sec‐
273 ond one, session will be automatically redirected to the first
274 one. But if client connects to first and then to third, will be
275 asked for password twice and will see resources of both servers.
276 Traditional method of signature generation causes two indepen‐
277 dent afpd instances to have the same signature and thus cause
278 clients to be redirected automatically to server (s)he logged in
279 first.
280
282 Note
283
284 Extended logging capabilities are only available if Netatalk was
285 built using --with-logfile. As of Netatalk 2.0, the default is
286 --without-logfile since the logger code is partially broken and
287 needs a complete rewrite (the -setuplog option might not work as
288 expected). If Netatalk was built without logger support then the
289 daemons log to syslog.
290
291 -[un]setuplog "<logtype> <loglevel> [<filename>]"
292 Specify that the given loglevel should be applied to log mes‐
293 sages of the given logtype and that these messages should be
294 logged to the given file. If the filename is ommited the
295 loglevel applies to messages passed to syslog. Each logtype may
296 have a loglevel applied to syslog and a loglevel applied to a
297 single file. Latter -setuplog settings will override earlier
298 ones of the same logtype (file or syslog).
299
300 logtypes: Default, Core, Logger, CNID, AFP
301
302 Daemon loglevels: LOG_SEVERE, LOG_ERROR, LOG_WARN, LOG_NOTE,
303 LOG_INFO, LOG_DEBUG, LOG_DEBUG6, LOG_DEBUG7, LOG_DEBUG8,
304 LOG_DEBUG9, LOG_MAXDEBUG
305
306 Some ways to change afpd's logging behaviour via -[un]setuplog
307
308 Example:
309
310 -setuplog "logger log_maxdebug /var/log/netatalk-logger.log"
311 -setuplog "afpdaemon log_maxdebug /var/log/netatalk-afp.log"
312 -unsetuplog "default level file"
313 -setuplog "default log_maxdebug"
314
316 These options are useful for debugging only.
317
318 -tickleval [number]
319 Sets the tickle timeout interval (in seconds). Defaults to 30.
320
321 -timeout [number]
322 Specify the number of tickles to send before timing out a con‐
323 nection. The default is 4, therefore a connection will timeout
324 after 2 minutes.
325
327 afpd.conf default configuration
328
329 - -transall -uamlist uams_clrtxt.so,uams_dhx.so
330
331 afpd.conf MacCyrillic setup / UTF8 unix locale
332
333 - -transall -maccodepage mac_cyrillic -unixcodepage utf8
334
335 afpd.conf setup for Kerberos V auth
336
337 - -transall -uamlist uams_clrtxt.so,uams_dhx.so,uams_guest.so,uams_gss.so \
338 -k5service afpserver -k5keytab /path/to/afpserver.keytab \
339 -k5realm YOUR.REALM -fqdn your.fqdn.namel:548
340
341 afpd.conf letting afpd appear as three servers on the net
342
343 "Guest Server" -uamlist uams_guest.so -loginmesg "Welcome guest!"
344 "User Server" -uamlist uams_dhx.so -port 12000
345 "special" -notcp -defaultvol <path> -systemvol <path>
346
348 afpd(8), afppasswd(1), AppleVolumes.default(5)
349
350
351
352
3532.0.3 24 September 2004 afpd.conf(5)