Mac OS X Server File Services Administration
Contents
1. 8 Select whether you want virtual share points to be enabled If you enable virtual share points each user has the same network home folder whether they log in from a Windows workstation or a Mac OS X computer If you disable virtual share points you must set up an SMB share point for Windows home folders and you must configure each Windows user account to use this share point From the Command Line You can also change SMB service settings using the serveradmin command in Terminal For more information see the file services chapter of Command Line Administration Starting SMB Service You start SMB service to make it available to your client users To start SMB service 1 Open Server Admin and connect to the server 2 Click the triangle to the left of the server The list of services appears From the expanded Servers list select SMB 4 Click Start SMB below the Servers list From the Command Line You can also start SMB service using the serveradmin command in Terminal For more information see the file services chapter of Command Line Administration Chapter 5 Working with SMB Service 99 100 Managing SMB Service This section describes typical tasks you might perform after you set up SMB service on your server Initial setup information appears in Setting Up SMB Service on page 95 Viewing SMB Service Status Use Server Admin to view the status of SMB service To view SMB service status Open Server Admin an2. Step 6 Start AFP services After you configure AFP start the service to make it available See Starting AFP Service on page 72 Turning AFP Service On Before you can configure AFP settings you must turn on AFP service in Server Admin To turn AFP service on 1 Open Server Admin and connect to the server 2 Click Settings then click Services 3 Select the AFP checkbox 4 Click Save Chapter 4 Working with AFP Service 67 68 Setting Up AFP Service If you enabled the Server Assistant to start AFP service when you installed Mac OS X Server you don t need to do anything else Verify that the default service settings meet your needs There are four groups of settings on the Settings pane for AFP service in Server Admin e General Sets information that identifies your server enables automatic startup and creates a login message for AFP service e Access Sets up client connections and guest access e Logging Configures and manages logs for AFP service Idle Users Configures and administers idle user settings The following sections describe how to configure these settings and a fifth section tells you how to start AFP service when you finish Configuring General Settings You use the General settings pane in AFP to enable automatic startup enable browsing with Bonjour and create a login greeting for your users To configure AFP service General settings Open Server Admin and connect to the server Click
3. 102 Oo uu A W Stopping SMB Service You stop SMB service using Server Admin Important When you stop SMB service any users that are connected may lose unsaved changes in open files To stop SMB service Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select SMB Click Stop SMB below the Servers list From the Command Line You can also stop SMB service using the serveradmin command in Terminal For more information see the file services chapter of Command Line Administration Enabling or Disabling Virtual Share Points Using Server Admin you can control whether Mac OS X Server creates a virtual SMB share point that maps to the share point selected for each user in Server Admin This simplifies setting up home folders for Windows users by using the same home folder for Windows and Mac OS X If you enable virtual share points each user has the same network home folder whether logging in from a Windows workstation or a Mac OS X computer If you disable virtual share points you must set up an SMB share point for Windows home folders and you must configure each Windows user account to use this share point To enable or disable virtual SMB share points for Windows home folders Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expande
4. Enable MacBinary and disk image auto conversion Click Save From the Command Line You can also change FTP service settings using the serveradmin command in Terminal For more information see the file services chapter of Command Line Administration Configuring Greeting Messages Users see the banner message when they first contact your server before they log in and then they see the welcome message when they log in To change banner and welcome messages Open Server Admin and connect to the server Chapter 7 Working with FTP Service 117 118 AA WwW uw N Oo N QO Ww A W Click the triangle to the left of the server The list of services appears From the expanded Servers list select FTP Click Settings then click Messages The Messages pane appears displaying the current text for both messages Edit the text Select Show welcome message and Show banner message Click Save From the Command Line You can also change the FTP service banner message using the serveradmin command in Terminal or by editing the files Library FTPServer Messages banner txt and Library FTPServer Messages welcome txt For more information see the file services chapter of Command Line Administration Displaying Banner and Welcome Messages FTP service in Mac OS X Server lets you greet users who contact or log in to your server Note Some FTP clients may not display the message in an obvious place or they may no
5. In the Access Control List select the ACE Click the Delete button Click Save Chapter 3 Setting Up Share Points 51 52 O AN DO U BP WN _ fo BW N From the Command Line You can also remove ACEs using the chmod command in Terminal For more information see the file services chapter of Command Line Administration Editing ACEs Use Server Admin if you to need change the settings of an ACE to permit or restrict a user or group from performing certain tasks in a share point To edit an ACE Open Server Admin and connect to the server Click File Sharing Click Share points and select the share point you want to update from the list Click Permissions below the list In the Access Control List select the ACE Click the Edit button From the Permission Type pop up menu choose Allow or Deny In the Permissions list select permissions Click OK Click Save You can also edit an ACE s Type and Permission fields by clicking the field and choosing an option from the pop up menu The Permission field provides five options Full Control Read and Write Read Write Custom This option displays if the permissions set don t match any of the other options For more information about permissions and permission types see Access Control Entries ACEs on page 24 Removing a Folder s Inherited ACEs If you don t want to apply inherited ACEs to a folder or a file you can remove
6. JS X Server ices Administration ion 10 5 Leopard Apple Inc 2007 Apple Inc All rights reserved The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software No part of this publication may be reproduced or transmitted for commercial purposes such as selling copies of this publication or for providing paid for support services Every effort has been made to ensure that the information in this manual is accurate Apple Inc is not responsible for printing or clerical errors Apple 1 Infinite Loop Cupertino CA 95014 2084 www apple com The Apple logo is a trademark of Apple Inc registered in the U S and other countries Use of the keyboard Apple logo Option Shift K for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws Apple the Apple logo AppleShare AppleTalk Bonjour ColorSync Mac Macintosh QuickTime Xgrid Xsan and Xserve are trademarks of Apple Inc registered in the U S and other countries Finder and Spotlight are trademarks of Apple Inc Adobe and PostScript are trademarks of Adobe Systems Incorporated UNIX is a registered trademark of The Open Group Other company and product names mentioned herein are trademarks of their respective companies Mention of third party products is for i
7. Open Server Admin and connect to the server Click File Sharing Click Share Points and select the share point from the list Click Share Point below the list Click Protocol Options This opens the protocol window with configuration options for AFP SMB FTP and NFS protocols Click NFS 7 Select Export this item and its contents to and choose an audience from the pop up menu To limit clients to specific computers choose Client List and click Add to specify the IP addresses of computers that can access the share point To limit clients to the entire subnet choose Subnet and enter the IP address and subnet mask for the subnet Chapter 3 Setting Up Share Points 10 11 12 Important Make sure the subnet address you enter is the actual IP network address that corresponds to the subnet mask you chose and not a client address Otherwise your clients can t access the share point A network calculator helps you select the subnet address and mask for the range of client addresses you want to serve and you should use one to validate your final address mask combination If needed network calculators are available on the Web For example suppose you want to export to clients that have IP addresses in the range 192 168 100 50 through 192 168 100 120 Using a subnet calculator you discover that the mask 255 255 255 128 applied to any address in this range defines a subnet with a network address of
8. 129 documentation 11 domains directory Windows 96 drop boxes 57 60 61 dynamic share points 36 E Effective Permission Inspector 30 55 encryption 16 error messages See troubleshooting explicit vs inherited permissions 21 25 53 exporting NFS share points 44 56 108 F failover planning for 17 FATLOVER_BCAST_IPS 84 FAILOVER_PEER_IP 85 failoverd 84 failoverd log 91 file services overview 15 file sharing customizing 32 planning for 17 File Transfer Protocol See FTP FireWire 89 folders accessing 22 drop boxes 57 home 36 38 111 126 Library 32 58 permissions for 19 root FTP 110 111 122 FTP File Transfer Protocol service anonymous user access 110 113 116 117 120 129 auto conversion 113 connections 124 128 conversion to 113 Index graphs 123 Kerberos 114 logs 119 123 management of 122 messages 117 overview 109 passive mode 129 ports for 16 root folder 110 111 122 security 16 109 116 settings 116 setup 114 share points 37 43 111 software requirements 16 specifications 114 starting 120 status checking 122 stopping 124 troubleshooting 128 turning on 116 uploading access 116 121 user environment 110 121 G Generic Security Service Application Programming Interface See GSSAPI graphs AFP 73 FTP 123 SMB 101 groups permissions 20 21 24 29 GSSAPI Generic Security Service Application Programming Interface 65 guest accounts AFP access 69 78 FTP access 110 113
9. For issues you should keep in mind when you set up FTP service read Before Setting Up FTP Service on page 115 Chapter 7 Working with FTP Service Step 2 Turn on FTP service Before configuring FTP service FTP must be turned on See Turning On FTP Service on page 116 Step 3 Configure FTP General settings General settings enable you to specify the number of authenticated and anonymous users that can connect to the server limit the number of login attempts and provide an administrator email address See Configuring General Settings on page 116 Step 4 Configure FTP Messages settings Messages settings enable you to display banner and welcome messages set the number of login attempts and provide an administrator email address See Configuring Greeting Messages on page 117 Step 5 Configure FTP Logging settings Logging settings enable you to specify the FTP related events you want to log for authenticated and anonymous users See Configuring FTP Logging Settings on page 119 Step 6 Configure FTP Advanced settings Advanced settings enable you to change the FTP root and choose which items users can see See Configuring FTP Advanced Settings on page 120 Step 7 Create an uploads folder for anonymous users If you enabled anonymous access in Step 2 you may want to create a folder for anonymous users to upload files The folder must be named uploads It is not a share point but must have c
10. See Configuring General Settings on page 116 The FTP Root Folder The FTP root folder or FTP root is a portion of the disk space of your server set aside for FTP users The FTP root is set to Library FTPServer FTPRoot when you install the server software You can change the FTP root See Changing the FTP Root Folder on page 122 FTP User Environments Mac OS X Server has three FTP environments to choose from FTP root and Share Points e Home Folder with Share Points e Home Folder Only To choose the user environment for your server you use the Advanced pane of FTP service settings in Server Admin For more information see Configuring FTP Advanced Settings on page 120 Chapter 7 Working with FTP Service FTP Root and Share Points The FTP Root and Share Points environment option gives access to the FTP root and any FTP share points that users have access privileges to as shown in the following illustration Users bin etc Library system Volumes Looks like Looks like FTP share point when accessing when accessing incorporated as user Bob as user Betty within virtual root Bob Betty Photos FTP server FTP Root FTP Root Looks like to anonymous FTP users FTP root a la Symbolic link Data Photos Users access FTP share points through symbolic links attached to the FTP root folder The symbolic links are created wh
11. You can customize the contents of the Network folder for client computers by setting up automatically mounting share points Share Points in the Network Folder By default the Network folder contains at least these subfolders e Applications e Library e Servers You can mount share points in any of these subfolders For more information see Automatically Mounting Share Points for Clients on page 47 More servers and shared items are added as they are discovered on your network Adding System Resources to the Network Library Folder The Library folder located in Network is included in the system search path This gives you the ability to make any type of system resource usually found in the local Library folder available on the network These resources could include fonts application preferences ColorSync profiles desktop pictures and so forth You can use this capability to customize your managed client environment For example suppose you want a specific set of fonts to be available to each user in an Open Directory domain You would create a share point containing the fonts and then set the share point to mount automatically as a shared library on client computers in Network Library Fonts For more information see Automatically Mounting Share Points for Clients on page 47 Security Considerations The most effective method of securing your network is to assign correct privileges for each file folder and sha
12. exploit to introduce viruses or Trojan horses in your environment Keep It Simple You can unnecessarily complicate file access management if you re not careful Keep it simple If standard POSIX permissions do the job use those but if you must use ACLs avoid customizing permissions unless you need to Also use simple folder hierarchies when feasible A little strategic planning can help you create effective and manageable shared hierarchies Common Folder Configurations When sharing files and folders between computers custom permissions can be set to grant or restrict access to those files and folders Before you begin setting custom file and folder permissions you might want to investigate how the file and folder will be shared who has access and what type of access you want users to have A recommended way to manage file and folder permissions is to create groups of users who share the same privileges Chapter 2 Setting Up File Service Permissions Depending on your network environment you can use either POSIX ACL or both to manage file or folder access The following table shows examples of the POSIX permissions and the ACL permissions necessary to configure some common folder sharing settings Folder ACL Everyone POSIX Drop box Permission Type Allow Owner read write execute Select the following Group read write execute checkboxes Other write Traverse Folder For example drwxrwx w e Create Files e Create Fo
13. Administration covers planning installation setup and general server administration A suite of additional guides listed below covers advanced planning setup and management of individual services You can get these guides in PDF format from the Mac OS X Server documentation website www apple com server documentation This guide tells you how to Getting Started and Installation amp Setup Worksheet Install Mac OS X Server and set it up for the first time Command Line Administration Install set up and manage Mac OS X Server using UNIX command line tools and configuration files File Services Administration Share selected server volumes or folders among server clients using the AFP NFS FTP and SMB protocols iCal Service Administration Set up and manage iCal shared calendar service iChat Service Administration Set up and manage iChat instant messaging service Mac OS X Security Configuration Mac OS X Server Security Configuration Make Mac OS X computers clients more secure as required by enterprise and government customers Make Mac OS X Server and the computer it s installed on more secure as required by enterprise and government customers Mail Service Administration Set up and manage IMAP POP and SMTP mail services on the server Network Services Administration Set up configure and administer DHCP DNS VPN NTP IP firewall NAT and RADIUS services on
14. For more information see the file services chapter of Command Line Administration Changing NFS Share Point Client Access You can use Server Admin to restrict the clients that can access an NFS export To change authorized NFS clients Open Server Admin and connect to the server Click File Sharing Click Share Points and select the NFS share point Click Protocol Options and select NFS Select the Export this item and its contents to checkbox and choose an option from the pop up menu To limit clients to specific computers choose Client List click the Add button and then enter the IP addresses of computers that can access the share point To remove a client select an address from the Client List and click the Delete button To limit clients to the entire subnet choose Subnet and enter the IP address and subnet mask for the subnet To permit unlimited and unauthenticated access to the share point choose World Click OK then click Save Enabling Guest Access to a Share Point You can use Server Admin to enable guest users users not defined in the directories used by your server to connect to specific share points Note This section does not apply to NFS To change guest access privileges for a share point Open Server Admin and connect to the server Click File Sharing Click Share points and select the share point you want to update from the list Click Share Point below the list Click Protoco
15. Logging settings enable you to specify how much information is recorded in SMB log files See Configuring Logging Settings on page 98 Step 5 Configure SMB Advanced settings Advanced settings enable you to choose a client code page set the server to be a workgroup or domain master browser specify the server WINS registration and enable virtual share points for home users See Configuring Advanced Settings on page 98 Step 6 Create share points and share them using SMB Use the Sharing service of Server Admin to specify the share points you want to make available through SMB For Windows users to be able to access a share point you must explicitly configure the share point to use SMB service See Creating a Share Point on page 39 and Changing SMB Settings for a Share Point on page 42 You can also create virtual share points that enable each user to have the same home folder whether logging in from a Windows workstation or a Mac OS X computer See Enabling or Disabling Virtual Share Points on page 102 Chapter 5 Working with SMB Service BW N Step 7 Start SMB service After you configure SMB start the services to make them available See Starting SMB Service on page 99 Turning On SMB Service Before you can configure SMB settings you must turn on SMB service To turn on SMB service Open Server Admin and connect to the server Click Settings then click Services Click the SMB checkbox C
16. Mac OS X Server Chapter 8 Solving Problems lists potential solutions to common problems you might encounter while working with the file services in Mac OS X Server In addition the Glossary provides brief definitions of terms used in this guide Note Because Apple periodically releases new versions and updates to its software images shown in this book may be different from what you see on your screen Using Onscreen Help You can get task instructions onscreen in Help Viewer while you re managing Mac OS X Server You can view help on a server or an administrator computer An administrator computer is a Mac OS X computer with Mac OS X Server administration software installed on it To get help for an advanced configuration of Mac OS X Server Open Server Admin or Workgroup Manager and then e Use the Help menu to search for a task you want to perform e Choose Help gt Server Admin Help or Help gt Workgroup Manager Help to browse and search the help topics The onscreen help contains instructions taken from Server Administration and other advanced administration guides described in Mac OS X Server Administration Guides next Preface About This Guide Mac OS X Server Administration Guides Getting Started covers basic installation and initial setup methods for a standard workgroup or covers installation and setup for standard and workgroup configurations of Mac OS X Server For advanced configurations Server
17. Windows UNIX and Linux 21 NFS Mac OS X Mac OS X Server Windows UNIX and Linux 2049 Protocol Security Comparison When sharing network resources configure your server to provide the necessary security AFP and SMB provide some level of encryption to secure password authentication SMB does not encrypt data transmissions over the network so you should only use it on a securely configured network FTP does not provide password or data encryption When using this protocol make sure your network is securely configured Instead of using FTP consider using the scp or sftp command line tools These tools securely authenticate and securely transfer files The following table provides a comparison of the protocols and their authentication and encryption capabilities Protocol Authentication Data Encryption AFP Cleartext and encrypted Kerberos Can be configured to encrypt all data passwords transmission NFS Encrypted Kerberos password and Can be configured to encrypt all data system authentication transmission SMB Cleartext and encrypted NTLM v1 Not encrypted and data is visible during NTLM v2 LAN Manager and transmission Kerberos passwords FTP All passwords are sent as cleartext All data is sent as cleartext No encryption No encryption Chapter 1 Understanding File Services Deployment Planning When planning your network consider the protocols your network configuration requires For example if
18. and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select AFP Click Connections Select the user and click Disconnect Enter the amount of time before the user is disconnected and type a disconnect message If you don t type a message a default message appears Click Send Automatically Disconnecting Idle Users You can set AFP service to disconnect users who have not used the server for a period of time To set how the server handles idle users Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select AFP Click Settings then click Idle Users 5 To enable client computers to reconnect after sleeping for a certain time select Allow clients to sleep __ hour s and enter the number of hours clients can sleep and still automatically reconnect to the server Although the server disconnects sleeping clients the clients sessions are maintained for the specified period When a user resumes work within that time the client is reconnected with no apparent interruption To specify the idle time limit select Disconnect idle users after __ minute s and enter the number of minutes after which an idle computer should be disconnected A sleeping Mac OS X v10 2 or later client can resume work on open files within the limits of th
19. failover situations you can use Xsan or third party storage area network SAN software to allow your master and backup servers to access the same volume without corrupting it It diti 7 RAID Chapter 4 Working with AFP Service 85 86 You can also use logical unit number LUN masking at the Fibre switch level to grant access to shared data on a RAID You must create scripts to instruct the switch to swap access from one server to the other LUN masking at the switch level ensures that only one server has access to the data but never both servers at the same time WARNING Giving two servers access to the same RAID volume without Xsan or third party SAN software can corrupt the volume After starting the heartbeatd and failoverd daemons the master computer starts sending heartbeat messages to the backup server at predetermined intervals If the backup computer stops receiving these messages it triggers a chain of events that results in the backup server taking over the IP address of the master server and assuming its role From a client perspective failover happens transparently with minimal disruption of service This is because the client accesses services using a virtual IP address that is an address not associated with a particular computer or domain name for example homedirs example com When the backup server assumes the role of the master the client doesn t see any difference as
20. folder that were inherited by a descendant file or folder Note Inherited ACEs cannot be edited unless you make them explicit Server Admin enables you to convert an inherited ACE to an explicit ACE For more information see Changing the Inherited ACEs for a Folder to Explicit on page 53 Understanding Inheritance ACL inheritance lets you determine how permissions pass from a folder to its descendants The Apple ACL Inheritance Model The Apple ACL inheritance model defines four options that you select or deselect in Server Admin to control the application of ACEs in other words how to propagate permissions through a folder hierarchy Apply to this folder Apply Administration Read and Write permissions to this folder Apply to child folders Apply permissions to subfolders Apply to child files Apply permissions to the files in this folder Apply to all descendants Apply permissions to all descendants 1If you want an ACE to apply to all descendants without exception you must select the Apply to child folders and Apply to child files options in addition to this option For more information see ACL Inheritance Combination on page 27 Mac OS X Server propagates ACL permissions at two well defined times e By the kernel at file or folder creation time when you create a file or folder the kernel determines what permissions the file or folder inherits from its parent folder e When initiated by a
21. from the Share Points list To view the share point configuration and protocol settings on a server Open Server Admin and connect to the server Click File Sharing Click Share Points You can view the share point name path disk space sharing guest access automount and Spotlight settings Use tooltips to quickly display the shared and guest access protocols for a share point Select the share point and click Share Point below the list View the protocol settings by clicking Protocol Options and selecting the protocol AFP SMB FTP or NFS From the Command Line You can also view share point settings using the sharing command in Terminal For more information see the file services chapter of Command Line Administration Chapter 3 Setting Up Share Points 49 50 BW N BW N Viewing Share Point Content and Privileges You can use File Sharing in Server Admin to view share point content and access privileges To view share point content and access privileges on a server Open Server Admin and connect to the server Click File Sharing Click Share Points and select a share point in the list Click Permissions below the list You can now view the contents of the selected share point and access items in the folder hierarchy You can also view the privilege settings POSIX and ACL of the share point and each item in the folder hierarchy From the Command Line You can also view share points and their contents by u
22. long as services on both computers are configured exactly the same way A brief disruption of service may be noticeable if IP failover happens while the client is actively communicating with a service For example if a user is copying a file from the server and it fails over the copying process will be disrupted and the user must start the copying process again Acquiring Master Address Chain of Events When the master server fails over the following chain of events occurs on the backup server The failoverd daemon located in usr sbin detects no broadcasts from the primary server on the FireWire interface The failovera daemon instructs the NotifyFailover script located in usr libexec to notify users listed in etc hostconfig If no recipient is specified a message is sent to the root user failoverd executes the processFailover script located in usr libexec The processFailover script executes the Library Failover IP_address Test script where 2 _address is the IP address or domain name of the master server and the following occurs Ifthe vest script returns false ProcessFailover quits and the backup server does not acquire the IP address of the master server e If the Test script returns true or does not exist ProcessFailover continues its execution Chapter 4 Working with AFP Service Note By default the test script is empty but you can customize it to suit your needs The ProcessFailover script e
23. name double click the user s name in the Users and Groups list See if there are problems with directory services and make sure the directory services server is operating and connected to the network For help with directory services see Open Directory Administration e Verify that IP filter service is configured to enable access to the correct ports If clients still can t connect see if the client is using FTP passive mode and turn it off Passive mode causes the FTP server to open a connection to the client on a dynamically determined port which could conflict with port filters set up in IP filter service e Check the Library FTPServer Messages error txt file for clues as to what the problem might be If Clients Can t Connect to the FTP Server If users can t connect to the FTP server see if the client is using FTP passive mode and turn it off Passive mode causes the FTP server to open a connection on a dynamically determined port to the client which could conflict with port filters set up in IP filter service If Anonymous FTP Users Can t Connect If anonymous users can t connect to FTP service e Verify that anonymous access is turned on See if the maximum number of anonymous user connections has been reached To do this open Server Admin and click FTP in the Servers list Problems with IP Failover This section describes potential IP failover problems and ways to diagnose and resolve them Try these suggesti
24. of connections The maximum number of guests cannot exceed the maximum number of total client connections permitted Click Save Chapter 4 Working with AFP Service 69 70 From the Command Line You can also change AFP access settings using the serveradmin command in Terminal or by reconfiguring the AFP preferences file For more information see the file services chapter of Command Line Administration Configuring Logging Settings Use the Logging pane of the AFP service settings in Server Admin to configure and manage service logs To configure AFP service Logging settings Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select AFP Click Settings then click Logging To keep a record of users who connect to the server using AFP select Enable access log To periodically close and save the active log and open a new one select Archive every __ day s and enter the number of days after which the log is archived The default is 7 days The server closes the active log at the end of each archive period renames it to include the current date and then opens a new log file Select the events you want Apple file service to log An entry is added to the log when a user performs an action you select When you choose the number of events to log consider available disk space The more events you choose the faster the
25. over who can access a file or a folder they lack the flexibility and granularity that many organizations require to deal with elaborate user environments This is where ACLs come in handy An ACL provides an extended set of permissions for a file or folder and enables you to set multiple users and groups as owners In addition ACLs are compatible with Windows Server 2003 and Windows XP giving you added flexibility in a multiplatform environment Standard Permissions There are four types of standard POSIX access permissions that you can assign to a share point folder or file Read amp Write Read Only Write Only and None The table below shows how these permissions affect user access to different types of shared items files folders and share points Users can Read amp Write ReadOnly WriteOnly None Open a shared file Yes Yes No No Copy a shared file Yes Yes No No Open a shared folder or share point Yes Yes No No Copy a shared folder or share point Yes Yes No No Edit a shared file Yes No No No Move items to a shared folder or share point Yes No Yes No Move items from a shared folder or share point Yes No No No Note QuickTime Streaming Server QTSS and WebDAV have separate permissions settings For information about QTSS see the QTSS online help and the QuickTime website www apple com quicktime products qtss You ll find information about Web permissions in Web Technologies Administration Chapter 2 S
26. points use the Bonjour registration type afpserver From the Command Line You can also set AFP service to register with Bonjour using the serveradmin command in Terminal For more information see the file services chapter of Command Line Administration Limiting Connections If your server provides a variety of services you can prevent a flood of users from affecting the performance of those services by limiting the number of clients and guests who can connect at the same time To set the maximum number of connections Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select AFP Click Settings then click Access and look under Maximum Connections By default the maximum client and guest connections is set to Unlimited Chapter 4 Working with AFP Service 75 76 5 AO uu A WwW Click the button next to the number field following Client Connections Including Guests and enter the maximum number of connections you want to permit The guest connections limit is based on the client connections limit and guest connections count as part of the total connection limit For example if you specify maximums of 400 client connections and 50 guest connections and 50 guests are connected that leaves 350 connections for registered users Click the button next to the number fields and adjacent to Guest connections a
27. protocols SMB services use SMB to provide access to servers printers and other network resources Glossary TCP Transmission Control Protocol A method used with the Internet Protocol IP to send data in the form of message units between computers over the Internet IP handles the actual delivery of the data and TCP keeps track of the units of data called packets into which a message is divided for efficient routing through the Internet ticket Kerberos A temporary credential that proves a Kerberos client s identity to a service Transmission Control Protocol See TCP UDP User Datagram Protocol A communications method that uses the Internet Protocol IP to send a data unit called a datagram from one computer to another on a network Network applications that have very small data units to exchange may use UDP rather than TCP UID User ID A number that uniquely identifies a user within a file system Mac OS X computers use the UID to keep track of a user s folder and file ownership URL Uniform Resource Locator The address of a computer file or resource that can be accessed on a local network or the Internet The URL is made up of the name of the protocol needed to access the resource a domain name that identifies a specific computer on the Internet and a hierarchical description of a file location on the computer User Datagram Protocol See UDP user ID See UID user name The long name for a user sometimes referred
28. reconnect 66 browsing options 75 client computers 66 80 connections 74 75 127 graphs 73 guest access 69 78 idle user settings 71 77 Kerberos authentication 65 login 79 logs 70 73 76 management of 72 messages 127 overview 65 permissions 24 Index ports for 16 reconnect server key 90 settings 68 setup 67 share points 37 41 software requirements 16 specifications 66 Spotlight 66 starting 72 status checking 72 stopping 74 troubleshooting 126 turning on 67 Allow permissions 29 anonymous user access FTP 110 113 116 117 120 129 Apple Filing Protocol service See AFP AppleTalk 66 applications securing 30 authentication AFP 16 65 FTP 16 110 Kerberos 65 114 NFS 16 104 SMB CIFS related 16 97 auto conversion FTP 113 automountable share points 36 47 82 B BDC backup domain controller 96 Bonjour browsing service 75 C cat tool 73 chmod tool 51 CIFS Common Internet File System See SMB CIFS client computers AFP service 66 80 clients See also users access control 22 69 group permissions 20 21 24 29 NFS subnets 44 share point access 37 47 56 139 code page Windows 98 command line interface ACEs 51 log viewing 73 NFS mounts 108 security 16 share points 39 status checking 73 compressed files 113 D daemons failoverd 84 heartbeatd 84 Deny permissions 28 30 disk quotas share points 39 46 61 Disk Utility 59 DNS Domain Name System service 126
29. s home folder is named NewRoot Chapter 7 Working with FTP Service Home Folder Only When you choose the Home Folder Only option authenticated users are confined to their home folders and do not have access to the FTP root or other FTP share points as shown in the following illustration bin Users etc Library system Volumes FTP share point incorporated within virtual root Bob Betty FTP server Share point Projects Reports Looks like to anonymous FTP users FTP root i a Symbolic link Data Photos Anonymous users and users without home folders still have access to the FTP root but cannot browse FTP share points On the Fly File Conversion FTP service in Mac OS X Server enables users to request compressed or decompressed versions of information about the server A file name suffix such as Z or gz indicates that the file is compressed If a user requests a file named Hamlet txt and the server only has a file named Hamlet txt Z the server knows that the user wants the decompressed version and delivers it to the user in that format In addition to standard file compression formats FTP in Mac OS X Server can read files from Hierarchical File System HFS or non HFS volumes and convert the files to MacBinary bin format MacBinary is one of the most commonly used file compression formats for the Macintosh operating system Chapter 7 Working with FTP Servic
30. t provide many AFP features that Mac OS users are accustomed to such as Spotlight searching native ACL and extended attribute support Also if you share applications or documents that are exclusively for Windows users you can set up an SMB share point to be used only by them This provides a single point of access for your Windows users and lets them take advantage of opportunistic and strict file locking For more information about file locking see File Locking with SMB Share Points on page 93 Note If you enable AFP and SMB services on your server Mac OS clients can connect to the server over AFP or SMB If Windows users want to connect to your server over AFP they must use third party AFP client software Shared Information Organization Organize shared information before you set up the share points especially if you re setting up network home folders After you create share points users form mental maps of the organization of the share points and the items they contain Changing share points and moving information around can cause confusion Security Review the issues discussed in Security Considerations on page 32 Network Home Folders If you re setting up a share point on your server to store user home folders keep these points in mind e The Users share point is set up by default to be used for storing home folders when you install Mac OS X Server You can use this preconfigured share point for user home fo
31. the Service list Click the Add button to open the Users and Groups list Chapter 3 Setting Up Share Points 7 Drag users and groups to the list 8 Set the user s permission To grant administrator access choose Administrator from the Permission pop up menu next to the user name To grant monitoring access choose Monitor from the Permission pop up menu next to the user name 9 Click Save Chapter 3 Setting Up Share Points 63 64 Chapter 3 Setting Up Share Points Working with AFP Service This chapter describes how to set up and manage AFP service in Mac OS X Server Apple Filing Protocol AFP service enables Mac OS clients to connect to your server and access folders and files Non Mac OS clients can also connect to your server over AFP using third party AFP client software AFP service uses version 3 3 of AFP which supports new features such as Unicode file names access control lists ACLs 64 bit file sizes extended attributes and Spotlight searching Unicode is a standard that assigns a unique number to every character regardless of the language or the operating system used to display the language Kerberos Authentication AFP supports Kerberos authentication Kerberos is a network authentication protocol developed at MIT to provide secure authentication and communication over open networks In addition to the standard authentication method Mac OS X Server uses Generic Security Services Applicatio
32. the expanded Servers list select FTP Click Settings then click Advanced From the Authenticated users see pop up menu choose the type of user environment you want to provide Chapter 7 Working with FTP Service 121 122 FTP Root and Share Points sets up the Users folder as a share point Authenticated users log in to their home folders if they re available Authenticated and anonymous users can see other users home folders Home Folder with Share Points logs authenticated FTP users in to their home folders They have access to home folders the FTP root and FTP share points Home Directory Only restricts authenticated FTP to user home folders Click Save Regardless of the user environment you choose access to data is controlled by the access privileges that you or users assign to files and folders Anonymous users and authenticated users who don t have home folders or whose home folders are not located in a share point they have access to are always logged in at the root level of the FTP environment Changing the FTP Root Folder Use the Advanced pane of the FTP service settings to change the path to the FTP root folder To specify a different FTP root Select the folder you want to use If the folder doesn t exist create it and configure it as an FTP share point Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears Fro
33. the server completes the reconnect Chapter 4 Working with AFP Service BW N In the case of failover the server reconnect key used to initially encrypt the reconnect token handed to the client must be used by the backup server to handle all reconnects By default the server reconnect key is by default stored in etc AFP conf This file should be copied from the master server to the backup server or should be placed on a shared storage that both servers can access The path to the key is specified by the reconnectKeyLocation attribute value found in the preference file Library Preferences com AppleFileServer plist If your master and backup servers share a data storage you can change the value of reconnectKeyLocation in the server preferences file This ensures that the same reconnect server key is used by both servers Viewing the IP Failover Log Mac OS X Server records all IP failover activity in Library Logs failoverd log To view failover service log files Open Applications Utilities Console Choose File gt Open Locate and select the failoverd log file in the Library Logs folder Click Open You can use the Filter field to display only the log entries you re interested in From the Command Line You can also view the failoverd log file using commands in Terminal To automate log monitoring consider using cron and grep to automatically search log files for IP failover related keywords and mail those entries
34. to as the user s real name See also short name volume A mountable allocation of storage that behaves from the client s perspective like a local hard disk hard disk partition or network volume In Xsan a volume consists of one or more storage pools See also logical disk WebDAV Web based Distributed Authoring and Versioning A live authoring environment that allows client users to check out webpages make changes and then check the pages back in to the site while the site is running WINS Windows Internet Naming Service A name resolution service used by Windows computers to match client names with IP addresses A WINS server can be located on the local network or externally on the Internet Glossary 137 138 Glossary Index A access See also ACLs FTP permissions ACEs 22 24 40 51 AFP 69 anonymous 110 113 116 117 120 129 NFS 103 104 precedence rules 28 share point 32 37 40 47 51 56 SMB CIFS 97 access control entries See ACEs access control lists See ACLs accounts See guest accounts user accounts ACEs access control entries 22 24 40 51 ACLs access control lists files and folders 22 inheritance 25 52 overview 20 permissions 20 22 51 rules of precedence 28 SACLs 31 share points 40 51 Active Directory AFP 79 administrator privileges of 21 62 AFP Apple Filing Protocol service accessing 69 Active Directory 79 AppleTalk support 66 authentication 16 65 automatic
35. to you For more information see the IP failover chapter of the Command Line Administration guide Chapter 4 Working with AFP Service 91 92 Chapter 4 Working with AFP Service Working with SMB Service This chapter describes how to set up and manage SMB service in Mac OS X Server Mac OS X Server can provide the following native services to Windows clients Domain login Enables each user to log in using the same user name password roaming profile and network home folder on any Windows computer capable of logging in to a Windows NT domain File service Enables Windows clients to access files stored in share points on the server using Server Message Block SMB protocol over TCP IP Print service Enables Windows clients to print to PostScript printers with print queues on the server Windows Internet Naming Service WINS Enables clients to resolve NetBIOS names and IP addresses across multiple subnets Windows domain browsing Enables clients to browse for available servers across subnets File Locking with SMB Share Points File locking prevents multiple clients from changing the same information at the same time When a client opens a file or part of a file the file becomes locked so the client has exclusive access Before a read or write is performed on a file the lock database to checked to verify the lock status of the file Strict locking enabled by default helps prevent multiple clients from attempt
36. use the command line tools 1s and chmoa For more information see the corresponding man pages and Command Line Administration You define ACLs for share points files and folders using Server Admin Supported Volume Formats and Protocols Only HFS provides local file system support for ACLs In addition only SMB and AFP provide network file system support for ACLs in Windows and Apple networks respectively Access Control Entries ACEs An access control entry ACE is an entry in an ACL that specifies for a group or a user access permissions to a file or folder and the rules of inheritance What s Stored in an ACE An ACE contains the following fields User or Group An ACE stores a universally unique ID for a group or user which permits unambiguous resolution of identity Type An ACE supports two permission types Allow and Deny which determine whether permissions are granted or denied in Server Admin Permission This field stores the settings for the 13 permissions supported by the Apple ACL model Inherited This field specifies whether the ACE is inherited from the parent folder Applies To This field specifies what the ACE permission is for Chapter 2 Setting Up File Service Permissions Explicit and Inherited ACEs Server Admin supports two types of ACEs e Explicit ACEs which are those you create in an ACL See Adding ACEs to ACLs on page 51 e Inherited ACEs which are ACEs you created for a parent
37. user to the Effective Permission Inspector N DA UU A U N If you don t see a recently created user click Refresh After dragging the user from the list the inspector shows the permissions the user has for the selected file or folder An entry with a checkmark means the user has the indicated permission equivalent to Allow An entry without a checkmark means the opposite equivalent to Deny When you finish close the inspector window Changing the Protocols Used by a Share Point You can use Server Admin to change the protocols available for accessing a share point The following protocols are available e AFP see Changing AFP Settings for a Share Point on page 41 e SMB see Changing SMB Settings for a Share Point on page 42 FTP see Changing FTP Settings for a Share Point on page 43 e NFS see Exporting an NFS Share Point on page 44 To change the protocols for a share point Open Server Admin and connect to the server Click File Sharing Click Share points and select the share point you want to update from the list Click Share Point below the list Click Protocol Options and select the protocol Select the protocols you want to change and modify the configuration Click OK then click Save Chapter 3 Setting Up Share Points 55 56 wu A WwW N wu A WwW N fon From the Command Line You can also change the protocol settings of a share point using the sharing command in Terminal
38. your network consists of multiplatform computers consider using SMB and AFP services to permit access to both platforms Determining the Best Protocol for Your Needs The file service protocols you use depend on your network configuration and what platforms you are supporting Determining Hardware Requirements for Your Needs If you re sharing network resources with other networks or Ethernet your firewall must permit communication through all ports associated with your service Planning for Outages and Failovers When planning for outages and failovers consider eliminating as many single points of failure throughout your network as possible A basic example of a single point of failure would be a single computer with a single hard disk and a single power source If you have a single computer you can eliminate the single points of failure by e Configuring your computer with more disk drives using a redundant array of independent disks RAID By configuring a RAID you can help prevent data loss For example if the main disk fails the system can still access the data from the other disk drives in the RAID Connecting the power source of the computer to a backup power source e Providing another computer with the same configuration to eliminate the computer as the single point of failure If you don t have another computer you can configure your computer to automatically reboot on power failure This ensures your computer will reboot
39. 105 105 106 106 106 107 107 108 Configuring IP Failover IP Failover Overview Acquiring Master Address Chain of Events Releasing Master Address Chain of Events IP Failover Setup Connecting the Master and Backup Servers to the Same Network Connecting the Master and Backup Servers Together Configuring the Master Server for IP Failover Configuring the Backup Server for IP Failover Configuring the AFP Reconnect Server Key Viewing the IP Failover Log Working with SMB Service File Locking with SMB Share Points Setup Overview Turning On SMB Service Setting Up SMB Service Configuring General Settings Configuring Access Settings Configuring Logging Settings Configuring Advanced Settings Starting SMB Service Managing SMB Service Viewing SMB Service Status Viewing SMB Service Logs Viewing SMB Graphs Viewing SMB Connections Stopping SMB Service Enabling or Disabling Virtual Share Points Working with NFS Service Setup Overview Before Setting Up NFS Service Turning On NFS Service Setting Up NFS Service Configuring NFS Settings Starting NFS Service Managing NFS Service Checking NFS Service Status Viewing NFS Connections Stopping NFS Service Viewing Current NFS Exports Contents Chapter 7 Chapter 8 109 109 110 110 110 113 114 114 114 115 116 116 116 116 117 118 119 119 119 120 120 120 121 121 122 122 122 123 123 124 124 125 125 125 125 126 126 126 126 126 127 127 Working
40. 116 117 120 129 permissions 33 share point access 56 H heartbeatd 84 help using 10 HFS 24 home folders share points 36 38 111 troubleshooting 126 user environments 111 hostconfig entries FAILOVER_BCAST_IPS 84 FAILOVER_PEER_IP 85 inheritance file permission 23 25 52 IP failover backup server 84 configuring backup server 90 defined 83 log 91 master server 84 RAID device 85 IP over FireWire 89 K Kerberos 65 114 L Library folder network 32 58 locking files 93 opportunistic 42 43 93 strict 43 93 unified 37 login 79 127 128 logs AFP 70 73 76 FTP 119 123 SMB CIFS 98 100 M Mac OS 9 client management 83 Mac OS X client management 80 master browser 98 99 mounting automounting 36 47 command line method 108 share points 36 46 82 N naming conventions share points 39 users 81 NAS network attached storage 58 NetBios name 99 Network File System See NFS NFS Network File System accessing 103 104 connections 107 exporting 44 56 108 file sharing 33 management of 106 overview 15 ports for 16 resharing mounts 46 security 16 settings 105 setup 103 share points 32 37 44 56 software requirements 16 starting 106 status checking 106 Index stopping 107 troubleshooting 128 turning on 104 nfsd daemons 105 None privilege 20 NotifyFailover 86 87 O on the fly conversion FTP 113 Open Directory Password Server 128 opportunistic locking 42 43 93 o
41. 192 168 100 0 and a range of usable IP addresses from 192 168 100 1 through 192 168 100 126 which includes the desired client addresses So in Server Admin you enter subnet address 192 168 100 0 and subnet mask 255 255 255 128 in the NFS Export Settings for the share point To permit unlimited and unauthenticated access to the share point choose World From the Mapping pop up menu set the privilege mapping for the NFS share point Choose Root to Root if you want the root user to have root privileges to read write and carry out commands Choose All to Nobody if you want users to have minimal privileges to read write and carry out commands Choose Root to Nobody if you want the root user on a remote client to have only minimal privileges to read write and carry out commands Choose None if you don t want privileges mapped From the Minimum Security pop up menu set the level of authentication Choose Standard if you don t want to set a level of authentication Choose Any if you want NFS to accept any method authentication Choose Kerberos v5 if you want NFS to only accept Kerberos authentication Choose Kerberos v5 with data integrity if you want NFS to accept Kerberos authentication and validate the data checksum during transmission Choose Kerberos v5 with data integrity and privacy to have NFS accept Kerberos authentication to validate with checksum and to encry
42. 4 computers to access the NFS share point using system authentication If your network has only Mac OS X v10 5 computers it is recommended the security be set to Kerberos authorization only Using NFS with Kerberos is a recommended way to configure secure access to files Turning On NFS Service Before you can configure NFS settings you must turn on NFS service in Server Admin To turn on NFS service 1 Open Server Admin and connect to the server 2 Click Settings then click Services 3 Select the NFS checkbox 4 Click Save Chapter 6 Working with NFS Service Setting Up NFS Service Use Server Admin to change NFS service settings The following sections describe the tasks for configuring and starting NFS service Configuring NFS Settings NFS settings enable you to set the maximum number of daemons and choose how you want to serve clients using TCP UDP or both To configure NFS settings Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select NFS Click Settings In the Use__server threads field enter the maximum number of NFS threads you want to run at one time An NFS thread is a thread running inside the nfsd process It continuously runs behind the scenes and processes read and write requests from clients The more threads that are available the more concurrent clients can be served Select how y
43. AFP service This disconnects all users so connected users may lose unsaved changes in open files To initiate AFP service shutdown and warn users Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select AFP Click Connections then click Stop Enter the amount of time that clients have to save their files before AFP service stops If you want users to know why they must disconnect enter a message in the Additional Message field Otherwise a default message is sent indicating that the server will shut down in the specified number of minutes Chapter 4 Working with AFP Service aA uu A WwW Click Send From the Command Line You can also stop AFP service immediately using the serveradmin command in Terminal For more information see the file services chapter of Command Line Administration Enabling Bonjour Browsing You can register AFP service with Bonjour to enable users to find the server by browsing through available servers Otherwise users who cannot browse must enter the server host name or IP address when connecting To register with Bonjour Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select AFP Click Settings then click General Select Enable Bonjour registration Click Save AFP share
44. See TCP troubleshooting 125 U UDP User Datagram Protocol 105 unified file locking 37 user accounts names 81 User Datagram Protocol See UDP users See also clients guest accounts home folders anonymous 110 113 116 117 120 129 categories 20 21 32 disconnecting 77 FTP environment for 110 121 idle 71 77 messages to 78 117 127 permissions 19 20 21 24 55 troubleshooting 125 unregistered 33 Workgroup Manager 35 V virtual DNS name 88 virtual share points 98 99 102 volumes exporting NFS 44 56 108 permissions 24 Index W WebDAV Web Based Distributed Authoring and Versioning 20 Windows services 38 96 See also SMB CIFS WINS Windows Internet Naming Service 98 99 Workgroup Manager share points 35 World permission level 32 45 Write Only privilege 20 143
45. Share Point on page 56 To enable guest access Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select AFP Click Settings then click Access Select Enable Guest access If you want to limit how many client connections can be used by guests enter a number in the Maximum Connections Guest Connections option Chapter 4 Working with AFP Service If you don t want to limit the number of guest users who can be connected to your server at one time select Unlimited Click Save From the Command Line You can also set AFP service to permit guest access using the serveradmin command in Terminal For more information see the file services chapter of Command Line Administration Creating a Login Greeting The login greeting is a message users see when they log in to the server To create a login greeting Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select AFP Click Settings then click General In the Logon Greeting field enter a message If you change the message users will see the new message the next time they connect to the server To prevent users from seeing the message more than once select Do not send same greeting twice to the same user Click Save From the Command Line
46. Spotlight for Share Points Configuring Time Machine Backup Destination Monitoring Share Point Quotas Setting SACL Permissions Setting SACL Permissions for Users and Groups Setting SACL Permissions for Administrators Working with AFP Service Kerberos Authentication Automatic Reconnect Find Content AppleTalk Support AFP Service Specifications Setup Overview Turning AFP Service On Setting Up AFP Service Configuring General Settings Configuring Access Settings Configuring Logging Settings Configuring Idle Users Settings Starting AFP Service Managing AFP Service Checking AFP Service Status Viewing AFP Service Logs Viewing AFP Graphs Viewing AFP Connections Stopping AFP Service Enabling Bonjour Browsing Limiting Connections Keeping an Access Log Disconnecting a User Automatically Disconnecting Idle Users Sending a Message to a User Enabling Guest Access Creating a Login Greeting Integrating Active Directory and AFP Services Supporting AFP Clients Mac OS X Clients Connecting to the AFP Server in Mac OS X Changing the Default User Name for AFP Connections Setting Up a Mac OS X Client to Automatically Mount a Share Point Connecting to the AFP Server from Mac OS 8 and Mac OS 9 Clients Setting up a Mac OS 8 or Mac OS 9 Client to Automatically Mount a Share Point Contents Chapter 5 Chapter 6 83 84 86 87 88 88 89 89 90 90 91 93 93 94 95 95 96 97 98 98 99 100 100 100 101 101 102 102 103 103 104 104
47. You can also change the AFP service greeting using the serveradmin command in Terminal For more information see the file services chapter of Command Line Administration Integrating Active Directory and AFP Services You can configure your AFP services to use Active Directory for authenticating and authorizing Mac users to an AFP share point If you have a mixed platform environment with Windows and Mac computers you can integrate a Mac OS X AFP server with your Windows Active Directory server Mac users can access the AFP share point by using their Active Directory user account credentials To integrate AFP with Active Directory Create an AFP share point for your Mac users For more information see Creating a Share Point on page 39 Open Directory Utility located in Applications Utilities Chapter 4 Working with AFP Service 79 80 3 If the lock icon is locked click it and then enter the name and password for an administrator Click Directory Servers then click the Add button From the Add a new directory of type pop up menu choose Active Directory then enter the following information Active Directory Domain This is the DNS name or IP Address of the Active Directory server Computer ID Optionally edit the ID you want Active Directory to use for your server This is the server s NetBIOS name The name should contain no more than 15 characters no special characters and no punctuation If practical m
48. ackup server without being aware of the service disruption as long as the data is stored on shared storage that is accessible by both computers Mac OS X Server provides built in support for IP failover In this section you learn how IP failover works in Mac OS X Server and how to configure it IP Failover Overview IP failover lets you ensure high availability of your servers A simple IP failover solution consists of two Mac OS X Server computers a master and a backup The master computer provides services while the backup computer waits in the background to take over if the master fails AFP SMB CIFS homedirs example com node1l example com node2 example com Master server Backup server In this scenario both computers connect to the same network Each computer has a unique IP address and optionally a DNS or domain name The computers are connected directly to each other using IP over FireWire To provide IP failover support Mac OS X Server uses the heartbeatd and failoverd daemons e The heartbeatd daemon runs on the master computer and broadcasts heartbeat messages every second on port 1694 from both network interfaces announcing the host s availability to other nodes listening with failoverd Sending the heartbeat message on both primary and secondary network links helps prevent false alarms heartbeatd uses the FAILOVER_BCAST_IPs entry in the etc hostconfig file to determine wh
49. ad and write files without having to deal with lower level details File Transfer Protocol See FTP FTP File Transfer Protocol A protocol that allows computers to transfer files over a network FTP clients using any operating system that supports FTP can connect to a file server and download files depending on their access privileges Most Internet browsers and a number of freeware applications can be used to access an FTP server group A collection of users who have similar needs Groups simplify the administration of shared resources guest user A user who can log in to your server without a user name or password home directory See home folder home folder A folder for a user s personal use Mac OS X also uses the home folder to store system preferences and managed user settings for Mac OS X users Also known as a home directory host Another name for a server host name A unique name for a computer historically referred to as the UNIX hostname Internet A set of interconnected computer networks communicating through a common protocol TCP IP The Internet is the most extensive publicly accessible system of interconnected computer networks in the world Internet Protocol See IP IP Internet Protocol Also known as IPv4 A method used with Transmission Control Protocol TCP to send data between computers over a local network or the Internet IP delivers data packets and TCP keeps track of data packets IP address A unique
50. aditional POSIX permissions with ACLs This combination provides great flexibility and a fine level of granularity in controlling access to files and folders However if you re not careful in how you assign privileges it ll be very hard for you to keep track of how permissions are assigned Note With 17 permissions you can choose from a staggering 98 304 combinations Add to that a sophisticated folder hierarchy many users and groups and many exceptions and you have a recipe for considerable confusion This section offers useful tips and advice to help you get the most out of access control in Mac OS X Server and avoid the pitfalls Manage Permissions at the Group Level Assign permissions to groups first and assign permissions to individual users only when there is an exception For example you can assign all teachers in a school district Read and Write permissions to a certain share point but deny Anne Johnson a temporary teacher permission to read a certain folder in the share point s folder hierarchy Using groups is the most efficient way of assigning permissions After creating groups and assigning them permissions you can add and remove users from groups without reassigning permissions Gradually Add Permissions Assign only necessary permissions and then add permissions only when needed As long as you re using Allow permissions Mac OS X Server combines the permissions For example you can assign the Students group part
51. ain Controller BDC if you want your server to provide automatic failover and backup for the Mac OS X Server PDC The BDC handles authentication requests for domain login and other services as needed The BDC can host user profiles and network home folders for user accounts on the PDC Note Mac OS X Server can host a PDC only if the server is an Open Directory master and can host a BDC only if the server is an Open Directory replica For information about Mac OS X Server directory and authentication services including Open Directory master and replicas see Open Directory Administration Enter a description computer name and domain or workgroup For Description enter a description of the computer This appears in the Network Places window on Windows computers and is optional Chapter 5 Working with SMB Service For Computer Name enter the name you want Windows users to see when they connect to the server This is the server s NetBIOS name The name should contain no more than 15 characters no special characters and no punctuation If practical make the server name match its unqualified DNS host name For example if your DNS server has an entry for your server as server example com give your server the name server For Domain enter the name of the Windows domain that the server will host The domain name cannot exceed 15 characters and cannot be workgroup For Workgroup enter a workgroup name Windows users s
52. ake sure users are looking for the correct name If Users Can t Connect to the AFP Server If users can t connect to the AFP server e Make sure the user has entered the correct user name and password The user name is not case sensitive but the password is e In the Accounts module of Workgroup Manager verify that logging in is enabled for the user See if the maximum number of client connections has been reached in the AFP service Overview If it has the user should try to connect later e Make sure the server that stores users and groups is running e Verify that the user has AppleShare 3 7 or later installed on his or her computer Administrators who want to use the admin password to log in as a user need at least AppleShare 3 7 e Make sure IP filter service is configured to enable access on port 548 if the user is trying to connect to the server from a remote location For more on IP filtering see Network Services Administration If Users Don t See the Login Greeting If users can t see the login greeting upgrade the software on their computer AFP client computers must use AppleShare client software v3 7 or later Problems with SMB Service This section describes potential SMB problems and ways to diagnose and resolve them If Windows Users Can t See the Windows Server in Network Neighborhood If Windows users can t see the Windows server in Network Neighborhood e Make sure the user s computer is properly co
53. ake the server name match its unqualified DNS host name For example if your DNS server has an entry for your server as server example com give your server the name server AD Administrator Username and Password Enter the user name and password of the Active Directory administrator Click OK and close Directory Utility Supporting AFP Clients After you configure your share point and AFP service your clients can connect using the Connect to Server window in Finder or they can have the shared volume mount when they log in Note Non Apple clients can also connect over AFP using third party AFP client software Mac OS X Clients AFP service requires the following Mac OS X system software e TCP IP connectivity e AppleShare 3 7 or later To find out the latest version of AppleShare client software supported by Mac OS X go to the Apple support website at www apple support Connecting to the AFP Server in Mac OS X You can connect to Apple file servers by entering the DNS name of the server or its IP address in the Connect to Server window Or if the server is registered with Bonjour browse for it in the Network globe in the Finder Note Apple file service doesn t support AppleTalk connections so clients must use TCP IP to access file services Chapter 4 Working with AFP Service To connect to the Apple file server in Mac OS X In the Finder choose Go gt Connect to Server In the Connect to Server pane do on
54. an for a more advanced NAS configuration The steps that follow explain how to set up an Xserve NAS system Chapter 3 Setting Up Share Points Step 1 Connect the Xserve system to the network The Xserve system has gigabit Ethernet hardware for extremely fast communications with other network devices Data transmission rates are determined by the speed of other components such as the network hub or switch and cables used If you are also using a RAID unit as part of the NAS system connect it to the Xserve unit by installing the Apple Fibre Channel PCI card in the Xserve unit and installing the Fibre Channel cables between the two hardware components To assure that connecting the system to the network does not disrupt network operations work with the system administrator or other expert Follow the instructions in the Xserve guide if applicable to install the system properly in a rack Step 2 Establish volumes partitions and RAID sets on the drive modules Plan how you want to divide the total storage on the Xserve NAS system taking into account the number of users likely demands for NAS and future growth Then use Disk Utility to create partitions or RAID arrays on the drives If you have a RAID use RAID Admin to create RAID arrays on the drives and Disk Utility to put the file system on the arrays For information about using these applications consult the Disk Utility online help and the RAID Admin documentation You can a
55. and connect to the server Click File Sharing Click Share Points and select the share point you want to become a network library To create a share point for your network library see Creating a Share Point on page 39 Click Share Point below the list Select the Automount checkbox From the Directory pop up menu choose the directory domain that contains your users and computers From the Protocol pop up menu choose the sharing protocol AFP or NFS If you choose AFP guest access has to be enabled for automounted AFP share points to work except when all users have access to their home folders using Kerberos SSO authentication For more information see Configuring Access Settings on page 69 Choose Shared Library folder for the share point to appear in Network Library Click OK Authenticate when prompted Click Save Using Mac OS X Server for Network Attached Storage You can configure your Mac OS X Server for Network Attached Storage NAS to provide all the basic NAS style file resharing using AFP SMB FTP and NFS as well as advanced features such as directory integration NAS also works with more advanced storage architectures such as RAID data protection and Xsan for storage clustering To provide NAS style file sharing for network users you must configure your Mac OS X server for NAS The most common configuration uses an Xserve as a file server with a RAID device data storage You can also use Xs
56. and when it was last updated The user can then choose whether to open and read the file Configuring FTP Logging Settings Logging settings enable you to choose which FTP related events to record For authenticated or anonymous users you can record Uploads e Downloads e FTP commands e Rule violation attempts To configure FTP Logging settings Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select FTP Click Settings then click Logging In the FTP log for authenticated users in the Log Authenticated Users section select events you want to record In the FTP log for anonymous users in the Log Anonymous Users section select events you want to record Click Save To view the log select FTP in Server Admin and click Log From the Command Line You can also change FTP service logging settings using the serveradmin command in Terminal For more information see the file services chapter of Command Line Administration Chapter 7 Working with FTP Service 119 120 Configuring FTP Advanced Settings Advanced settings enable you to change the FTP root folder and to specify folders that authenticated FTP users can access To configure FTP Advanced settings Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers lis
57. as soon as power is restored You can also help diminish the possibility of failure by ensuring that your equipment has proper operational conditions for example adequate temperature and humidity levels A more advanced method of eliminating a single point of failure would involve link aggregation load balancing Open Directory replication data backup and using Xserve and RAID devices For more information about these topics see Xgrid Administration and High Performance Computing Chapter 1 Understanding File Services 17 18 Chapter 1 Understanding File Services Setting Up File Service Permissions This chapter explains standard permissions and Access Control Lists ACLs and discusses related security issues An important aspect of computer security is the granting and denying of permissions A permission is the ability to perform a specific operation such as gaining access to data or executing code Permissions are granted at the level of folders subfolders files or applications Use Server Admin to set up file service permissions In this guide the term privileges refers to the combination of ownership and permissions while the term permissions refers to the permission settings that each user category can have Read amp Write Read Only Write Only and None Permissions in the Mac OS X Environment If you re new to Mac OS X and are not familiar with UNIX there are differences in the way ownership and permiss
58. can use Server Admin to set share point availability through FTP and to change settings such as guest access permissions and the share point name that FTP clients see To change the settings of an FTP share point Open Server Admin and connect to the server Click File Sharing Click Share Points and select the share point from the list Click Share Point below the list Chapter 3 Setting Up Share Points 43 44 Click Protocol Options This opens the protocol window with configuration options for AFP SMB FTP and NFS protocols Click FTP 7 Make the share point available to FTP clients by selecting Share this item using FTP 8 Permit anonymous FTP users to open this item by selecting Allow FTP guest access 10 wu BB WwW N For greater security don t select this item To change the name clients see when they browse for and connect to the share point using FTP enter a new name in the Custom FTP name field Changing the custom FTP name doesn t affect the name of the share point itself only the name that FTP clients use Click OK then click Save From the Command Line You can also change a share point s FTP settings using the sharing command in Terminal For more information see the file services chapter of Command Line Administration Exporting an NFS Share Point You can use NFS to export share points to UNIX clients Export is the NFS term for sharing To export an NFS share point
59. ccess and to prevent people from introducing software that might damage your information or equipment take the following precautions by using File Sharing in Server Admin e Depending on the controls you want to place on guest access to a share point consider the following options e Set privileges for Everyone to None for files and folders that guest users shouldn t access Items with this privilege setting can be accessed only by the item s owner or group e Put all files available to guests in one folder or set of folders and then assign the Read Only privilege to the Everyone category for that folder and each file in it e Assign Read amp Write privileges to the Everyone category for a folder only if guests must be able to change or add items in the folder Make sure you keep a backup copy of information in this folder Don t export NFS volumes to World Restrict NFS exports to a subnet or a specific list of computers e Disable access to guests or anonymous users over AFP FTP and SMB using Server Admin e Share individual folders instead of entire volumes The folders should contain only those items you want to share Chapter 2 Setting Up File Service Permissions 33 34 Chapter 2 Setting Up File Service Permissions Setting Up Share Points This chapter describes how to share specific volumes and directories by using AFP SMB FTP and NFS and it shows how to set standard and ACL permissions You use File Sharing i
60. ce Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select FTP Click Settings then click General Under Access select Enable anonymous access Click Save From the Command Line You can also enable anonymous FTP access using the serveradmin command in Terminal For more information see the file services chapter of Command Line Administration Creating an Uploads Folder for Anonymous Users The uploads folder provides a place for anonymous users to upload files to the FTP server It must exist at the top level of the FTP root folder and be named uploads If you change the FTP root folder the uploads folder must also be changed To create an uploads folder for anonymous users Use the Finder to create a folder named uploads at the top level of your server FTP root folder Set privileges for the folder to permit guest users to write to it From the Command Line You can also set up an FTP upload folder using the mkdir and chmod commands in Terminal For more information see the file services chapter of Command Line Administration Changing the User Environment Use the Advanced pane of the FTP service settings to change the user environment To change the FTP user environment Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From
61. child folders M Apply to child files P M Apply to child files Apply to all descendants Apply to all descendants vE Inheritance vM Inheritance M Apply to this folder o M Apply to this folder M Apply to child folders M Apply to child folders Apply to child files Ss M Apply to child files M App y to all descendants L M Apply to all descendants i vE Inheritance vE Inheritance Apply to this folder N Apply to this folder F M Apply to child folders Apply to child folders E Apply to child files 2S M Apply to child files E Apply to all descendants Apply to all descendants vE Inheritance vE Inheritance Apply to this folder D Apply to this folder M Apply to child folders M Apply to child folders M Apply to child files Apply to child files Apply to all descendants M App y to all descendants a vE Inheritance vE Inheritance Apply to this folder E Apply to this folder F M Apply to child folders Apply to child folders M Apply to child files E E Apply to child files M App y to all descendants mS lik Apply to all descendants Chapter 2 Setting Up File Service Permissions 28 ACL Permission Propagation Server Admin provides a feature that lets you force the propagation of ACLs Although this is done automatically by Server Admin there are cases when you may want to manually propagate permissions You can propagate
62. ck Unshare Click Save Protocol and network mount settings you have made for the item are discarded From the Command Line You can also disable a share point by using the sharing command in Terminal For more information see the file services chapter of Command Line Administration Chapter 3 Setting Up Share Points ao uu A WwW N Disabling a Protocol for a Share Point You can use File Sharing in Server Admin to stop sharing a share point using a specific protocol and still permit sharing to continue through other protocols To stop sharing through a particular protocol Open Server Admin and connect to the server Click File Sharing Click Share Points and select the share point you want to reconfigure Click Share Point below the list Click Protocol Options and select the protocol Deselect the Share this item using checkbox You can disable a protocol for all share points by stopping the underlying service that provides support for the protocol For more information see Stopping AFP Service on page 74 Stopping NFS Service on page 107 or Stopping FTP Service on page 124 From the Command Line You can also disable a protocol for a share point by using the sharing command in Terminal For more information see the file services chapter of Command Line Administration Viewing Share Point Configuration and Protocol Settings You can view share point configuration and protocol settings in Server Admin
63. d Groups Use Server Admin to set SACL permissions for users and groups to access file services To set user and group SACL permissions for a file service Open Server Admin and connect to the server Click Settings Click Access Click Services Select the level of restriction you want for the services To restrict access to all services select For all services To set access permissions for individual services select For selected services below and then select the services from the Service list Select the level of restriction you want for users and groups To provide unrestricted access click Allow all users and groups To restrict access to certain users and groups select Allow only users and groups below click the Add button to open the Users and Groups drawer and then drag users and groups from the Users and Groups drawer to the list Click Save Setting SACL Permissions for Administrators Use Server Admin to set SACL permissions for administrators to monitor and manage file services To set administrator SACL permissions for a file service Open Server Admin and connect to the server Click Settings Click Access Click Administrators Select the level of restriction that you want for the services To restrict access to all services select For all services To set access permissions for individual services select For selected services below and then select a service from
64. d NFS protocols Click SMB Provide SMB access to the share point by selecting Share this item using SMB Permit unregistered users to have access to the share point by selecting Allow SMB guest access For greater security don t select this item To change the name that clients see when they browse for and connect to the share point using SMB enter a new name in the Custom SMB name field Changing the custom SMB name doesn t affect the name of the share point itself only the name that SMB clients see If the share point is only using SMB protocol select the type of locking for the share point To permit clients to use opportunistic file locking select Enable oplocks To have clients use standard locks on server files select Enable strict locking If you are using only POSIX permissions choose a method for assigning default access privileges for new files and folders in the share point To have new items adopt the privileges of the enclosing item select Inherit permissions from parent To assign specific privileges select Assign as follows and set the Owner Group and Others privileges using the pop up menus Click OK then click Save From the Command Line You can also change a share point s SMB settings using the sharing command in Terminal For more information see the file services chapter of Command Line Administration Changing FTP Settings for a Share Point You
65. d Servers list select SMB Click Settings then click Advanced Click Enable virtual share points Click Save Chapter 5 Working with SMB Service Working with NFS Service This chapter describes how to set up and manage NFS service in Mac OS X Server Network File System NFS is the protocol used for file services on UNIX computers Use NFS service in Mac OS X Server to provide file services for UNIX clients including Mac OS X clients You can share a volume or export it in standard NFS terminology to a set of client computers or to World Exporting an NFS volume to World means that anyone who accesses your server can also access that volume NFS service supports POSIX file permissions NFS does not support reading or changing the Access Control List ACL permissions The ACLs are enforced by the file system exported by NFS Setup Overview Here is an overview of the major steps for setting up NFS service Step 1 Before you begin For issues you should keep in mind when you set up NFS service read Before Setting Up NFS Service on page 104 Step 2 Turn NFS service on Before configuring NFS service turn on NFS See Turning On NFS Service on page 104 Step 3 Configure NFS settings Configure NFS settings to set the maximum number of daemons and choose how you want to serve clients using Transmission Control Protocol TCP User Datagram Protocol UDP or both See Configuring NFS Setting
66. d chown commands in Terminal For more information see the file services chapter of Command Line Administration Adding ACEs to ACLs You control access to a share point by adding or removing ACEs to the share point ACL Each ACE defines the access permissions for a user or a group To add an ACE to an ACL Open Server Admin and connect to the server Click File Sharing Click Share points and select the share point you want to update from the list Click Permissions below the list Open the Users and Groups list by clicking the Add button Drag users and groups you want to add to the access control list Click Save By default each new ACE gives the user or group full read permissions In addition all four inheritance options are selected For more information about inheritance options see Understanding Inheritance on page 25 To change ACE settings see Editing ACEs on page 52 From the Command Line You can also add ACEs using the chmod command in Terminal For more information see the file services chapter of Command Line Administration Removing ACEs You control access to a share point by adding or removing ACEs to the share point ACL Each ACE defines the access permissions for a user or a group To delete an ACE from an ACL Open Server Admin and connect to the server Click File Sharing Click Share points and select the share point you want to update from the list Click Permissions below the list
67. d connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select SMB To see whether the service is running when it started the number of connections and whether guest access is enabled click Overview To review the event log click Logs Use the View pop up menu to choose which logs to view To see a graph of connected users click Graphs Use the pop up menu to choose the duration to graph data for To see a list of connected users click Connections The list includes the user name user s IP address or domain name and the duration of connection From the Command Line You can also view the status of the SMB service process using the ps or top commands in Terminal To view the log files located in Library Logs WindowsServices use the cat Of tail command For more information see the file services chapter of Command Line Administration Viewing SMB Service Logs Use Server Admin to view SMB logs To view SMB logs Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select SMB Chapter 5 Working with SMB Service Click Logs and use the View pop up menu to choose between SMB File Service Log and SMB Name Service Log To choose the types of events that are recorded see Configuring Logging Settings on page 98 Fro
68. d to display the status of the NFS daemons nfsd checkexports can be used to verify the current set of exports definitions For information about using NFS to host home folders see User Management Problems with FTP Service This section describes potential FTP problems and ways to diagnose and resolve them If FTP Connections Are Refused If FTP connections are refused e Verify that the user is entering the correct DNS name or IP address for the server e Make sure FTP service is on e Make sure the user has correct access privileges to the shared volume See if the maximum number of connections has been reached To do this open Server Admin select FTP in the Servers list and click Overview Note the number of connected users click Settings click General and compare to the maximum user settings you have set Chapter 8 Solving Problems e Verify that the user s computer is correctly configured for TCP IP If there doesn t appear to be a problem with TCP IP settings use the Ping pane in Network Utility to check network connections See if there s a DNS problem by trying to connect using the IP address of the FTP server instead of its DNS name If the connection works with the IP address there may be a problem with the DNS server e Verify that the user is correctly entering his or her short name and password User names and passwords with special characters or double byte characters don t work To find the user s short
69. dministrator tools for example when using the Propagate Permissions option in Server Admin Chapter 2 Setting Up File Service Permissions 25 The figure below shows how Server Admin propagates two ACEs managers and design_team after ACE creation Bold text represents an explicit ACE and regular text an inherited ACE _ managers Jupiter 9 D managers D si managers R managers ocs esign design_team otes mn managers managers Projects Spec desi esign_team R managers Lander g lander_team managers Model lander_team Chapter 2 Setting Up File Service Permissions ACL Inheritance Combination When you set inheritance options for an ACE in Server Admin you can choose from 12 unique inheritance combinations for propagating ACL permissions vE Inheritance vE Inheritance M Apply to this folder T M Apply to this folder Apply to child folders M Apply to child folders Apply to child files D Apply to child files Apply to all descendants Apply to all descendants vE Inheritance vE Inheritance M Apply to this folder TE M Apply to this folder Apply to child folders I M Apply to
70. e Allow clients to sleep setting To prevent particular types of users from being disconnected select them under Except Chapter 4 Working with AFP Service 77 78 a uu A W nO un A WwW In the Disconnect Message field enter the message you want users to see when they are disconnected If you don t type a message a default message appears stating that the user has been disconnected because the connection has been idle Click Save From the Command Line You can also change AFP service idle user settings using the serveradmin command in Terminal or by changing the AFP preferences file For more information see the file services chapter of Command Line Administration Sending a Message to a User You can use AFP service in Server Admin to send messages to clients To send a user a message Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select AFP Click Connections and select the user s name in the list Click Send Message Enter the message and click Send Note Users cannot reply to the message Enabling Guest Access Guests are users who can see information about your server without using a name or password to log in For better security don t permit guest access After enabling guest access for a service enable guest access for specific share points See Enabling Guest Access to a
71. e 113 114 The table below shows common file extensions and the type of compression they designate File extension What it means 9Z DEFLATE compression Z UNIX compress bin MacBinary encoding tar UNIX tar archive AZ UNIX compressed tar archive star Z UNIX compressed tar archive crc UNIX checksum file dmg Mac OS X disk image Files with Resource Forks Mac OS X clients can take advantage of on the fly conversion to transfer files created using older file systems that store information in resource forks If you enable MacBinary and disk image autoconversion in FTP service settings files with resource forks are listed as bin files on FTP clients When a client asks to have one of these files transferred on the fly conversion recognizes the bin suffix and converts the file to a genuine bin file for transfer Kerberos Authentication FTP supports Kerberos authentication You choose the authentication method using the General pane of FTP service settings in Server Admin See Configuring General Settings on page 116 FTP Service Specifications FTP service has the following default specifications e Maximum authenticated users 50 e Maximum anonymous users 50 e Maximum connected users 1000 FTP port number 21 e Number of failed login attempts before user is disconnected 3 Setup Overview Here is an overview of the basic steps for setting up FTP service Step 1 Before you begin
72. e access control lists ACLs An ACL is a list of access control entries ACEs each specifying the permissions to be granted or denied to a group or user and how these permissions are propagated throughout a folder hierarchy ACLs in Mac OS X Server enable you to set file and folder access permissions to multiple users and groups in addition to standard POSIX permissions This makes it easy to set up collaborative environments with smooth file sharing and uninterrupted workflows without compromising security ACLs provide an extended set of permissions for a file or folder to give you more granularity when assigning privileges than standard permissions would provide For example rather than giving a user full writing permissions you can restrict him or her to create only folders and not files Apple s ACL model supports 13 permissions for controlling access to files and folders as described in the following table Permission name Type Description Change Permissions Administration User can change standard permissions Take Ownership Administration User can change the file s or folder s ownership to himself or herself Read Attributes Read User can view the file s or folder s attributes for example name date and size Chapter 2 Setting Up File Service Permissions Permission name Type Description Read Extended Read User can view the file s or folder s attributes added by Attribute
73. e name of the share point itself only the name that AFP clients see If you are using only POSIX permissions choose a method for assigning default access privileges for new files and folders in the share point To have new items use default POSIX permissions select Use standard POSIX behavior To have new items adopt the privileges of the enclosing item select Inherit permissions from parent Click OK then click Save From the Command Line You can also change AFP settings for a share point using the sharing command in Terminal For more information see the file services chapter of Command Line Administration Changing SMB Settings for a Share Point You can use Server Admin to set share point availability through SMB and to change settings such as the share point name that SMB clients see You can also use Server Admin to set guest access permissions and the default privileges for new files and folders and to enable opportunistic locking For more information about opportunistic locking see File Locking with SMB Share Points on page 93 To change the settings of an SMB share point Open Server Admin and connect to the server Click File Sharing Click Share Points and select the share point from the list Click Share Point below the list Click Protocol Options Chapter 3 Setting Up Share Points 10 11 12 A U N This opens the protocol window with configuration options for AFP SMB FTP an
74. e of the following e Browse for the server in the list If it appears select it Enter the DNS name of the server in the Address field using any of the following forms server afp server afp server share point e Enter the server IP address in the Address field Click Connect Enter your user name and password or select Guest then click Connect Select the share point you want to use and click OK Changing the Default User Name for AFP Connections When you use the Connect to Server command in the Finder to connect to an AFP server the login panel populates your full user name by default In Mac OS X version10 5 and later you can customize this panel to present your short name a custom name or no user name at all Important These instructions involve using the defaults command to edit a property list plist file and are intended for experienced Mac OS X administrators Incorrect editing of this file can lead to unexpected Mac OS X behavior Before following these instructions make a backup copy of the Library Preferences com apple NetworkAuthorization plist file You can edit this file so that the Name field in the Connect to Server dialog is populated with one of the following e Current user s long name default behavior e Current user s short name A custom name No name Note If you select the Remember password in keychain option in the Connect to Server dialog the name stored in the Keychain e
75. e status of the AFP service process using the ps or top commands in Terminal or by looking at the log files in Library Logs AppleFileService using the cat OF tail command For more information see the file services chapter of Command Line Administration Viewing the FTP Service Log Use Server Admin to view the FTP log To view the FTP log Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select FTP Click Log To search for specific entries use the Filter field in the upper right corner From the Command Line You can also view the FTP log using the cat or tail commands in Terminal For more information see the file services chapter of Command Line Administration Viewing FTP Graphs Use Server Admin to view FTP graphs Chapter 7 Working with FTP Service 123 124 To view FTP graphs Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select FTP To see a graph of average connected user s throughput over a period of time click Graphs To choose the duration of time to graph data for use the pop up menu To update the data in the graphs click the Refresh button below the Servers list Viewing FTP Connections Use Server Admin to view clients that are connected to the server through the FTP service To vi
76. e the sudo command when opening this file using your preferred command line editor Add or edit the FATLOVER_EMAIL_RECIPIENT entry to specify the mail address to send notifications to If you don t add this entry mail notifications go to root Restart the server The 1pFailover startup item launches heartbeata during startup Upon launch heartbeata checks its argument list moves to the background and periodically sends out heartbeat messages to the addresses specified in the FATLOVER_BCAST_IPs entry in the etc hostconfig file Chapter 4 Working with AFP Service 89 90 Configuring the Backup Server for IP Failover Configuring the backup server for IP failover is simple Add or edit two entries in the etc hostconfig file disconnect the master and backup servers restart the backup server and reconnect the servers To configure the backup server for IP failover Add or edit the FAILOVER_PEER_IP_PAIRS entry in the etc hostconfig file to specify the IP address of the primary network interface on the master server For example if the IP address of the primary network interface on the master server is 171 0 50 add the following entry FAILOVER_PEER_IP_PATRS en0 17 1 0 50 Note To edit the etc hostconfig file you must be root Use the sudo command when opening this file using your preferred command line editor Add or edit the FAILovER_PEER_IP entry in etc hostconfig to specify the IP address of the secondary networ
77. ee the workgroup name in the My Network Place or Network Neighborhood window If you have Windows domains on your subnet use one of them as the workgroup name to make it easier for clients to communicate across subnets Otherwise consult your Windows network administrator for the correct name The workgroup name cannot exceed 15 characters Click Save From the Command Line You can also change SMB service settings using the serveradmin command in Terminal For more information see the file services chapter of Command Line Administration Configuring Access Settings Use the Access pane of SMB service settings in Server Admin to permit anonymous Windows users or to limit the number of simultaneous Windows client connections You can also select the kinds of authentication SMB service accepts To configure SMB service access settings Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select SMB Click Settings then click Access To permit Windows or other SMB users to connect to Windows file services without providing a user name or password select Allow Guest access To limit the number of users who can be connected to the SMB service at one time select maximum and enter a number in the field Select the kinds of authentication Windows users can use Authentication options are NTLMv2 and Kerberos NTLM or LAN Mana
78. en you create the FTP share points In this example Users Volumes Data and Volumes Photos are FTP share points All users can see the home folders of other users because they are subfolders of the Users share point Important Regardless of the user environment setting anonymous users and users without home folders are always logged in to the FTP Root and Share Points environment Home Folder with Share Points When the user environment option is set to Home Folder with Share Points authenticated users log in to their home folders and have access to the FTP root by a symbolic link created in their home folders Chapter 7 Working with FTP Service 111 112 Users access other FTP share points through symbolic links in the FTP root As always access to FTP share points is controlled by user access privileges For users to access their home folders the share point where the folders reside must be configured to be shared using FTP as shown in the following illustration Library system mes FTP share point incorporated within virtual root TO Bob Betty FTP server K _ Photos Looks like Share point FTP root a Users Data Photos Symbolic link If you change the FTP root the symbolic link in a user s home folder reflects that change For example if you change the FTP root to Volumes Extra NewRoot the symbolic link created in the user
79. er Admin and connect to the server Click File Sharing Control click in the Volumes or Share Points list select Mount NFS Share then enter the URL of the NFS server you intend to reshare This is the URL that connects to the reshared NFS server For example to connect to the reshared NFS mount widgets on the root level of the server corp1 use the following URL nfs corp1 widgets Click OK Server Admin creates the NFS mount point 7 Follow steps 1 through 4 for each NFS volume you want to reshare Using Server Admin share the NFS mounts as AFP share points The NFS mounts appear as normal volumes in the Share Point list You can also share the NFS mounts using SMB and FTP but you should use only AFP You can change privileges and ownership but you can t enable quotas because quotas work only on local volumes However if quotas are enabled on the NFS server they apply to the reshared volume Note Quotas set on the original NFS export are enforced on the AFP reshare Chapter 3 Setting Up Share Points U BW N 10 11 Automatically Mounting Share Points for Clients You can mount share points automatically on client Mac OS X computers using network mounts You can automatically mount AFP or NFS share points When you set a share point to automatically mount a mount record is created in the Open Directory database Be sure you create these records in the same shared domain where the user and computer records
80. ertain time select Allow clients to sleep __ hour s and enter a number in the appropriate field Sleeping clients will not show as idle Although the server disconnects sleeping clients the clients sessions are maintained for the specified period A sleeping Mac OS X version 10 2 or later client can resume work on open files within the limits of the Allow clients to sleep setting To specify the idle time limit select Disconnect idle users after __ minute s and enter the number of minutes after which the AFP session of an idle connection is disconnected To prevent particular types of users from being disconnected select them under Except In the Disconnect Message field enter the message you want users to see when they are disconnected If you don t enter a message a default message appears stating that the user has been disconnected because the connection has been idle for a period of time Click Save From the Command Line You can also change AFP service idle user settings using the serveradmin command in Terminal or by changing the AFP preferences file For more information see the file services chapter of Command Line Administration Chapter 4 Working with AFP Service 71 72 Starting AFP Service You start AFP service to make AFP share points available to your client users To start AFP service Open Server Admin and connect to the server Click the triangle to the left of the
81. es where ACLs are not supported use the standard POSIX permissions Read amp Write Read Only Write Only and None to control access to a share point and its contents To set standard permissions on a share point Open Server Admin and connect to the server Click File Sharing Click Share Points and select the share point from the list Click Permissions below the list To set the owner or group of the shared item enter names or drag names from the Users and Groups drawer to the owner or group records in the permissions table The owner and group records are listed under the POSIX heading The owner record is the one with the single user icon and the group record is the one with the group icon To open the drawer click the Add button If you don t see a recently created user or group click the Refresh button below the Servers list Owner and group names can also be edited by double clicking the proper permissions record and dragging into or typing in the User Group field in the window that is displayed Note To change the autorefresh interval choose Server Admin gt Preferences and change the value of the Auto refresh status every field To change the permissions for the Owner Group and Others use the Permission pop up menu in the appropriate row of the permissions table Others is any user that logs in to the file server who is not the owner and does not belong to the group Click Save The new share po
82. esses and names Also called a domain name DNS name A unique name of a computer used in the Domain Name System to translate IP addresses and names Also called a domain name domain Part of the domain name of a computer on the Internet It does not include the top level domain designator for example com net us uk Domain name www example com consists of the subdomain or host name www the domain example and the top level domain com domain name See DNS name Domain Name System See DNS drop box A shared folder with privileges that allow other users to write to but not read the folder s contents Only the owner has full access Drop boxes should be created only using AFP When a folder is shared using AFP the ownership of an item written to the folder is automatically transferred to the owner of the folder thus giving the owner of a drop box full access to and control over items put into it Glossary everyone Any user who can log in to a file server a registered user or guest an anonymous FTP user or a website visitor export In the Network File System NFS a way of sharing a folder with clients on a network file server A computer that serves files to clients A file server may be a general purpose computer that s capable of hosting additional applications or a computer capable only of serving files file system A scheme for storing data on storage devices that allows applications to re
83. etting Up File Service Permissions Explicit Permissions Share points and the shared items they contain including folders and files have separate permissions If you move an item to a different folder it retains its permissions and doesn t adopt the permissions of the folder where you moved it In the following illustration the second folder Designs and the third folder Documents were assigned permissions that are different from those of their parent folders Read amp Write Engineering Read Only ii Designs Read amp Write Documents fi he When ACLs are not enabled you can also set up an AFP or SMB share point so new files and folders inherit the permissions of their parent folder See Changing AFP Settings for a Share Point on page 41 or Changing SMB Settings for a Share Point on page 42 The User Categories Owner Group and Others You can assign standard POSIX access permissions separately to three categories of users e Owner A user who creates an item file or folder on the file server is its owner and automatically has Read amp Write permissions for that folder By default the owner of an item and the server administrator are the only users who can change its access privileges enable a group or others to use the item The administrator can also transfer ownership of the shared item to another user Note When you copy an item to a drop box on an Apple file se
84. ew FTP connections Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select FTP To see a list of connected users click Connections The list includes the user name type of connection user IP address or domain name and event activity To update the list of connected users click the Refresh button below the Servers list Stopping FTP Service You stop FTP service using Server Admin To stop FTP service Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select FTP Click Stop FTP below the Servers list From the Command Line You can also stop FTP service using the serveradmin command in Terminal For more information see the file services chapter of Command Line Administration Chapter 7 Working with FTP Service Solving Problems This chapter lists solutions to common problems you might encounter while working with file services in Mac OS X Server Problems are listed in the following categories Problems with share points Problems with AFP service Problems with SMB service Problems with NFS service Problems with FTP service Problems with IP failover Problems with Share Points This section describes potential problems with share points and ways to diagnose and resolve the problems If User
85. exec The ProcessFailover script executes the Test script located in Library Failover IP_address where IP_address is the IP address or domain name of the master server and the following occurs If the Test script returns false processFailover quits and the master server does not acquire the IP address of the backup server e If the Test script returns true or does not exist ProcessFailover continues its execution The ProcessFailover script executes in alphabetical order any script with the prefix PreRe1 in the Library Failover IP_address folder The processFailover script releases the IP address of the master server The ProcessFailover script executes in alphabetical order any script with the prefix PostRe1 in the Library Failover IP_address folder Note By default the Test script is empty but you can customize it to suit your needs Chapter 4 Working with AFP Service 87 88 IP Failover Setup Here is an overview of what you need to do to set up your Mac OS X Server computers for IP failover Step 1 Connect the master and backup computers to the same network and configure their TCP IP settings This step allows your servers to communicate with client computers Each server must have its own unique IP address Step 2 Connect the two computers directly using a secondary Ethernet interface or IP over FireWire and configure the IP settings This step allows direct communication of IP failover events betwee
86. exist Note All users have guest access to network automounted AFP share points Authenticated access is permitted only for a user s own home folder or if you have Kerberos set to support single sign on SSO authentication To set up a network mount Open Server Admin and connect to the server Click File Sharing Click Share Points and select the share point from the list Click Share Point below the list Select the Enable Automount checkbox and click Edit This opens a configuration window for the automount From the Directory pop up menu choose the directory domain that contains your users and computers From the Protocol pop up menu choose the sharing protocol AFP or NFS If you choose AFP guest access has to be enabled for automounted AFP share points to work except when all users have access to their home folders using Kerberos SSO authentication For more information see Configuring Access Settings on page 69 Choose how you want the share point to be used and mounted on client computers User Home Folders Select to have the home folders on the share point listed on a user s computer in Network Servers Shared Applications folder Select to have the share point appear in Network Applications on the user s computer Shared Library folder Select to have the share point appear in Network Library This creates a network library Custom mount path Select to have the share point appear in the folde
87. ger NTLMv2 and Kerberos is the most secure option but clients need Windows NT Windows 98 or later to use it LAN Manager is the least secure but Windows 95 clients can use it Click Save Chapter 5 Working with SMB Service 97 98 From the Command Line You can also change SMB service settings by using the serveradmin command in Terminal For more information see the file services chapter of Command Line Administration Configuring Logging Settings Use the Logging pane of SMB service settings in Server Admin to specify how much information is recorded in the SMB log file To configure SMB service logging level Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select SMB Click Settings then click Logging From the pop up menu set the level of log detail Choose Low to record error and warning messages only Choose Medium to record error and warning messages service start and stop times authentication failures and browser name registrations Choose High to record error and warning messages service start and stop times authentication failures browser name registrations and file accesses Click Save From the Command Line You can also change SMB service settings using the serveradmin command in Terminal For more information see the file services chapter of Command Line Administration Co
88. ght indexing is only available for a share point that has AFP or SMB turned on If your share point does not use AFP or SMB do not enable Spotlight searching If you have a share point with Spotlight turned on and you turn off AFP and SMB Spotlight indexing will not work Spotlight provides the capability to do quick searches of network volumes which requires the server to maintain an index of all files and folders on a share point This indexing process uses more server resources To free these resources turn off Spotlight if it is not going to be used To configure Spotlight for share points Open Server Admin and connect to the server Click File Sharing Click Share Points and select the share point you want to enable Spotlight for Click Share Point below the list Chapter 3 Setting Up Share Points AO uu A WwW N um A WwW N Select the Enable Spotlight searching checkbox Click Save Configuring Time Machine Backup Destination Time Machine is a backup application that keeps an up to date copy of everything on your computer which includes system files applications accounts preferences and documents Time Machine can restore individual files complete folders or your entire computer by putting everything back the way it was and where it should be Selecting this option causes the share to be broadcast over Bonjour as a possible Time Machine destination so it will show up as an option in System Preferences On a standa
89. he AFP NFS FTP and SMB services so they are available for use immediately If you want users to share files using FTP be sure your network is securely configured AFP is the standard for Mac OS X files NFS is the file protocol for UNIX and Linux users and the SMB service includes Server Message Block SMB protocol which supports Microsoft Windows 95 98 ME millennium Edition NT 4 0 2000 XP and Vista FTP allows access to shared files by anyone who connects to the NAS system Restart the server Step 4 Configure file services for AFP NFS FTP and SMB Assuming that you turned on the file services with Server Assistant you can configure AFP NFS FTP and SMB so that clients on the network can share their files The summary instructions that follow provide an overview of configuring these file services For more information about configuring these protocols see the appropriate chapter in this guide Step 5 Set up share points and access privileges for the Xserve NAS Use Server Admin to set share points and define access privileges for the share points For more information see Setting Up a Share Point on page 39 After you finish these steps the basic setup of the Xserve NAS system is complete You can add or change share points users and groups whenever necessary Configuring Spotlight for Share Points If your client computers need to search share points you can enable Spotlight indexing in Server Admin Spotli
90. he Network Library Folder Security Considerations Restricting Access to File Services Restricting Access to Everyone Restricting Access to NFS Share Points Restricting Guest Access Setting Up Share Points Share Points and the Mac OS X Network Folder Automounting Share Points and Network Home Folders Setup Overview Before Setting Up a Share Point Client Privileges File Sharing Protocols Shared Information Organization Security Network Home Folders Disk Quotas Setting Up a Share Point Creating a Share Point Setting Privileges Changing AFP Settings for a Share Point Changing SMB Settings for a Share Point Changing FTP Settings for a Share Point Exporting an NFS Share Point Resharing NFS Mounts as AFP Share Points Automatically Mounting Share Points for Clients Managing Share Points Checking File Sharing Status Disabling a Share Point Disabling a Protocol for a Share Point Viewing Share Point Configuration and Protocol Settings Viewing Share Point Content and Privileges Managing Share Point Access Privileges Changing the Protocols Used by a Share Point Changing NFS Share Point Client Access Enabling Guest Access to a Share Point Setting Up a Drop Box Setting Up a Network Library Using Mac OS X Server for Network Attached Storage Contents Chapter 4 60 61 62 62 62 65 65 66 66 66 66 67 67 68 68 69 70 71 72 72 72 73 73 74 74 75 75 76 77 77 78 78 79 79 80 80 80 81 82 83 83 Configuring
91. he item The owner may also change the group entry to any group the owner is a member of By default the owner has Read amp Write permissions password An alphanumeric string used to authenticate the identity of a user or to authorize access to files or services pathname The location of an item within a file system represented as a series of names separated by slashes permissions Settings that define the kind of access users have to shared items in a file system You can assign four types of permissions to a share point folder or file Read amp Write Read Only Write Only and No Access See also privileges port A sort of virtual mail slot A server uses port numbers to determine which application should receive data packets Firewalls use port numbers to determine whether data packets are allowed to traverse a local network Port usually refers to either a TCP or UDP port Glossary 135 136 privileges The right to access restricted areas of a system or perform certain tasks such as management tasks in the system process A program that has started executing and has a portion of memory allocated to it protocol A set of rules that determines how data is sent back and forth between two applications QTSS QuickTime Streaming Server A technology that lets you deliver media over the Internet in real time QuickTime A set of Macintosh system extensions or a Windows dynamic link library that supports the composi
92. ial reading permissions on an entire share point Then where needed in the folder hierarchy you can give the group more reading and writing permissions Chapter 2 Setting Up File Service Permissions 29 Use the Deny Rule Only When Necessary When Mac OS X Server encounters a Deny permission it stops evaluating other permissions the user might have for a file or folder and applies the Deny permission Therefore use Deny permissions only when absolutely necessary Keep a record of these Deny permissions so that you can delete them when they are not needed Always Propagate Permissions Inheritance is a powerful feature so take advantage of it By propagating permissions down a folder hierarchy you save yourself the time and effort required to manually assign permissions to descendants Use the Effective Permission Inspector Frequently use the Effective Permission Inspector to make sure users have the correct access to important resources This is especially important after changing ACLs Sometimes you might inadvertently give someone more or fewer permissions than needed The inspector helps you detect these cases For more information about the inspector see Determining a User s File or Folder Permissions on page 55 Protect Applications from Being Modified If you are sharing applications make sure you set permissions for applications so that no one except a trusted few can change them This is a vulnerability that attackers can
93. ing to write to the same file When strict locking is enabled the SMB server checks for and enforces file locks Opportunistic locking oplocks grants exclusive access to the file similarly to strict locking but also permits the client to cache its changes locally on the client computer This type of locking offers improved performance In Mac OS X Server SMB share points supports oplocks 93 94 To enable oplocks change the SMB protocol settings for a share point using Workgroup Manager For more information see Changing SMB Settings for a Share Point on page 42 Important Do not enable oplocks unless the share point is using only SMB If the share point uses any other protocol data can become corrupt Setup Overview Here is an overview of the basic steps for setting up SMB service Step 1 Turn SMB service on Before configuring SMB service SMB must be turned on See Turning On SMB Service on page 95 Step 2 Configure SMB General settings SMB General settings enable you to specify the number of authenticated and anonymous users that are permitted to connect to the server See Configuring General Settings on page 96 Step 3 Configure SMB Access settings Access settings enable you to permit guest Windows users limit the number of simultaneous Windows client connections or set Windows authentication options See Configuring Access Settings on page 97 Step 4 Configure SMB Logging settings
94. int is shared using the AFP SMB and FTP protocols but not NFS Setting ACL Permissions To configure ACL permissions for a share point or folder you create a list of access control entries ACEs Chapter 3 Setting Up Share Points ao uu A U N wm A U N For each ACE you can set 17 permissions with Allow Deny and Static inheritance so you have fine grain control over access permissions something that you don t have when using standard permissions For example you can separate delete permissions from write permissions so that a user can edit a file but cannot delete it To set ACL permissions on a share point or a folder Open Server Admin and connect to the server Click File Sharing Click Share Points and select the share point from the list Click Permissions below the list Open the Users and Groups drawer by clicking the Add button Drag groups and users from the drawer into the ACL Permissions list to create ACEs By default each new ACE gives the user or group full read and inheritance permissions To change ACE settings see Editing ACEs on page 52 The first entry in the list takes precedence over the second which takes precedence over the third and so on For example if the first entry denies a user the right to edit a file other ACEs that allow the same user editing permissions are ignored In addition the ACEs in the ACL take precedence over standard permissions For more information about perm
95. ions are handled compared to Mac OS 9 To increase security and reliability Mac OS X sets many system folders such as Library to be owned by the root user literally a user named root Files and folders owned by root can t be changed or deleted by you unless you re logged in as root Be careful there are few restrictions on what you can do when you log in as root and changing system data can cause problems An alternative to logging in as root is to use the sudo command Note The Finder calls the root user system By default files and folders are owned by the user who creates them After they re created items keep their privileges a combination of ownership and permissions even when moved unless the privileges are explicitly changed by their owners or an administrator 20 Therefore new files and folders you create are not accessible by client users if they are created in a folder that the users don t have privileges for When setting up share points make sure that items have the correct access privileges for the users you want to share them with Kinds of Permissions Mac OS X Server supports two kinds of file and folder permissions e Standard Portable Operating System Interface POSIX permissions e Access Control Lists ACLs Standard POSIX permissions enable you to control access to files and folders based on three categories of users Owner Group and Others Although these permissions give you adequate control
96. ions that now apply are the standard POSIX permissions From the Command Line You can also remove a file s ACL using the chmod command in Terminal For more information see the file services chapter of Command Line Administration Applying ACL Inheritance to a File If you removed the ACL from a file and want to restore it use Server Admin To apply ACL inheritance to a file Open Server Admin and connect to the server Click File Sharing Click Share points and select the share point you want to update from the list Click Permissions below the list From the Action menu button gear choose Propagate Permissions Select Access Control List Click OK then click Save Chapter 3 Setting Up Share Points wu A WwW N Determining a User s File or Folder Permissions To instantly determine the permissions that a user has to a file or folder use the Effective Permission Inspector in Server Admin To determine a user s file or folder permissions Open Server Admin and connect to the server Click File Sharing Click Share points and select the share point you want to update from the list Click Permissions below the list From the Action menu button gear choose Show Effective Permission Inspector Note In the inspector permissions and inheritance settings are dimmed to indicate that you can t edit them Open the Users and Groups list by clicking the Add button 7 From the Users and Groups list drag a
97. issions see Rules of Precedence on page 28 To set the appropriate permissions use the arrows in the column fields for each entry in the list The ACE order in the list changes depending on the level of access when the permissions are saved Click Save Changing AFP Settings for a Share Point You can use Server Admin to choose whether a share point is available through AFP and to change settings such as the share point name that AFP clients see and whether guest access is permitted The default settings for a new share point should make it readily accessible to Mac OS 8 Mac OS 9 and Mac OS X clients To change the settings of an AFP share point Open Server Admin and connect to the server Click File Sharing Click Share Points and select the share point from the list Click Share Point below the list Click Protocol Options Chapter 3 Setting Up Share Points 41 42 This opens the protocol window with configuration options for AFP SMB FTP and NFS protocols Click AFP 7 Provide AFP access to the share point by selecting Share this item using AFP 10 wu BB WwW N Permit unregistered users to access the share point by selecting Allow AFP guest access For greater security don t select this item To change the name that clients see when they browse for and connect to the share point using AFP enter a name in the Custom AFP name field Changing the custom AFP name does not affect th
98. ist of current NFS exports To view current NFS exports 1 Open Terminal 2 Enter the following command to display NFS exports showmount e If this command does not return results in a few seconds there are no exports and the process does not respond 3 Quit Terminal Press Control C to exit the showmount command and return to an active command line in your Terminal window 108 Chapter 6 Working with NFS Service Working with FTP Service This chapter describes how to set up and manage FTP service in Mac OS X Server File Transfer Protocol FTP is a simple way for computers of any type to transfer files over the Internet Someone using a computer that supports FTP or an FTP client application can connect to your FTP server and upload or download files depending on the permissions you set Most Internet browsers and a number of freeware and shareware applications can be used to access your FTP server In Mac OS X Server FTP service is based on the source code for Washington University s FTP server known as wu FTPd However the original source code has been extensively modified to provide a better user experience Some of these differences are described in the following sections A Secure FTP Environment Most FTP servers restrict users to specific folders on the server Users see content only in these directories so the server is kept quite secure Users cannot access volumes mounted outside the restricted f
99. iting files Changing permissions of files Anonymous FTP users are permitted only to upload files to a special folder named uploads in the FTP root If the uploads folder doesn t exist anonymous users can t upload files Turning On FTP Service Before you can configure FTP settings you must turn on FTP service in Server Admin To turn on FTP service Open Server Admin and connect to the server Click Settings then click Services Click the FTP checkbox Click Save Setting Up FTP Service There are four groups of settings on the Settings pane for FTP service in Server Admin e General Use to set information about access file conversion and login attempts for FTP service e Messages Use to configure messages that appear to clients using FTP service e Logging Use to configure and manage logs for FTP service e Advanced Use to configure and administer advanced settings The following sections describe how to configure these settings and a final section tells you how to start FTP service when you ve finished Configuring General Settings You can use the General settings to limit the number of login attempts provide an administrator email address and limit the number and type of users Chapter 7 Working with FTP Service 10 11 12 To configure FTP General settings Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the e
100. k interface on the master server For example if the IP address of the FireWire port on the master server is 10 1 0 2 add the following entry FAILOVER_PEER_IP 10 1 0 2 Disconnect the direct connection between backup server and master server If you re using IP over FireWire for the secondary interface disconnect the FireWire cable connecting the two computers Restart the backup server When the backup server has started up reconnect it to the primary server Configuring the AFP Reconnect Server Key In the case of network disconnect AFP can allow initially authenticated clients to reconnect to the server using a reconnect token rather then reauthenticating with user credentials The reconnect token contains information that allows the server to verify session and user data on the server When the client initially logs in using user credentials the server sends the client a reconnect token This token is encrypted with the server reconnect key located in etc AFP conf and is only readable by the server Following a disconnect of an established session the client attempts a reconnect by sending the reconnect key to the server The server decrypts the reconnect token using the server reconnect key Then the server verifies that it is a valid authenticated session token by verifying data in the reconnect token with data on the server for example user data obtained from the user record When the information is verified
101. l Options and select the protocol you are using to provide access to the share point Select the Allow guest access option Click OK then click Save Chapter 3 Setting Up Share Points A U N uw Note Make sure guest access is also enabled at the service level in Server Admin From the Command Line You can also enable guest access to a share point using the sharing command in Terminal For more information see the file services chapter of Command Line Administration Setting Up a Drop Box A drop box is a shared folder with custom permissions If you use only ACLs you can set the permissions so that certain users can only copy files to the folder but can t see its contents If you use only POSIX permissions you can set them to permit anyone to copy files to the drop box but give only the owner of the drop box full access To create a drop box Create the folder that is going to act as a drop box in an AFP share point Open Server Admin and connect to the server Click File Sharing Click Share points and select the folder in the AFP share point that you want to use as a drop box Click Permissions below the list Set write only permissions using POSIX permissions or a combination of POSIX permissions and ACEs To create a drop box using standard permissions set Write Only permissions for Owner Group and Others For more information see Setting Standard Permissions on page 40 Note For greater sec
102. lder All inheritance options Set the owner to root or localadmin and set the group to admin Backup share Permission Type Allow Owner read write execute Select the following Group read write execute checkboxes Other no permissions e List Folder Contents For example drwxrwx e Create Files Set the owner to root and set the group to admin Create Folder Home folder Permission Type Deny Owner read write execute e Delete Group read only e Apply to this folder Other read only Apply to all descendants For example drwxr r File Services Access Control Server Admin in Mac OS X Server enables you to configure service access control lists SACLs which enable you to specify which users and groups have access to AFP FTP and SMB file services Using SACLs enables you to add another layer of access control on top of standard POSIX and ACL permissions Only users and groups listed in a SACL have access to its corresponding service For example if you want to prevent users from accessing a server s AFP share points including home folders remove the users from the AFP service s SACL For information about restricting access to file services using SACLs see Setting SACL Permissions on page 62 Chapter 2 Setting Up File Service Permissions 31 32 Customizing Shared Network Resources The Network folder Network accessible from the Mac OS X Finder sidebar contains shared network resources
103. lder level control determines which users have access to the contents of a folder inheritance determines how a defined set of permissions and rules pass from the container to the objects in it Without use of this model administration of access control would quickly become a nightmare you would need to create and manage ACLs on thousands or millions of files In addition controlling access to files through inheritance frees applications from maintaining extended attributes or explicit ACEs when saving a file because the system automatically applies inherited ACEs to files For information about explicit ACEs see Explicit and Inherited ACEs on page 25 Chapter 2 Setting Up File Service Permissions 23 24 ACLs and Standard Permissions You can set ACL permissions for files and folders in addition to standard permissions For more information about how Mac OS X Server uses ACL and standard permissions to determine what users can and cannot do to a file or folder see Rules of Precedence on page 28 ACL Management In Mac OS X Server you create and manage ACLs in the Permissions pane of File Sharing in Server Admin The Get Info window in Finder displays the logged in user s effective permissions For information about setting up and managing ACLs see Setting ACL Permissions on page 40 and Managing Share Point Access Privileges on page 50 In addition to using Server Admin to set and view ACL permissions you can also
104. lders or you can create one on a local volume e The Automount settings for the share point should indicate that it s used for user home folders e The share point should be in the same Open Directory domain where user accounts are defined e To provide service to all types of clients the complete pathname of an AFP or NFS network home folder must not contain spaces and must not exceed 89 characters For more information see Apple Knowledge Base article 107695 at docs info apple com article html artnum 107695 Chapter 3 Setting Up Share Points Disk Quotas You can set the maximum size of a user s home folder by setting a quota on the Home pane of the user s account settings in Workgroup Manager To set space quotas for other share points you must use the command line See the file services chapter of Command Line Administration Setting Up a Share Point This section describes how to create share points and set share point access privileges It also describes how to share using specific protocols AFP SMB FTP or NFS and how to automatically mount share points on clients desktops For more tasks that you might perform after you set up sharing on your server see Managing Share Points on page 48 Creating a Share Point You use File Sharing in Server Admin to share volumes including disks CDs and DVDs partitions and individual folders by setting up share points Note Don t use a slash in the name of a folder o
105. lick Save Setting Up SMB Service You set up SMB service by configuring four groups of settings on the Settings pane for SMB service in Server Admin General Specify the server s role in providing SMB service and the server s identity among clients of its SMB service Access Limit the number of clients and control guest access Logging Choose how much information is recorded in the service log Advanced Configure WINS registration and domain browsing services choose a code page for clients and control virtual share points for home folders Because the default settings work well if you want to provide only SMB file and print services you may only need to start SMB service Nonetheless check the settings and change anything that is incorrect for your network If you want to set up a Mac OS X Server as one of the following you must change some settings e A Primary Domain Controller PDC A Backup Domain Controller BDC A member of the Windows domain of Mac OS X Server PDC e A member of an Active Directory domain of a Windows server In addition your Windows client computers must be configured to access SMB service of Mac OS X Server as described at the end of this chapter especially if users will log in to the Windows domain The following sections describe how to configure these settings and a final section tells you how to start SMB service Chapter 5 Working with SMB Service 95 96 Configuring General Se
106. log file will grow To specify how often the error log file contents are saved to an archive select Error Log Archive every __ day s and enter the number of days Click Save You can keep the archived logs for your records or manually delete them to free disk space when they re no longer needed Log files are stored in Library Logs AppleFileService You can use the log rolling scripts supplied with Mac OS X Server to reclaim disk space used by log files From the Command Line You can also change AFP service logging settings using the serveradmin command in Terminal or by changing the AFP preferences file For more information see the file services chapter of Command Line Administration Chapter 4 Working with AFP Service Configuring Idle Users Settings Use the Idle Users pane of AFP service settings to specify how your server handles idle users An idle user is someone who is connected to the server but whose connection has been inactive for a predefined period of time If a client is idle or asleep for longer than the specified idle time open files are closed the client is disconnected and unsaved work is lost To configure Idle Users settings Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select AFP Click Settings then click Idle Users 5 To enable client computers to reconnect after sleeping for a c
107. lso use Xsan to configure your partitions and RAID configurations For more information about Xsan see the Xsan documentation Step 3 Set up the system as a network attached storage device If you purchased a new Xserve Mac OS X Server software is already installed You only need to perform initial server setup by turning on the system and answering the questions posed by Server Assistant If you need to install Mac OS X Server software use Getting Started to understand system requirements and installation options and then use Server Assistant after the server restarts to perform initial setup for storage Server Assistant is in Applications Server Note You can set up Xserve NAS remotely or locally If you are setting up from a remote computer install the applications on the Admin Tools disc on the remote computer If you are configuring locally connect a monitor and keyboard to your Xserve The system must have a video card for direct connection of a monitor A video card is optional on some Xserve models including the Xserve G5 To perform initial setup for Network Attached Storage NAS Make sure the system is connected to the network Open Server Assistant and proceed through the panes entering the following information where appropriate A valid server serial number Chapter 3 Setting Up Share Points 59 60 A WwW N e A fixed IP address for the server either static or using DHCP with a manual address Enable t
108. lternative to using the network mount feature of AFP or NFS Mac OS X clients can set their computers to automatically mount server volumes To set a Mac OS X version 10 2 8 or earlier client to automatically mount a server volume Log in to the client computer as the user and mount the volume Open System Preferences and click Login Items Click Add then locate the Recent Servers folder and double click the volume you want automatically mounted When the client user logs in the next time the server if available mounts The client user can also add the server volume to Favorites and then use the item in the Favorites folder in the home Library Chapter 4 Working with AFP Service A U N To set a Mac OS X version 10 3 or later client to automatically mount a server volume Log in to the client computer as the user and mount the volume Open System Preferences and click Accounts Select the user and click Startup Items in Mac OS X v10 3 or Login Items in Mac OS X v10 4 or later Click the Add button below the Servers list select the server volume and click Add Connecting to the AFP Server from Mac OS 8 and Mac OS 9 Clients Apple file service requires the following Mac OS 8 or 9 system software e Mac OS 8 version 8 6 or Mac OS 9 version 9 2 2 e TCP IP AppleShare Client 3 7 or later To find the latest version of AppleShare client software supported by Mac OS 8 and Mac OS 9 go to the Apple support web
109. ly consist of more than one physical disk drive An Xsan volume for example is a logical disk that behaves like a single disk even though it consists of multiple storage pools that are in turn made up of multiple LUNs each of which contains multiple disk drives Mac OS X The latest version of the Apple operating system Mac OS X combines the reliability of UNIX with the ease of use of Macintosh Mac OS X Server An industrial strength server platform that supports Mac Windows UNIX and Linux clients out of the box and provides a suite of scalable workgroup and network services plus advanced remote management tools mount verb To make a remote directory or volume available for access on a local system In Xsan to cause an Xsan volume to appear on a client s desktop just like a local disk multicast DNS A protocol developed by Apple for automatic discovery of computers devices and services on IP networks Called Bonjour previously Rendezvous by Apple this proposed Internet standard protocol is sometimes referred to as ZeroConf or multicast DNS For more information visit www apple com or www zeroconf org To see how this protocol is used in Mac OS X Server see local hostname Network File System See NFS Glossary network interface Your computer s hardware connection to a network This includes but isn t limited to Ethernet connections AirPort cards and FireWire connections NFS Network File System A client server
110. m the Command Line You can also view the SMB log using the cat or tail commands in Terminal For more information see the file services chapter of Command Line Administration Viewing SMB Graphs You use Server Admin to view SMB graphs To view SMB graphs Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select SMB To see a graph of average connected user s throughput over a period of time click Graphs To choose the duration of time to graph data for use the pop up menu Update the data in the graph by clicking the Refresh button below the Servers list Viewing SMB Connections Use Server Admin to view the clients that are connected to the server through SMB services To view SMB connections Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select SMB To see a list of connected users click Connections The list includes the user name user IP address or domain name and the duration of connection You can disconnect individual clients by selecting the user from the Connections list and clicking Disconnect Important Disconnected users may lose unsaved changes in open files Update the list of connected users by clicking the Refresh button below the Servers list Chapter 5 Working with SMB Service 101
111. m the expanded Servers list select FTP Click Settings then click Advanced In the FTP root field enter the path to the new folder or click the Browse button below the field and select the folder From the Command Line You can also change the FTP service root folder using the serveradmin command in Terminal For more information see the file services chapter of Command Line Administration Managing FTP Service This section describes typical tasks you perform after you set up FTP service on your server Initial setup information appears in Setting Up FTP Service on page 116 Checking FTP Service Status Use Server Admin to check the status of FTP service Chapter 7 Working with FTP Service To view FTP service status Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select FTP To see whether the service is running when it started the number of authenticated and anonymous connections and whether anonymous access is enabled click Overview To review the event log click Log To see a graph of connected users click Graphs To choose the duration of time to graph data for use the pop up menu To see a list of connected users click Connections The list includes the user name type of connection user s IP address or domain name and event activity From the Command Line You can also check th
112. n Programming Interface GSSAPI authentication protocol GSSAPI is used to authenticate using Kerberos v 5 You specify the authentication method using the Access pane of the AFP service settings in Server Admin See Configuring Access Settings on page 69 For more information about setting up Kerberos see Open Directory Administration 65 66 Automatic Reconnect Mac OS X Server can automatically reconnect Mac OS X clients that have become idle or gone to sleep When clients become idle or go to sleep Mac OS X Server disconnects those clients to free server resources However you can configure Mac OS X Server to save Mac OS X client sessions permitting these clients to resume work on open files without loss of data You configure this setting in the Idle Users pane of the AFP service configuration window in Server Admin See Configuring Idle Users Settings on page 71 Find Content Mac OS X clients can use Spotlight to search the contents of AFP servers This feature enforces privileges so that only files the user has access to are searched AppleTalk Support AFP service no longer supports AppleTalk as a client connection method Although AppleTalk clients can see AFP servers in the Chooser they must use TCP IP to connect to these servers For more information see Mac OS X Clients on page 80 and Connecting to the AFP Server from Mac OS 8 and Mac OS 9 Clients on page 83 AFP Service Specifications AFP
113. n Server Admin to share information with clients of Mac OS X Server and to control access to shared information by assigning access privileges To share folders or volumes on the server set up share points A share point is a folder hard disk hard disk partition CD or DVD whose files are available for access across a network It s the point of access at the top level of a hierarchy of shared items Users with access privileges to share points see them as volumes mounted on their desktops or in their Finder windows Share Points and the Mac OS X Network Folder If you configure your computer to connect to LDAP directory domains and you set it with specific data mappings you can control the access and availability of network services by using Server Admin to e Identify share points and shared domains that you want to mount automatically in a user s Network folder accessible by clicking Network in the Finder sidebar Add user records and group records as defined in Workgroup Manager and configure their access When configuring share points you must define the users or groups that will access the share points You can use Workgroup Manager to e Define user and group records and configure their settings e Define lists of computers that have the same preference settings and that are available to the same users and groups For more information about configuring users and groups see User Management 35 36 Automounti
114. n servers Step 3 Configure and start IP failover service on the master and backup servers This step allows the master and backup computers to fail over and fail back Connecting the Master and Backup Servers to the Same Network The first step in setting up your servers for failover is to connect the master and backup computers to the same network and configure their network settings To connect the master and backup server to the same network Using the primary Ethernet interface connect the master and backup servers to the same network In the Network pane of System Preferences configure the TCP IP settings on both the master and backup computers so that each computer has a unique IP address and both are on the same subnet Ideally have your system administrator map the IP address of the master server to a virtual DNS name for example homedirs example com that users use to connect to your server This allows you to change the IP address of the master server transparently to users You might also want to map the IP addresses of the master and backup servers to DNS names for example node1 example com and node2 example com that you can use to refer to the two computers when setting up IP failover Chapter 4 Working with AFP Service Connecting the Master and Backup Servers Together Connect the master and backup computers together using a secondary Ethernet interface or IP over FireWire This is an important step because the two c
115. nal clusters of Xserve systems and Performance Computing Mac computers Mac OS X Server Glossary Learn about terms used for server and storage products Viewing PDF Guides on Screen While reading the PDF version of a guide onscreen Show bookmarks to see the guide s outline and click a bookmark to jump to the corresponding section e Search for a word or phrase to see a list of places where it appears in the document Click a listed place to see the page where it occurs e Click a cross reference to jump to the referenced section Click a web link to visit the website in your browser Printing PDF Guides If you want to print a guide you can take these steps to save paper and ink Save ink or toner by not printing the cover page Save color ink on a color printer by looking in the panes of the Print dialog for an option to print in grays or black and white e Reduce the bulk of the printed document and save paper by printing more than one page per sheet of paper In the Print dialog change Scale to 115 155 for Getting Started Then choose Layout from the untitled pop up menu If your printer supports two sided duplex printing select one of the Two Sided options Otherwise choose 2 from the Pages per Sheet pop up menu and optionally choose Single Hairline from the Border menu If you re using Mac OS X v10 4 or earlier the Scale setting is in the Page Setup dialog and the Layout settings are in the Print dialog You ma
116. nd enter the maximum number of guests you want to permit Click Save From the Command Line You can also set the AFP service connections limit using the serveradmin command in Terminal For more information see the file services chapter of Command Line Administration Keeping an Access Log The access log records the times when a user connects or disconnects opens a file or creates or deletes a file or folder To set up access logging Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select AFP Click Settings then click Logging Select Enable access log Select the events you want to record When choosing events to log consider the available disk space The more events you choose the faster the log file will grow To view the log open Server Admin select AFP and click Logs Alternatively use Terminal to view the logs stored in Library Logs AppleFileService From the Command Line You can also set AFP service to record logs using the serveradmin command in Terminal For more information see the file services chapter of Command Line Administration Chapter 4 Working with AFP Service a uu A WwW Disconnecting a User Use Server Admin to disconnect users from the Apple file server Important Users lose information they haven t saved when they are disconnected To disconnect a user Open Server Admin
117. nfigured for TCP IP and has the correct Windows networking software installed e Make sure the user has guest access Chapter 8 Solving Problems 127 128 e Go to the DOS prompt on the client computer and enter ping lt IP address gt where lt IP address gt is your server s address If the ping fails there is a TCP IP problem If the user is on a different subnet from the server make sure you have a WINS server on your network Note If Windows computers are properly configured for networking and connected to the network client users can connect to the file server even if they can t see the server icon in the Network Neighborhood window If Users Can t Log In to the Windows Server If users can t log in to the Windows Server make sure Password Server is configured correctly if that is what you are using to authenticate users Problems with NFS Service Following are general issues and recommendations to keep in mind when using NFS service e Not entering the full path to the NFS share causes errors on the client side e If you export more than one NFS share point you cannot have nested exports on a single volume which means one exported directory cannot be the child of another exported directory on the same volume To see available NFS mounts use showmount e ZP address in Terminal where IP address is the server s address e NFS server errors and warnings are logged to var log system log nfsd status can be use
118. nfiguring Advanced Settings Use the Advanced pane of SMB service settings in Server Admin to choose a client code page set the server to be a workgroup or domain master browser specify the server s WINS registration and enable virtual share points for user homes To configure SMB service Advanced settings Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select SMB Click Settings then click Advanced From the Code Page pop up menu choose the character set you want clients to use Chapter 5 Working with SMB Service 6 Select how you want the server to perform discovery and browsing services To provide discovery and browsing of servers in a single subnet select Services Workgroup Master Browser To provide discovery and browsing of servers across subnets select Services Domain Master Browser 7 Select how you want the server to register with WINS To prevent your server from using or providing WINS for NetBIOS name resolution select Off To enable your server to provide NetBIOS name resolution service select Enable WINS server This feature enables clients across multiple subnets to perform name and address resolution To enable your server to use an existing WINS service for NetBIOS name resolution select Register with WINS server and enter the IP address or DNS name of the WINS server
119. nformational purposes only and constitutes neither an endorsement nor a recommendation Apple assumes no responsibility with regard to the performance or use of these products 019 0933 2007 09 01 Preface Chapter 1 Chapter 2 19 19 20 20 22 24 24 24 25 25 28 29 30 31 Contents About This Guide What s New in File Services What s in This Guide Using Onscreen Help Mac OS X Server Administration Guides Viewing PDF Guides on Screen Printing PDF Guides Getting Documentation Updates Getting Additional Information Understanding File Services Protocol Overview Protocol Comparison Protocol Security Comparison Deployment Planning Determining the Best Protocol for Your Needs Determining Hardware Requirements for Your Needs Planning for Outages and Failovers Setting Up File Service Permissions Permissions in the Mac OS X Environment Kinds of Permissions Standard Permissions ACLs Supported Volume Formats and Protocols Access Control Entries ACEs What s Stored in an ACE Explicit and Inherited ACEs Understanding Inheritance Rules of Precedence Tips and Advice Common Folder Configurations File Services Access Control Chapter 3 32 32 32 32 32 32 33 33 35 35 36 36 36 37 37 37 38 38 38 39 39 39 40 41 42 43 44 46 47 48 48 48 49 49 50 50 55 56 56 57 58 58 Customizing Shared Network Resources Share Points in the Network Folder Adding System Resources to t
120. ng You can configure client computers to automatically mount share points These share points can be static or dynamic e Static share points are mounted on demand You can assign statically mounted share points to specific folders e Dynamic share points are mounted on demand and are in the Network Servers server_name folder Share Points and Network Home Folders Network authenticated users can have their home folder stored locally on the client computer they are using or on a network server Network home folders are an extension of simple automounts A home folder share point is mounted when the user logs in and provides the user the same environment to store files as if the folders were on the local computer The benefit of network home folders is that they can be accessed by any client computer that logs in to a specific server that provides network home folder services for that user For more information see Network Home Folders on page 38 Setup Overview You use File Sharing in Server Admin to create share points and set privileges for them Here is an overview of the basic steps for setting up share points Step 1 Read Before Setting Up a Share Point For issues you should consider before sharing information about your network read Before Setting Up a Share Point on page 37 Step 2 Locate or create the information you want to share Decide which volumes partitions or folders you want to share Yo
121. ng problems make sure you have shut down the master server Chapter 8 Solving Problems Glossary Glossary AFP Apple Filing Protocol A client server protocol used by Apple file service to share files and network services AFP uses TCP IP and other protocols to support communication between computers on a network access control A method of controlling which computers can access a network or network services access control list See ACL ACL Access Control List A list maintained by a system that defines the rights of users and groups to access resources on the system address A number or other identifier that uniquely identifies a computer on a network a block of data stored on a disk or a location in a computer s memory See also IP address MAC address administrator A user with server or directory domain administration privileges Administrators are always members of the predefined admin group alias Another email address at your domain that redirects incoming email to an existing user Apple Filing Protocol See AFP automount To make a share point appear automatically on a client computer See also mount bit A single piece of information with a value of either 0 or 1 CIFS Common Internet File System See SMB client A computer or a user of the computer that requests data or services from another computer or server command line The text you type at a shell prompt when using a command line inte
122. ntry overrides the setting in this preference file Use the defaults command in Terminal to change the default name to the following To set the current user s short name defaults write Library Preferences com apple NetworkAuthorization UseDefaultName bool NO Chapter 4 Working with AFP Service 81 82 defaults write Library Preferences com apple NetworkAuthorization UseShortName bool YES To set a custom name defaults write Library Preferences com apple NetworkAuthorization UseDefaultName bool YES defaults write Library Preferences com apple NetworkAuthorization DefaultName user Replace user with the desired custom name and enclose it in quotation marks To set no name defaults write Library Preferences com apple NetworkAuthorization UseDefaultName bool YES defaults write Library Preferences com apple NetworkAuthorization DefaultName To set the current user s long name This is only necessary if you have made any of the changes listed above defaults write Library Preferences com apple NetworkAuthorization UseDefaultName bool NO defaults write Library Preferences com apple NetworkAuthorization UseShortName bool NO or defaults delete Library Preferences com apple NetworkAuthorization UseDefaultName defaults delete Library Preferences com apple NetworkAuthorization UseShortName Setting Up a Mac OS X Client to Automatically Mount a Share Point As an a
123. numeric address that identifies a computer on the Internet Glossary 133 134 IP subnet A portion of an IP network which may be a physically independent network segment that shares a network address with other portions of the network and is identified by a subnet number Kerberos A secure network authentication system Kerberos uses tickets which are issued for a specific user service and period of time After a user is authenticated it s possible to access additional services without retyping a password called single sign on for services that have been configured to take Kerberos tickets Mac OS X Server uses Kerberos v5 LDAP Lightweight Directory Access Protocol A standard client server protocol for accessing a directory domain local hostname A name that designates a computer on a local subnet It can be used without a global DNS system to resolve names to IP addresses It consists of lowercase letters numbers or hyphens except as the last characters and ends with local For example bills computer local Although the default name is derived from the computer name a user can specify this name in the Sharing pane of System Preferences It can be changed easily and can be used anywhere a DNS name or fully qualified domain name is used It can only resolve on the same subnet as the computer using it logical disk A storage device that appears to a user as a single disk for storing files even though it might actual
124. o to send to broadcast the heartbeat message to Chapter 4 Working with AFP Service e The failoverd daemon runs on the backup computer and listens on port 1694 for broadcasts from a specific address on both interfaces If failovera stops receiving the heartbeat messages on both interfaces it takes over the public IP address of the master server which allows the failover server to service incoming client requests thus maintaining availability ailovera uses the FAILOVER_PEER_IP and FAILOVER_PEER_IP entries in the etc hostconfig file to get the public and private IP addresses of the master server For IP failover to work you must keep the backup computer in sync with the master For example if you re using the master computer as an AFP file server make sure that the backup computer has the same AFP service settings If the settings are not the same users might not be able to access the file service In addition for IP failover to work the backup computer should have access to the data needed by client computers To ensure data availability you ll have to keep the data on both computers in sync using the cron and rsyne commands or other third party solutions Alternatively you could use a RAID shared storage device in which to store data AFP homedirs example com e node1 example com node2 example com Master server a Backup server To take advantage of a RAID device in IP
125. olders and symbolic links and aliases cannot reach outside these boundaries In Mac OS X Server FTP service expands the restricted environment to permit access to symbolic links while still providing a secure FTP environment You can permit FTP users to have access to the FTP root folder their home folder or to any other folder on the server that you set up as an FTP share point A user s access to the FTP root folder FTP share points and his or her home folder is determined by the user environment you specify as described in the following section and by access privileges Note FTP service enforces ACL permissions 109 110 FTP Users FTP supports two types of users Authenticated users These users have accounts on your server and might have home folders stored on the server Some FTP software refers to these as real users An authenticated user must provide a user name and password to access server files using FTP You review or set up authenticated users using the Accounts module of Workgroup Manager Anonymous users These users do not have accounts on your server They are also known as guest users for example when you set up an FTP share point in Server Admin An anonymous user can access FTP folders on the server using the common user name anonymous and a fictitious email address as their password You permit anonymous access to your server using the General pane of the FTP service settings in Server Admin
126. omputers communicate failover events over this connection To connect the master and backup servers together Use an Ethernet cable or a FireWire cable to connect the master and backup computers together In the Network pane of System Preferences configure the TCP IP settings of the secondary Ethernet interface or IP over FireWire interface on both computers Assign each computer a private network IP address for example 10 1 0 2 and 10 1 0 3 and make sure that both computers are on the same subnet Configuring the Master Server for IP Failover Configuring the master server for IP failover is simple Add or edit two entries in the etc hostconfig file and then restart the server To configure the master server for IP failover Add or edit the ratLover_Bcast_rps entry in etc hostconfig to specify the addresses to send heartbeat messages to For example if the primary IP address of the master server is 171 0 50 and the secondary IP address is 10 1 0 2 add the following line to the etc hostconfig file to broadcast the message over the two networks FAILOVER_BCAST_IPS 10 1 0 255 17 1 0 255 However it s more efficient for your network switch to send the heartbeat messages to specific addresses FAILOVER_BCAST_IPS 10 1 0 3 17 1 0 51 This line instructs the master server to send the heartbeat messages to the primary and secondary IP addresses of the backup server Note To edit the etc hostconfig file you must be root Us
127. ons to solve or avoid failover problems while configuring or using failover service Chapter 8 Solving Problems 129 130 If IP Failover Does Not Occur Following are tips for troubleshooting general IP failover problems e Verify that the server s software serial number is entered correctly and has not expired To check the number open Server Admin select the server in the Computers amp Services list and click Overview To enter an updated serial number click Settings e Check the IP failover log Library Logs failoverd log for problem indications e Make sure cables are attached correctly to the hardware components e Verify that network settings are configured correctly on both the master and backup server e Verify that the rArLovER_Bcast_tps entry in the etc hostconfig file is correctly configured on the master server e Verify that the FAILOVER_PEER_IP_PAIRS and FAILOVER_PEER_IP entries in the etc hostconfig file are correctly configured on the backup server If IP Failover Mail Notifications Are Not Working Following are tips for troubleshooting IP failover mail notification problems e Verify that the mail addresses specified by the FAILOVER_EMAIL_RECIPIENT entry in the etc hostconfig file is correct e Make sure your public network interface is working e Make sure you have correctly configured IP failover If You Are Still Having Problems After Failover Occurs If IP failover took place but you re still havi
128. orrect access privileges See Creating an Uploads Folder for Anonymous Users on page 121 Step 8 Create share points and share them using FTP Use the Sharing service of Server Admin to specify the share points that you want to make available through FTP You must explicitly configure a share point to use FTP so that FTP users can access the share point See Creating a Share Point on page 39 and Changing FTP Settings for a Share Point on page 43 Step 9 Start FTP service After you configure FTP service start the service to make it available See Starting FTP Service on page 120 Before Setting Up FTP Service When determining whether to offer FTP service consider the type of information you will share and who your clients are FTP works well when you want to transfer large files such as applications and databases In addition if you want to permit guest anonymous users to download files FTP is a secure way to provide this service Chapter 7 Working with FTP Service 115 116 A U N Server Security and Anonymous Users Enabling anonymous FTP poses a security risk to your server and data because you open your server to users that you do not know The access privileges you set for the files and folders on your server are the most important way to keep information secure The default settings for FTP prevent anonymous users from performing the following actions Deleting files e Renaming files e Overwr
129. ou want to serve data to your client computers TCP separates data into packets small bits of data sent over the network using IP and uses error correction to make sure information is transmitted properly UDP is a correctionless and connectionless transport protocol UDP doesn t break data into packets so it uses fewer system resources It s more scalable than TCP and a good choice for a heavily used server because it puts a smaller load on the server However do not use UDP if remote clients are using the service TCP provides better performance for clients than UDP However unless you have a specific performance concern select both TCP and UDP Click Save From the Command Line You can also change NFS service settings using the serveradmin command in Terminal For more information see the file services chapter of Command Line Administration Chapter 6 Working with NFS Service 105 106 Starting NFS Service You start NFS service to make NFS exports available to your client users To start NFS service Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select NFS Click Start NFS below the Servers list The service runs until you stop it and restarts if your server is restarted Managing NFS Service Use Server Admin to manage NFS service settings Checking NFS Service Status Use Server Admin to check the stat
130. permissions to handle exceptions For example you might want ACLs to apply to all descendants except for a subtree of your folder hierarchy In this case you define ACEs for the root folder and set them to propagate to all descendants Then you select the root folder of the subtree and propagate permissions to remove the ACLs from all descendants of that subtree In the example below the items in white had their ACLs removed by manually propagating ACLs P E mi e C4 uu You can propagate permissions to reapply inheritance in cases where you removed a folder s ACLs and decided to reapply them You can propagate permissions to clear all ACLs at once instead of having to go through a folder hierarchy and manually remove ACEs When you propagate permissions the permissions of bundles and root owned files and folders are not changed For more information about how to manually propagate permissions see Propagating Permissions on page 53 Rules of Precedence Mac OS X Server uses the following rules to control access to files and folders Without ACEs POSIX permissions apply If a file or folder has no ACEs defined for it Mac OS X Server applies standard POSIX permissions With ACEs order is important If a file or folder has one or more ACEs defined for it Mac OS X Server starts with the first ACE in the ACL and works its way down the list until the reque
131. pported in AFP Spotlight indexing allows you to do quick searches of network volumes You can turn on Spotlight indexing for a share point in Server Admin NFS supports Kerberos authentication Kerberos is a standard network authentication protocol used to provide secure authentication and communication over open networks What s in This Guide This guide includes the following chapters e Chapter 1 Understanding File Services provides an overview of Mac OS X Server file services 10 Chapter 2 Setting Up File Service Permissions explains standard permissions and ACLs and discusses related security issues Chapter 3 Setting Up Share Points describes how to share specific volumes and directories by using Apple Filing Protocol AFP Server Message Block SMB Common Internet File System CIFS protocol File Transfer Protocol FTP and Network File System NFS protocol It also describes how to set standard and ACL permissions Chapter 4 Working with AFP Service describes how to set up and manage AFP service in Mac OS X Server and also describes how you can set up IP Failover in Mac OS X Server Chapter 5 Working with SMB Service describes how to set up and manage SMB service in Mac OS X Server Chapter 6 Working with NFS Service describes how to set up and manage NFS service in Mac OS X Server Chapter 7 Working with FTP Service describes how to set up and manage FTP service in
132. protocol that uses Internet Protocol IP to allow remote users to access files as though they were local NFS can export shared volumes to computers based on IP address and also supports single sign on SSO authentication through Kerberos nfsd daemon An NFS server process that runs continuously behind the scenes and processes NFS protocol and mount protocol requests from clients nfsd can have multiple threads The more NFS server threads the better concurrency Open Directory The Apple directory services architecture which can access authoritative information about users and network resources from directory domains that use LDAP Active Directory protocols or BSD configuration files and network services open source A term for the cooperative development of software by the Internet community The basic principle is to involve as many people as possible in writing and debugging code by publishing the source code and encouraging the formation of a large community of developers who will submit modifications and enhancements oplocks See opportunistic locking opportunistic locking Also known as oplocks A feature of Windows services that prevents users of shared files from changing the same file at the same time Opportunistic locking locks the file or part of the file for exclusive use but also caches the user s changes locally on the client computer for improved performance owner The owner of an item can change access permissions to t
133. pt data during transmission If you don t want client users to change the contents of the shared item select the Read Only checkbox Select Allow subdirectory mounting This permits clients to mount subfolders of an exported NFS share point For example if you export the Users folder all its subfolders can be mounted directly Click OK then click Save Chapter 3 Setting Up Share Points 45 46 Note If you export more than one NFS share point you cannot have nested exports on a single volume which means one exported directory cannot be the child of another exported directory on the same volume From the Command Line You can also set up an NFS share point by using the command line in Terminal For more information see the man pages exports 5 nfs conf 5 and nfsd 8 and the file services chapter of Command Line Administration Resharing NFS Mounts as AFP Share Points Resharing NFS mounts NFS volumes that have been exported to Mac OS X Server enables Mac OS 9 clients to access NFS file services on traditional UNIX networks To reshare an NFS mount as an AFP share point On the NFS server that s exporting the original share point make sure the NFS export maps root to root so that AFP which runs as root can access the files for the clients Restrict the export to the single AFP server seen as the client to the NFS server For even greater security set up a private network for the AFP to NFS connection Open Serv
134. ptical drives 125 Others user category 20 21 32 Owner user category 20 21 P passive mode FTP 129 Password Server See Open Directory Password Server PDC primary domain controller 96 permissions ACL 20 22 40 administrator 62 Effective Permission Inspector 30 55 folders 19 group 20 21 24 29 guest 33 inheritance 23 25 52 overview 19 propagation of 22 25 30 share points 50 standard 20 24 28 40 50 types 20 22 28 32 user 20 21 24 55 volume 24 POSIX Portable Operating System Interface 20 28 PostAcq 87 power considerations outage planning 17 PreAcq 87 primary domain controller See PDC privileges administrator 21 62 See also permissions problems See troubleshooting ProcessFailover 86 protocols 15 24 See also specific protocols ps tool 73 QuickTime Streaming Server QTSS 20 quotas disk space 39 46 61 R RAID Redundant Array of Independent Disks 17 58 Read and Write privilege 20 141 142 Read Only privilege 20 realms See Kerberos WebDav reconnect server key configuring 90 Redundant Array of Independent Disks See RAID resource forks 114 117 root folder FTP 110 111 122 root permissions 19 S SACLs service access control lists 31 62 scripts NotifyFailover 86 87 PostAcq 87 PreAcq 87 ProcessFailover 86 Test 86 security 16 32 See also access authentication permissions Server Admin access control 24 33 35 file service permissions 19 28 Server Mes
135. r volume you plan to share Users trying to access the share point might have trouble seeing it To create a share point Open Server Admin and connect to the server Click File Sharing Click Volumes to list the available volumes to share To create a share point of an entire volume select the volume from the list To share a folder within a volume select the volume in the list and click Browse to locate and select the folder Click Share If you must create a folder for your share point click Browse click New Folder enter the name of the folder and click Create Click Save By default the new share point is shared using AFP SMB and FTP but not NFS To configure your share point for a specific protocol or to export the share point using NFS click Protocol Options and choose the protocol Settings specific to each protocol are described in the following sections From the Command Line You can also set up a share point using the sharing command in Terminal For more information see the file services chapter of Command Line Administration Chapter 3 Setting Up Share Points 39 40 wu A U N Setting Privileges Mac OS X Server provides two methods of access control to files and folders Standard permissions and ACL permissions These methods are described in the following sections Setting Standard Permissions When you don t need the flexibility and granularity that access control lists ACLs provide or in cas
136. r you specify Before you mount the share point be sure this folder exists on the client computer Click OK Authenticate when prompted Click Save Chapter 3 Setting Up Share Points 47 48 un AeA U N Managing Share Points This section describes day to day tasks you might perform after you set up share points on your server Initial setup information appears in Setting Up a Share Point on page 39 Checking File Sharing Status Use Server Admin to check the status of volumes and share points To view File Sharing status Open Server Admin and connect to the server Click File Sharing Click Volumes to see a list of volumes Each volume includes the disk space used whether quotas are enabled or disabled and the type of volume Click Share Points to see a list of share points Each share point includes the disk space used and whether sharing guest access automount and Spotlight indexing are enabled or disabled To monitor the quotas setup for a volume select the volume and click Quotas below the volume list Disabling a Share Point To stop sharing a share point use File Sharing in Server Admin to remove it from the Share Points list Note Before you delete or rename a share point in Finder disable the share point in Server Admin first To remove a share point Open Server Admin and connect to the server Click File Sharing Click Share Points and select the share point you want to remove Cli
137. rd or workgroup server selecting this option also sets the POSIX permissions to 770 and sets the POSIX group to com apple access_backup A share point can be designated as a Time Machine backup in Server Admin To configure Time Machine backup destination Open Server Admin and connect to the server Click File Sharing Click Share Points and select the share point Click Share Point below the list Select the Enable as Time Machine backup destination checkbox Click Save Monitoring Share Point Quotas Use Server Admin to view the space on a volume allocated for a user This space disk quota configured in Workgroup Manager is the maximum size of a user s home folder To monitor share point quotas Open Server Admin and connect to the server Click File Sharing Click Volumes and select the volume you want to monitor Click Quotas below the list Select the Enable quotas on this volume checkbox The disk quota information for the enabled volumes is listed in the Quota Monitor This includes user name space used MB free space MB and limit MB Click Save Chapter 3 Setting Up Share Points 61 62 um A WwW N un A WN Setting SACL Permissions SACLs enable you to specify who has access to AFP FTP and SMB file services This provides you with greater control over who can use the services and which administrators have access to monitor and manage the services Setting SACL Permissions for Users an
138. re point you create Restricting Access to File Services As stated in File Services Access Control on page 31 you can use Service Access Control Lists SACLs to restrict access to AFP FTP and SMB services Restricting Access to Everyone Be careful when creating and granting access to share points especially if you re connected to the Internet Granting access to Everyone or to World in NFS service could expose your data to anyone on the Internet For NFS it is recommended that you do not export volumes to World and that you use Kerberos to provide security of NFS volumes Chapter 2 Setting Up File Service Permissions Restricting Access to NFS Share Points NFS share points without the use of Kerberos don t have the same level of security as AFP and SMB which require user authentication entering a user name and password to gain access to a share point s contents If you have NFS clients you may want to set up a share point to be used only by NFS users or configure NFS with Kerberos NFS doesn t support SACLs For more information see Protocol Security Comparison on page 16 Restricting Guest Access When you configure any file service you can turn on guest access Guests are users who connect to the server anonymously without entering a user name or password Users who connect anonymously are restricted to files and folders that have privileges set to Everyone To protect your information from unauthorized a
139. rface 131 132 command line interface A way of interacting with the computer for example to run programs or modify file system permissions by entering text commands at a shell prompt See also shell shell prompt daemon A program that runs in the background and provides important system services such as processing incoming email or handling requests from the network DHCP Dynamic Host Configuration Protocol A protocol used to dynamically distribute IP addresses to client computers Each time a client computer starts up the protocol looks for a DHCP server and then requests an IP address from the DHCP server it finds The DHCP server checks for an available IP address and sends it to the client computer along with a lease period the length of time the client computer may use the address directory See folder directory domain A specialized database that stores authoritative information about users and network resources the information is needed by system software and applications The database is optimized to handle many requests for information and to find and retrieve information quickly Also called a directory node or simply a directory DNS Domain Name System A distributed database that maps IP addresses to domain names A DNS server also known as a name server keeps a list of names and the IP addresses associated with each name DNS domain A unique name of a computer used in the Domain Name System to translate IP addr
140. rver ownership of the item doesn t change Only the owner of the drop box or root has access to its contents e Group You can put users who need the same access to files and folders in group accounts Only one group can be assigned access permissions to a shared item For more information about creating groups see User Management e Others Others is any user registered user or guest who can log in to the file server Chapter 2 Setting Up File Service Permissions 21 22 Hierarchy of Permissions If a user is included in more than one category of users each of which has different permissions these rules apply e Group permissions override Others permissions e Owner permissions override Group permissions For example when a user is both the owner of a shared item and a member of the group assigned to it the user has the permissions assigned to the owner Client Users and Permissions Users of AppleShare Client software can set access privileges for files and folders they own Users who use Windows file sharing services can also set access privileges Standard Permission Propagation Server Admin lets you specify which standard permissions to propagate For example you can propagate only the permission for Others to all descendants of a folder and leave the permissions for Owner and Group unchanged For more information see Propagating Permissions on page 53 ACLs When standard POSIX permissions are not enough us
141. rview File services provide a way for client computers to access and share files applications and other resources on a network Each file service uses a protocol to communicate between the server and client computers Depending on your network configuration you can choose from the following file services AFP service uses Apple Filing Protocol AFP to share resources with clients who use Macintosh computers SMB service uses the Server Message Block Common Internet File System SMB CIFS protocol to share resources with and provide name resolutions for clients who use Windows or Windows compatible computers FTP service uses File Transfer Protocol FTP to share files with anyone using FTP client software NFS service uses the Network File System NFS protocol to share files and folders with users typically UNIX users who have NFS client software After configuring your file services you can manage your shared network resources by monitoring network activity and controlling access to each service 16 Protocol Comparison When sharing network resources you may have more than one service turned on depending on the platforms that require access to these resources The following table describes which service protocols are supported for each platform Protocol Platform Default Ports AFP Mac OS X and Mac OS X Server 548 SMB Mac OS X Mac OS X Server Windows UNIX and Linux 137 138 and 139 FTP Mac OS X Mac OS X Server
142. s on page 105 Step 4 Create share points and share them using NFS Use the Sharing service of Server Admin to specify the share points you want to export share using NFS For NFS users to access the share point you must explicitly configure a share point to use NFS 103 104 See Creating a Share Point on page 39 Exporting an NFS Share Point on page 44 and Automatically Mounting Share Points for Clients on page 47 When you export a share point NFS automatically starts When you delete all exports the service stops To see if NFS service is running open Server Admin select NFS from the list of services for your server and click Overview Before Setting Up NFS Service Mac OS X 10 5 offers NFS with Kerberos providing another secure file sharing service Secure access to NFS shared items is controlled by Kerberos the client software and file permissions NFS with Kerberos can be configured to only grant access to shared volumes based on the IP address of a computer and a user s single sign on credentials If your network has both Mac OS X v10 4 and Mac OS X v10 5 computers you can permit authentication through both system authentication and Kerberos by setting the Minimum Security option to Any then export your NFS share to World This requires users in a Kerberos realm to get a ticket granting ticket from a single sign on Kerberos server before accessing NFS shared volumes and still permits Mac OS X v10
143. s Can t Access Shared Optical Media If users can t access shared optical media e Make sure the optical media is a share point e If you share multiple media make sure that each has a unique name in the Sharing pane If Users Can t Access External Volumes Using Server Admin Make sure the server is logged in 125 126 If Users Can t Find a Shared Item If users can t find a shared item Check the access privileges for the item The user must have Read access privileges to the share point where the item is located and to each folder in the path to the item e Server administrators don t see share points the same way a user does over AFP because administrators see everything on the server To see share points from a user s perspective select Enable administrator to masquerade as any registered user in the Access pane of the Settings pane of AFP service in Server Admin You can also log in using a user s name and password e Although DNS is not required for file services an incorrectly configured DNS could cause a file service to fail For more information about DNS configuration see Network Services Administration If Users Can t Open Their Home Folder If users can t open their home folder e Make sure the share point used for home folders is set up as an automount for home folders in Server Admin e Make sure the share point is created in the same Open Directory domain as user accounts e Make sure the client compu
144. s and folders In the case of POSIX permissions you can specify the following to propagate e Owner name e Group name e Owner permissions e Group permissions e Others permissions The ability to select which information to propagate gives you specific control over who can access files and folders For ACL permissions you can only propagate the entire ACL You can t propagate individual ACEs To propagate folder permissions Open Server Admin and connect to the server Chapter 3 Setting Up Share Points 53 54 N DO Ww A UN AO uu A WwW N N DO UW A U N Click File Sharing Click Share points and select the share point you want to update from the list Click Permissions below the list From the Action menu button gear choose Propagate Permissions Select the permissions you want to propagate Click OK Server Admin propagates the selected permissions to all descendants Removing the ACL from a File To remove the inherited ACL from a file use Server Admin Note Because the ACEs of a file are usually inherited they may appear dimmed To remove the ACL from a file Open Server Admin and connect to the server Click File Sharing Click Share points and select the share point you want to update from the list Click Permissions below the list Select all ACEs in the ACL Permissions list and click the Delete button Click Save Server Admin removes all ACEs from the ACL of a file The only permiss
145. s third party developers List Folder Contents Read User can list folder contents and read files Read Data Traverse Folder Read User can open subfolders and run a program Execute File Read Permissions Read User can view the file s or folder s standard permissions using the Get Info or Terminal commands Write Attributes Write User can change the file s or folder s standard attributes Write Extended Write User can change the file s or folder s other attributes Attributes Create Files Write Write User can create files and change files Data Create Folder Append Write User can create subfolders and add data to files Data Delete Write User can delete file or folder Delete Subfolders and Write User can delete subfolders and files Files In addition to these permissions the Apple ACL model defines four types of inheritance that specify how these permissions are propagated e Apply to this folder Apply Administration Read and Write permissions to this folder Apply to child folders Apply permissions to subfolders Apply to child files Apply permissions to the files in this folder Apply to all descendants Apply permissions to all descendants To learn how this option works with the previous two see Understanding Inheritance on page 25 The ACL Use Model The ACL use model focuses on access control at the folder level with most ACLs applied to files as the result of inheritance Fo
146. sage Block Common Internet File System See SMB CIFS service access control lists See SACLs Service Location Protocol See SLP shared files See file sharing share points access control 32 37 40 47 51 AFP 37 41 client access 37 47 56 command line tools 39 disabling 48 102 drop box 57 60 61 enabling 102 exporting 44 56 108 FTP 37 43 111 home folders 36 38 111 management of 48 mounting 36 46 82 naming 39 NFS 32 37 44 56 108 permissions 21 protocols 49 removing 48 49 setup 35 SMB CIFS 37 42 troubleshooting 125 viewing 49 virtual 98 99 102 Workgroup Manager 35 Sharing service 48 See also share points sharing tool 39 showmount tool 108 single points of failure 17 Index SMB CIFS Server Message Block Common Internet File System protocol service accessing 97 authentication 16 97 connections 101 127 file sharing 93 graphs 101 logs 98 100 management of 100 overview 93 permissions 24 ports for 16 settings 95 setup 94 share points 37 42 software requirements 16 starting 99 status checking 100 stopping 102 turning on 95 Spotlight 60 61 66 standalone Windows services 96 standard permissions 20 24 28 40 50 static share points 36 strict locking 43 93 subnets 44 128 T tail tool 73 TCP Transmission Control Protocol 105 TCP IP troubleshooting 127 129 Test 86 Time Machine configuring as a backup destination 61 top tool 73 Transmission Control Protocol
147. sers Can t See the Windows Server in Network Neighborhood If Users Can t Log In to the Windows Server Problems with NFS Service Problems with FTP Service If FTP Connections Are Refused If Clients Can t Connect to the FTP Server If Anonymous FTP Users Can t Connect Problems with IP Failover If IP Failover Does Not Occur If IP Failover Mail Notifications Are Not Working If You Are Still Having Problems After Failover Occurs Contents About This Guide Preface This guide describes how to configure and use file services with Mac OS X Server File sharing requires file server administrators to manage user privileges for all shared folders and files Configuring Mac OS X Server as a file server offers you reliable high performance file sharing using native protocols for Mac Windows and Linux workgroups The server fits seamlessly into any environment including mixed platform networks Mac OS X Server v10 5 delivers expanded functions of current features and introduces enhancements to support heterogeneous networks maximize user productivity and make file services more secure and easier to manage What s New in File Services File services contain several changes and enhancements that provide ease of use and greater functionality such as e Sharing functionality has been relocated to Server Admin This combines the share point configuration with the configuration of the file service protocols in one tool Spotlight is now su
148. server The list of services appears From the expanded Servers list select AFP Click Start AFP below the Servers list The service runs until you stop it and restarts if your server is restarted From the Command Line You can also start AFP service using the serveradmin command in Terminal For more information see the file services chapter of Command Line Administration Managing AFP Service This section describes typical day to day tasks you might perform after you set up AFP service on your server Initial setup information appears in Setting Up AFP Service on page 68 Checking AFP Service Status Use Server Admin to check the status of AFP service To view AFP service status Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select AFP To see information such as whether the service is running when it started its throughput the number of connections and whether guest access is enabled click Overview To review access and error logs click Logs To choose which log to view use the View pop up menu To see graphs of connected users or throughput click Graphs Use the pop up menus to choose which graph to view and to choose the duration of time to graph data for Chapter 4 Working with AFP Service To see a list of connected users click Connections The list includes the user name connection status
149. service has the following default specifications Maximum number of connected users depending on your license agreement Unlimited hardware dependent Maximum volume size 16 terabytes TCP port number 548 Location of log files Library Logs AppleFileService Bonjour registration type afpserver Chapter 4 Working with AFP Service Setup Overview Here is an overview of the basic steps for setting up AFP service Step 1 Turn AFP service on Before configuring AFP service AFP must be turned on See Turning AFP Service On on page 67 Step 2 Configure AFP General settings Configure the General settings to advertise the AFP share point enable Mac OS 8 and Mac OS 9 clients to find the server and specify a logon greeting See Configuring General Settings on page 68 Step 3 Configure AFP Access settings Use Access settings to permit guest AFP users limit the number of simultaneous Windows client connections or set AFP authentication options See Configuring Access Settings on page 69 Step 4 Configure AFP Logging settings Use Logging settings to specify how much information is recorded in AFP log files See Configuring Logging Settings on page 70 Step 5 Configure AFP Idle Users settings Use Idle Users settings to disconnect idle clients enable clients to reconnect after sleeping within a specified time limit and customize a disconnect message See Configuring Idle Users Settings on page 71
150. sing the sharing and 1s commands in Terminal For more information see the file services chapter of Command Line Administration Managing Share Point Access Privileges This section describes typical tasks you might perform to manage access privileges for your share point Changing POSIX Permissions You use Server Admin to view and change the standard POSIX permissions for a share point To change standard POSIX permissions for a share point Open Server Admin and connect to the server Click File Sharing Click Share points and select the share point you want to update from the list Click Permissions below the list To alter the POSIX permissions change the owner and group of the shared item dragging names from the Users and Groups drawer to the owner or group records in the permissions table The owner and group records are listed under the POSIX heading The owner record is the one with the single user icon and the group record is the one with the group icon Open the drawer by clicking the Add button To change the permissions for the Owner Group and Others everyone use the Permissions pop up menu in the appropriate row of the permissions table Chapter 3 Setting Up Share Points N AO UW A U N N AO Ww A UN Others is any user who is not the owner and does not belong to the group but can log in to the file server From the Command Line You can also change a share point s privileges using the chmod chgrp an
151. site at www apple support Note Apple file service does not support AppleTalk connections so clients must use TCP IP to access file services To connect from Mac OS 8 or Mac OS 9 Open the Chooser and click AppleShare Select a file server and click OK Enter your user name and password or select Guest and then click Connect Select the volume you want to use and click OK Setting up a Mac OS 8 or Mac OS 9 Client to Automatically Mount a Share Point As an alternative to using the network mount feature of AFP or NFS clients can set their computers to automatically mount server volumes To set a Mac OS 8 or Mac OS 9 client to automatically mount a server volume Use the Chooser to mount the volume on the client computer In the select item dialog that appears after you log in select the server volume you want to mount automatically Configuring IP Failover IP failover is a technology that allows you to set up two computers in a master backup relationship so that if the master computer fails the backup computer transparently assumes the role of the master with minimal disruption in service Chapter 4 Working with AFP Service 83 84 For example if you have a home directory server with 1 000 users and you don t have a backup server your users can t access their files if the directory server fails But if you set up another server as a backup then even if the master server fails the users can access their files through the b
152. sted permission is satisfied or denied The ACE order can be changed from the command line using the chmod command Deny permissions override other permissions When you add ACEs Server Admin lists Deny permissions above Allow permissions because Deny permissions have precedence over Allow permissions When evaluating permissions if Mac OS X Server finds a Deny permission it ignores remaining permissions the user has in the same ACL and applies the Deny permission Chapter 2 Setting Up File Service Permissions For example if you add an ACE for the user Mei and enable her reading permissions and then add another ACE for a group in which Mei is a member and deny the group reading permissions Server Admin reorders the permissions so that the Deny permission is above the Allow permission The result is that Mac OS X Server applies the Deny permission for Mei s group and ignores the Allow permission for Mei e Allow permissions are cumulative When evaluating Allow permissions for a user in an ACL Mac OS X Server defines the user s permissions as the union of all permissions assigned to the user including standard POSIX permissions After evaluating ACEs Mac OS X Server evaluates the standard POSIX permissions defined on the file or folder Then based on the evaluation of ACL and standard POSIX permissions Mac OS X Server determines what type of access a user has to a shared file or folder Tips and Advice Mac OS X Server combines tr
153. t select FTP Click Settings then click Advanced For Authenticated users see choose the type of user environment you want to use FTP Root and Share Points Home Folder with Share Points or Home Folder Only For more information see FTP Users on page 110 To change the FTP root enter the new pathname in the FTP Root field For more information see The FTP Root Folder on page 110 From the Command Line You can also change FTP service settings using the serveradmin command in Terminal For more information see the file services chapter of Command Line Administration Starting FTP Service You must start FTP service to make it available to your users To start FTP service Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select FTP Click Start FTP below the Servers list From the Command Line You can also start FTP service using the serveradmin command in Terminal For more information see the file services chapter of Command Line Administration Permitting Anonymous User Access You can permit guests to log in to your FTP server with the user name ftp or anonymous They don t need a password to log in but they are prompted to enter an email address For better security do not enable anonymous access Chapter 7 Working with FTP Service aA uu A WwW To enable anonymous FTP servi
154. t display it at all For example in recent releases of the FTP client Fetch you set a preference to display server messages The banner message appears when a user contacts the server before they log in The welcome message appears after they successfully log in To display banner and welcome messages to users Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select FTP Click Settings then click Messages Select Show welcome message Select Show banner message Click Save From the Command Line You can also change the FTP service banner message using the serveradmin command in Terminal or by editing the files Library FTPServer Messages banner txt and Library FTPServer Messages welcome txt For more information see the file services chapter of Command Line Administration Chapter 7 Working with FTP Service Displaying Messages Using message txt Files If an FTP user opens a folder on your server that contains a file named message txt the file contents appear as a message The user sees the message only the first time they connect to the folder during an FTP session You can use the message to notify users of important information or changes Using README Messages If you place a file named README in a folder an FTP user who opens that folder receives a message letting them know that the file exists
155. ter is set to use the correct Open Directory domain using Directory Utility If Users Can t Find a Volume or Folder to Use as a Share Point If users can t find a volume or folder to use as a share point e Make sure the volume or folder name does not contain a slash character The Share Points pane of Server Admin lists the volumes and folders on your server but it can t correctly display the names of volumes and folders that include the slash character e Make sure you re not using special characters in the name of the volume or folder If Users Can t See the Contents of a Share Point If you set Write Only access privileges to a share point users can t see its contents Change the access privileges to Read Only or to Read amp Write Problems with AFP Service This section describes potential problems with AFP service and ways to diagnose and resolve them Chapter 8 Solving Problems If Users Can t Find the AFP Server If users can t find the AFP server e Make sure the network settings are correct on the user s computer and on the computer that is running AFP service If you can t connect to other network resources from the user s computer the network connection may not be working e Make sure the file server is running Use the Ping pane in Network Utility to check whether the server at the specified IP address can receive packets from clients over the network e Check the name you assigned to the file server and m
156. the server Open Directory Administration Podcast Producer Administration Set up and manage directory and authentication services and configure clients to access directory services Set up and manage Podcast Producer service to record process and distribute podcasts Print Service Administration Host shared printers and manage their associated queues and print jobs QuickTime Streaming and Broadcasting Administration Capture and encode QuickTime content Set up and manage QuickTime streaming service to deliver media streams live or on demand Server Administration Perform advanced installation and setup of server software and manage options that apply to multiple services or to the server as a whole System Imaging and Software Update Administration Use NetBoot NetInstall and Software Update to automate the management of operating system and other software used by client computers Upgrading and Migrating Use data and service settings from an earlier version of Mac OS X Server or Windows NT Preface About This Guide 12 This guide tells you how to User Management Create and manage user accounts groups and computers Set up managed preferences for Mac OS X clients Web Technologies Administration Set up and manage web technologies including web blog webmail wiki MySQL PHP Ruby on Rails and WebDAV Xgrid Administration and High Set up and manage computatio
157. the triangle to the left of the server The list of services appears From the expanded Servers list select AFP Click Settings then click General Advertise the AFP share point using Bonjour by selecting Enable Bonjour registration This option lets clients browse for the share point using the Mac OS X Connect to Server command or the Mac OS 9 Network Browser For information about Service Location Protocol SLP and IP multicasting see Network Services Administration If you have Mac OS 8 and Mac OS 9 clients with special language needs choose the correct character set from the Encoding for older clients pop up menu When Mac OS 9 or earlier clients are connected the server converts file names from the system s UTF 8 character encoding to the chosen set This has no effect on Mac OS X client users Enter the message you want users to see in the Logon Greeting field The message does not appear when a user logs in to their home folder To prevent users from seeing the greeting repeatedly select Do not send same greeting twice to the same user Chapter 4 Working with AFP Service Click Save From the Command Line You can also change AFP service settings using the serveradmin command in Terminal or by changing the AFP preferences file For more information see the file services chapter of Command Line Administration Configuring Access Settings Use the Access pane of AFP Settings in Server Admin
158. these entries using Server Admin To remove a folder s inherited ACEs Open Server Admin and connect to the server Click File Sharing Click Share points and select the share point you want to update from the list Click Permissions below the list Chapter 3 Setting Up Share Points 5 ao uu A U N From the Action menu button gear choose Remove Inherited Entries Inherited ACEs appear dimmed unless you chose to make them explicit as described in Changing the Inherited ACEs for a Folder to Explicit on page 53 Click Save Server Admin removes the inherited ACEs From the Command Line You can also remove inherited ACEs using the chmod command in Terminal For more information see the file services chapter of Command Line Administration Changing the Inherited ACEs for a Folder to Explicit Inherited ACEs appear dimmed in the ACL of Server Admin and you can t edit them To change these ACEs for a folder change the inheritance to explicit To change the inherited ACEs of a folder to explicit Open Server Admin and connect to the server Click File Sharing Click Share points and select the share point you want to update from the list Click Permissions below the list From the Action menu button gear choose Make Inherited Entries Explicit Click Save Now you can edit the ACEs Propagating Permissions Server Admin enables you to specify what permissions to propagate to all descendant file
159. tion and playing of movies QuickTime Streaming Server See QTSS Samba Open source software that provides file print authentication authorization name resolution and network service browsing to Windows clients using the SMB protocol server A computer that provides services such as file service mail service or web service to other computers or network devices Server Message Block See SMB share point A folder hard disk or hard disk partition or optical disc that s accessible over the network A share point is the point of access at the top level of a group of shared items Share points can be shared using AFP SMB NFS an export or FTP short name An abbreviated name for a user The short name is used by Mac OS X for home folders authentication and email addresses single sign on An authentication strategy that relieves users from entering a name and password separately for every network service Mac OS X Server uses Kerberos to enable single sign on SLP DA Service Location Protocol Directory Agent A protocol that registers services available on a network and gives users easy access to them When a service is added to the network the service uses SLP to register itself on the network SLP DA uses a centralized repository for registered network services SMB Server Message Block A protocol that allows client computers to access files and network services It can be used over TCP IP the Internet and other network
160. tion of time to graph data for use the pop up menus To update the data in the graphs click the Refresh button below the Servers list Chapter 4 Working with AFP Service 73 74 a uu A WwW Viewing AFP Connections Use Server Admin to view the clients that are connected to the server through the AFP service To view AFP connections Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select AFP To see a list of connected users click Connections The list includes user name connection status user s IP address or domain name duration of connection and the time since the last data transfer idle time You can send a disconnect message to all client computers and stop the service by clicking Stop entering when the service will be stopped entering a message and clicking Send You can send a message to a user by selecting the user from the list clicking Send Message entering the message and clicking Send You can send a disconnect message to individual client computers and disconnect them from the server by clicking Disconnect entering when the user will be disconnected entering a message and clicking Send Important Disconnected users may lose unsaved changes in open files To update the list of connected users click the Refresh button below the Servers list Stopping AFP Service Use Server Admin to stop
161. to control client connections and guest access To configure AFP service Access settings Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select AFP Click Settings then click Access Choose the authentication method you want to use from the Authentication pop up menu Standard Kerberos or Any Method If necessary permit unregistered users to access AFP share points by selecting Enable Guest access Guest access is a convenient way to provide occasional users with access to files and other items but for better security don t select this option Note After you permit guest access for Apple file service in general you can still selectively enable or disable guest access for individual share points Enable an administrator to log in using a user s name with an administrator password and thereby experience AFP service as the user would by selecting Enable administrator to masquerade as any registered user Restrict the number of simultaneous client connections by clicking the button next to the Client Connections or Guest Connections field and enter a number The maximum number of simultaneous users is limited by the type of license you have For example if you have a 10 user license for your server a maximum of 10 users can connect at one time Select Unlimited if you do not want to restrict the maximum number
162. to view the active clients that are connected to the server through the NFS service To view NFS connections Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select NFS To see a list of active users click Connections The list includes the user name the user IP address or domain name the time since the last data transfer idle time NFS requests and the bytes read and written To update the list of connected users click the Refresh button below the Servers list Stopping NFS Service Use Server Admin to stop NFS service and disconnect users Users who are connected when you stop NFS service may lose unsaved changes in open files To stop NFS service after warning users Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select NFS Click Connections then see if users are connected to an NFS shared volume If you stop the service while users are connected your connected users may lose unsaved data Click Stop NFS From the Command Line You can also stop NFS service immediately using the serveradmin command in Terminal For more information see the file services chapter of Command Line Administration Chapter 6 Working with NFS Service 107 Viewing Current NFS Exports Use the Terminal application to view a l
163. ttings Use the General settings to select the server role and provide the description computer name and workgroup for the server To configure SMB General settings Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select SMB Click Settings then click General From the Role pop up menu set the Windows server role Choose Standalone Server if you want your server to provide SMB file and print services to users with accounts in the server local directory domain The server will not provide authentication services for Windows domain login on Windows computers This is the default Choose Domain Member if you want your server to provide Windows file and print services to users who log in to the Windows domain of a Mac OS X Server PDC or the Active Directory domain of a Windows server A domain member can host user profiles and network home folders for user accounts on the PDC or the Active Directory domain Choose Primary Domain Controller PDC if you want your server to host a Windows domain to store user group and computer records and to provide authentication for domain login and other services If no domain member server is available the PDC server can provide Windows file and print services and it can host user profiles and network home folders for users with user accounts on the PDC Choose Backup Dom
164. u may want to move folders and files to different locations before setting up the share point You may want to partition a disk into volumes so you can give each volume different access privileges or create folders that have different levels of access See Shared Information Organization on page 38 Step 3 Set up share points and set privileges When you designate an item to be a share point you also set its privileges You create share points and set privileges using File Sharing in Server Admin See Setting Up a Share Point on page 39 Chapter 3 Setting Up Share Points Step 4 Turn specific file services on For users to access share points you must turn on the required Mac OS X Server file services For example if you use Apple File Protocol with your share point you must turn on AFP service You can share an item using more than one protocol See Chapter 5 Working with SMB Service on page 93 Chapter 6 Working with NFS Service on page 103 or Chapter 7 Working with FTP Service on page 109 Before Setting Up a Share Point Before you set up a share point consider the following topics e Client privileges e File sharing protocols e Shared information organization e Security e Network home folders e Disk quotas Client Privileges Before you set up a share point you should understand how privileges for shared items work Determine which users need access to shared items and what permissions
165. uestions knowledge and advice with other administrators Apple Mailing Lists website www lists apple com subscribe to mailing lists so you can communicate with other administrators using email Apple Filing Protocol AFP website developer apple com documentation Networking Conceptual AFP manual describing AFP Samba website www samba org information about Samba the open source software on which SMB service in Mac OS X Server are based Common Internet File System CIFS website www ubiqx org cifs detailed description of how CIFS works File Transfer Protocol FTP website www fags org rfcs rfc959 html home of the FTP Request for Comments RFC document File Transfer Protocol TFTP website asg web cmu edu rfc rfc1350 html home of the TFTP RFC document Note RFC documents provide an overview of a protocol or service that can be helpful for novice administrators and more detailed technical information for experts You can search for RFC documents at www faqs org rfcs Preface About This Guide 13 14 Preface About This Guide Understanding File Services This chapter provides an overview of Mac OS X Server file services Mac OS X Server includes several file services that help you manage and maintain your shared network resources Understanding each service and its associated protocol helps you determine how to plan and configure your network for optimum performance and security Protocol Ove
166. urity assign None to Others To create a drop box using ACL permissions add two types of ACEs e If you want users to only copy items to a drop box but not see its contents add ACEs that deny them Administration and Read permissions and give only Traverse Folder Create File Write Data and Create Folder Append Data permissions e If you want users to have full control of the drop box add ACEs that give them full Administration Read Write and inheritable permissions For more information see Setting ACL Permissions on page 40 Click Save From the Command Line You can also set up a drop box using the mkdir and chmod commands in Terminal For more information see the file services chapter of Command Line Administration Chapter 3 Setting Up Share Points 57 58 Setting Up a Network Library Configuring a network library creates a repository on the network for shared information such as default configurations fonts images and other common resources A shared library is automatically mounted at Network Library and is accessible through Finder Guest access must be enabled to grant all users access to the network library All users or groups who are logged into the network with guest access will have access to this shared information and the network library becomes part of the default search path Access to the network library can be restricted using access controls To configure a network library Open Server Admin
167. us of Mac OS X Server devices and services To view NFS service status Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select NFS Click Overview The Overview pane tells you whether the service is running and whether nfsd portmap rpc lockd and rpc statd processes are running The nfsd process responds to all NFS protocol and mount protocol requests from client computers that have mounted folders The portmap process enables client computers to find nfs daemons always one process The rpc lockd daemon provides file and record locking services in an NFS environment The rpc statd daemon cooperates with rpc statd daemons on other hosts to provide a status monitoring service If a local NFS service quits unexpectedly and restarts the local rpc statd daemon notifies the hosts being monitored at the time the service quit To see a list of connected users click Connections The list includes the user name the user IP address or domain name the time since the last data transfer idle time NFS requests and the bytes read and written Chapter 6 Working with NFS Service From the Command Line You can also check the NFS service status using the ps nfsd status OF serveradmin commands in Terminal For more information see the file services chapter of Command Line Administration Viewing NFS Connections Use Server Admin
168. user s IP address or domain name duration of connection and the time since the last data transfer idle time From the Command Line You can also check the status of the AFP service process by using the ps or top commands in Terminal or by looking at the log files in Library Logs AppleFileService using the cat or tail command For more information see the file services chapter of Command Line Administration Viewing AFP Service Logs Use Server Admin to view the error and access logs for AFP service if you have enabled them To view logs Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select AFP Choose between access and error logs by clicking Logs then use the View pop up menu Use the Filter field in the upper right to search for specific entries From the Command Line You can also view AFP service logs in Library Logs AppleFileService using the cat or tail commands in Terminal For more information see the file services chapter of Command Line Administration Viewing AFP Graphs Use Server Admin to view AFP graphs To view AFP graphs Open Server Admin and connect to the server Click the triangle to the left of the server The list of services appears From the expanded Servers list select AFP To see graphs of connected users or throughput click Graphs To choose which graph to view and the dura
169. with FTP Service A Secure FTP Environment FTP Users The FTP Root Folder FTP User Environments On the Fly File Conversion Kerberos Authentication FTP Service Specifications Setup Overview Before Setting Up FTP Service Server Security and Anonymous Users Turning On FTP Service Setting Up FTP Service Configuring General Settings Configuring Greeting Messages Displaying Banner and Welcome Messages Displaying Messages Using message txt Files Using README Messages Configuring FTP Logging Settings Configuring FTP Advanced Settings Starting FTP Service Permitting Anonymous User Access Creating an Uploads Folder for Anonymous Users Changing the User Environment Changing the FTP Root Folder Managing FTP Service Checking FTP Service Status Viewing the FTP Service Log Viewing FTP Graphs Viewing FTP Connections Stopping FTP Service Solving Problems Problems with Share Points If Users Can t Access Shared Optical Media If Users Can t Access External Volumes Using Server Admin If Users Can t Find a Shared Item If Users Can t Open Their Home Folder If Users Can t Find a Volume or Folder to Use as a Share Point If Users Can t See the Contents of a Share Point Problems with AFP Service If Users Can t Find the AFP Server If Users Can t Connect to the AFP Server Contents Glossary Index 127 127 127 128 128 128 128 129 129 129 130 130 130 131 139 If Users Don t See the Login Greeting Problems with SMB Service If Windows U
170. xecutes in alphabetical order any script with the prefix PreAcg in the Library Failover IP_address folder PreAcq scripts prepares the backup server to acquire the IP address of the master server By default Mac OS X Server ships with a number of Preacg scripts but you can customize them or add you own The processFailover script configures the network interface to use the IP address of the master server The ProcessFailover script executes in alphabetical order any script with the prefix Postacq in the Library Failover IP_address folder PostAcg scripts run after the backup server acquires the master s IP address As with PreAcg scripts Mac OS X Server ships with a number of Postacg scripts But you can add your own For example a PostaAcq script can notify you an email that failover completed successfully For more information about failoverd NotifyFailover and ProcessFailover see the corresponding man page or the high availability chapter of the Command Line Administration guide Note It takes approximately 30 seconds for failover to complete Releasing Master Address Chain of Events When you trigger failback the following occurs on the backup server The failovera daemon instructs the NotifyFailover script located in usr libexec to notify the users listed in etc hostconfig If no recipient is specified a mail message is sent to the root user failoverd executes the processFailover script located in usr lib
171. xpanded Servers list select FTP Click Settings then click General To indicate the number of times users can try to connect before they are disconnected enter a number in Disconnect client after __ login failures To provide a contact for your users enter an email address following FTP administrator email address From the Authentication pop up menu choose an authentication method To limit the number of authenticated users who can connect to your server at the same time enter a number in the Allow a maximum of __ authenticated users field Authenticated users have accounts on the server You can view or add them using the Accounts module of Workgroup Manager To permit anonymous users to connect to the server select Enable anonymous access Important Before selecting this option review the privileges assigned to your share points under File Privileges in the Sharing pane to make sure there are no security holes Anonymous users can log in using the name ftp or anonymous They do not need a password to log in but they are prompted to enter their email addresses To limit the number of anonymous users who can connect to your server at the same time enter a number in the Allow a maximum of __ anonymous users field If you want to have files that have resource forks listed with a bin suffix so that clients can take advantage of automatic file conversion when transferring them select
172. y want to enlarge the printed pages even if you don t print double sided because the PDF page size is smaller than standard printer paper In the Print dialog or Page Setup dialog try changing Scale to 115 155 for Getting Started which has CD size pages Preface About This Guide Getting Documentation Updates Periodically Apple posts revised help pages and new editions of guides Some revised help pages update the latest editions of the guides To view new onscreen help topics for a server application make sure your server or administrator computer is connected to the Internet and click Latest help topics or Staying current in the main help page for the application To download the latest guides in PDF format go to the Mac OS X Server documentation website www apple com server documentation Getting Additional Information For more information consult these resources Read Me documents important updates and special information Look for them on the server discs Mac OS X Server website www apple com server macosx gateway to extensive product and technology information Mac OS X Server Support website www apple com support macosxserver access to hundreds of articles from Apple s support organization Apple Training website www apple com training instructor led and self paced courses for honing your server administration skills Apple Discussions website discussions apple com a way to share q
173. you want those users to have Permissions are described in Chapter 2 see Kinds of Permissions on page 20 File Sharing Protocols You also must know which protocols clients use to access the share points In general you should set up unique share points for each type of client and share them using a single protocol e Mac OS clients Apple Filing Protocol AFP e Windows clients Server Message Block SMB e UNIX clients Network File System NFS FTP clients File Transfer Protocol FTP Note With unified locking applications can use locks to coordinate access to files even when using different protocols This permits users working on multiple platforms to share files across AFP SMB and NFS protocols without worrying about file corruption caused by locking issues between protocols In some cases you might want to share an item using more than one protocol For example Mac OS and Windows users might want to share graphics or word processing files that either file protocol can use If so you can create a single share point that supports both platforms Chapter 3 Setting Up Share Points 37 38 Conversely you might want to set up share points that support a single protocol even though you have different kinds of clients For example if most of your clients are UNIX users and only a few are Mac OS clients you may want to share items using only NFS to keep your setup simple However keep in mind that NFS doesn
Download Pdf Manuals
Related Search