The owner or authorized user of a valid copy of
Mac OS X Server software may reproduce this
publication for the purpose of learning to use such
software. No part of this publication may be reproduced
or transmitted for commercial purposes, such as selling
copies of this publication or for providing paid-for
support services.
The Apple logo is a trademark of Apple Computer, Inc.,
registered in the U.S. and other countries. Use of the
“keyboard” Apple logo (Option-Shift-K) for commercial
purposes without the prior written consent of Apple
may constitute trademark infringement and unfair
competition in violation of federal and state laws.
Apple, the Apple logo, AppleScript, AppleShare,
AppleTalk, ColorSync, FireWire, Keychain, Mac,
Macintosh, Power Macintosh, QuickTime, Sherlock, and
WebObjects are trademarks of Apple Computer, Inc.,
registered in the U.S. and other countries. AirPort,
Extensions Manager, Finder, iMac, and Power Mac are
trademarks of Apple Computer, Inc.
Adobe and PostScript are trademarks of Adobe Systems
Incorporated.
Java and all Java-based trademarks and logos are
trademarks or registered trademarks of Sun
Microsystems, Inc. in the U.S. and other countries.
UNIX is a registered trademark in the United States and
other countries, licensed exclusively through
X/Open Company, Ltd.
034-2346/09-20-03
Contents
Chapter 1 About File Services
Overview
Privileges
Explicit Privileges
The User Categories Owner, Group, and Everyone
Hierarchy of Privileges
Client Users and Privileges
Privileges in the Mac OS X Environment
Customizing the Mac OS X Network Globe
Share Points in the Network Globe
Adding System Resources to the Network Library Folder
Security Considerations
Restricting Access for Unregistered Users (Guests)
For More Information About File Services
Chapter 2 Setting Up Share Points
Overview
Before You Begin
Consider the Privileges Your Clients Need
Decide on Which Protocols to Use
Organize Your Shared Information
For Your Windows Users
Consider Security
Share Points for Network Home Directories
Disk Quotas
Setup Overview
Setting Up a Share Point
Creating a Share Point and Setting Privileges
Changing Apple File Settings for a Share Point
Changing Windows (SMB) Settings for a Share Point
Changing FTP Settings for a Share Point
Setting Up an NFS Share Point
Resharing NFS Mounts as AFP Share Points
Automatically Mounting Share Points for Clients
Managing Share Points
Disabling a Share Point
Disabling a Protocol for a Share Point
Viewing Share Points
Copying Privileges to Enclosed Items
Viewing Share Point Settings
Changing Share Point Owner and Privilege Settings
Changing the Protocols Used by a Share Point
Changing NFS Share Point Client Scope
Allowing Guest Access to a Share Point
Setting Up a Drop Box
Using Workgroup Manager With Mac OS X Server Version 10.1.5
Kerberos Authentication
Automatic Reconnect
Find By Content
AppleTalk Support
Apple File Service Specifications
Setting Up AFP Service
Changing General Settings
Changing Access Settings
Changing Logging Settings
Changing Idle User Settings
Starting AFP Service
Managing AFP Service
Checking Service Status
Viewing Service Logs
Stopping Apple File Service
Enabling NSL and Rendezvous Browsing
Enabling AppleTalk Browsing
Limiting Connections
Keeping an Access Log
Archiving AFP Service Logs
Disconnecting a User
Disconnecting Idle Users Automatically
Sending a Message to a User
Allowing Guest Access
Creating a Login Greeting
Supporting AFP Clients
Mac OS X Clients
Mac OS 8 and Mac OS 9 Clients
Chapter 4 Windows Service
General Information
Windows File Services Specifications
Before You Set Up Windows Services
Ensuring the Best Cross-Platform Experience
Windows User Password Validation
Setting Up Windows Services
Changing General Settings
Changing Access Settings
Changing Logging Settings
Changing Advanced Settings
Starting Windows Service
Managing Windows Services
Stopping Windows Services
Changing the Windows Server Name
Changing the Workgroup
Checking Service Status
Registering with a WINS Server
Enabling Domain Browsing
Limiting Connections
Allowing Guest Access
Choosing What to Record in the Log
Disconnecting a User
Supporting Windows Clients
TCP/IP
Connecting to the Server Using Network Neighborhood
Connecting to the Server by Name or Address in Windows
Chapter 5 NFS Service
Overview
Before You Set Up NFS Service
Security Considerations
Setup Overview
Setting Up NFS Service
Configuring NFS Settings
Managing NFS Service
Starting and Stopping NFS Service
Viewing NFS Service Status
Viewing Current NFS Exports
Chapter 6 FTP Service
Overview
A Secure FTP Environment
FTP Users
FTP User Environments
On-the-Fly File Conversion
Kerberos Authentication
FTP service specifications
Before You Set Up FTP Service
Server Security and Anonymous Users
Setup Overview
Setting Up File Transfer Protocol (FTP) Service
Changing General Settings
Changing the Greeting Messages
Choosing Logging Options
Changing Advanced Settings
Creating an Uploads Folder for Anonymous Users
Starting FTP Service
Managing FTP Service
Stopping FTP Service
Allowing Anonymous User Access
Changing the User Environment
Changing the FTP Root Directory
Viewing the Log
Displaying Banner and Welcome Messages
Displaying Messages Using message.txt Files
Using README Messages
Chapter 7 Solving Problems
General Problems
Users Can’t Access a CD-ROM Disc
Users Can’t Find a Shared Item
Users Can’t See the Contents of a Share Point
You Can’t Find a Volume or Directory to Use as a Share Point
Solving Problems With Apple File Service
User Can’t Find the Apple File Server
User Can’t Connect to the Apple File Server
User Doesn’t See Login Greeting
Solving Problems With Windows Services
User Can’t See the Windows Server in the Network Neighborhood
User Can’t Log in to the Windows Server
Solving Problems With File Transfer Protocol (FTP)
FTP Connections Are Refused
Clients Can’t Connect to the FTP Server
Anonymous FTP Users Can’t Connect
Solving Problems With Home Directories
Users Can’t Open Their Home Directories
Glossary
Index
Chapter 1 About File Services
This chapter gives an overview of Mac OS X Server file
services, important concepts, and related security issues.
Overview
File services let clients of the Mac OS X Server access shared files, applications, and
other resources over a network.
Mac OS X Server includes file services based on four common protocols:
• AFP service uses the Apple Filing Protocol (AFP) to share resources with clients who
use Macintosh or Macintosh-compatible computers.
• Windows service uses the Server Message Block (SMB) protocol to share resources
with and provide name resolution for clients who use Windows or Windows-compatible computers.
• FTP service uses the File Transfer Protocol to share files with anyone using FTP client
software.
• NFS service uses the Network File System to share files and folders with users
(typically UNIX users) who have NFS client software.
You can use the following Mac OS X Server applications to set up and manage file
services:
• Server Admin: Use to turn on and configure individual file services for each protocol
• Workgroup Manager: Use to create share points and set access privileges
You can also perform most setup and management tasks by typing commands at a
command prompt in Terminal. For more information, see the file services chapter of the
command-line administration guide.
Privileges
Privileges specify the type of access users have to shared items. There are four types of
access privileges you can assign to a share point, folder, or file: Read & Write, Read
Only, Write Only, and None. The table below shows how the privileges affect user
access to different types of shared items (files, folders, and share points).
Users can                                          Read & Write   Read Only   Write Only   None
Open a shared file                                 Yes            Yes         No           No
Copy a shared file                                 Yes            Yes         No           No
Open a shared folder or share point                Yes            Yes         No           No
Copy a shared folder or share point                Yes            Yes         No           No
Edit a shared file’s contents                      Yes            No          No           No
Move items into a shared folder or share point     Yes            No          Yes          No
Move items out of a shared folder or share point   Yes            No          No           No
You can assign everyone but its owner Write Only privileges to a folder to create a drop
box. The folder’s owner can see and modify the drop box’s contents. Everyone else can
only copy files and folders into the drop box, without seeing what it contains.
Note: QuickTime Streaming Server and WebDAV have separate privileges settings. For
information about QTSS, refer to the QTSS online help and the QuickTime website
(www.apple.com/quicktime/products/qtss/). You’ll find information about Web
privileges in the Web technologies administration guide.
Explicit Privileges
Share points and the shared items they contain (including both folders and files) have
separate privileges. If you move an item to a different folder, it retains its own privileges
and doesn’t automatically adopt the privileges of the folder where you moved it. In the
following illustration, the second folder (Designs) and the third folder (Documents)
were assigned privileges that are different from those of their parent folders:
[Illustration: nested folders Engineering, Designs, and Documents, labeled Read & Write, Read Only, and Read & Write]
You can also set up an AFP or SMB share point so that new files and folders inherit the
privileges of their parent folder. See “Changing Apple File Settings for a Share Point” on
page 23 or “Changing Windows (SMB) Settings for a Share Point” on page 24.
The User Categories Owner, Group, and Everyone
You can assign access privileges separately to three categories of users:
Owner
A user who creates a new item (file or folder) on the file server is its owner and
automatically has Read & Write privileges for that folder. By default, the owner of an
item and the server administrator are the only users who can change its access
privileges, that is, allow a group or everyone to use the item. The administrator can also
transfer ownership of the shared item to another user.
Note: When you copy an item to a drop box on an Apple file server, ownership of that
item is transferred to the owner of the drop box. This is done because only the owner
of the drop box has access to items copied to it.
Group
You can put users who need the same access to files and folders into group accounts.
Only one group can be assigned access privileges to a shared item. For more
information on creating groups, see the user management guide.
Everyone
Everyone is any user who can log in to the file server: registered users and guests.
Hierarchy of Privileges
If a user is included in more than one category of users, each of which has different
privileges, these rules apply:
• Group privileges override Everyone privileges.
• Owner privileges override Group privileges.
For example, when a user is both the owner of a shared item and a member of the
group assigned to it, the user has the privileges assigned to the owner.
Client Users and Privileges
Users of AppleShare Client software can set access privileges for files and folders they
own. Windows file sharing users can set folder properties, but not privileges.
Privileges in the Mac OS X Environment
If you’re new to Mac OS X and are not familiar with UNIX, it’s important to know that
there are some differences in the way ownership and privileges are handled compared
to Mac OS 9.
To increase security and reliability, Mac OS X sets many system directories, such as
/Library, to be owned by the root user (literally, a user named “root”). Files and folders
owned by root can’t be changed or deleted by you unless you’re logged in as the root
user. Be careful: there are few restrictions on what you can do when you log in as the
root user, and changing system data can cause problems.
Files and folders are, by default, owned by the user who creates them. After they’re
created, items keep their privileges even when moved, unless the privileges are
explicitly changed by their owners or an administrator.
Therefore, new files and folders you create are not accessible by client users if they are
created in a folder for which the users do not have privileges. When setting up share
points, make sure that items allow appropriate access privileges for the users with
whom you want to share them.
Customizing the Mac OS X Network Globe
The Network globe you find at the top level of a Mac OS X Finder window contains
shared network resources. You can customize the contents of the Network globe to suit
your clients by setting up automatically-mounting share points. You can provide
automatic access to system resources such as fonts and preferences by automatically
mounting share points containing them in specific directory locations.
Share Points in the Network Globe
The Network globe on OS X clients represents the /Network directory. By default, the
Network globe contains at least these folders:
• Applications
• Library
• Servers
You can mount share points into any of these folders. See “Automatically Mounting
Share Points for Clients” on page 29 for instructions.
Additional servers and shared items are added as they are discovered on your network.
Adding System Resources to the Network Library Folder
The Library folder in the Network globe is included in the system search path. This
gives you the ability to make available, over the network, any type of system resource
usually found in the local Library folder. These resources could include fonts,
application preferences, ColorSync profiles, desktop pictures, and so forth. You can use
this capability to customize your managed client environment.
For example, suppose you wish to have a specific set of fonts available to each user in a
given Open Directory domain. You would create a share point containing the desired
fonts and then set the share point to mount automatically as a shared library in
/Network/Library/Fonts on client machines. See “Automatically Mounting Share Points
for Clients” on page 29 for more information.
Security Considerations
Security of your data and your network is critical. The most effective method of
securing your network is to assign appropriate privileges for each file, folder, and share
point as you create it.
Be careful when creating and granting access to share points, especially if you’re
connected to the Internet. Granting access to Everyone, or to World (in NFS service),
could potentially expose your data to anyone on the Internet.
NFS share points don’t have the same level of security as AFP and SMB, which require
user authentication (typing a user name and password) to gain access to a share point’s
contents. If you have NFS clients, you may want to set up a share point to be used only
by NFS users.
Restricting Access for Unregistered Users (Guests)
When you configure any file service, you have the option of turning on guest access.
Guests are users who can connect to the server anonymously without entering a valid
user name or password. Users who connect anonymously are restricted to files and
folders with privileges set to Everyone.
To protect your information from unauthorized access, and to prevent people from
introducing software that might damage your information or equipment, you can take
these precautions using the Sharing module of Workgroup Manager:
• Share individual folders instead of entire volumes. The folders should contain only
those items you want to share.
• Set privileges for Everyone to None for files and folders that guest users shouldn’t
access. Items with this privilege setting can be accessed only by the item’s owner or
group.
• Put all files available to guests in one folder or set of folders. Assign the Read Only
privilege to the Everyone category for that folder and each file within it.
• Assign Read & Write privileges to the Everyone category for a folder only if guests
must be able to change or add items in the folder. Make sure you keep a backup
copy of information in this folder.
• Check folders frequently for changes and additions and use a virus-protection
program regularly to check the server for viruses.
• Disable anonymous FTP access using the FTP service settings in Server Admin.
• Don’t export NFS volumes to World. Restrict NFS exports to a subnet or a specific list
of computers.
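The privilege hierarchy and the guest precautions above can be checked mechanically. The following Python sketch is an added example, not part of this guide or of any Apple tool; it assumes the four privilege names correspond to the POSIX read/write bits of the owner, group, and other categories, and it audits a constructed sample share point.

```python
import os
import stat
import tempfile

# Assumption: each privilege name corresponds to the POSIX read/write bits
# of one category (owner, group, other = Everyone).
NAMES = {(True, True): "Read & Write", (True, False): "Read Only",
         (False, True): "Write Only", (False, False): "None"}
CATEGORY_BITS = {
    "Owner": (stat.S_IRUSR, stat.S_IWUSR),
    "Group": (stat.S_IRGRP, stat.S_IWGRP),
    "Everyone": (stat.S_IROTH, stat.S_IWOTH),
}

def category_privileges(mode):
    """Name the privilege each category holds for a given file mode."""
    return {cat: NAMES[(bool(mode & r), bool(mode & w))]
            for cat, (r, w) in CATEGORY_BITS.items()}

def effective_privilege(mode, is_owner, in_group):
    """Owner privileges override Group, and Group overrides Everyone."""
    privs = category_privileges(mode)
    if is_owner:
        return privs["Owner"]
    if in_group:
        return privs["Group"]
    return privs["Everyone"]

def audit_guest_exposure(root):
    """List every item under root whose Everyone privilege is not None."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in sorted(paths):
        st = os.lstat(path)
        everyone = category_privileges(st.st_mode)["Everyone"]
        if everyone == "None":
            continue  # reachable only by the owner or group
        if everyone == "Read & Write":
            note = "guests can change or add items"
        elif everyone == "Read Only":
            note = "guests can read"
        elif stat.S_ISDIR(st.st_mode):
            note = "drop box"
        else:
            note = "write-only file"
        findings.append((os.path.relpath(path, root), everyone, note))
    return findings

def build_sample_share(base):
    """Create a constructed sample share point (not taken from the guide)."""
    root = os.path.join(base, "share")
    layout = [  # (relative path, is a folder, mode)
        ("", True, 0o755),
        ("public", True, 0o755),
        ("public/readme.txt", False, 0o644),
        ("dropbox", True, 0o733),
        ("private", True, 0o750),
        ("private/plan.txt", False, 0o640),
        ("scratch", True, 0o777),
    ]
    for rel, is_dir, mode in layout:
        path = os.path.join(root, rel) if rel else root
        if is_dir:
            os.mkdir(path)
        else:
            open(path, "w").close()
        os.chmod(path, mode)  # set explicitly so the umask does not interfere
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for row in audit_guest_exposure(build_sample_share(base)):
            print(row)
```

Items under "private" do not appear in the report because their Everyone privilege is None; "scratch" is the entry to review first.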
For More Information About File Services
For more information about the protocols used by file services, see these resources:
• Apple Filing Protocol (AFP): www.apple.com/developer/
• Server Message Block (SMB) protocol (for Windows file services): www.samba.org
• FTP: You can find a Request for Comments (RFC) document about FTP at
www.faqs.org/rfcs/rfc959.html. To obtain the UNIX manual pages for FTP, open the
Terminal application in Mac OS X. At the prompt, type man ftp and press Return.
• NFS: Search the Web for “Network File System”
RFC documents provide an overview of a protocol or service that can be helpful for
novice administrators, as well as more detailed technical information for experts. You
can search for RFC documents by number at this website: www.faqs.org/rfcs.
Chapter 2 Setting Up Share Points
This chapter shows how to share specific volumes and
directories via the AFP, SMB, FTP, and NFS protocols.
Overview
You use the Sharing module of Workgroup Manager to share information with clients
of the Mac OS X Server and control access to shared information by assigning access
privileges.
To share individual folders or entire volumes that reside on the server, you set up share
points. A share point is a folder, hard disk, hard disk partition, CD, or DVD that you
make accessible over the network. It’s the point of access at the top level of a hierarchy
of shared items. Users with privileges to access share points see them as volumes
mounted on their desktops or in their Finder windows.
Before You Begin
Consider the following topics before you set up a share point.
Consider the Privileges Your Clients Need
Before you set up a share point, you need to understand how privileges for shared
items work. Consider which users need access to shared items and what type of
privileges you want those users to have. Privileges are described in Chapter 1 (see
“Privileges” on page 10).
Decide on Which Protocols to Use
You also need to know which protocols clients will use to access the share points. In
general, you will want to set up unique share points for each type of client and share
each using a single protocol:
• Mac OS clients—Apple Filing Protocol (AFP)
• Windows clients—Server Message Block (SMB)
• UNIX clients—Network File System (NFS)
• FTP clients—File Transfer Protocol (FTP)
In some cases you might want to share an item using more than one protocol. For
example, Mac OS and Windows users might want to share graphics or word processing
files that can be used on either platform. In a case such as this, you can create a single
share point that supports users of both platforms.
Conversely, you might want to set up share points using a single protocol even though
you have different kinds of clients. For example, if most of your clients are UNIX users
and just a few are Mac OS clients, you may want to share items using only NFS to keep
your setup simple. Keep in mind, however, that NFS doesn’t provide many AFP features
that Mac OS users are accustomed to, such as performance optimization or quick file
searching.
Organize Your Shared Information
Once you have created share points, users will start to form “mental maps” of the
organization of the share points and the items they contain. Changing share points and
moving information around can cause confusion. If you can, organize shared
information before you set up the share points. This is especially important if you’re
setting up network home directories.
For Your Windows Users
If you share applications or documents that are exclusively for Windows users, you can
set up an SMB share point to be used only by them. This provides a single point of
access for your Windows users and lets them take advantage of both opportunistic and
strict file locking.
Opportunistic Locking (oplocks)
SMB share points in Mac OS X Server support the improved performance offered by
opportunistic locking (“oplocks”).
In general, file locking prevents multiple clients from modifying the same information
at the same time; a client locks the file or part of the file to gain exclusive access.
Opportunistic locking grants this exclusive access but also allows the client to cache its
changes locally (on the client computer) for improved performance.
To enable oplocks, you change the Windows protocol settings for a share point using
Workgroup Manager.
Important: Do not enable oplocks for a share point that’s using any protocol other
than SMB.
Strict Locking
It’s normally the responsibility of a client application to see if a file is locked before it
tries to open it. A poorly written application may fail to check for locks, and could
corrupt a file already being used by someone else.
Strict locking, which is enabled by default, helps prevent this. When strict locking is
enabled, the SMB server itself checks for and enforces file locks.
Consider Security
Review the issues discussed in “Security Considerations” on page 14.
Share Points for Network Home Directories
If you’re setting up a share point on your server to store user home directories, keep
these points in mind:
• There’s a share point named Users already set up when you install Mac OS X Server
that you can use for home directories.
• Make sure you set the Network Mount settings for the share point to indicate that it’s
used for user home directories.
• Make sure you create the share point in the same Open Directory domain as your
user accounts.
Disk Quotas
You can limit the disk space a user’s home directory can occupy by setting a quota on
the Home pane of the user’s account settings in Workgroup Manager.
To set space quotas for other share points, you must use the command line. See the file
services chapter of the command-line administration guide.
Setup Overview
You use the Sharing module of Workgroup Manager to create share points and set
privileges for them.
Here is an overview of the basic steps for setting up share points:
Step 1: Read “Before You Begin”
Read “Before You Begin” on page 17 for issues you should consider before sharing
information on your network.
Step 2: Locate or create the information you want to share
Decide which volumes, partitions, or folders you want to share. You may want to move
folders and files to different locations before setting up the share point. You may want
to partition a disk into volumes so you can give each volume different access privileges
or create folders that will have different levels of access. See “Organize Your Shared
Information” on page 18.
Step 3: Set up share points and set privileges
When you designate an item to be a share point, you set its privileges at the same time.
You create share points and set privileges in the Sharing module of Workgroup
Manager. See “Setting Up a Share Point” on page 21.
Step 4: Turn specific file services on
For users to access share points, you must turn on the required Mac OS X Server file
services. For example, if you use Apple Filing Protocol with your share point, you must
turn on AFP service. You can share an item using more than one protocol. See
Chapter 3, “AFP Service,” on page 37, Chapter 4, “Windows Service,” on page 55,
Chapter 5, “NFS Service,” on page 69, or Chapter 6, “FTP Service,” on page 75.
Setting Up a Share Point
This section describes:
• How to create share points
• How to set share point access privileges
• How to share using specific protocols (AFP, SMB, FTP, or NFS)
• How to automatically mount share points on clients’ desktops
You use Workgroup Manager to accomplish these tasks.
See “Managing Share Points” on page 30 for additional tasks that you might perform
after you have set up sharing on your server.
Creating a Share Point and Setting Privileges
You use the Sharing module of Workgroup Manager to share volumes (including disks,
CDs and DVDs), partitions, and individual folders by setting up share points.
Note: Don’t use a slash (/) in the name of a folder or volume you plan to share. Users
trying to access the share point might have trouble seeing it.
To create a share point and set privileges:
1 Open Workgroup Manager and click Sharing.
2 Click All and select the item you want to share.
3 Click General.
4 Select “Share this item and its contents.”
5 To control who has access to the share point, change the owner or group of the shared
item. Type names or drag names from the Users & Groups drawer.
To open the drawer, click Users & Groups. If you don’t see a recently created user or
group, click Refresh. To change the autorefresh interval, choose Workgroup Manager >
Preferences.
6 Use the pop-up menus next to the fields to change the privileges for the Owner, Group,
and Everyone.
Everyone is any user who can log in to the file server: registered users and guests.
7 (Optional) To apply the ownership and privileges of the share point to all files and
folders it contains, click Copy. This overrides privileges that other users may have set.
8 Click Save.
The new share point is shared using the AFP, SMB, and FTP protocols, but not NFS.
To change protocol settings, stop sharing via a particular protocol, or export the share
point using NFS, click Protocol and choose the protocol from the pop-up menu.
Settings specific to each protocol are described in the following sections.
From the Command Line
You can also set up a share point using the sharing command in Terminal. For more
information, see the file services chapter of the command-line administration guide.
Changing Apple File Settings for a Share Point
You can use Workgroup Manager to choose whether a share point is available via AFP
and to change settings such as the share point name that AFP clients see, whether
guest access is allowed, or the permissions model for new items.
The default settings for a new share point should make it readily accessible to
Mac OS 8, Mac OS 9, and Mac OS X clients.
To change the settings of an AFP share point:
1 Open Workgroup Manager and click Sharing.
2 Click Share Points and select the share point.
3 Click Protocols and choose Apple File Settings from the pop-up menu.
4 To provide AFP access to the share point, select “Share this item using AFP.”
5 To allow unregistered users to access the share point, select “Allow AFP guest access.”
For greater security, do not select this item.
6 To change the name that clients see when they browse for and connect to the share
point using AFP, type a name in the “Custom AFP name” field.
Changing the custom AFP name does not affect the name of the share point itself, only
the name that AFP clients see.
7 Choose a default permissions option for new files and folders.
To have new or copied items keep their original privileges while inheriting the user and
group ID of the user who creates or copies them, select “Use Standard UNIX behavior.”
To have new or copied items adopt the privileges of the enclosing folder, select “Inherit
permissions from parent.”
Note: Do not select the “Inherit permissions” option for share points that contain home
directories.
8 Click Save.
From the Command Line
You can also change AFP settings for a share point using the sharing command in
Terminal. For more information, see the file services chapter of the command-line
administration guide.
Changing Windows (SMB) Settings for a Share Point
You can use Workgroup Manager to set whether a share point is available via SMB and
to change settings such as the share point name that SMB clients see, whether guest
access is allowed, whether opportunistic locking is allowed, and the default privileges
for new items.
To change the settings of an SMB share point:
1 Open Workgroup Manager and click Sharing.
2 Click Share Points and select the share point.
3 Click Protocols (on the right) and choose Windows File Settings from the pop-up menu.
4 To provide SMB access to the share point, select “Share this item using SMB.”
5 To allow unregistered users access to the share point, select “Allow SMB guest access.”
For greater security, don’t select this item.
6 To change the name that clients see when they browse for and connect to the share
point using SMB, type a new name in the “Custom SMB name” field.
Changing the custom SMB name doesn’t affect the name of the share point itself, only
the name that SMB clients see.
7 To allow clients to use opportunistic file locking, select “Enable oplock.”
To have clients use standard locks on server files, select “Enable strict locking.”
For more information on oplocks, see “Opportunistic Locking (oplocks)” on page 19.
8 Choose a method for assigning default access privileges for new files and folders in the
share point.
To have new items adopt the privileges of the enclosing item, select “Inherit
permissions from parent.”
To assign specific privileges, select “Assign as follows” and set the Owner, Group, and
Everyone privileges using the pop-up menus.
9 Click Save.
From the Command Line
You can also change a share point’s SMB settings using the sharing command in
Terminal. For more information, see the file services chapter of the command-line
administration guide.
Changing FTP Settings for a Share Point
You can use Workgroup Manager to set whether a share point is available via FTP and
to change settings such as whether guest access is allowed and the share point name
that FTP clients see.
To change the settings of an FTP share point:
1 Open Workgroup Manager and click Sharing.
2 Click Share Points and select the share point.
3 Click Protocols and choose FTP Settings from the pop-up menu.
4 To make the share point available to FTP clients, select “Share this item using FTP.”
5 Select “Allow FTP guest access” to allow anonymous FTP users to open this item.
For greater security, don’t select this item.
6 To change the name clients see when they browse for and connect to the share point
using FTP, type a new name in the “Custom FTP name” field.
Changing the custom FTP name doesn’t affect the name of the share point itself, only
the name that FTP clients use.
7 Click Save.
From the Command Line
You can also change a share point’s FTP settings using the sharing command in
Terminal. For more information, see the file services chapter of the command-line
administration guide.
Setting Up an NFS Share Point
You can use NFS to export share points to UNIX clients. (Export is the NFS term for
sharing.)
Note: Don’t use spaces or slashes (/) in the name of a share point you plan to export
using NFS. Spaces and slashes in volume names can cause access problems for NFS
clients. If you must use spaces in the name of an NFS share point, use NetInfo Manager
to “escape” the spaces in the export record in NetInfo (that is, precede the spaces with a
backslash “\”). For example, you would have to change “/folder1/folder two” to
“/folder1/folder\ two”.
To configure an NFS share point:
1 Open Workgroup Manager and click Sharing.
2 Click Share Points and select the share point.
3 Click Protocols and choose NFS Export Settings from the pop-up menu.
4 Select “Export this item and its contents to” and choose an audience from the pop-up
menu.
To limit clients to specific computers, choose “Client” and click Add to specify the IP
addresses of computers that can access the share point.
To limit clients to the entire subnet, choose “Subnet” and type the IP address and
subnet mask for the subnet.
Important: Make sure that the subnet address you enter is the actual IP network
address that corresponds to the subnet mask you chose (not just one of the client
addresses). Otherwise, your clients will be unable to access the share point.
A network calculator can help you select the subnet address and mask for the range of
client addresses you want to serve, and you should use one to validate your final
address/mask combination. Calculators are available on the Web; use Sherlock or
Google to search for “subnet calculator.”
For example, suppose you want to export to clients that have IP addresses in the range
192.168.100.50 through 192.168.100.120. Using a subnet calculator, you can discover that
the mask 255.255.255.128 applied to any address in this range defines a subnet with
network address 192.168.100.0 and a range of usable IP addresses from 192.168.100.1
through 192.168.100.126, which includes the desired client addresses. So, in Workgroup
Manager you enter subnet address 192.168.100.0 and subnet mask 255.255.255.128 in the
NFS Export Settings for the share point.
To allow unlimited (and unauthenticated) access to the share point, choose “World.”
Note: If you export more than one NFS share point to “World,” only the last export is
available to clients. Don’t create more than one NFS world export on a single server
volume.
5 Select “Map Root user to nobody” if you want the root user on a remote client to have
only minimal privileges to read, write, and execute commands.
6 Select “Map All users to nobody” if you want all users to have minimal privileges to
read, write, and execute.
7 Select “Read-only” if you don’t want client users to be able to modify the contents of
the shared item in any way.
8 Click Save.
File and file range locking (standard POSIX advisory locks) are enabled by default for
NFS share points in Mac OS X Server.
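The subnet check described in step 4, as an added example that is not part of the original guide: this Python sketch uses the standard ipaddress module to derive the smallest subnet covering a client range, confirm that the address entered is the actual network address for the mask, and count how many addresses outside the intended range the export would also admit. The function names are hypothetical; the addresses are the ones used in the guide's example.

```python
import ipaddress


def covering_subnet(first, last):
    """Return the smallest single subnet that contains first..last."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("first address is above last address")
    host_bits = (lo ^ hi).bit_length()  # low bits in which the two ends differ
    base = (lo >> host_bits) << host_bits  # clear the host bits
    return ipaddress.IPv4Network((base, 32 - host_bits))


def check_export(subnet_addr, mask, first, last):
    """Validate an address/mask pair against the intended client range.

    Hypothetical helper; assumes a mask of /30 or shorter so that the
    network and broadcast addresses are distinct from the usable hosts.
    """
    iface = ipaddress.IPv4Interface(f"{subnet_addr}/{mask}")
    net = iface.network
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    wanted = int(hi) - int(lo) + 1
    covers = lo in net and hi in net
    return {
        # False means a client address was entered instead of the network address
        "is_network_address": iface.ip == net.network_address,
        "network_address": str(net.network_address),
        "covers_range": covers,
        "usable": (str(net[1]), str(net[-2])),
        # Hosts that can reach the export although they are outside the range
        "extra_hosts": (net.num_addresses - 2 - wanted) if covers else None,
    }


if __name__ == "__main__":
    first, last = "192.168.100.50", "192.168.100.120"  # range from the guide
    net = covering_subnet(first, last)
    print("enter subnet", net.network_address, "mask", net.netmask)
    print(check_export(str(net.network_address), str(net.netmask), first, last))
    # A client address with the same mask fails the network-address check
    print(check_export("192.168.100.50", "255.255.255.128", first, last))
```

For the guide's range, the mask also admits addresses that were not in the intended range; where that matters, the "Client" option limits the export to specific computers instead.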
From the Command Line
You can also set up an NFS share point by using the niutil command in Terminal to
add an entry to the NetInfo /exports directory. For more information, see the file
services chapter of the command-line administration guide.
Resharing NFS Mounts as AFP Share Points
Resharing NFS mounts (NFS volumes that have been exported to the Mac OS X Server)
as AFP share points allows clients to access NFS volumes using the secure
authentication of an AFP connection. Resharing NFS mounts also allows Mac OS 9
clients to access NFS file services on traditional UNIX networks.
Note: Quotas set on the original NFS export are not enforced on the AFP reshare.
To reshare an NFS mount as an AFP share point:
1 On the NFS server that’s exporting the original share, make sure the NFS export maps
root-to-root so that AFP (which runs as root) can access the files for the clients. Restrict
the export to the single AFP server (seen as the client to the NFS server). For even
greater security, you can set up a private network for the AFP-to-NFS connection.
2 On the AFP server, create a directory named nfs_reshares at the root level of the file
system. Log in to Terminal as admin and use the command:
sudo mkdir /nfs_reshares
The nfs_reshares directory will work with default permissions, but at a minimum must
allow read/write for root so that the exports can be mounted there and accessed by
the AFP server.
3 Create a subdirectory in the /nfs_reshares directory for each NFS volume you want to
reshare. In Terminal, while logged in as admin, use the command:
sudo mkdir /nfs_reshares/<local mount name>
Replace <local mount name> with the name of the volume as you want it to appear
to AFP clients.
4 On the AFP server, create a mount record that mounts the reshared volume in the
/nfs_reshares directory.
a Open NetInfo Manager, select mounts in the directory browser window, click the lock
at the lower left corner of the window and enter your administrator password.
Note: To authenticate in NetInfo Manager, you must use an administrator account
with a basic password. NetInfo Manager can’t authenticate an administrator account
that uses Password Server.
b Select New Subdirectory from the Directory menu. The new mount record is named
new_directory. Edit the name property and add two new properties following this
format:
name: <nfsservername>:<nfs export path>
vfstype: nfs
dir: /nfs_reshares/<local mount name>
For example, a mount record to reshare as “myshare” an NFS volume located on a
server named “server” at the path /test/lab1 would have the following properties:
6 Use the Sharing module in Workgroup Manager to share the NFS mounts as AFP share
points. The NFS mounts appear as normal volumes in the All list. (You can also share
the NFS mounts using SMB and FTP, but it’s recommended that you use only AFP.) You
can change privileges and ownership, but not enable quotas (quotas work only on
local volumes). However, if quotas are enabled on the NFS server, they should apply to
the reshared volume as well.
Automatically Mounting Share Points for Clients
You can mount share points automatically on client computers using network mounts.
You can automatically mount AFP or NFS share points. When you set a share point to
automatically mount, a mount record is created in the Open Directory database. Be
sure you create these records in the same shared domain in which the user and
computer records exist.
Note: All users have guest access to network-mounted AFP share points. Authenticated
access is only allowed for a user’s own home directory or if you have Kerberos set up to
support single signon.
To set up a network mount:
1 Open Workgroup Manager and click Sharing.
2 Click Share Points and select the share point.
3 Click Network Mount (on the right).
4 Choose the directory domain that contains your users and computers from the Where
pop-up menu.
If the correct directory is already chosen, click the lock to authenticate.
5 Choose the sharing protocol (AFP or NFS) from the Protocol pop-up menu.
6 Choose how you want the share point to be used and mounted on client computers.
User Home Directories: the home directories on the share point are listed on a user’s
computer in /Network/Servers (in Servers inside the Network globe in the Finder).
Note: Share points used for home directories should be named using only US ASCII
characters. Don’t use multibyte encoding or accented characters.
Shared Applications: the share point appears on the user’s computer in
/Network/Applications (in Applications inside the Network globe in the Finder).
Shared Library: the share point appears in /Network/Library (in Library inside the
Network globe in the Finder).
“Custom mount path”: the share point appears in the directory you specify. You must
make sure that this directory exists on the client computer before the share point can
be mounted.
7 Click Save.
Managing Share Points
This section describes typical day-to-day tasks you might perform after you have set up
share points on your server. Initial setup information appears in “Setting Up a Share
Point” on page 21.
Disabling a Share Point
To stop sharing a particular share point, you use the Sharing module of Workgroup
Manager to remove it from the Share Points list.
You may want to notify users that you are removing a share point so that they know
why the share point is no longer available.
To remove a share point:
1 Open Workgroup Manager and click Sharing.
2 Click Share Points and select the share point you want to remove.
3 Click General and deselect “Share this item and its contents.”
Protocol and network mount settings you have made for the item are discarded.
From the Command Line
You can also disable a share point by using the sharing command in Terminal. For
more information, see the file services chapter of the command-line administration
guide.
Disabling a Protocol for a Share Point
You can use the Sharing module of Workgroup Manager to stop sharing a share point
using a particular protocol and still allow sharing to continue via other protocols.
To stop sharing via a particular protocol:
1 Open Workgroup Manager and click Sharing.
2 Click Share Points and select the share point you want to remove.
3 Click Protocols and choose settings for the protocol from the pop-up menu.
4 Deselect “Share this item using...”
You can disable a protocol for all share points by stopping the underlying service that
provides support for the protocol. For help, see “Stopping Apple File Service” on
page 45, “Stopping Windows Services” on page 61, “Starting and Stopping NFS Service”
on page 73, or “Stopping FTP Service” on page 86.
From the Command Line
You can also disable a protocol for a share point by using the sharing command in
Terminal. For more information, see the file services chapter of the command-line
administration guide.