Provided by: netatalk_2.0.3-3ubuntu1_i386


       afpd.conf  -  Configuration file used by afpd(8) to determine the setup
       of its file sharing services


       /etc/netatalk/afpd.conf is the  configuration  file  used  by  afpd  to
       determine  the behavior and configuration of the different virtual file
       servers that it provides.

       Any line not prefixed with # is interpreted. Configuration lines are
       composed like:

              server name [ options ]

       If a - is used instead of a server name, the default server is
       specified. Server names must be quoted if they contain spaces. They
       must not contain ":" or "@". The path name must be a fully qualified
       path name, or a path name using either the ~ shell shorthand or any of
       the substitution variables, which are listed below.


              Each server has to be configured on a single line.

       The possible options and their meanings are:


       -defaultvol [path]
              Specifies  path  to  AppleVolumes.default   file   (default   is

       -systemvol [path]
              Specifies   path   to   AppleVolumes.system   file  (default  is

              Enables or disables reading of  the  users’  individual  volumes
              file entirely.

              Enables  or  disables  reading  of the users’ individual volumes
              file before processing the global AppleVolumes.default file.


       -uamlist [uams list]
              Comma   separated   list    of    UAMs.    (The    default    is

              The most commonly used UAMs are:

                     allows guest logins

                     (   or   Allow  logins  with
                     passwords transmitted in the clear.

                     allows Random Number and Two-Way Random  Number  Exchange
                     for  authentication  (requires a separate file containing
                     the passwords, either /etc/netatalk/afppasswd file or the
                     one  specified  via  -passwdfile.  See  afppasswd(1)  for

                     (     or     Allow
                     Diffie-Hellman eXchange (DHX) for authentication.

                     Allow Kerberos V for authentication (optional)

       -uampath [path]
              Sets  the  default  path  for  UAMs  for this server (default is

       -k5keytab [path], -k5service [service], -k5realm [realm]
              These are  required  if  the  server  supports  the  Kerberos  5
              authentication UAM.


       With OS X, Apple introduced the AFP3 protocol. One of the big changes
       was that AFP3 uses Unicode names encoded as decomposed UTF-8. Previous
       AFP/OS versions used codepages such as MacRoman, MacCentralEurope, etc.

       To be able to serve AFP3 and older clients at the same time, afpd needs
       to be able to convert between UTF-8 and Mac codepages. Even OS X
       clients still partly rely on codepages. As there is no way for afpd to
       detect the codepage a pre-AFP3 client uses, you have to specify it
       using the -maccodepage option. The default is MacRoman, which should be
       fine for most western users.

       As afpd needs to interact with the unix operating system as well, it
       needs to be able to convert from UTF-8/MacCodepage to the unix
       codepage. By default afpd uses the system's LOCALE, or ASCII if your
       system doesn't support locales. You can set the unix codepage using
       the -unixcodepage option. If you're using extended characters in the
       configuration files for afpd, make sure your terminal matches the
       -unixcodepage.

       -unixcodepage [CODEPAGE]
              Specifies the server's unix codepage, e.g. "ISO-8859-15" or
              "UTF8". This is used to convert strings to/from the system's
              locale, e.g. for authentication, server messages and volume
              names. Defaults to LOCALE if your system supports it, otherwise
              ASCII will be used.

       -maccodepage [CODEPAGE]
              Specifies the Mac clients' codepage, e.g. "MAC_ROMAN". This is
              used to convert strings and filenames to the clients' codepage
              for OS9 and Classic, i.e. for authentication and AFP messages
              (SIGUSR2 messaging). This will also be the default for the
              volumes' maccharset. Defaults to MAC_ROMAN.


       -loginmaxfail [number]
              Sets the maximum number of failed logins, if supported by the
              UAM (currently none).

       -passwdfile [path]
              Sets the path to the Randnum UAM passwd  file  for  this  server
              (default is /etc/netatalk/afppasswd).

       -passwdminlen [number]
              Sets the minimum password length, if supported by the UAM

              Enables  or  disables  the  ability of clients to save passwords

              Enables or disables the  ability  of  clients  to  change  their
              passwords via chooser or the "connect to server" dialog


              Enables  or disables AFP-over-Appletalk. If -proxy is specified,
              you must instead use -uamlist "" to prevent DDP connections from

              Enables or disables AFP-over-TCP

              Make both available (default)


              Allows Mac OS X clients (10.3.3 or above) to automagically
              establish a tunneled AFP connection through SSH. If this option
              is set, the server's answers to clients' FPGetSrvrInfo requests
              contain an additional entry. Whether it works depends on both
              the client's settings and a correctly configured and running
              sshd(8) on the server.

              Setting this option is not recommended since globally encrypting
              AFP   connections  via  SSH  will  increase  the  server’s  load
              significantly.  On  the  other   hand,   Apple’s   client   side
              implementation  of  this  feature  in  MacOS X versions prior to
              10.3.4 contained a security flaw.

       -ddpaddr [ddp address]
              Specifies the DDP address of  the  server.  The  default  is  to
              auto-assign  an  address  (0.0).  This is only useful if you are
              running AppleTalk on more than one interface.

       -fqdn [name:port]
              Specifies a fully-qualified domain name, with an optional port.
              This is discarded if the server cannot resolve it. This option
              is not honored by AppleShare clients <= 3.8.3. This option is
              disabled by default. Use with caution as this will involve a
              second name resolution step on the client side. Also note that
              afpd will advertise this name:port combination but not
              automatically listen on it.

       -ipaddr [ip address]
              Specifies the IP address that the server should advertise and
              listen on (the default is the first IP address of the system).
              This option also allows one machine to advertise the
              AFP-over-TCP/IP settings of another machine via NBP when used
              together with the -proxy option.

       -port [port number]
              Allows a different TCP port to be  used  for  AFP-over-TCP.  The
              default is 548.

       -proxy Runs  an  AppleTalk  proxy server for the specified AFP-over-TCP
              server. If the address and port aren’t given, then the first  IP
              address  of  the  system and port 548 will be used. If you don’t
              want the proxy server to act  as  a  DDP  server  as  well,  set
              -uamlist "".

       -server_quantum [number]
              This specifies the DSI server quantum. The minimum value is
              303840 (0x4A2E0). The maximum value is 0xFFFFFFFFF. If you
              specify a value that is out of range, the default value will be
              set (which is the minimum). Do not change this value unless
              you are absolutely sure what you are doing.

       -noslp Do not register this server using the Service Location Protocol
              (if SLP support was compiled in). This is useful if you are
              running multiple servers and want one to be hidden, perhaps
              because it is advertised elsewhere, i.e. by a SLP Directory


       -admingroup [group]
              Allows users of a certain group to be seen as the superuser when
              they log in. This option is disabled by default.

       -authprintdir [path]
              Specifies the path to be used (per server) to store the files
              required to do CAP-style print authentication, which papd will
              examine to determine if a print job should be allowed. These
              files are created at login and, if they are to be properly
              removed, this directory probably needs to be umode 1777.

              -authprintdir will only work for clients connecting via DDP.
              Almost all modern clients will use TCP.

              With this switch enabled, afpd won't advertise that it is
              capable of server notifications, so connected clients poll
              the server every 10 seconds to detect changes in opened server
              windows. Note: Depending on the number of simultaneously
              connected clients and the network's speed, this can lead to a
              significantly higher load on your network!

              Do not use this option any  longer  as  Netatalk  2.0  correctly
              supports  server  notifications,  allowing  connected clients to
              update folder  listings  in  case  another  client  changed  the

       -cnidserver [ipaddress:port]
              Specifies  the  IP  address  and  port  of  a cnid_metad server,
              required for CNID dbd backend. Defaults to localhost:4700.

       -guestname [name]
              Specifies the user that guests should use (default is "nobody").
              The name should be quoted.

       -icon  Use the platform-specific icon

       -loginmesg [message]
              Sets a message to be displayed when clients log on to the
              server. The message should be in unixcodepage and should be
              quoted. Extended characters are allowed.

              Disables debugging.

       -sleep [number]
              AFP 3.x waits number hours before disconnecting clients in sleep
              mode. Default is 10 hours.

       -signature { user:<text> | host }
              Specify a server signature. This option is useful while running
              multiple independent instances of afpd on one machine (e.g. in
              clustered environments, to provide fault isolation etc.). The
              "host" signature type lets afpd generate the signature
              automatically (based on the machine's primary IP address). The
              "user" signature type lets the administrator set a signature
              string manually. The maximum length is 16 characters.

              Three server definitions using 2 different server signatures:

              first -signature user:USERS
              second -signature user:USERS
              third -signature user:ADMINS

              The first two servers will appear as one logical AFP service to
              the clients: if a user logs in to the first one and then
              connects to the second one, the session will be automatically
              redirected to the first one. But if a client connects to the
              first and then to the third, it will be asked for a password
              twice and will see the resources of both servers. The
              traditional method of signature generation causes two
              independent afpd instances to have the same signature and thus
              causes clients to be redirected automatically to the server
              they logged in to first.



              Extended logging capabilities are only available if Netatalk was
              built  using  --with-logfile. As of Netatalk 2.0, the default is
              --without-logfile since the logger code is partially broken  and
              needs a complete rewrite (the -setuplog option might not work as
              expected). If Netatalk was built without logger support then the
              daemons log to syslog.

       -[un]setuplog "<logtype> <loglevel> [<filename>]"
              Specify that the given loglevel should be applied to log
              messages of the given logtype and that these messages should be
              logged to the given file. If the filename is omitted the
              loglevel applies to messages passed to syslog. Each logtype may
              have a loglevel applied to syslog and a loglevel applied to a
              single file. Later -setuplog settings will override earlier
              ones of the same logtype (file or syslog).

              logtypes: Default, Core, Logger, CNID, AFP

              Daemon  loglevels:  LOG_SEVERE,  LOG_ERROR,  LOG_WARN, LOG_NOTE,
              LOG_INFO,   LOG_DEBUG,   LOG_DEBUG6,   LOG_DEBUG7,   LOG_DEBUG8,
              LOG_DEBUG9, LOG_MAXDEBUG

              Some ways to change afpd's logging behaviour via -[un]setuplog:


              -setuplog "logger log_maxdebug /var/log/netatalk-logger.log"
              -setuplog "afpdaemon log_maxdebug /var/log/netatalk-afp.log"
              -unsetuplog "default level file"
              -setuplog "default log_maxdebug"


       These options are useful for debugging only.

       -tickleval [number]
              Sets the tickle timeout interval (in seconds). Defaults to 30.

       -timeout [number]
              Specify  the  number  of  tickles  to  send  before timing out a
              connection. The  default  is  4,  therefore  a  connection  will
              timeout after 2 minutes.


       afpd.conf default configuration

       - -transall -uamlist,

       afpd.conf MacCyrillic setup / UTF8 unix locale

       - -transall -maccodepage mac_cyrillic -unixcodepage utf8

       afpd.conf setup for Kerberos V auth

       - -transall -uamlist,,, \
       -k5service afpserver -k5keytab /path/to/afpserver.keytab \
       -k5realm YOUR.REALM -fqdn your.fqdn.namel:548

       afpd.conf letting afpd appear as three servers on the net

       "Guest Server" -uamlist -loginmesg "Welcome guest!"
       "User Server" -uamlist -port 12000
       "special" -notcp -defaultvol <path> -systemvol <path>


       afpd(8), afppasswd(1), AppleVolumes.default(5)