Provided by: netatalk_2.0.3-9_i386
NAME
afpd.conf - Configuration file used by afpd(8) to determine the setup
of its file sharing services
DESCRIPTION
/etc/netatalk/afpd.conf is the configuration file used by afpd to
determine the behavior and configuration of the different virtual file
servers that it provides.
Any line not prefixed with # is interpreted. The configuration lines
are composed like:
server name [ options ]
If a - is used instead of a server name, the default server is
specified. Server names must be quoted if they contain spaces. They
must not contain ":" or "@". The path name must be a fully qualified
path name, or a path name using either the ~ shell shorthand or any of
the substitution variables, which are listed below.
Note
Each server has to be configured on a single line.
The possible options and their meanings are:
APPLEVOLUMES FILES
-defaultvol [path]
Specifies path to AppleVolumes.default file (default is
/etc/netatalk/AppleVolumes.default).
-systemvol [path]
Specifies path to AppleVolumes.system file (default is
/etc/netatalk/AppleVolumes.system).
-[no]uservol
Enables or disables reading of the users’ individual volumes
file entirely.
-[no]uservolfirst
Enables or disables reading of the users’ individual volumes
file before processing the global AppleVolumes.default file.
AUTHENTICATION METHODS
-uamlist [uams list]
Comma separated list of UAMs. (The default is
uams_clrtxt.so,uams_dhx.so).
The most commonly used UAMs are:
uams_guest.so
allows guest logins
uams_clrtxt.so
(uams_pam.so or uams_passwd.so) Allow logins with
passwords transmitted in the clear.
uams_randum.so
allows Random Number and Two-Way Random Number Exchange
for authentication (requires a separate file containing
the passwords, either the /etc/netatalk/afppasswd file or the
one specified via -passwdfile; see afppasswd(1) for
details).
uams_dhx.so
(uams_dhx_pam.so or uams_dhx_passwd.so) Allow
Diffie-Hellman eXchange (DHX) for authentication.
uams_gss.so
Allow Kerberos V for authentication (optional).
-uampath [path]
Sets the default path for UAMs for this server (default is
/etc/netatalk/uams).
-k5keytab [path], -k5service [service], -k5realm [realm]
These are required if the server supports the Kerberos 5
authentication UAM.
CODEPAGE OPTIONS
With OS X Apple introduced the AFP3 protocol. One of the big changes
was that AFP3 uses Unicode names encoded as decomposed UTF-8. Previous
AFP/OS versions used codepages like MacRoman, MacCentralEurope, etc.
To be able to serve AFP3 and older clients at the same time, afpd needs
to be able to convert between UTF-8 and Mac codepages. Even OS X
clients partly still rely on codepages. As afpd has no way to detect
the codepage a pre-AFP3 client uses, you have to specify it using the
-maccodepage option. The default is MacRoman, which should be fine for
most western users.
As afpd needs to interact with the unix operating system as well, it
needs to be able to convert from UTF-8/MacCodepage to the unix
codepage. By default afpd uses the system's LOCALE, or ASCII if your
system doesn't support locales. You can set the unix codepage using the
-unixcodepage option. If you're using extended characters in the
configuration files for afpd, make sure your terminal matches the
-unixcodepage.
-unixcodepage [CODEPAGE]
Specifies the server's unix codepage, e.g. "ISO-8859-15" or
"UTF8". This is used to convert strings to/from the system's
locale, e.g. for authentication, server messages and volume
names. Defaults to LOCALE if your system supports it, otherwise
ASCII will be used.
-maccodepage [CODEPAGE]
Specifies the Mac clients' codepage, e.g. "MAC_ROMAN". This is
used to convert strings and filenames to the clients' codepage
for OS9 and Classic, i.e. for authentication and AFP messages
(SIGUSR2 messaging). This will also be the default for the
volumes' maccharset. Defaults to MAC_ROMAN.
PASSWORD OPTIONS
-loginmaxfail [number]
Sets the maximum number of failed logins, if supported by the
UAM (currently none).
-passwdfile [path]
Sets the path to the Randnum UAM passwd file for this server
(default is /etc/netatalk/afppasswd).
-passwdminlen [number]
Sets the minimum password length, if supported by the UAM.
-[no]savepassword
Enables or disables the ability of clients to save passwords
locally.
-[no]setpassword
Enables or disables the ability of clients to change their
passwords via chooser or the "connect to server" dialog.
TRANSPORT PROTOCOLS
-[no]ddp
Enables or disables AFP-over-Appletalk. If -proxy is specified,
you must instead use -uamlist "" to prevent DDP connections from
working.
-[no]tcp
Enables or disables AFP-over-TCP.
-transall
Make both available (default).
TRANSPORT OPTIONS
-advertise_ssh
Allows Mac OS X clients (10.3.3 or above) to automagically
establish a tunneled AFP connection through SSH. If this option
is set, the server's answers to clients' FPGetSrvrInfo requests
contain an additional entry. Whether this works depends on both
the client's settings and a correctly configured and running
sshd(8) on the server.
Note
Setting this option is not recommended since globally encrypting
AFP connections via SSH will increase the server’s load
significantly. On the other hand, Apple’s client side
implementation of this feature in MacOS X versions prior to
10.3.4 contained a security flaw.
-ddpaddr [ddp address]
Specifies the DDP address of the server. The default is to
auto-assign an address (0.0). This is only useful if you are
running AppleTalk on more than one interface.
-fqdn [name:port]
Specifies a fully-qualified domain name, with an optional port.
This is discarded if the server cannot resolve it. This option
is not honored by AppleShare clients <= 3.8.3. This option is
disabled by default. Use with caution as this will involve a
second name resolution step on the client side. Also note that
afpd will advertise this name:port combination but will not
automatically listen on it.
-ipaddr [ip address]
Specifies the IP address that the server should advertise and
listen on (the default is the first IP address of the system).
This option also allows one machine to advertise the
AFP-over-TCP/IP settings of another machine via NBP when used
together with the -proxy option.
-port [port number]
Allows a different TCP port to be used for AFP-over-TCP. The
default is 548.
-proxy
Runs an AppleTalk proxy server for the specified AFP-over-TCP
server. If the address and port aren't given, then the first IP
address of the system and port 548 will be used. If you don't
want the proxy server to act as a DDP server as well, set
-uamlist "".
-server_quantum [number]
This specifies the DSI server quantum. The minimum value is
303840 (0x4A2E0). The maximum value is 0xFFFFFFFFF. If you
specify a value that is out of range, the default value will be
set (which is the minimum). Do not change this value unless
you're absolutely sure what you're doing.
-noslp
Do not register this server using the Service Location Protocol
(if SLP support was compiled in). This is useful if you are
running multiple servers and want one to be hidden, perhaps
because it is advertised elsewhere, i.e. by a SLP Directory
Agent.
-nozeroconf
Do not register this server using the Multicast DNS Protocol
(if Zeroconf support was compiled in).
MISCELLANEOUS OPTIONS
-admingroup [group]
Allows users of a certain group to be seen as the superuser when
they log in. This option is disabled by default.
-authprintdir [path]
Specifies the path to be used (per server) to store the files
required to do CAP-style print authentication, which papd will
examine to determine if a print job should be allowed. These
files are created at login and, if they are to be properly
removed, this directory probably needs to be mode 1777.
Note
-authprintdir will only work for clients connecting via DDP.
Almost all modern Clients will use TCP.
-client_polling
With this switch enabled, afpd won't advertise that it is
capable of server notifications, so that connected clients poll
the server every 10 seconds to detect changes in opened server
windows. Note: Depending on the number of simultaneously
connected clients and the network's speed, this can lead to a
significantly higher load on your network!
Note
Do not use this option any longer as Netatalk 2.0 correctly
supports server notifications, allowing connected clients to
update folder listings in case another client changed the
contents.
-cnidserver [ipaddress:port]
Specifies the IP address and port of a cnid_metad server,
required for CNID dbd backend. Defaults to localhost:4700.
-guestname [name]
Specifies the user that guests should use (default is "nobody").
The name should be quoted.
-icon
Use the platform-specific icon.
-loginmesg [message]
Sets a message to be displayed when clients log on to the server.
The message should be in unixcodepage and should be quoted.
Extended characters are allowed.
-nodebug
Disables debugging.
-sleep [number]
AFP 3.x waits [number] hours before disconnecting clients in
sleep mode. Default is 10 hours.
-signature { user:<text> | host }
Specify a server signature. This option is useful while running
multiple independent instances of afpd on one machine (e.g. in
clustered environments, to provide fault isolation etc.). The
"host" signature type lets afpd generate the signature
automatically (based on the machine's primary IP address). The
"user" signature type allows the administrator to set up a
signature string manually. The maximum length is 16 characters.
Three server definitions using 2 different server signatures:
first -signature user:USERS
second -signature user:USERS
third -signature user:ADMINS
The first two servers will appear as one logical AFP service to
the clients: if a user logs in to the first one and then connects
to the second one, the session will be automatically redirected
to the first one. But if a client connects to the first and then
to the third, it will be asked for a password twice and will see
the resources of both servers. The traditional method of
signature generation causes two independent afpd instances to
have the same signature and thus causes clients to be redirected
automatically to the server they logged in to first.
LOGGING OPTIONS
Note
Extended logging capabilities are only available if Netatalk was
built using --with-logfile. As of Netatalk 2.0, the default is
--without-logfile since the logger code is partially broken and
needs a complete rewrite (the -setuplog option might not work as
expected). If Netatalk was built without logger support then the
daemons log to syslog.
-[un]setuplog "<logtype> <loglevel> [<filename>]"
Specify that the given loglevel should be applied to log
messages of the given logtype and that these messages should be
logged to the given file. If the filename is omitted the
loglevel applies to messages passed to syslog. Each logtype may
have a loglevel applied to syslog and a loglevel applied to a
single file. Later -setuplog settings will override earlier
ones of the same logtype (file or syslog).
logtypes: Default, Core, Logger, CNID, AFP
Daemon loglevels: LOG_SEVERE, LOG_ERROR, LOG_WARN, LOG_NOTE,
LOG_INFO, LOG_DEBUG, LOG_DEBUG6, LOG_DEBUG7, LOG_DEBUG8,
LOG_DEBUG9, LOG_MAXDEBUG
Some ways to change afpd's logging behaviour via -[un]setuplog
Example:
-setuplog "logger log_maxdebug /var/log/netatalk-logger.log"
-setuplog "afpdaemon log_maxdebug /var/log/netatalk-afp.log"
-unsetuplog "default level file"
-setuplog "default log_maxdebug"
DEBUG OPTIONS
These options are useful for debugging only.
-tickleval [number]
Sets the tickle timeout interval (in seconds). Defaults to 30.
-timeout [number]
Specify the number of tickles to send before timing out a
connection. The default is 4, therefore a connection will
time out after 2 minutes.
EXAMPLES
afpd.conf default configuration
- -transall -uamlist uams_clrtxt.so,uams_dhx.so
afpd.conf MacCyrillic setup / UTF8 unix locale
- -transall -maccodepage mac_cyrillic -unixcodepage utf8
afpd.conf setup for Kerberos V auth
- -transall -uamlist uams_clrtxt.so,uams_dhx.so,uams_guest.so,uams_gss.so \
-k5service afpserver -k5keytab /path/to/afpserver.keytab \
-k5realm YOUR.REALM -fqdn your.fqdn.name:548
afpd.conf letting afpd appear as three servers on the net
"Guest Server" -uamlist uams_guest.so -loginmesg "Welcome guest!"
"User Server" -uamlist uams_dhx.so -port 12000
"special" -notcp -defaultvol <path> -systemvol <path>
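As an added example (not part of the netatalk man page or source), the following Python parser reads afpd.conf lines as described under DESCRIPTION (# comments, the - default server, quoted server names, the ":" / "@" restriction) and then flags servers whose -uamlist still permits the cleartext or guest UAMs listed under AUTHENTICATION METHODS. It assumes shlex-style quoting and backslash line continuation (as the Kerberos example above uses), which are approximations of afpd's parser; the sample configuration is constructed from the examples above.

```python
import shlex

# Constructed sample adapted from the EXAMPLES section above (not a real deployment).
SAMPLE_CONF = r'''
- -transall -uamlist uams_clrtxt.so,uams_dhx.so
"Guest Server" -uamlist uams_guest.so -loginmesg "Welcome guest!"
"User Server" -uamlist uams_dhx.so -port 12000
"Kerberos Server" -transall -uamlist uams_dhx.so,uams_gss.so \
    -k5service afpserver -k5keytab /path/to/afpserver.keytab -k5realm YOUR.REALM -fqdn your.fqdn.name:548
'''
CLEARTEXT_UAMS = {"uams_clrtxt.so", "uams_pam.so", "uams_passwd.so"}  # documented as clear text
DEFAULT_UAMLIST = "uams_clrtxt.so,uams_dhx.so"  # default given under -uamlist

def logical_lines(text):
    """Skip blank and '#' lines; join backslash-continued lines (assumed, as in the Kerberos example)."""
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        line, buf = (buf + raw).strip(), ""
        if line and not line.startswith("#"):
            yield line

def parse_server(line):
    """Split 'server name [ options ]' into (name, {option: value or True}); shlex approximates afpd quoting."""
    tokens = shlex.split(line)
    name, opts = tokens[0], tokens[1:]
    if name != "-" and (":" in name or "@" in name):
        raise ValueError(f"server name {name!r} must not contain ':' or '@'")
    options, i = {}, 0
    while i < len(opts):
        has_value = i + 1 < len(opts) and not opts[i + 1].startswith("-")
        options[opts[i]] = opts[i + 1] if has_value else True
        i += 2 if has_value else 1
    return ("(default)" if name == "-" else name), options

def audit_uams(text):
    """Return {server: [findings]} for -uamlist choices that weaken authentication."""
    report = {}
    for line in logical_lines(text):
        name, options = parse_server(line)
        uams = set(filter(None, str(options.get("-uamlist", DEFAULT_UAMLIST)).split(",")))
        findings = []
        if uams & CLEARTEXT_UAMS:
            findings.append("cleartext password UAM enabled")
        if "uams_guest.so" in uams:
            findings.append("guest logins enabled")
        report[name] = findings
    return report
```

Note that a server line without -uamlist inherits the documented default, which includes uams_clrtxt.so, so it is reported as well.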
SEE ALSO
afpd(8), afppasswd(1), AppleVolumes.default(5)