Provided by: netatalk_2.0.3-9_i386


       afpd.conf  -  Configuration file used by afpd(8) to determine the setup
       of its file sharing services


       /etc/netatalk/afpd.conf is the  configuration  file  used  by  afpd  to
       determine  the behavior and configuration of the different virtual file
       servers that it provides.

       Any line not prefixed with # is interpreted. Configuration lines are
       composed like:

              server name [ options ]

       If a - is used instead of a server name, the default server is
       specified. Server names must be quoted if they contain spaces. They
       must not contain ":" or "@". Any path name given to an option must be
       a fully qualified path name, or a path name using either the ~ shell
       shorthand or any of the substitution variables, which are listed
       below.


              Each server has to be configured on a single line.

       The possible options and their meanings are:


       -defaultvol [path]
              Specifies  path  to  AppleVolumes.default   file   (default   is

       -systemvol [path]
              Specifies   path   to   AppleVolumes.system   file  (default  is

              Enables or disables reading of  the  users’  individual  volumes
              file entirely.

              Enables  or  disables  reading  of the users’ individual volumes
              file before processing the global AppleVolumes.default file.


       -uamlist [uams list]
              Comma   separated   list    of    UAMs.    (The    default    is

              The most commonly used UAMs are:

                     allows guest logins

                     (   or   Allow  logins  with
                     passwords transmitted in the clear.

                     allows Random Number and Two-Way Random  Number  Exchange
                     for  authentication  (requires a separate file containing
                     the passwords, either /etc/netatalk/afppasswd file or the
                     one  specified  via  -passwdfile.  See  afppasswd(1)  for

                     (     or     Allow
                     Diffie-Hellman eXchange (DHX) for authentication.

                     Allow Kerberos V for authentication (optional)

       -uampath [path]
              Sets  the  default  path  for  UAMs  for this server (default is

       -k5keytab [path], -k5service [service], -k5realm [realm]
              These are  required  if  the  server  supports  the  Kerberos  5
              authentication UAM.


       With OS X, Apple introduced the AFP3 protocol. One of the big changes
       was that AFP3 uses Unicode names encoded as decomposed UTF-8. Previous
       AFP/OS versions used codepages like MacRoman, MacCentralEurope, etc.

       To be able to serve AFP3 and older clients at the same time, afpd needs
       to be able to convert between UTF-8 and Mac codepages. Even OS X
       clients partly still rely on codepages. As there is no way afpd can
       detect the codepage a pre-AFP3 client uses, you have to specify it
       using the -maccodepage option. The default is MacRoman, which should
       be fine for most western users.

       As afpd needs to interact with the Unix operating system as well, it
       needs to be able to convert from UTF-8/Mac codepage to the Unix
       codepage. By default afpd uses the system's locale, or ASCII if your
       system doesn't support locales. You can set the Unix codepage using
       the -unixcodepage option. If you're using extended characters in the
       configuration files for afpd, make sure your terminal matches the
       -unixcodepage.

       -unixcodepage [CODEPAGE]
              Specifies the server's Unix codepage, e.g. "ISO-8859-15" or
              "UTF8". This is used to convert strings to/from the system's
              locale, e.g. for authentication, server messages and volume
              names. Defaults to LOCALE (the system locale) if your system
              supports it, otherwise ASCII will be used.

       -maccodepage [CODEPAGE]
              Specifies the Mac clients' codepage, e.g. "MAC_ROMAN". This is
              used to convert strings and filenames to the clients' codepage
              for OS 9 and Classic, i.e. for authentication and AFP messages
              (SIGUSR2 messaging). This will also be the default for the
              volumes' maccharset. Defaults to MAC_ROMAN.


       -loginmaxfail [number]
              Sets the maximum number of failed logins, if supported by the
              UAM (currently none).

       -passwdfile [path]
              Sets the path to the Randnum UAM passwd  file  for  this  server
              (default is /etc/netatalk/afppasswd).

       -passwdminlen [number]
              Sets the minimum password length, if supported by the UAM

              Enables  or  disables  the  ability of clients to save passwords

              Enables or disables the  ability  of  clients  to  change  their
              passwords via chooser or the "connect to server" dialog


              Enables  or disables AFP-over-Appletalk. If -proxy is specified,
              you must instead use -uamlist "" to prevent DDP connections from

              Enables or disables AFP-over-TCP

              Make both available (default)


              Allows Mac OS X clients (10.3.3 or above) to automagically
              establish a tunneled AFP connection through SSH. If this option
              is set, the server's answers to clients' FPGetSrvrInfo requests
              contain an additional entry. It depends on both the client's
              settings and a correctly configured and running sshd(8) on the
              server to let things work.

              Setting this option is not recommended since globally encrypting
              AFP connections via SSH will increase the server's load
              significantly. On the other hand, Apple's client side
              implementation of this feature in Mac OS X versions prior to
              10.3.4 contained a security flaw.

       -ddpaddr [ddp address]
              Specifies the DDP address of  the  server.  The  default  is  to
              auto-assign  an  address  (0.0).  This is only useful if you are
              running AppleTalk on more than one interface.

       -fqdn [name:port]
              Specifies a fully-qualified domain name, with an optional  port.
              This  is  discarded if the server cannot resolve it. This option
              is not honored by AppleShare clients <= 3.8.3.  This  option  is
              disabled  by  default.  Use  with caution as this will involve a
              second name resolution step on the client side. Also  note  that
              afpd   will   advertise   this  name:port  combination  but  not
              automatically listen to it.

       -ipaddr [ip address]
              Specifies the IP address that the server should advertise and
              listen on (the default is the first IP address of the system).
              This option also allows one machine to advertise the
              AFP-over-TCP/IP settings of another machine via NBP when used
              together with the -proxy option.

       -port [port number]
              Allows a different TCP port to be  used  for  AFP-over-TCP.  The
              default is 548.

       -proxy Runs  an  AppleTalk  proxy server for the specified AFP-over-TCP
              server. If the address and port aren’t given, then the first  IP
              address  of  the  system and port 548 will be used. If you don’t
              want the proxy server to act  as  a  DDP  server  as  well,  set
              -uamlist "".

       -server_quantum [number]
              This specifies the DSI server quantum. The minimum value is
              303840 (0x4A2E0). The maximum value is 0xFFFFFFFFF. If you
              specify a value that is out of range, the default value will be
              set (which is the minimum). Do not change this value unless
              you're absolutely sure what you're doing.

       -noslp Do not register this server using the Service Location Protocol
              (if SLP support was compiled in). This is useful if you are
              running multiple servers and want one to be hidden, perhaps
              because it is advertised elsewhere, i.e. by an SLP Directory
              Agent.

       -nozeroconf
              Do not register this server using the Multicast DNS Protocol (if
              Zeroconf support was compiled in).


       -admingroup [group]
              Allows users of a certain group to be seen as the superuser when
              they log in. This option is disabled by default.

       -authprintdir [path]
              Specifies the path to be used (per server) to store the files
              required to do CAP-style print authentication, which papd will
              examine to determine if a print job should be allowed. These
              files are created at login and, if they are to be properly
              removed, this directory probably needs to be mode 1777.

              -authprintdir will only work for clients connecting via DDP.
              Almost all modern clients will use TCP.

              With this switch enabled, afpd won't advertise that it is
              capable of server notifications, so that connected clients poll
              the server every 10 seconds to detect changes in opened server
              windows. Note: depending on the number of simultaneously
              connected clients and the network's speed, this can lead to a
              significantly higher load on your network!

              Do  not  use  this  option  any longer as Netatalk 2.0 correctly
              supports server notifications,  allowing  connected  clients  to
              update  folder  listings  in  case  another  client  changed the

       -cnidserver [ipaddress:port]
              Specifies the IP  address  and  port  of  a  cnid_metad  server,
              required for CNID dbd backend. Defaults to localhost:4700.

       -guestname [name]
              Specifies the user that guests should use (default is "nobody").
              The name should be quoted.

       -icon  Use the platform-specific icon

       -loginmesg [message]
              Sets a message to be displayed when clients logon to the server.
              The  message  should  be  in  unixcodepage and should be quoted.
              Extended characters are allowed.

              Disables debugging.

       -sleep [number]
              AFP 3.x waits [number] hours before disconnecting clients in
              sleep mode. Default is 10 hours.

       -signature { user:<text> | host }
              Specify a server signature. This option is useful when running
              multiple independent instances of afpd on one machine (e.g. in
              clustered environments, to provide fault isolation etc.). The
              "host" signature type lets afpd generate the signature
              automatically (based on the machine's primary IP address). The
              "user" signature type lets the administrator set the signature
              string manually. The maximum length is 16 characters.

              Three server definitions using 2 different server signatures

              first -signature user:USERS
              second -signature user:USERS
              third -signature user:ADMINS

              The first two servers will appear as one logical AFP service to
              the clients: if a user logs in to the first one and then
              connects to the second one, the session will be automatically
              redirected to the first one. But if a client connects to the
              first and then to the third, it will be asked for a password
              twice and will see the resources of both servers. The
              traditional method of signature generation causes two
              independent afpd instances to have the same signature and thus
              causes clients to be redirected automatically to the server
              they logged in to first.
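              The line format described at the top of this page (quoted
              server names, "-" for the default server, backslash-continued
              lines) and the signature grouping just described, as an added
              example that is not part of netatalk or of this manual: a small
              Python parser that turns afpd.conf text into per-server option
              maps, groups servers by signature, and reports the constraints
              the text states. The sample configuration and the group name
              "wheel" are constructed; treating a missing -signature as the
              shared host signature follows the traditional method described
              above.

```python
import shlex
SIGNATURE_MAX = 16   # afpd.conf(5): a user: signature is at most 16 characters

def parse_afpd_conf(text):
    # Returns [(server_name, {option: value})]. "-" is the default server, a bare
    # flag such as -transall gets "", and a trailing backslash continues a line.
    servers = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)   # honours the quoting required for names with spaces
        opts, i = {}, 1
        while i < len(words):       # an option consumes the next word unless that is an option
            has_val = i + 1 < len(words) and not words[i + 1].startswith("-")
            opts[words[i]] = words[i + 1] if has_val else ""
            i += 2 if has_val else 1
        servers.append((words[0], opts))
    return servers

def audit(name, opts):
    # Constraints stated in the text: name charset, signature length, superuser group.
    out = []
    if name != "-" and (":" in name or "@" in name):
        out.append("server name contains ':' or '@'")
    sig = opts.get("-signature", "")
    if sig.startswith("user:") and len(sig) - 5 > SIGNATURE_MAX:
        out.append("user signature longer than %d characters" % SIGNATURE_MAX)
    if "-admingroup" in opts:       # members of that group log in as superuser
        out.append("-admingroup %s grants superuser on login" % opts["-admingroup"])
    return out

def logical_services(servers):
    # Servers sharing a signature appear to clients as one AFP service.
    groups = {}
    for name, opts in servers:
        groups.setdefault(opts.get("-signature", "host"), []).append(name)
    return groups

SAMPLE = """\
# constructed sample modelled on the examples in afpd.conf(5)
- -transall -port 548
first -signature user:USERS
second -signature user:USERS
third -signature user:ADMINS -admingroup wheel \\
      -loginmesg "Admins only"
"Guest Server" -port 12000
"""
```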



              Extended logging capabilities are only available if Netatalk was
              built using --with-logfile. As of Netatalk 2.0, the  default  is
              --without-logfile  since the logger code is partially broken and
              needs a complete rewrite (the -setuplog option might not work as
              expected). If Netatalk was built without logger support then the
              daemons log to syslog.

       -[un]setuplog "<logtype> <loglevel> [<filename>]"
              Specify that the given loglevel should be applied to log
              messages of the given logtype and that these messages should be
              logged to the given file. If the filename is omitted the
              loglevel applies to messages passed to syslog. Each logtype may
              have a loglevel applied to syslog and a loglevel applied to a
              single file. Later -setuplog settings will override earlier
              ones of the same logtype (file or syslog).

              logtypes: Default, Core, Logger, CNID, AFP

              Daemon loglevels:  LOG_SEVERE,  LOG_ERROR,  LOG_WARN,  LOG_NOTE,
              LOG_INFO,   LOG_DEBUG,   LOG_DEBUG6,   LOG_DEBUG7,   LOG_DEBUG8,
              LOG_DEBUG9, LOG_MAXDEBUG

              Some ways to change afpd's logging behaviour via -[un]setuplog:


              -setuplog "logger log_maxdebug /var/log/netatalk-logger.log"
              -setuplog "afpdaemon log_maxdebug /var/log/netatalk-afp.log"
              -unsetuplog "default level file"
              -setuplog "default log_maxdebug"
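              The override rule for -[un]setuplog, as an added example that is
              not part of netatalk: the function below applies a list of
              (flag, spec) pairs in order and returns the effective syslog and
              file loglevel per logtype; the four lines above plus one
              constructed fifth line form the sample. Assumptions the page
              does not state: -unsetuplog with a filename clears only the
              file destination and without one only the syslog level, and
              logtype names are matched case-insensitively.

```python
# Loglevels named in afpd.conf(5), least to most verbose.
LOGLEVELS = ("LOG_SEVERE", "LOG_ERROR", "LOG_WARN", "LOG_NOTE", "LOG_INFO", "LOG_DEBUG",
             "LOG_DEBUG6", "LOG_DEBUG7", "LOG_DEBUG8", "LOG_DEBUG9", "LOG_MAXDEBUG")

def resolve_setuplog(args):
    """Apply (flag, spec) pairs in order, spec = "<logtype> <loglevel> [<filename>]".

    Returns {logtype: {"syslog": level or None, "file": (level, path) or None}}.
    A later setting for the same logtype and destination overrides an earlier
    one. Assumption (not in the man page): -unsetuplog with a filename clears
    the file destination, without one it clears the syslog level.
    """
    effective = {}
    for flag, spec in args:
        parts = spec.split()
        if flag not in ("-setuplog", "-unsetuplog") or len(parts) not in (2, 3):
            raise ValueError("bad logging option: %s %r" % (flag, spec))
        logtype, level = parts[0].lower(), parts[1].upper()
        path = parts[2] if len(parts) == 3 else None
        dest = "file" if path else "syslog"
        entry = effective.setdefault(logtype, {"syslog": None, "file": None})
        if flag == "-unsetuplog":
            entry[dest] = None          # the loglevel word is irrelevant when unsetting
            continue
        if level not in LOGLEVELS:
            raise ValueError("unknown loglevel %r for logtype %r" % (parts[1], parts[0]))
        entry[dest] = (level, path) if path else level
    return effective

# Constructed sample: the four lines from the man page plus a fifth that lowers
# the logger file level again, showing that the later setting wins.
SAMPLE = [
    ("-setuplog", "logger log_maxdebug /var/log/netatalk-logger.log"),
    ("-setuplog", "afpdaemon log_maxdebug /var/log/netatalk-afp.log"),
    ("-unsetuplog", "default level file"),
    ("-setuplog", "default log_maxdebug"),
    ("-setuplog", "logger log_warn /var/log/netatalk-logger.log"),
]
```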


       These options are useful for debugging only.

       -tickleval [number]
              Sets the tickle timeout interval (in seconds). Defaults to 30.

       -timeout [number]
              Specify the number of  tickles  to  send  before  timing  out  a
              connection.  The  default  is  4,  therefore  a  connection will
              timeout after 2 minutes.


       afpd.conf default configuration

       - -transall -uamlist,

       afpd.conf MacCyrillic setup / UTF8 unix locale

       - -transall -maccodepage mac_cyrillic -unixcodepage utf8

       afpd.conf setup for Kerberos V auth

       - -transall -uamlist,,, \
       -k5service afpserver -k5keytab /path/to/afpserver.keytab \
       -k5realm YOUR.REALM -fqdn your.fqdn.namel:548

       afpd.conf letting afpd appear as three servers on the net

       "Guest Server" -uamlist -loginmesg "Welcome guest!"
       "User Server" -uamlist -port 12000
       "special" -notcp -defaultvol <path> -systemvol <path>


       afpd(8), afppasswd(1), AppleVolumes.default(5)