User manual APPLE LEOPARD - FILE SERVICES ADMINISTRATION
Mac OS X Server
File Services Administration
For Version 10.5 Leopard
Apple Inc.
© 2007 Apple Inc. All rights reserved.
The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services. Every effort has been made to ensure that the information in this manual is accurate. Apple Inc. is not responsible for printing or clerical errors. Apple 1 Infinite Loop Cupertino CA 95014-2084 www.apple.com The Apple logo is a trademark of Apple Inc., registered in the U.S. and other countries. Use of the "keyboard" Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws. Apple, the Apple logo, AppleShare, AppleTalk, Bonjour, ColorSync, Mac, Macintosh, QuickTime, Xgrid, Xsan, and Xserve are trademarks of Apple Inc., registered in the U.S. and other countries. Finder and Spotlight are trademarks of Apple Inc. Adobe and PostScript are trademarks of Adobe Systems Incorporated. UNIX is a registered trademark of The Open Group. Other company and product names mentioned herein are trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance or use of these products. 019-0933/2007-09-01
Contents

Preface  About This Guide
    What's New in File Services
    What's in This Guide
    Using Onscreen Help
    Mac OS X Server Administration Guides
    Viewing PDF Guides on Screen
    Printing PDF Guides
    Getting Documentation Updates
    Getting Additional Information

Chapter 1  Understanding File Services
    Protocol Overview
    Protocol Comparison
    Protocol Security Comparison
    Deployment Planning
    Determining the Best Protocol for Your Needs
    Determining Hardware Requirements for Your Needs
    Planning for Outages and Failovers

Chapter 2  Setting Up File Service Permissions
    Permissions in the Mac OS X Environment
    Kinds of Permissions
    Standard Permissions
    ACLs
    Supported Volume Formats and Protocols
    Access Control Entries (ACEs)
    What's Stored in an ACE
    Explicit and Inherited ACEs
    Understanding Inheritance
    Rules of Precedence
    Tips and Advice
    Common Folder Configurations
    File Services Access Control
    Customizing Shared Network Resources
    Share Points in the Network Folder
    Adding System Resources to the Network Library Folder
    Security Considerations
    Restricting Access to File Services
    Restricting Access to Everyone
    Restricting Access to NFS Share Points
    Restricting Guest Access

Chapter 3  Setting Up Share Points
    Share Points and the Mac OS X Network Folder
    Automounting Share Points and Network Home Folders
    Setup Overview
    Before Setting Up a Share Point
    Client Privileges
    File Sharing Protocols
    Shared Information Organization
    Security
    Network Home Folders
    Disk Quotas
    Setting Up a Share Point
    Creating a Share Point
    Setting Privileges
    Changing AFP Settings for a Share Point
    Changing SMB Settings for a Share Point
    Changing FTP Settings for a Share Point
    Exporting an NFS Share Point
    Resharing NFS Mounts as AFP Share Points
    Automatically Mounting Share Points for Clients
    Managing Share Points
    Checking File Sharing Status
    Disabling a Share Point
    Disabling a Protocol for a Share Point
    Viewing Share Point Configuration and Protocol Settings
    Viewing Share Point Content and Privileges
    Managing Share Point Access Privileges
    Changing the Protocols Used by a Share Point
    Changing NFS Share Point Client Access
    Enabling Guest Access to a Share Point
    Setting Up a Drop Box
    Setting Up a Network Library
    Using Mac OS X Server for Network Attached Storage
    Configuring Spotlight for Share Points
    Configuring Time Machine Backup Destination
    Monitoring Share Point Quotas
    Setting SACL Permissions
    Setting SACL Permissions for Users and Groups
    Setting SACL Permissions for Administrators

Chapter 4  Working with AFP Service
    Kerberos Authentication
    Automatic Reconnect
    Find Content
    AppleTalk Support
    AFP Service Specifications
    Setup Overview
    Turning AFP Service On
    Setting Up AFP Service
    Configuring General Settings
    Configuring Access Settings
    Configuring Logging Settings
    Configuring Idle Users Settings
    Starting AFP Service
    Managing AFP Service
    Checking AFP Service Status
    Viewing AFP Service Logs
    Viewing AFP Graphs
    Viewing AFP Connections
    Stopping AFP Service
    Enabling Bonjour Browsing
    Limiting Connections
    Keeping an Access Log
    Disconnecting a User
    Automatically Disconnecting Idle Users
    Sending a Message to a User
    Enabling Guest Access
    Creating a Login Greeting
    Integrating Active Directory and AFP Services
    Supporting AFP Clients
    Mac OS X Clients
    Connecting to the AFP Server in Mac OS X
    Changing the Default User Name for AFP Connections
    Setting Up a Mac OS X Client to Automatically Mount a Share Point
    Connecting to the AFP Server from Mac OS 8 and Mac OS 9 Clients
    Setting up a Mac OS 8 or Mac OS 9 Client to Automatically Mount a Share Point
    Configuring IP Failover
    IP Failover Overview
    Acquiring Master Address--Chain of Events
    Releasing Master Address--Chain of Events
    IP Failover Setup
    Connecting the Master and Backup Servers to the Same Network
    Connecting the Master and Backup Servers Together
    Configuring the Master Server for IP Failover
    Configuring the Backup Server for IP Failover
    Configuring the AFP Reconnect Server Key
    Viewing the IP Failover Log

Chapter 5  Working with SMB Service
    File Locking with SMB Share Points
    Setup Overview
    Turning On SMB Service
    Setting Up SMB Service
    Configuring General Settings
    Configuring Access Settings
    Configuring Logging Settings
    Configuring Advanced Settings
    Starting SMB Service
    Managing SMB Service
    Viewing SMB Service Status
    Viewing SMB Service Logs
    Viewing SMB Graphs
    Viewing SMB Connections
    Stopping SMB Service
    Enabling or Disabling Virtual Share Points

Chapter 6  Working with NFS Service
    Setup Overview
    Before Setting Up NFS Service
    Turning On NFS Service
    Setting Up NFS Service
    Configuring NFS Settings
    Starting NFS Service
    Managing NFS Service
    Checking NFS Service Status
    Viewing NFS Connections
    Stopping NFS Service
    Viewing Current NFS Exports

Chapter 7  Working with FTP Service
    A Secure FTP Environment
    FTP Users
    The FTP Root Folder
    FTP User Environments
    On-the-Fly File Conversion
    Kerberos Authentication
    FTP Service Specifications
    Setup Overview
    Before Setting Up FTP Service
    Server Security and Anonymous Users
    Turning On FTP Service
    Setting Up FTP Service
    Configuring General Settings
    Configuring Greeting Messages
    Displaying Banner and Welcome Messages
    Displaying Messages Using message.txt Files
    Using README Messages
    Configuring FTP Logging Settings
    Configuring FTP Advanced Settings
    Starting FTP Service
    Permitting Anonymous User Access
    Creating an Uploads Folder for Anonymous Users
    Changing the User Environment
    Changing the FTP Root Folder
    Managing FTP Service
    Checking FTP Service Status
    Viewing the FTP Service Log
    Viewing FTP Graphs
    Viewing FTP Connections
    Stopping FTP Service

Chapter 8  Solving Problems
    Problems with Share Points
    If Users Can't Access Shared Optical Media
    If Users Can't Access External Volumes Using Server Admin
    If Users Can't Find a Shared Item
    If Users Can't Open Their Home Folder
    If Users Can't Find a Volume or Folder to Use as a Share Point
    If Users Can't See the Contents of a Share Point
    Problems with AFP Service
    If Users Can't Find the AFP Server
    If Users Can't Connect to the AFP Server
    If Users Don't See the Login Greeting
    Problems with SMB Service
    If Windows Users Can't See the Windows Server in Network Neighborhood
    If Users Can't Log In to the Windows Server
    Problems with NFS Service
    Problems with FTP Service
    If FTP Connections Are Refused
    If Clients Can't Connect to the FTP Server
    If Anonymous FTP Users Can't Connect
    Problems with IP Failover
    If IP Failover Does Not Occur
    If IP Failover Mail Notifications Are Not Working
    If You Are Still Having Problems After Failover Occurs

Glossary
Index
Preface: About This Guide
This guide describes how to configure and use file services with Mac OS X Server.
File sharing requires file server administrators to manage user privileges for all shared folders and files. Configuring Mac OS X Server as a file server offers you reliable high-performance file sharing using native protocols for Mac, Windows, and Linux workgroups. The server fits seamlessly into any environment, including mixed-platform networks. Mac OS X Server v10.5 delivers expanded functions of current features and introduces enhancements to support heterogeneous networks, maximize user productivity, and make file services more secure and easier to manage.
What's New in File Services
File services contain several changes and enhancements that provide ease of use and greater functionality, such as:
• Sharing functionality has been relocated to Server Admin. This combines the share point configuration with the configuration of the file service protocols in one tool.
• Spotlight is now supported in AFP. Spotlight indexing allows you to do quick searches of network volumes. You can turn on Spotlight indexing for a share point in Server Admin.
• NFS supports Kerberos authentication. Kerberos is a standard network authentication protocol used to provide secure authentication and communication over open networks.
What's in This Guide
This guide includes the following chapters:
• Chapter 1, "Understanding File Services," provides an overview of Mac OS X Server file services.
• Chapter 2, "Setting Up File Service Permissions," explains standard permissions and ACLs and discusses related security issues.
• Chapter 3, "Setting Up Share Points," describes how to share specific volumes and directories by using Apple Filing Protocol (AFP), Server Message Block (SMB)/Common Internet File System (CIFS) protocol, File Transfer Protocol (FTP), and Network File System (NFS) protocol. It also describes how to set standard and ACL permissions.
• Chapter 4, "Working with AFP Service," describes how to set up and manage AFP service in Mac OS X Server and also describes how you can set up IP Failover in Mac OS X Server.
• Chapter 5, "Working with SMB Service," describes how to set up and manage SMB service in Mac OS X Server.
• Chapter 6, "Working with NFS Service," describes how to set up and manage NFS service in Mac OS X Server.
• Chapter 7, "Working with FTP Service," describes how to set up and manage FTP service in Mac OS X Server.
• Chapter 8, "Solving Problems," lists potential solutions to common problems you might encounter while working with the file services in Mac OS X Server.
In addition, the Glossary provides brief definitions of terms used in this guide.
Note: Because Apple periodically releases new versions and updates to its software, images shown in this book may be different from what you see on your screen.
Using Onscreen Help
You can get task instructions onscreen in Help Viewer while you're managing Mac OS X Server. You can view help on a server or an administrator computer. (An administrator computer is a Mac OS X computer with Mac OS X Server administration software installed on it.)
To get help for an advanced configuration of Mac OS X Server:
Open Server Admin or Workgroup Manager and then:
• Use the Help menu to search for a task you want to perform.
• Choose Help > Server Admin Help or Help > Workgroup Manager Help to browse and search the help topics.
The onscreen help contains instructions taken from Server Administration and other advanced administration guides described in "Mac OS X Server Administration Guides," next.
Mac OS X Server Administration Guides
Getting Started covers installation and setup for standard and workgroup configurations of Mac OS X Server. For advanced configurations, Server Administration covers planning, installation, setup, and general server administration. A suite of additional guides, listed below, covers advanced planning, setup, and management of individual services. You can get these guides in PDF format from the Mac OS X Server documentation website: www.apple.com/server/documentation
This guide ... | tells you how to:
Getting Started and Installation & Setup Worksheet | Install Mac OS X Server and set it up for the first time.
Command-Line Administration | Install, set up, and manage Mac OS X Server using UNIX command-line tools and configuration files.
File Services Administration | Share selected server volumes or folders among server clients using the AFP, NFS, FTP, and SMB protocols.
iCal Service Administration | Set up and manage iCal shared calendar service.
iChat Service Administration | Set up and manage iChat instant messaging service.
Mac OS X Security Configuration | Make Mac OS X computers (clients) more secure, as required by enterprise and government customers.
Mac OS X Server Security Configuration | Make Mac OS X Server and the computer it's installed on more secure, as required by enterprise and government customers.
Mail Service Administration | Set up and manage IMAP, POP, and SMTP mail services on the server.
Network Services Administration | Set up, configure, and administer DHCP, DNS, VPN, NTP, IP firewall, NAT, and RADIUS services on the server.
Open Directory Administration | Set up and manage directory and authentication services, and configure clients to access directory services.
Podcast Producer Administration | Set up and manage Podcast Producer service to record, process, and distribute podcasts.
Print Service Administration | Host shared printers and manage their associated queues and print jobs.
QuickTime Streaming and Broadcasting Administration | Capture and encode QuickTime content. Set up and manage QuickTime streaming service to deliver media streams live or on demand.
Server Administration | Perform advanced installation and setup of server software, and manage options that apply to multiple services or to the server as a whole.
System Imaging and Software Update Administration | Use NetBoot, NetInstall, and Software Update to automate the management of operating system and other software used by client computers.
Upgrading and Migrating | Use data and service settings from an earlier version of Mac OS X Server or Windows NT.
User Management | Create and manage user accounts, groups, and computers. Set up managed preferences for Mac OS X clients.
Web Technologies Administration | Set up and manage web technologies, including web, blog, webmail, wiki, MySQL, PHP, Ruby on Rails, and WebDAV.
Xgrid Administration and High Performance Computing | Set up and manage computational clusters of Xserve systems and Mac computers.
Mac OS X Server Glossary | Learn about terms used for server and storage products.
Viewing PDF Guides on Screen
While reading the PDF version of a guide onscreen:
• Show bookmarks to see the guide's outline, and click a bookmark to jump to the corresponding section.
• Search for a word or phrase to see a list of places where it appears in the document. Click a listed place to see the page where it occurs.
• Click a cross-reference to jump to the referenced section. Click a web link to visit the website in your browser.
Printing PDF Guides
If you want to print a guide, you can take these steps to save paper and ink:
• Save ink or toner by not printing the cover page.
• Save color ink on a color printer by looking in the panes of the Print dialog for an option to print in grays or black and white.
• Reduce the bulk of the printed document and save paper by printing more than one page per sheet of paper. In the Print dialog, change Scale to 115% (155% for Getting Started). Then choose Layout from the untitled pop-up menu. If your printer supports two-sided (duplex) printing, select one of the Two-Sided options. Otherwise, choose 2 from the Pages per Sheet pop-up menu, and optionally choose Single Hairline from the Border menu. (If you're using Mac OS X v10.4 or earlier, the Scale setting is in the Page Setup dialog and the Layout settings are in the Print dialog.)
You may want to enlarge the printed pages even if you don't print double sided, because the PDF page size is smaller than standard printer paper. In the Print dialog or Page Setup dialog, try changing Scale to 115% (155% for Getting Started, which has CD-size pages).
Getting Documentation Updates
Periodically, Apple posts revised help pages and new editions of guides. Some revised help pages update the latest editions of the guides.
• To view new onscreen help topics for a server application, make sure your server or administrator computer is connected to the Internet and click "Latest help topics" or "Staying current" in the main help page for the application.
• To download the latest guides in PDF format, go to the Mac OS X Server documentation website: www.apple.com/server/documentation
Getting Additional Information
For more information, consult these resources:
• Read Me documents--important updates and special information. Look for them on the server discs.
• Mac OS X Server website (www.apple.com/server/macosx)--gateway to extensive product and technology information.
• Mac OS X Server Support website (www.apple.com/support/macosxserver)--access to hundreds of articles from Apple's support organization.
• Apple Training website (www.apple.com/training)--instructor-led and self-paced courses for honing your server administration skills.
• Apple Discussions website (discussions.apple.com)--a way to share questions, knowledge, and advice with other administrators.
• Apple Mailing Lists website (www.lists.apple.com)--subscribe to mailing lists so you can communicate with other administrators using email.
• Apple Filing Protocol (AFP) website (developer.apple.com/documentation/Networking/Conceptual/AFP)--manual describing AFP.
• Samba website (www.samba.org)--information about Samba, the open source software on which SMB service in Mac OS X Server is based.
• Common Internet File System (CIFS) website (www.ubiqx.org/cifs)--detailed description of how CIFS works.
• File Transfer Protocol (FTP) website (www.faqs.org/rfcs/rfc959.html)--home of the FTP Request for Comments (RFC) document.
• Trivial File Transfer Protocol (TFTP) website (asg.web.cmu.edu/rfc/rfc1350.html)--home of the TFTP RFC document.
Note: RFC documents provide an overview of a protocol or service that can be helpful for novice administrators, and more detailed technical information for experts. You can search for RFC documents at www.faqs.org/rfcs.
Chapter 1  Understanding File Services
This chapter provides an overview of Mac OS X Server file services.
Mac OS X Server includes several file services that help you manage and maintain your shared network resources. Understanding each service and its associated protocol helps you determine how to plan and configure your network for optimum performance and security.
Protocol Overview
File services provide a way for client computers to access and share files, applications, and other resources on a network. Each file service uses a protocol to communicate between the server and client computers. Depending on your network configuration, you can choose from the following file services:
• AFP service uses Apple Filing Protocol (AFP) to share resources with clients who use Macintosh computers.
• SMB service uses the Server Message Block/Common Internet File System (SMB/CIFS) protocol to share resources with and provide name resolutions for clients who use Windows or Windows-compatible computers.
• FTP service uses File Transfer Protocol (FTP) to share files with anyone using FTP client software.
• NFS service uses the Network File System (NFS) protocol to share files and folders with users (typically UNIX users) who have NFS client software.
After configuring your file services, you can manage your shared network resources by monitoring network activity and controlling access to each service.
Protocol Comparison
When sharing network resources, you may have more than one service turned on depending on the platforms that require access to these resources. The following table describes which service protocols are supported for each platform.
Protocol | Platform | Default Ports
AFP | Mac OS X and Mac OS X Server | 548
SMB | Mac OS X, Mac OS X Server, Windows, UNIX, and Linux | 137, 138, and 139
FTP | Mac OS X, Mac OS X Server, Windows, UNIX, and Linux | 21
NFS | Mac OS X, Mac OS X Server, Windows, UNIX, and Linux | 2049
Protocol Security Comparison
When sharing network resources, configure your server to provide the necessary security. AFP and SMB provide some level of encryption to secure password authentication. SMB does not encrypt data transmissions over the network so you should only use it on a securely configured network. FTP does not provide password or data encryption. When using this protocol, make sure your network is securely configured. Instead of using FTP, consider using the scp or sftp command-line tools. These tools securely authenticate and securely transfer files. The following table provides a comparison of the protocols and their authentication and encryption capabilities.
Protocol | Authentication | Data Encryption
AFP | Cleartext and encrypted (Kerberos) passwords. | Can be configured to encrypt all data transmission.
NFS | Encrypted (Kerberos) password and system authentication. | Can be configured to encrypt all data transmission.
SMB | Cleartext and encrypted (NTLM v1, NTLM v2, LAN Manager, and Kerberos) passwords. | Not encrypted and data is visible during transmission.
FTP | All passwords are sent as cleartext. No encryption. | All data is sent as cleartext. No encryption.
Deployment Planning
When planning your network, consider the protocols your network configuration requires. For example, if your network consists of multiplatform computers, consider using SMB and AFP services to permit access to both platforms.
Determining the Best Protocol for Your Needs
The file service protocols you use depend on your network configuration and what platforms you are supporting.
Determining Hardware Requirements for Your Needs
If you're sharing network resources with other networks or Ethernet, your firewall must permit communication through all ports associated with your service.
Planning for Outages and Failovers
When planning for outages and failovers, consider eliminating as many single points of failure throughout your network as possible. A basic example of a single point of failure would be a single computer with a single hard disk and a single power source. If you have a single computer, you can eliminate the single points of failure by:
• Configuring your computer with more disk drives using a redundant array of independent disks (RAID). By configuring a RAID you can help prevent data loss. For example, if the main disk fails, the system can still access the data from the other disk drives in the RAID.
• Connecting the power source of the computer to a backup power source.
• Providing another computer with the same configuration to eliminate the computer as the single point of failure. If you don't have another computer, you can configure your computer to automatically reboot on power failure. This ensures your computer will reboot as soon as power is restored.
You can also help diminish the possibility of failure by ensuring that your equipment has proper operational conditions (for example, adequate temperature and humidity levels). A more advanced method of eliminating a single point of failure would involve link aggregation, load balancing, Open Directory replication, data backup, and using Xserve and RAID devices. For more information about these topics, see Xgrid Administration and High Performance Computing.
Chapter 2  Setting Up File Service Permissions
This chapter explains standard permissions and Access Control Lists (ACLs), and discusses related security issues.
An important aspect of computer security is the granting and denying of permissions. A permission is the ability to perform a specific operation, such as gaining access to data or executing code. Permissions are granted at the level of folders, subfolders, files, or applications. Use Server Admin to set up file service permissions. In this guide, the term privileges refers to the combination of ownership and permissions, while the term permissions refers to the permission settings that each user category can have (Read & Write, Read Only, Write Only, and None).
Permissions in the Mac OS X Environment
If you're new to Mac OS X and are not familiar with UNIX, there are differences in the way ownership and permissions are handled compared to Mac OS 9. To increase security and reliability, Mac OS X sets many system folders, such as /Library/, to be owned by the root user (literally, a user named root). Files and folders owned by root can't be changed or deleted by you unless you're logged in as root. Be careful--there are few restrictions on what you can do when you log in as root, and changing system data can cause problems. An alternative to logging in as root is to use the sudo command. Note: The Finder calls the root user system. By default, files and folders are owned by the user who creates them. After they're created, items keep their privileges (a combination of ownership and permissions) even when moved, unless the privileges are explicitly changed by their owners or an administrator.
Therefore, new files and folders you create are not accessible by client users if they are created in a folder that the users don't have privileges for. When setting up share points, make sure that items have the correct access privileges for the users you want to share them with.
Kinds of Permissions
Mac OS X Server supports two kinds of file and folder permissions:
• Standard Portable Operating System Interface (POSIX) permissions
• Access Control Lists (ACLs)
Standard POSIX permissions enable you to control access to files and folders based on three categories of users: Owner, Group, and Others. Although these permissions give you adequate control over who can access a file or a folder, they lack the flexibility and granularity that many organizations require to deal with elaborate user environments. This is where ACLs come in handy. An ACL provides an extended set of permissions for a file or folder and enables you to set multiple users and groups as owners. In addition, ACLs are compatible with Windows Server 2003 and Windows XP, giving you added flexibility in a multiplatform environment.
Standard Permissions
There are four types of standard POSIX access permissions that you can assign to a share point, folder, or file: Read & Write, Read Only, Write Only, and None. The table below shows how these permissions affect user access to different types of shared items (files, folders, and share points).
Users can | Read & Write | Read Only | Write Only | None
Open a shared file | Yes | Yes | No | No
Copy a shared file | Yes | Yes | No | No
Open a shared folder or share point | Yes | Yes | No | No
Copy a shared folder or share point | Yes | Yes | No | No
Edit a shared file | Yes | No | No | No
Move items to a shared folder or share point | Yes | No | Yes | No
Move items from a shared folder or share point | Yes | No | No | No
Note: QuickTime Streaming Server (QTSS) and WebDAV have separate permissions settings. For information about QTSS, see the QTSS online help and the QuickTime website (www.apple.com/quicktime/products/qtss). You'll find information about Web permissions in Web Technologies Administration.
Explicit Permissions
Share points and the shared items they contain (including folders and files) have separate permissions. If you move an item to a different folder, it retains its permissions and doesn't adopt the permissions of the folder where you moved it. In the following illustration, the second folder (Designs) and the third folder (Documents) were assigned permissions that are different from those of their parent folders:
    Engineering (Read & Write)
        Designs (Read Only)
            Documents (Read & Write)
When ACLs are not enabled, you can also set up an AFP or SMB share point so new files and folders inherit the permissions of their parent folder. See "Changing AFP Settings for a Share Point" on page 41, or "Changing SMB Settings for a Share Point" on page 42.
The User Categories Owner, Group, and Others
You can assign standard POSIX access permissions separately to three categories of users:
• Owner--A user who creates an item (file or folder) on the file server is its owner and automatically has Read & Write permissions for that folder. By default, the owner of an item and the server administrator are the only users who can change its access privileges (enable a group or others to use the item). The administrator can also transfer ownership of the shared item to another user.
Note: When you copy an item to a drop box on an Apple file server, ownership of the item doesn't change. Only the owner of the drop box or root has access to its contents.
• Group--You can put users who need the same access to files and folders in group accounts. Only one group can be assigned access permissions to a shared item. For more information about creating groups, see User Management.
• Others--Others is any user (registered user or guest) who can log in to the file server.
Hierarchy of Permissions
If a user is included in more than one category of users, each of which has different permissions, these rules apply:
• Group permissions override Others permissions.
• Owner permissions override Group permissions.
For example, when a user is both the owner of a shared item and a member of the group assigned to it, the user has the permissions assigned to the owner.
Client Users and Permissions
Users of AppleShare Client software can set access privileges for files and folders they own. Users who use Windows file sharing services can also set access privileges.
Standard Permission Propagation
Server Admin lets you specify which standard permissions to propagate. For example, you can propagate only the permission for Others to all descendants of a folder, and leave the permissions for Owner and Group unchanged. For more information, see "Propagating Permissions" on page 53.
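The following Python model is an added illustration, not code from Apple's guide. It encodes the "Users can" table from "Standard Permissions" together with the hierarchy rules above, so you can see the consequence the rules imply but the text does not spell out: the category that applies is selected, not merged, so a group member whose group has None is locked out of a drop box that guests can still drop into, and an owner set to Read Only gets less than their own group. User, group and item names are constructed sample data.

```python
"""Model of the standard (POSIX) share point permissions described in this chapter.

Encodes the four permission levels (Read & Write, Read Only, Write Only, None),
what each lets a user do with shared files, folders and share points, and the
hierarchy that picks the category when a user falls into more than one
(Owner overrides Group, Group overrides Others). Sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Permission levels as Server Admin names them.
READ_WRITE = "Read & Write"
READ_ONLY = "Read Only"
WRITE_ONLY = "Write Only"
NONE = "None"

# Operations from the guide's "Users can ..." table.
OPEN_FILE = "open a shared file"
COPY_FILE = "copy a shared file"
OPEN_FOLDER = "open a shared folder or share point"
COPY_FOLDER = "copy a shared folder or share point"
EDIT_FILE = "edit a shared file"
MOVE_IN = "move items to a shared folder or share point"
MOVE_OUT = "move items from a shared folder or share point"
ALL_OPERATIONS = frozenset({OPEN_FILE, COPY_FILE, OPEN_FOLDER, COPY_FOLDER,
                            EDIT_FILE, MOVE_IN, MOVE_OUT})

# Column-by-column transcription of the table: which operations each level allows.
ALLOWED: Dict[str, FrozenSet[str]] = {
    READ_WRITE: ALL_OPERATIONS,
    READ_ONLY: frozenset({OPEN_FILE, COPY_FILE, OPEN_FOLDER, COPY_FOLDER}),
    WRITE_ONLY: frozenset({MOVE_IN}),   # drop-box behaviour: put items in, never look
    NONE: frozenset(),
}


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class SharedItem:
    """A share point, folder or file: its owner, its single group, and the
    permission level assigned to each of the three user categories."""
    name: str
    owner: str
    group: str
    owner_perm: str
    group_perm: str
    others_perm: str


def category_for(user: User, item: SharedItem) -> str:
    """Return the one category whose permissions apply to this user.

    Owner overrides Group, Group overrides Others: the first matching
    category wins and the levels are never combined.
    """
    if user.name == item.owner:
        return "Owner"
    if item.group in user.groups:
        return "Group"
    return "Others"


def effective_permission(user: User, item: SharedItem) -> str:
    """Permission level the user actually gets on the item."""
    level = {"Owner": item.owner_perm,
             "Group": item.group_perm,
             "Others": item.others_perm}
    return level[category_for(user, item)]


def can(user: User, item: SharedItem, operation: str) -> bool:
    """True if the user's effective permission level allows the operation."""
    if operation not in ALL_OPERATIONS:
        raise ValueError(f"unknown operation: {operation!r}")
    return operation in ALLOWED[effective_permission(user, item)]


def audit(items: List[SharedItem]) -> List[str]:
    """Defender-side check: list items that the Others category (any user who
    can log in, guests included when guest access is on) may read or change."""
    findings = []
    for item in items:
        if item.others_perm == READ_WRITE:
            findings.append(f"{item.name}: Others have Read & Write")
        elif item.others_perm == READ_ONLY:
            findings.append(f"{item.name}: Others can read")
    return findings


if __name__ == "__main__":
    # Constructed sample data: a drop box (owner full access, group None,
    # Others Write Only) and a folder whose owner was set to Read Only.
    drop_box = SharedItem("Drop Box", "alice", "staff", READ_WRITE, NONE, WRITE_ONLY)
    specs = SharedItem("Specs", "carol", "eng", READ_ONLY, READ_WRITE, NONE)
    guest = User("guest")
    bob = User("bob", frozenset({"staff"}))
    carol = User("carol", frozenset({"eng"}))
    print(effective_permission(guest, drop_box), can(guest, drop_box, MOVE_IN))
    print(effective_permission(bob, drop_box))    # Group (None) overrides Others (Write Only)
    print(effective_permission(carol, specs))     # Owner (Read Only) overrides Group (Read & Write)
    print(audit([drop_box, specs]))
```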
ACLs
When standard POSIX permissions are not enough, use access control lists (ACLs). An ACL is a list of access control entries (ACEs), each specifying the permissions to be granted or denied to a group or user and how these permissions are propagated throughout a folder hierarchy. ACLs in Mac OS X Server enable you to set file and folder access permissions to multiple users and groups in addition to standard POSIX permissions. This makes it easy to set up collaborative environments with smooth file sharing and uninterrupted workflows, without compromising security. ACLs provide an extended set of permissions for a file or folder to give you more granularity when assigning privileges than standard permissions would provide. For example, rather than giving a user full writing permissions, you can restrict him or her to create only folders and not files. Apple's ACL model supports 13 permissions for controlling access to files and folders, as described in the following table.
Permission name | Type | Description
Change Permissions | Administration | User can change standard permissions.
Take Ownership | Administration | User can change the file's or folder's ownership to himself or herself.
Read Attributes | Read | User can view the file's or folder's attributes (for example, name, date, and size).
Read Extended Attributes | Read | User can view the file's or folder's attributes added by third-party developers.
List Folder Contents (Read Data) | Read | User can list folder contents and read files.
Traverse Folder (Execute File) | Read | User can open subfolders and run a program.
Read Permissions | Read | User can view the file's or folder's standard permissions using the Get Info or Terminal commands.
Write Attributes | Write | User can change the file's or folder's standard attributes.
Write Extended Attributes | Write | User can change the file's or folder's other attributes.
Create Files (Write Data) | Write | User can create files and change files.
Create Folder (Append Data) | Write | User can create subfolders and add data to files.
Delete | Write | User can delete the file or folder.
Delete Subfolders and Files | Write | User can delete subfolders and files.
In addition to these permissions, the Apple ACL model defines four types of inheritance that specify how these permissions are propagated:
• Apply to this folder: Apply (Administration, Read, and Write) permissions to this folder.
• Apply to child folders: Apply permissions to subfolders.
• Apply to child files: Apply permissions to the files in this folder.
• Apply to all descendants: Apply permissions to all descendants. To learn how this option works with the previous two, see "Understanding Inheritance" on page 25.

The ACL Use Model

The ACL use model focuses on access control at the folder level, with most ACLs applied to files as the result of inheritance. Folder-level control determines which users have access to the contents of a folder; inheritance determines how a defined set of permissions and rules pass from the container to the objects in it. Without use of this model, administration of access control would quickly become a nightmare: you would need to create and manage ACLs on thousands or millions of files. In addition, controlling access to files through inheritance frees applications from maintaining extended attributes or explicit ACEs when saving a file because the system automatically applies inherited ACEs to files. For information about explicit ACEs, see "Explicit and Inherited ACEs" on page 25.
ACLs and Standard Permissions

You can set ACL permissions for files and folders in addition to standard permissions. For more information about how Mac OS X Server uses ACL and standard permissions to determine what users can and cannot do to a file or folder, see "Rules of Precedence" on page 28.

ACL Management

In Mac OS X Server, you create and manage ACLs in the Permissions pane of File Sharing in Server Admin. The Get Info window in Finder displays the logged-in user's effective permissions. For information about setting up and managing ACLs, see "Setting ACL Permissions" on page 40 and "Managing Share Point Access Privileges" on page 50. In addition to using Server Admin to set and view ACL permissions, you can also use the command-line tools ls and chmod. For more information, see the corresponding man pages and Command-Line Administration. You define ACLs for share points, files, and folders using Server Admin.
Supported Volume Formats and Protocols
Only HFS+ provides local file system support for ACLs. In addition, only SMB and AFP provide network file system support for ACLs in Windows and Apple networks respectively.
Access Control Entries (ACEs)
An access control entry (ACE) is an entry in an ACL that specifies, for a group or a user, access permissions to a file or folder, and the rules of inheritance.
What's Stored in an ACE
An ACE contains the following fields:
• User or Group. An ACE stores a universally unique ID for a group or user, which permits unambiguous resolution of identity.
• Type. An ACE supports two permission types, Allow and Deny, which determine whether permissions are granted or denied in Server Admin.
• Permission. This field stores the settings for the 13 permissions supported by the Apple ACL model.
• Inherited. This field specifies whether the ACE is inherited from the parent folder.
• Applies To. This field specifies what the ACE permission is for.
Explicit and Inherited ACEs
Server Admin supports two types of ACEs:
• Explicit ACEs, which are those you create in an ACL. See "Adding ACEs to ACLs" on page 51.
• Inherited ACEs, which are ACEs you created for a parent folder that were inherited by a descendant file or folder.
Note: Inherited ACEs cannot be edited unless you make them explicit. Server Admin enables you to convert an inherited ACE to an explicit ACE. For more information, see "Changing the Inherited ACEs for a Folder to Explicit" on page 53.
Understanding Inheritance
ACL inheritance lets you determine how permissions pass from a folder to its descendants.

The Apple ACL Inheritance Model

The Apple ACL inheritance model defines four options that you select or deselect in Server Admin to control the application of ACEs (in other words, how to propagate permissions through a folder hierarchy):

Inheritance option | Description
Apply to this folder | Apply (Administration, Read, and Write) permissions to this folder
Apply to child folders | Apply permissions to subfolders
Apply to child files | Apply permissions to the files in this folder
Apply to all descendants | Apply permissions to all descendants (see note)

Note: If you want an ACE to apply to all descendants without exception, you must select the "Apply to child folders" and "Apply to child files" options in addition to "Apply to all descendants". For more information, see "ACL Inheritance Combination" on page 27.
Mac OS X Server propagates ACL permissions at two well-defined times:
• By the kernel at file or folder creation time: when you create a file or folder, the kernel determines what permissions the file or folder inherits from its parent folder.
• When initiated by administrator tools: for example, when using the Propagate Permissions option in Server Admin.
The figure (not reproduced here) shows how Server Admin propagates two ACEs (managers and design_team) after ACE creation. In the figure, bold text represents an explicit ACE and regular text an inherited ACE. The folders shown and the ACEs on each are: Jupiter (managers); Docs (managers); Design (managers, design_team); Notes (managers); Projects (managers); Spec (managers, design_team); Lander (managers, lander_team); Model (managers, lander_team).
ACL Inheritance Combination

When you set inheritance options for an ACE in Server Admin, you can choose from 12 unique inheritance combinations of the four options (Apply to this folder, Apply to child folders, Apply to child files, Apply to all descendants) for propagating ACL permissions. (The manual tabulates the 12 valid combinations; the checkbox columns of that table did not survive extraction and are not reproduced here.)
ACL Permission Propagation

Server Admin provides a feature that lets you force the propagation of ACLs. Although this is done automatically by Server Admin, there are cases when you may want to manually propagate permissions:
• You can propagate permissions to handle exceptions. For example, you might want ACLs to apply to all descendants except for a subtree of your folder hierarchy. In this case, you define ACEs for the root folder and set them to propagate to all descendants. Then, you select the root folder of the subtree and propagate permissions to remove the ACLs from all descendants of that subtree. (The manual illustrates this with a figure, not reproduced here, in which the items shown in white had their ACLs removed by manually propagating ACLs.)
• You can propagate permissions to reapply inheritance in cases where you removed a folder's ACLs and decided to reapply them.
• You can propagate permissions to clear all ACLs at once instead of having to go through a folder hierarchy and manually remove ACEs.
• When you propagate permissions, the permissions of bundles and root-owned files and folders are not changed.
For more information about how to manually propagate permissions, see "Propagating Permissions" on page 53.
Rules of Precedence
Mac OS X Server uses the following rules to control access to files and folders:
• Without ACEs, POSIX permissions apply. If a file or folder has no ACEs defined for it, Mac OS X Server applies standard POSIX permissions.
• With ACEs, order is important. If a file or folder has one or more ACEs defined for it, Mac OS X Server starts with the first ACE in the ACL and works its way down the list until the requested permission is satisfied or denied. The ACE order can be changed from the command line using the chmod command.
• Deny permissions override other permissions. When you add ACEs, Server Admin lists Deny permissions above Allow permissions because Deny permissions have precedence over Allow permissions. When evaluating permissions, if Mac OS X Server finds a Deny permission, it ignores remaining permissions the user has in the same ACL and applies the Deny permission.
For example, if you add an ACE for the user Mei and enable her reading permissions and then add another ACE for a group in which Mei is a member and deny the group reading permissions, Server Admin reorders the permissions so that the Deny permission is above the Allow permission. The result is that Mac OS X Server applies the Deny permission for Mei's group and ignores the Allow permission for Mei.
• Allow permissions are cumulative. When evaluating Allow permissions for a user in an ACL, Mac OS X Server defines the user's permissions as the union of all permissions assigned to the user, including standard POSIX permissions.
After evaluating ACEs, Mac OS X Server evaluates the standard POSIX permissions defined on the file or folder. Then, based on the evaluation of ACL and standard POSIX permissions, Mac OS X Server determines what type of access a user has to a shared file or folder.
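The following is an added example, not code from the manual or from Apple: a small Python model of the two mechanisms described above, kernel-time inheritance ("Understanding Inheritance") and the rules of precedence. ACEs are written in the keyword syntax that `ls -le` prints and `chmod +a` accepts on Mac OS X (list, search, add_file, file_inherit, and so on). The mapping of the four Server Admin inheritance checkboxes onto the chmod keywords, the users, groups, the share point path and the sample ACL are all assumptions constructed for illustration.

```python
"""Model of Mac OS X Server ACL inheritance and the rules of precedence.
Added example, not code from the Apple manual. ACEs are written in the
keyword syntax that `ls -le` prints and `chmod +a` accepts on Mac OS X;
users, groups, paths and sample ACLs below are constructed for illustration."""
from dataclasses import dataclass

# chmod(1)/ls -le keywords for the 13 permissions, grouped as in the table above.
RIGHTS = frozenset({
    "writesecurity", "chown",                                     # Administration
    "readattr", "readextattr", "list", "search", "readsecurity",  # Read
    "writeattr", "writeextattr", "add_file", "add_subdirectory",  # Write
    "delete", "delete_child",
})
# Inheritance keywords. Assumed mapping to Server Admin: "Apply to child
# folders" = directory_inherit, "Apply to child files" = file_inherit,
# "Apply to this folder" unchecked = only_inherit, "Apply to all
# descendants" unchecked = limit_inherit.
INHERIT_FLAGS = frozenset({"file_inherit", "directory_inherit", "limit_inherit", "only_inherit"})
# Rough POSIX equivalents, used only when no ACE decides a right.
POSIX_CLASS = {"r": {"list", "readattr", "readextattr", "readsecurity"},
               "w": {"add_file", "add_subdirectory", "delete_child", "delete",
                     "writeattr", "writeextattr"},
               "x": {"search"}}

@dataclass(frozen=True)
class ACE:
    kind: str           # "user" or "group"
    name: str
    verb: str           # "allow" or "deny"
    rights: frozenset
    flags: frozenset = frozenset()
    inherited: bool = False

def parse_ace(line: str) -> ACE:
    """Parse one `ls -le` entry, e.g.
    ' 1: group:design_team inherited allow list,search,file_inherit'."""
    body = line.strip()
    if body.split(":", 1)[0].isdigit():           # drop the leading ' 1:' index
        body = body.split(":", 1)[1].strip()
    tokens = body.split()
    inherited = "inherited" in tokens
    if inherited:
        tokens.remove("inherited")
    principal, verb, words = tokens
    kind, name = principal.split(":", 1)
    parts = set(words.split(","))
    if verb not in ("allow", "deny") or kind not in ("user", "group") \
            or parts - RIGHTS - INHERIT_FLAGS:
        raise ValueError(f"unrecognised ACE: {line!r}")
    return ACE(kind, name, verb, frozenset(parts & RIGHTS),
               frozenset(parts & INHERIT_FLAGS), inherited)

def applies_to_self(ace: ACE) -> bool:
    """An ACE with only_inherit does not govern the folder it sits on."""
    return "only_inherit" not in ace.flags

def inherit(parent_acl, child_is_dir: bool):
    """What the kernel copies onto a new child of a folder at creation time."""
    out = []
    for ace in parent_acl:
        if ("directory_inherit" if child_is_dir else "file_inherit") not in ace.flags:
            continue
        flags = set(ace.flags) - {"only_inherit"}  # the child itself is now covered
        if not child_is_dir or "limit_inherit" in ace.flags:
            flags -= INHERIT_FLAGS  # files have no descendants; limit_inherit stops here
        out.append(ACE(ace.kind, ace.name, ace.verb, ace.rights, frozenset(flags), True))
    return out

def matches(ace: ACE, user: str, groups) -> bool:
    return (ace.kind == "user" and ace.name == user) or \
           (ace.kind == "group" and ace.name in groups)

def posix_allows(mode: str, is_owner: bool, in_group: bool, right: str) -> bool:
    """Standard permissions; mode is the 9-character string such as 'rwxr-x---'."""
    if right in ("chown", "writesecurity"):
        return is_owner            # only the owner (or root) changes ownership/permissions
    triplet = mode[0:3] if is_owner else mode[3:6] if in_group else mode[6:9]
    bit = next(b for b, rights in POSIX_CLASS.items() if right in rights)
    return bit in triplet

def effective(acl, mode, owner, group, user, groups, right) -> bool:
    """Rules of precedence: walk the ACL in order; the first ACE that matches the
    user and mentions the right decides, so a Deny placed first beats any later
    Allow; only if no ACE decides do the POSIX bits apply."""
    for ace in acl:
        if applies_to_self(ace) and matches(ace, user, groups) and right in ace.rights:
            return ace.verb == "allow"
    return posix_allows(mode, user == owner, group in groups, right)

# Constructed ACL on a hypothetical /Volumes/Data/Projects share point, in the
# order Server Admin keeps it (Deny entries above Allow entries).
PROJECTS_ACL = [parse_ace(l) for l in (
    " 0: group:contractors deny list,search,file_inherit,directory_inherit",
    " 1: user:mei allow list,search,add_file,add_subdirectory,file_inherit,directory_inherit",
    " 2: group:design_team allow list,search,add_file,add_subdirectory,delete_child,"
    "file_inherit,directory_inherit,limit_inherit",
)]
PROJECTS_MODE, OWNER, GROUP = "rwxr-x---", "localadmin", "admin"

def mei_can(right: str) -> bool:
    """Mei has an explicit Allow but is also a contractor: the Deny ordered first wins
    for the rights it names (list, search); add_file still comes from her Allow."""
    return effective(PROJECTS_ACL, PROJECTS_MODE, OWNER, GROUP, "mei", {"contractors"}, right)

if __name__ == "__main__":
    print("mei list:", mei_can("list"), "add_file:", mei_can("add_file"))
    sub = inherit(PROJECTS_ACL, child_is_dir=True)
    print("subfolder inherits", len(sub), "ACEs; a grandchild folder gets",
          len(inherit(sub, child_is_dir=True)))
```

Two things the model makes visible that the prose does not: a Deny only removes the rights it actually names (Mei keeps add_file from her Allow), and an ACE carrying limit_inherit ("Apply to all descendants" unchecked) reaches a subfolder but arrives there stripped of its inheritance flags, so the grandchild folder never sees it. The Effective Permission Inspector in Server Admin is the authoritative check; this model is for reasoning about what it should report.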
Tips and Advice
Mac OS X Server combines traditional POSIX permissions with ACLs. This combination provides great flexibility and a fine level of granularity in controlling access to files and folders. However, if you're not careful in how you assign privileges, it'll be very hard for you to keep track of how permissions are assigned.
Note: With 17 permissions (the 13 access permissions plus the 4 inheritance options), you can choose from a staggering 98,304 combinations: 2^13 settings of the access permissions times the 12 valid inheritance combinations. Add to that a sophisticated folder hierarchy, many users and groups, and many exceptions, and you have a recipe for considerable confusion. This section offers useful tips and advice to help you get the most out of access control in Mac OS X Server and avoid the pitfalls.

Manage Permissions at the Group Level

Assign permissions to groups first, and assign permissions to individual users only when there is an exception. For example, you can assign all teachers in a school district Read and Write permissions to a certain share point, but deny Anne Johnson, a temporary teacher, permission to read a certain folder in the share point's folder hierarchy. Using groups is the most efficient way of assigning permissions. After creating groups and assigning them permissions, you can add and remove users from groups without reassigning permissions.

Gradually Add Permissions

Assign only necessary permissions and then add permissions only when needed. As long as you're using Allow permissions, Mac OS X Server combines the permissions. For example, you can assign the Students group partial reading permissions on an entire share point. Then, where needed in the folder hierarchy, you can give the group more reading and writing permissions.
Use the Deny Rule Only When Necessary

When Mac OS X Server encounters a Deny permission, it stops evaluating other permissions the user might have for a file or folder and applies the Deny permission. Therefore, use Deny permissions only when absolutely necessary. Keep a record of these Deny permissions so that you can delete them when they are not needed.

Always Propagate Permissions

Inheritance is a powerful feature, so take advantage of it. By propagating permissions down a folder hierarchy, you save yourself the time and effort required to manually assign permissions to descendants.

Use the Effective Permission Inspector

Frequently use the Effective Permission Inspector to make sure users have the correct access to important resources. This is especially important after changing ACLs. Sometimes, you might inadvertently give someone more or fewer permissions than needed. The inspector helps you detect these cases. For more information about the inspector, see "Determining a User's File or Folder Permissions" on page 55.

Protect Applications from Being Modified

If you are sharing applications, make sure you set permissions for applications so that no one, except a trusted few, can change them. A writable shared application is a vulnerability that attackers can exploit to introduce viruses or Trojan horses into your environment.

Keep It Simple

You can unnecessarily complicate file access management if you're not careful. Keep it simple. If standard POSIX permissions do the job, use those, but if you must use ACLs, avoid customizing permissions unless you need to. Also, use simple folder hierarchies when feasible. A little strategic planning can help you create effective and manageable shared hierarchies.
Common Folder Configurations
When sharing files and folders between computers, custom permissions can be set to grant or restrict access to those files and folders. Before you begin setting custom file and folder permissions, you might want to investigate how the file and folder will be shared, who has access, and what type of access you want users to have. A recommended way to manage file and folder permissions is to create groups of users who share the same privileges.
Depending on your network environment you can use either POSIX, ACL, or both to manage file or folder access. The following table shows examples of the POSIX permissions and the ACL permissions necessary to configure some common folder sharing settings.
Folder | ACL | POSIX
Drop box | Everyone, Permission Type: Allow. Select the following checkboxes: Traverse Folder, Create Files, Create Folder, all inheritance options. | Owner: read, write, execute; Group: read, write, execute; Other: write. For example: drwxrwx-w-. Set the owner to root or localadmin and set the group to admin.
Backup share | Permission Type: Allow. Select the following checkboxes: List Folder Contents, Create Files, Create Folder. Permission Type: Deny. Select Delete, with Apply to this folder and Apply to all descendants. | Owner: read, write, execute; Group: read, write, execute; Other: no permissions. For example: drwxrwx---. Set the owner to root and set the group to admin.
Home folder | (standard permissions only) | Owner: read, write, execute; Group: read only; Other: read only. For example: drwxr--r--.

Note: For a folder, the execute bit is the Traverse Folder permission. With drwxrwx-w-, Others can place items in the drop box but cannot list or open what is inside it; with drwxr--r--, group members and others can list the names in the home folder but cannot open the folder or anything inside it.
File Services Access Control
Server Admin in Mac OS X Server enables you to configure service access control lists (SACLs), which enable you to specify which users and groups have access to AFP, FTP, and SMB file services. Using SACLs enables you to add another layer of access control on top of standard POSIX and ACL permissions. Only users and groups listed in a SACL have access to its corresponding service. For example, if you want to prevent users from accessing a server's AFP share points, including home folders, remove the users from the AFP service's SACL. For information about restricting access to file services using SACLs, see "Setting SACL Permissions" on page 62.
Customizing Shared Network Resources
The Network folder (/Network/), accessible from the Mac OS X Finder sidebar, contains shared network resources. You can customize the contents of the Network folder for client computers by setting up automatically mounting share points.
Share Points in the Network Folder
By default, the Network folder contains at least these subfolders:
• Applications
• Library
• Servers
You can mount share points in any of these subfolders. For more information, see "Automatically Mounting Share Points for Clients" on page 47. More servers and shared items are added as they are discovered on your network.
Adding System Resources to the Network Library Folder
The Library folder, located in /Network/, is included in the system search path. This gives you the ability to make any type of system resource (usually found in the local Library folder) available on the network. These resources could include fonts, application preferences, ColorSync profiles, desktop pictures, and so forth. You can use this capability to customize your managed client environment. For example, suppose you want a specific set of fonts to be available to each user in an Open Directory domain. You would create a share point containing the fonts and then set the share point to mount automatically as a shared library on client computers in /Network/Library/Fonts/. For more information, see "Automatically Mounting Share Points for Clients" on page 47.
Security Considerations
The most effective method of securing your network is to assign correct privileges for each file, folder, and share point you create.
Restricting Access to File Services
As stated in "File Services Access Control" on page 31, you can use Service Access Control Lists (SACLs) to restrict access to AFP, FTP, and SMB services.
Restricting Access to Everyone
Be careful when creating and granting access to share points, especially if you're connected to the Internet. Granting access to Everyone, or to World (in NFS service), could expose your data to anyone on the Internet. For NFS, it is recommended that you do not export volumes to World and that you use Kerberos to provide security of NFS volumes.
Restricting Access to NFS Share Points
NFS share points without the use of Kerberos don't have the same level of security as AFP and SMB, which require user authentication (entering a user name and password) to gain access to a share point's contents. If you have NFS clients, you may want to set up a share point to be used only by NFS users or configure NFS with Kerberos. NFS doesn't support SACLs. For more information, see "Protocol Security Comparison" on page 16.
Restricting Guest Access
When you configure any file service, you can turn on guest access. Guests are users who connect to the server anonymously without entering a user name or password. Users who connect anonymously are restricted to files and folders that have privileges set to Everyone. To protect your information from unauthorized access, and to prevent people from introducing software that might damage your information or equipment, take the following precautions by using File Sharing in Server Admin:
• Depending on the controls you want to place on guest access to a share point, consider the following options:
  • Set privileges for Everyone to None for files and folders that guest users shouldn't access. Items with this privilege setting can be accessed only by the item's owner or group.
  • Put all files available to guests in one folder or set of folders and then assign the Read Only privilege to the Everyone category for that folder and each file in it.
  • Assign Read & Write privileges to the Everyone category for a folder only if guests must be able to change or add items in the folder. Make sure you keep a backup copy of information in this folder.
• Don't export NFS volumes to World. Restrict NFS exports to a subnet or a specific list of computers.
• Disable access to guests or anonymous users over AFP, FTP, and SMB using Server Admin.
• Share individual folders instead of entire volumes. The folders should contain only those items you want to share.
3 Setting Up Share Points
This chapter describes how to share specific volumes and directories by using AFP, SMB, FTP, and NFS, and it shows how to set standard and ACL permissions.
You use File Sharing in Server Admin to share information with clients of Mac OS X Server and to control access to shared information by assigning access privileges. To share folders or volumes on the server, set up share points. A share point is a folder, hard disk, hard disk partition, CD, or DVD whose files are available for access across a network. It's the point of access at the top level of a hierarchy of shared items. Users with access privileges to share points see them as volumes mounted on their desktops or in their Finder windows.
Share Points and the Mac OS X Network Folder
If you configure your computer to connect to LDAP directory domains and you set it with specific data mappings, you can control the access and availability of network services by using Server Admin to:
• Identify share points and shared domains that you want to mount automatically in a user's /Network/ folder, accessible by clicking Network in the Finder sidebar.
• Add user records and group records (as defined in Workgroup Manager) and configure their access.
When configuring share points, you must define the users or groups that will access the share points. You can use Workgroup Manager to:
• Define user and group records and configure their settings.
• Define lists of computers that have the same preference settings and that are available to the same users and groups.
For more information about configuring users and groups, see User Management.
Automounting
You can configure client computers to automatically mount share points. These share points can be static or dynamic:
• Static share points are mounted on demand. You can assign statically mounted share points to specific folders.
• Dynamic share points are mounted on demand and are in the /Network/Servers/server_name/ folder.
Share Points and Network Home Folders
Network authenticated users can have their home folder stored locally on the client computer they are using or on a network server. Network home folders are an extension of simple automounts. A home folder share point is mounted when the user logs in, and provides the user the same environment to store files as if the folders were on the local computer. The benefit of network home folders is that they can be accessed by any client computer that logs in to a specific server that provides network home folder services for that user. For more information, see "Network Home Folders" on page 38.
Setup Overview
You use File Sharing in Server Admin to create share points and set privileges for them. Here is an overview of the basic steps for setting up share points:

Step 1: Read "Before Setting Up a Share Point"
For issues you should consider before sharing information about your network, read "Before Setting Up a Share Point" on page 37.

Step 2: Locate or create the information you want to share
Decide which volumes, partitions, or folders you want to share. You may want to move folders and files to different locations before setting up the share point. You may want to partition a disk into volumes so you can give each volume different access privileges or create folders that have different levels of access. See "Shared Information Organization" on page 38.

Step 3: Set up share points and set privileges
When you designate an item to be a share point, you also set its privileges. You create share points and set privileges using File Sharing in Server Admin. See "Setting Up a Share Point" on page 39.
Step 4: Turn specific file services on For users to access share points, you must turn on the required Mac OS X Server file services. For example, if you use Apple File Protocol with your share point, you must turn on AFP service. You can share an item using more than one protocol. See Chapter 5, "Working with SMB Service," on page 93; Chapter 6, "Working with NFS Service," on page 103; or Chapter 7, "Working with FTP Service," on page 109.
Before Setting Up a Share Point
Before you set up a share point, consider the following topics:
• Client privileges
• File sharing protocols
• Shared information organization
• Security
• Network home folders
• Disk quotas
Client Privileges
Before you set up a share point, you should understand how privileges for shared items work. Determine which users need access to shared items and what permissions you want those users to have. Permissions are described in Chapter 2 (see "Kinds of Permissions" on page 20).
File Sharing Protocols
You also must know which protocols clients use to access the share points. In general, you should set up unique share points for each type of client and share them using a single protocol:
• Mac OS clients: Apple Filing Protocol (AFP)
• Windows clients: Server Message Block (SMB)
• UNIX clients: Network File System (NFS)
• FTP clients: File Transfer Protocol (FTP)
Note: With unified locking, applications can use locks to coordinate access to files even when using different protocols. This permits users working on multiple platforms to share files across AFP, SMB, and NFS protocols without worrying about file corruption caused by locking issues between protocols.
In some cases you might want to share an item using more than one protocol. For example, Mac OS and Windows users might want to share graphics or word processing files that either file protocol can use. If so, you can create a single share point that supports both platforms.
Conversely, you might want to set up share points that support a single protocol even though you have different kinds of clients. For example, if most of your clients are UNIX users and only a few are Mac OS clients, you may want to share items using only NFS to keep your setup simple. However, keep in mind that NFS doesn't provide many AFP features that Mac OS users are accustomed to, such as Spotlight searching, native ACL, and extended attribute support. Also, if you share applications or documents that are exclusively for Windows users, you can set up an SMB share point to be used only by them. This provides a single point of access for your Windows users and lets them take advantage of opportunistic and strict file locking. For more information about file locking, see "File Locking with SMB Share Points" on page 93. Note: If you enable AFP and SMB services on your server, Mac OS clients can connect to the server over AFP or SMB. If Windows users want to connect to your server over AFP, they must use third-party AFP client software.
Shared Information Organization
Organize shared information before you set up the share points, especially if you're setting up network home folders. After you create share points, users form mental maps of the organization of the share points and the items they contain. Changing share points and moving information around can cause confusion.
Security
Review the issues discussed in "Security Considerations" on page 32.
Network Home Folders
If you're setting up a share point on your server to store user home folders, keep these points in mind:
• The /Users share point is set up by default to be used for storing home folders when you install Mac OS X Server. You can use this preconfigured share point for user home folders or you can create one on a local volume.
• The Automount settings for the share point should indicate that it's used for user home folders.
• The share point should be in the same Open Directory domain where user accounts are defined.
• To provide service to all types of clients, the complete pathname of an AFP or NFS network home folder must not contain spaces and must not exceed 89 characters. For more information, see Apple Knowledge Base article 107695 at docs.info.apple.com/article.html?artnum=107695.
Disk Quotas
You can set the maximum size of a user's home folder by setting a quota on the Home pane of the user's account settings in Workgroup Manager. To set space quotas for other share points, you must use the command line. See the file services chapter of Command-Line Administration.
Setting Up a Share Point
This section describes how to create share points and set share point access privileges. It also describes how to share using specific protocols (AFP, SMB, FTP, or NFS) and how to automatically mount share points on clients' desktops. For more tasks that you might perform after you set up sharing on your server, see "Managing Share Points" on page 48.
Creating a Share Point
You use File Sharing in Server Admin to share volumes (including disks, CDs, and DVDs), partitions, and individual folders by setting up share points.
Note: Don't use a slash (/) in the name of a folder or volume you plan to share. Users trying to access the share point might have trouble seeing it.

To create a share point:
1 Open Server Admin and connect to the server.
2 Click File Sharing.
3 Click Volumes to list the available volumes to share. To create a share point of an entire volume, select the volume from the list. To share a folder within a volume, select the volume in the list and click Browse to locate and select the folder.
4 Click Share. If you must create a folder for your share point, click Browse, click New Folder, enter the name of the folder, and click Create.
5 Click Save.
By default, the new share point is shared using AFP, SMB, and FTP, but not NFS. To configure your share point for a specific protocol or to export the share point using NFS, click Protocol Options and choose the protocol. Settings specific to each protocol are described in the following sections.

From the Command Line

You can also set up a share point using the sharing command in Terminal. For more information, see the file services chapter of Command-Line Administration.
Setting Privileges
Mac OS X Server provides two methods of access control to files and folders: standard permissions and ACL permissions. These methods are described in the following sections.
Setting Standard Permissions
When you don't need the flexibility and granularity that access control lists (ACLs) provide, or in cases where ACLs are not supported, use the standard POSIX permissions (Read & Write, Read Only, Write Only, and None) to control access to a share point and its contents.
To set standard permissions on a share point:
1 Open Server Admin and connect to the server.
2 Click File Sharing.
3 Click Share Points and select the share point from the list.
4 Click Permissions below the list.
5 To set the owner or group of the shared item, enter names or drag names from the Users and Groups drawer to the owner or group records in the permissions table.
The owner and group records are listed under the POSIX heading. The owner record is the one with the single user icon and the group record is the one with the group icon. To open the drawer, click the Add (+) button. If you don't see a recently created user or group, click the Refresh button (below the Servers list).
Owner and group names can also be edited by double-clicking the proper permissions record and dragging into or typing in the User/Group field in the window that is displayed.
Note: To change the autorefresh interval, choose Server Admin > Preferences and change the value of the "Auto-refresh status every" field.
6 To change the permissions for the Owner, Group, and Others, use the Permission pop-up menu in the appropriate row of the permissions table.
Others is any user that logs in to the file server who is not the owner and does not belong to the group.
7 Click Save.
The new share point is shared using the AFP, SMB, and FTP protocols, but not NFS.
Setting ACL Permissions
To configure ACL permissions for a share point or folder, you create a list of access control entries (ACEs). For each ACE, you can set 17 permissions with Allow, Deny, and Static inheritance, so you have fine-grain control over access permissions, something that you don't have when using standard permissions. For example, you can separate delete permissions from write permissions so that a user can edit a file but cannot delete it.
To set ACL permissions on a share point or a folder:
1 Open Server Admin and connect to the server.
2 Click File Sharing.
3 Click Share Points and select the share point from the list.
4 Click Permissions below the list.
5 Open the Users and Groups drawer by clicking the Add (+) button.
6 Drag groups and users from the drawer into the ACL Permissions list to create ACEs.
By default, each new ACE gives the user or group full read and inheritance permissions. To change ACE settings, see "Editing ACEs" on page 52.
The first entry in the list takes precedence over the second, which takes precedence over the third, and so on. For example, if the first entry denies a user the right to edit a file, other ACEs that allow the same user editing permissions are ignored. In addition, the ACEs in the ACL take precedence over standard permissions. For more information about permissions, see "Rules of Precedence" on page 28.
7 To set the appropriate permissions, use the arrows in the column fields for each entry in the list.
The ACE order in the list changes depending on the level of access when the permissions are saved.
8 Click Save.
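The precedence rule above (first ACE that addresses a permission wins, and any ACE wins over POSIX) is easy to get wrong when reviewing a share point's access. The following is an added example, not code from Apple or from this manual: a simplified Python model of that evaluation using a constructed three-permission subset (read, write, delete) rather than all 17 permissions, so the "edit but not delete" case can be checked.

```python
"""Simplified model of the ACE precedence rule described in the manual."""
from dataclasses import dataclass

# Hypothetical subset of the ACE permissions Server Admin exposes; the manual
# lists 17 in total and this model keeps only three of them.
READ, WRITE, DELETE = "read", "write", "delete"


@dataclass(frozen=True)
class ACE:
    principal: str        # user or group name the entry applies to
    kind: str             # "allow" or "deny"
    perms: frozenset      # permissions this entry addresses


def posix_allows(posix, user, groups, perm):
    """Standard permissions: owner, then group, then others.

    POSIX has no separate delete right, so deleting is treated as write here.
    """
    needed = WRITE if perm == DELETE else perm
    if user == posix["owner"]:
        return needed in posix["owner_perms"]
    if posix["group"] in groups:
        return needed in posix["group_perms"]
    return needed in posix["others_perms"]


def evaluate(acl, posix, user, groups, perm):
    """Return True if `user` (a member of `groups`) may exercise `perm`.

    ACEs are walked in list order. The first entry that names the user or one
    of the user's groups AND addresses the requested permission decides,
    whether it allows or denies; later entries for that permission are
    ignored. If no ACE addresses the permission, POSIX permissions apply.
    """
    for ace in acl:
        if ace.principal != user and ace.principal not in groups:
            continue
        if perm in ace.perms:
            return ace.kind == "allow"
    return posix_allows(posix, user, groups, perm)


# Constructed sample ACL: the "editors" group may edit files but not delete.
EDIT_NOT_DELETE = [
    ACE("editors", "deny", frozenset({DELETE})),
    ACE("editors", "allow", frozenset({READ, WRITE})),
]

# Constructed POSIX settings: owner read/write, group read, others nothing.
SAMPLE_POSIX = {
    "owner": "admin", "owner_perms": {READ, WRITE},
    "group": "staff", "group_perms": {READ},
    "others_perms": set(),
}


def demo():
    """Checks of the precedence rule for user alice in the editors group."""
    alice, groups = "alice", {"editors"}
    can_write = evaluate(EDIT_NOT_DELETE, SAMPLE_POSIX, alice, groups, WRITE)
    can_delete = evaluate(EDIT_NOT_DELETE, SAMPLE_POSIX, alice, groups, DELETE)
    # A deny listed first beats an allow listed later for the same permission.
    deny_first = [ACE("alice", "deny", frozenset({WRITE}))] + EDIT_NOT_DELETE
    write_after_deny = evaluate(deny_first, SAMPLE_POSIX, alice, groups, WRITE)
    # No ACE addresses read for bob, so POSIX "others" (nothing) applies.
    bob_read = evaluate(EDIT_NOT_DELETE, SAMPLE_POSIX, "bob", set(), READ)
    return can_write, can_delete, write_after_deny, bob_read


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```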
Changing AFP Settings for a Share Point
You can use Server Admin to choose whether a share point is available through AFP and to change settings such as the share point name that AFP clients see and whether guest access is permitted. The default settings for a new share point should make it readily accessible to Mac OS 8, Mac OS 9, and Mac OS X clients.
To change the settings of an AFP share point:
1 Open Server Admin and connect to the server.
2 Click File Sharing.
3 Click Share Points and select the share point from the list.
4 Click Share Point below the list.
5 Click Protocol Options.
This opens the protocol window with configuration options for AFP, SMB, FTP, and NFS protocols.
6 Click AFP.
7 Provide AFP access to the share point by selecting "Share this item using AFP."
8 Permit unregistered users to access the share point by selecting "Allow AFP guest access."
For greater security, don't select this item.
9 To change the name that clients see when they browse for and connect to the share point using AFP, enter a name in the "Custom AFP name" field.
Changing the custom AFP name does not affect the name of the share point itself, only the name that AFP clients see.
10 If you are using only POSIX permissions, choose a method for assigning default access privileges for new files and folders in the share point:
To have new items use default POSIX permissions, select "Use standard POSIX behavior."
To have new items adopt the privileges of the enclosing item, select "Inherit permissions from parent."
11 Click OK, then click Save.
From the Command Line
You can also change AFP settings for a share point using the sharing command in Terminal. For more information, see the file services chapter of Command-Line Administration.
Changing SMB Settings for a Share Point
You can use Server Admin to set share point availability through SMB and to change settings such as the share point name that SMB clients see. You can also use Server Admin to set guest access permissions and the default privileges for new files and folders, and to enable opportunistic locking. For more information about opportunistic locking, see "File Locking with SMB Share Points" on page 93.
To change the settings of an SMB share point:
1 Open Server Admin and connect to the server.
2 Click File Sharing.
3 Click Share Points and select the share point from the list.
4 Click Share Point below the list.
5 Click Protocol Options.
This opens the protocol window with configuration options for AFP, SMB, FTP, and NFS protocols.
6 Click SMB.
7 Provide SMB access to the share point by selecting "Share this item using SMB."
8 Permit unregistered users to have access to the share point by selecting "Allow SMB guest access."
For greater security, don't select this item.
9 To change the name that clients see when they browse for and connect to the share point using SMB, enter a new name in the "Custom SMB name" field.
Changing the custom SMB name doesn't affect the name of the share point itself, only the name that SMB clients see.
10 If the share point is only using the SMB protocol, select the type of locking for the share point:
To permit clients to use opportunistic file locking, select "Enable oplocks."
To have clients use standard locks on server files, select "Enable strict locking."
11 If you are using only POSIX permissions, choose a method for assigning default access privileges for new files and folders in the share point:
To have new items adopt the privileges of the enclosing item, select "Inherit permissions from parent."
To assign specific privileges, select "Assign as follows" and set the Owner, Group, and Others privileges using the pop-up menus.
12 Click OK, then click Save.
From the Command Line
You can also change a share point's SMB settings using the sharing command in Terminal. For more information, see the file services chapter of Command-Line Administration.
Changing FTP Settings for a Share Point
You can use Server Admin to set share point availability through FTP and to change settings such as guest access permissions and the share point name that FTP clients see.
To change the settings of an FTP share point:
1 Open Server Admin and connect to the server.
2 Click File Sharing.
3 Click Share Points and select the share point from the list.
4 Click Share Point below the list.
5 Click Protocol Options.
This opens the protocol window with configuration options for AFP, SMB, FTP, and NFS protocols.
6 Click FTP.
7 Make the share point available to FTP clients by selecting "Share this item using FTP."
8 Permit anonymous FTP users to open this item by selecting "Allow FTP guest access."
For greater security, don't select this item.
9 To change the name clients see when they browse for and connect to the share point using FTP, enter a new name in the "Custom FTP name" field.
Changing the custom FTP name doesn't affect the name of the share point itself, only the name that FTP clients use.
10 Click OK, then click Save.
From the Command Line
You can also change a share point's FTP settings using the sharing command in Terminal. For more information, see the file services chapter of Command-Line Administration.
Exporting an NFS Share Point
You can use NFS to export share points to UNIX clients. (Export is the NFS term for sharing.)
To export an NFS share point:
1 Open Server Admin and connect to the server.
2 Click File Sharing.
3 Click Share Points and select the share point from the list.
4 Click Share Point below the list.
5 Click Protocol Options.
This opens the protocol window with configuration options for AFP, SMB, FTP, and NFS protocols.
6 Click NFS.
7 Select "Export this item and its contents to" and choose an audience from the pop-up menu.
To limit clients to specific computers, choose "Client List" and click Add (+) to specify the IP addresses of computers that can access the share point.
To limit clients to the entire subnet, choose "Subnet" and enter the IP address and subnet mask for the subnet.
Important: Make sure the subnet address you enter is the actual IP network address that corresponds to the subnet mask you chose, and not a client address. Otherwise, your clients can't access the share point. A network calculator helps you select the subnet address and mask for the range of client addresses you want to serve, and you should use one to validate your final address/mask combination. If needed, network calculators are available on the Web.
For example, suppose you want to export to clients that have IP addresses in the range 192.168.100.50 through 192.168.100.120. Using a subnet calculator, you discover that the mask 255.255.255.128 applied to any address in this range defines a subnet with a network address of 192.168.100.0 and a range of usable IP addresses from 192.168.100.1 through 192.168.100.126, which includes the desired client addresses. So, in Server Admin you enter subnet address 192.168.100.0 and subnet mask 255.255.255.128 in the NFS Export Settings for the share point.
To permit unlimited (and unauthenticated) access to the share point, choose "World."
8 From the Mapping pop-up menu, set the privilege mapping for the NFS share point:
Choose "Root to Root" if you want the root user to have root privileges to read, write, and carry out commands.
Choose "All to Nobody" if you want users to have minimal privileges to read, write, and carry out commands.
Choose "Root to Nobody" if you want the root user on a remote client to have only minimal privileges to read, write, and carry out commands.
Choose "None" if you don't want privileges mapped.
9 From the Minimum Security pop-up menu, set the level of authentication:
Choose "Standard" if you don't want to set a level of authentication.
Choose "Any" if you want NFS to accept any authentication method.
Choose "Kerberos v5" if you want NFS to only accept Kerberos authentication.
Choose "Kerberos v5 with data integrity" if you want NFS to accept Kerberos authentication and validate the data (checksum) during transmission.
Choose "Kerberos v5 with data integrity and privacy" to have NFS accept Kerberos authentication, to validate with checksum, and to encrypt data during transmission.
10 If you don't want client users to change the contents of the shared item, select the Read Only checkbox.
11 Select "Allow subdirectory mounting."
This permits clients to mount subfolders of an exported NFS share point. For example, if you export the /Users/ folder, all its subfolders can be mounted directly.
12 Click OK, then click Save.
Note: If you export more than one NFS share point, you cannot have nested exports on a single volume, which means one exported directory cannot be the child of another exported directory on the same volume.
From the Command Line
You can also set up an NFS share point by using the command line in Terminal. For more information, see the man pages exports (5), nfs.conf (5), and nfsd (8), and the file services chapter of Command-Line Administration.
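The "Important" note in step 7 warns that entering a client address instead of the network address silently locks every client out of the export. The following is an added example, not code from Apple or from this manual, that does the subnet calculator's job offline with Python's standard `ipaddress` module: it derives the smallest subnet covering a client range, validates an address/mask pair before it is typed into Server Admin, and lists any clients a chosen subnet would fail to serve. The client range is the one from the manual's example.

```python
"""Subnet sanity checks for an NFS export's "Subnet" audience."""
import ipaddress


def covering_subnet(first_client, last_client):
    """Smallest subnet whose usable host range (network+1 .. broadcast-1)
    contains every address from first_client to last_client inclusive."""
    first = ipaddress.IPv4Address(first_client)
    last = ipaddress.IPv4Address(last_client)
    if last < first:
        raise ValueError("range end precedes range start")
    # Try the most specific prefix first so the first hit is the smallest net.
    for prefix in range(30, -1, -1):
        net = ipaddress.IPv4Network((first, prefix), strict=False)
        if net.network_address < first and last < net.broadcast_address:
            return net
    raise ValueError("no IPv4 subnet covers that range")


def usable_range(net):
    """First and last client addresses an export on `net` can serve."""
    return (str(net.network_address + 1), str(net.broadcast_address - 1))


def check_export_address(subnet_address, subnet_mask):
    """Validate the address/mask pair before entering it in Server Admin.

    Returns (ok, network_address). ok is False when `subnet_address` has host
    bits set under `subnet_mask`, which is exactly the mistake of entering a
    client address; the second element is the address to enter instead.
    """
    try:
        net = ipaddress.IPv4Network((subnet_address, subnet_mask), strict=True)
        return True, str(net.network_address)
    except ValueError:
        net = ipaddress.IPv4Network((subnet_address, subnet_mask), strict=False)
        return False, str(net.network_address)


def clients_outside(net, client_addresses):
    """Clients that could not mount an export restricted to `net`."""
    return [c for c in client_addresses
            if ipaddress.IPv4Address(c) not in net]


if __name__ == "__main__":
    # Constructed input: the range from the manual's example, .50 through .120.
    net = covering_subnet("192.168.100.50", "192.168.100.120")
    print(net.network_address, net.netmask)  # 192.168.100.0 255.255.255.128
    print(usable_range(net))  # ('192.168.100.1', '192.168.100.126')
    # A client address typed in by mistake is flagged and corrected.
    print(check_export_address("192.168.100.50", "255.255.255.128"))
    # -> (False, '192.168.100.0')
```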
Resharing NFS Mounts as AFP Share Points
Resharing NFS mounts (NFS volumes that have been exported to Mac OS X Server) enables Mac OS 9 clients to access NFS file services on traditional UNIX networks.
To reshare an NFS mount as an AFP share point:
1 On the NFS server that's exporting the original share point, make sure the NFS export maps root-to-root so that AFP (which runs as root) can access the files for the clients.
2 Restrict the export to the single AFP server (seen as the client to the NFS server).
For even greater security, set up a private network for the AFP-to-NFS connection.
3 Open Server Admin and connect to the server.
4 Click File Sharing.
5 Control-click in the Volumes or Share Points list, select Mount NFS Share, then enter the URL of the NFS server you intend to reshare.
This is the URL that connects to the reshared NFS server. For example, to connect to the reshared NFS mount "widgets" on the root level of the server corp1, use the following URL: nfs://corp1/widgets
6 Click OK.
Server Admin creates the NFS mount point.
7 Follow steps 1 through 4 for each NFS volume you want to reshare.
8 Using Server Admin, share the NFS mounts as AFP share points.
The NFS mounts appear as normal volumes in the Share Point list. (You can also share the NFS mounts using SMB and FTP, but you should use only AFP.) You can change privileges and ownership, but you can't enable quotas (because quotas work only on local volumes). However, if quotas are enabled on the NFS server, they apply to the reshared volume.
Note: Quotas set on the original NFS export are enforced on the AFP reshare.
Automatically Mounting Share Points for Clients
You can mount share points automatically on client Mac OS X computers using network mounts. You can automatically mount AFP or NFS share points. When you set a share point to automatically mount, a mount record is created in the Open Directory database. Be sure you create these records in the same shared domain where the user and computer records exist.
Note: All users have guest access to network automounted AFP share points. Authenticated access is permitted only for a user's own home folder or if you have Kerberos set to support single sign-on (SSO) authentication.
To set up a network mount:
1 Open Server Admin and connect to the server.
2 Click File Sharing.
3 Click Share Points and select the share point from the list.
4 Click Share Point below the list.
5 Select the Enable Automount checkbox and click Edit.
This opens a configuration window for the automount.
6 From the Directory pop-up menu, choose the directory domain that contains your users and computers.
7 From the Protocol pop-up menu, choose the sharing protocol (AFP or NFS).
If you choose AFP, guest access has to be enabled for automounted AFP share points to work, except when all users have access to their home folders using Kerberos SSO authentication. For more information, see "Configuring Access Settings" on page 69.
8 Choose how you want the share point to be used and mounted on client computers:
User Home Folders: Select to have the home folders on the share point listed on a user's computer in /Network/Servers/.
Shared Applications folder: Select to have the share point appear in /Network/Applications/ on the user's computer.
Shared Library folder: Select to have the share point appear in /Network/Library/. This creates a network library.
Custom mount path: Select to have the share point appear in the folder you specify. Before you mount the share point, be sure this folder exists on the client computer.
9 Click OK.
10 Authenticate when prompted.
11 Click Save.
Managing Share Points
This section describes day-to-day tasks you might perform after you set up share points on your server. Initial setup information appears in "Setting Up a Share Point" on page 39.
Checking File Sharing Status
Use Server Admin to check the status of volumes and share points.
To view File Sharing status:
1 Open Server Admin and connect to the server.
2 Click File Sharing.
3 Click Volumes to see a list of volumes.
Each volume entry shows the disk space used, whether quotas are enabled or disabled, and the type of volume.
4 Click Share Points to see a list of share points.
Each share point entry shows the disk space used, and whether sharing, guest access, automount, and Spotlight indexing are enabled or disabled.
5 To monitor the quota setup for a volume, select the volume and click Quotas below the volume list.
Disabling a Share Point
To stop sharing a share point, use File Sharing in Server Admin to remove it from the Share Points list.
Note: Before you delete or rename a share point in Finder, disable the share point in Server Admin first.
To remove a share point:
1 Open Server Admin and connect to the server.
2 Click File Sharing.
3 Click Share Points and select the share point you want to remove.
4 Click Unshare.
5 Click Save.
Protocol and network mount settings you have made for the item are discarded.
From the Command Line
You can also disable a share point by using the sharing command in Terminal. For more information, see the file services chapter of Command-Line Administration.
Disabling a Protocol for a Share Point
You can use File Sharing in Server Admin to stop sharing a share point using a specific protocol and still permit sharing to continue through other protocols.
To stop sharing through a particular protocol:
1 Open Server Admin and connect to the server.
2 Click File Sharing.
3 Click Share Points and select the share point you want to reconfigure.
4 Click Share Point below the list.
5 Click Protocol Options and select the protocol.
6 Deselect the "Share this item using" checkbox.
You can disable a protocol for all share points by stopping the underlying service that provides support for the protocol. For more information, see "Stopping AFP Service" on page 74, "Stopping NFS Service" on page 107, or "Stopping FTP Service" on page 124.
From the Command Line
You can also disable a protocol for a share point by using the sharing command in Terminal. For more information, see the file services chapter of Command-Line Administration.
Viewing Share Point Configuration and Protocol Settings
You can view share point configuration and protocol settings in Server Admin from the Share Points list.
To view the share point configuration and protocol settings on a server:
1 Open Server Admin and connect to the server.
2 Click File Sharing.
3 Click Share Points.
You can view the share point name, path, disk space, sharing, guest access, automount, and Spotlight settings. Use tooltips to quickly display the shared and guest access protocols for a share point.
4 Select the share point and click Share Point below the list.
5 View the protocol settings by clicking Protocol Options and selecting the protocol (AFP, SMB, FTP, or NFS).
From the Command Line
You can also view share point settings using the sharing command in Terminal. For more information, see the file services chapter of Command-Line Administration.
Viewing Share Point Content and Privileges
You can use File Sharing in Server Admin to view share point content and access privileges.
To view share point content and access privileges on a server:
1 Open Server Admin and connect to the server.
2 Click File Sharing.
3 Click Share Points and select a share point in the list.
4 Click Permissions below the list.
You can now view the contents of the selected share point and access items in the folder hierarchy. You can also view the privilege settings (POSIX and ACL) of the share point and each item in the folder hierarchy.
From the Command Line
You can also view share points and their contents by using the sharing and ls commands in Terminal. For more information, see the file services chapter of Command-Line Administration.
Managing Share Point Access Privileges
This section describes typical tasks you might perform to manage access privileges for your share point.
Changing POSIX Permissions
You use Server Admin to view and change the standard POSIX permissions for a share point.
To change standard POSIX permissions for a share point:
1 Open Server Admin and connect to the server.
2 Click File Sharing.
3 Click Share Points and select the share point you want to update from the list.
4 Click Permissions below the list.
To alter the POSIX permissions, change the owner and group of the shared item by dragging names from the Users and Groups drawer to the owner or group records in the permissions table. The owner and group records are listed under the POSIX heading. The owner record is the one with the single user icon and the group record is the one with the group icon. Open the drawer by clicking the Add (+) button.
5 To change the permissions for the Owner, Group, and Others (everyone), use the Permissions pop-up menu in the appropriate row of the permissions table.