@nspassov
Forked from mwhooker/AppleVolumes.default
Created April 12, 2020 12:24
#
# CONFIGURATION FOR AFPD
#
# Each single line defines a virtual server that should be available.
# Newline escaping with the "\" character is supported, though.
# Empty lines and lines beginning with `#' are ignored.
# Options in this file will override both compiled-in defaults
# and command line options.
#
#
# Format:
# - [options] to specify options for the default server
# "Server name" [options] to specify an additional server
#
#
# The following options are available:
# Transport Protocols:
# -[no]tcp Make "AFP over TCP" [not] available
# -[no]ddp Make "AFP over AppleTalk" [not] available.
# If you have -proxy specified, specify -uamlist "" to
# prevent ddp connections from working.
#
# -transall Make both available
#
# Transport Options:
# -ipaddr <ipaddress> Specifies the IP address that the server should
# advertise and listen on. The default is to advertise
# the first IP address of the system, but to listen
# for any incoming request. The network address may
# be specified either in dotted-decimal format for
# IPv4 or in hexadecimal format for IPv6.
# This option also allows one machine to advertise
# the AFP-over-TCP/IP settings of another machine
# via NBP when used together with the -proxy option.
# -server_quantum <number>
# Specifies the DSI server quantum. The minimum
# value is 1MB. The max value is 0xFFFFFFFF. If you
# specify a value that is out of range, you'll get
# the default value (currently the minimum).
# -admingroup <groupname>
# Specifies the group of administrators who should
# all be seen as the superuser when they log in.
# Default is disabled.
# -ddpaddr x.y Specifies the DDP address of the server.
# the default is to auto-assign an address (0.0).
# this is only useful if you're running on
# a multihomed host.
# -port <number> Specifies the TCP port the server should respond
# to (default is 548)
# -fqdn <name:port> specify a fully-qualified domain name (+optional
# port). this gets discarded if the server can't
# resolve it. this is not honored by appleshare
# clients <= 3.8.3 (default: none)
# -hostname <name> Use this instead of the result of calling
# hostname for determining which IP address to
# advertise; the hostname is resolved to an IP,
# which is then advertised. This is NOT used for
# listening and it is also overridden by -ipaddr.
# -proxy Run an AppleTalk proxy server for specified
# AFP/TCP server (if address/port aren't given,
# then first IP address of the system/548 will
# be used).
# if you don't want the proxy server to act as
# a ddp server as well, set -uamlist to an empty
# string.
# -slp Register this server with the Service Location
# Protocol (if SLP support was compiled in).
# -nozeroconf Don't register this server with the Multicast
# DNS Protocol.
# -advertise_ssh Allows Mac OS X clients (10.3.3-10.4) to
# automatically establish a tunneled AFP connection
# through SSH. This option is not so significant
# for recent Mac OS X versions. See the Netatalk
# manual for details.
#
#
# Authentication Methods:
# -uampath <path> Use this path to look for User Authentication Modules.
# (default: /usr/local/libexec/netatalk-uams)
# -uamlist <a,b,c> Comma-separated list of UAMs.
# (default: uams_dhx.so,uams_dhx2.so)
#
# some commonly available UAMs:
# uams_guest.so: Allow guest logins
#
# uams_clrtxt.so: (uams_pam.so or uams_passwd.so)
# Allow logins with passwords
# transmitted in the clear.
#
# uams_randnum.so: Allow Random Number and Two-Way
# Random Number exchange for
# authentication.
#
# uams_dhx.so: (uams_dhx_pam.so or uams_dhx_passwd.so)
# Allow Diffie-Hellman eXchange
# (DHX) for authentication.
#
# uams_dhx2.so: (uams_dhx2_pam.so or uams_dhx2_passwd.so)
# Allow Diffie-Hellman eXchange 2
# (DHX2) for authentication.
#
# Password Options:
# -[no]savepassword [Don't] Allow clients to save password locally
# -passwdfile <path> Use this path to store Randnum passwords.
# (Default: /usr/local/etc/afppasswd. The only other
# useful value is ~/.passwd. See 'man afppasswd'
# for details.)
# -passwdminlen <#> minimum password length. may be ignored.
# -[no]setpassword [Don't] Allow clients to change their passwords.
# -loginmaxfail <#> maximum number of failed logins. this may be
# ignored if the uam can't handle it.
#
# AppleVolumes files:
# -defaultvol <path> Specifies path to AppleVolumes.default file
# (default /usr/local/etc/AppleVolumes.default,
# same as -f on command line)
# -systemvol <path> Specifies path to AppleVolumes.system file
# (default /usr/local/etc/AppleVolumes.system,
# same as -s on command line)
# -[no]uservolfirst [Don't] read the user's ~/AppleVolumes or
# ~/.AppleVolumes before reading
# /usr/local/etc/AppleVolumes.default
# (same as -u on command line)
# -[no]uservol [Don't] Read the user's volume file
# -closevol Immediately unmount volumes removed from
# AppleVolumes files on SIGHUP sent to the afp
# master process.
#
# Miscellaneous:
# -authprintdir <path> Specifies the path to be used (per server) to
# store the files required to do CAP-style
# print authentication which papd will examine
# to determine if a print job should be allowed.
# These files are created at login and if they
# are to be properly removed, this directory
# probably needs to be mode 1777
# -guestname "user" Specifies the user name for the guest login
# (default "nobody", same as -g on command line)
# -loginmesg "Message" Client will display "Message" upon logging in
# (no default, same as -l "Message" on commandline)
# -nodebug Switch off debugging
# -client_polling With this switch enabled, afpd won't advertise
# that it is capable of server notifications, so that
# connected clients poll the server every 10 seconds
# to detect changes in opened server windows.
# Note: Depending on the number of simultaneously
# connected clients and the network's speed, this can
# lead to a significantly higher load on your network!
# -sleep <number> AFP 3.x: wait <number> hours before disconnecting
# clients in sleep mode. Default 10 hours.
# -tickleval <number> Specify the tickle timeout interval (in seconds).
# Note, this defaults to 30 seconds, and really
# shouldn't be changed. If you want to control
# the server idle timeout, use the -timeout option.
# -timeout <number> Specify the number of tickles to send before
# timing out a connection.
# The default is 4, therefore a connection will
# timeout in 2 minutes.
# -[no]icon [Don't] Use the platform-specific icon. Recent
# Mac OS don't display it any longer.
# -volnamelen <number>
# Max length of UTF8-MAC volume name for Mac OS X.
# Note that Hangul is especially sensitive to this.
# 255: limit of spec
# 80: limit of generic Mac OS X (default)
# 73: limit of Mac OS X 10.1; if >= 74, the
# Finder crashes and restarts repeatedly.
# Mac OS 9 and earlier is not influenced by this;
# Maccharset volume names are always limited to 27.
# -[un]setuplog "<logtype> <loglevel> [<filename>]"
# Specify that any message of a loglevel up to the
# given loglevel should be logged to the given file.
# If the filename is omitted the loglevel applies to
# messages passed to syslog.
#
# By default (no explicit -setuplog and no buildtime
# configure flag --with-logfile) afpd logs to syslog
# with a default logging setup equivalent to
# "-setuplog default log_info".
#
# If built with --with-logfile[=somefile]
# (default logfile /var/log/netatalk.log) afpd
# defaults to a setup that is equivalent to
# "-setuplog default log_info [netatalk.log|somefile]"
#
# logtypes: Default, AFPDaemon, Logger, UAMSDaemon
# loglevels: LOG_SEVERE, LOG_ERROR, LOG_WARN,
# LOG_NOTE, LOG_INFO, LOG_DEBUG,
# LOG_DEBUG6, LOG_DEBUG7, LOG_DEBUG8,
# LOG_DEBUG9, LOG_MAXDEBUG
#
# Example: Useful default config
# -setuplog "default log_info /var/log/afpd.log"
#
# Debugging config
# -setuplog "default log_maxdebug /var/log/afpd.log"
#
# -signature { user:<text> | auto }
# Specify a server signature. This option is useful
# while running multiple independent instances of
# afpd on one machine (e.g. in clustered environments,
# to provide fault isolation etc.).
# Default is "auto".
# The "auto" signature type lets afpd generate a
# signature and save it to afp_signature.conf
# automatically (based on a random number).
# The "host" signature type switches back to "auto"
# because it is obsolete.
# The "user" signature type allows the administrator
# to set up a signature string manually.
# Examples: three servers running on one machine:
# first -signature user:USERS
# second -signature user:USERS
# third -signature user:ADMINS
# The first two servers will act as one logical AFP
# service. If a user logs in to the first one and then
# connects to the second one, the session will be
# automatically redirected to the first one. But if
# the client connects to the first and then to the third,
# it will be asked for the password twice and will see
# the resources of both servers.
# The traditional method of signature generation causes
# two independent afpd instances to have the same
# signature and thus causes clients to be redirected
# automatically to the server (s)he logged in to first.
# -k5keytab <path>
# -k5service <service>
# -k5realm <realm>
# These are required if the server supports
# Kerberos 5 authentication
# -ntdomain
# -ntseparator
# Used for e.g. winbind authentication: prepends
# both strings to the username from the login and
# then tries to authenticate with the result
# through the available and active UAM authentication
# modules.
#
# Codepage Options:
# -unixcodepage <CODEPAGE> Specifies the server's unix codepage,
# e.g. "ISO-8859-15" or "UTF8".
# This is used to convert strings to/from
# the system's locale, e.g. for authentication.
# Defaults to LOCALE if your system supports it,
# otherwise ASCII will be used.
#
# -maccodepage <CODEPAGE> Specifies the legacy clients' (<= Mac OS 9)
# codepage, e.g. "MAC_ROMAN".
# This is used to convert strings to the
# system's locale, e.g. for authentication
# and SIGUSR2 messaging. This will also be
# the default for the volumes' maccharset.
#
# CNID related options:
# -cnidserver <ipaddress:port>
# Specifies the IP address and port of a
# cnid_metad server, required for CNID dbd
# backend. Defaults to localhost:4700.
# The network address may be specified either
# in dotted-decimal format for IPv4 or in
# hexadecimal format for IPv6.
#
# Avahi (Bonjour) related options:
# -mimicmodel <model>
# Specifies the icon model that appears on
# clients. Defaults to off. Examples: RackMac
# (same as Xserve), PowerBook, PowerMac, Macmini,
# iMac, MacBook, MacBookPro, MacBookAir, MacPro,
# AppleTV1,1, AirPort
#
#
# Some examples:
#
# The simplest case is to not have an afpd.conf.
#
# 4 servers w/ names server1-3 and one w/ the hostname. servers
# 1-3 get routed to different ports with server 3 being bound
# specifically to address 192.168.1.3
#
# -
# server1 -port 12000
# server2 -port 12001
# server3 -port 12002 -ipaddr 192.168.1.3
#
# a dedicated guest server, a user server, and a special
# AppleTalk-only server:
#
# "Guest Server" -uamlist uams_guest.so \
# -loginmesg "Welcome guest! I'm a public server."
# "User Server" -uamlist uams_dhx2.so -port 12000
# "special" -ddp -notcp -defaultvol <path> -systemvol <path>
#
"Time Machine" -uamlist uams_dhx2.so
"Public Share" -uamlist uams_guest.so,uams_dhx2.so
# default:
# - -tcp -noddp -uamlist uams_dhx.so,uams_dhx2.so -nosavepassword
- -tcp -noddp -setuplog "default log_maxdebug /var/log/afpd.log"
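As an added example (not part of the gist or of Netatalk itself), a small Python audit script that parses afpd.conf server lines in the format described above (a quoted server name or "-" for the default server, backslash continuation, `-option [value]` pairs) and flags the settings a reviewer would look at first: guest, cleartext or legacy UAMs, `log_maxdebug` left on, `-savepassword`, and a missing `-loginmaxfail`. The sample content and the `parse_servers`/`audit` names are constructed for this example.

```python
import shlex

# Constructed sample afpd.conf content (modelled on the examples in the file above).
SAMPLE_AFPD_CONF = r'''
# "Guest Server" is public; the default server ("-") keeps debug logging on
"Guest Server" -uamlist uams_guest.so \
    -loginmesg "Welcome guest! I'm a public server."
"User Server" -uamlist uams_dhx2.so -port 12000 -loginmaxfail 5
- -tcp -noddp -setuplog "default log_maxdebug /var/log/afpd.log"
'''

# UAMs the file describes as guest, cleartext or legacy.
RISKY_UAMS = {"uams_guest.so", "uams_clrtxt.so", "uams_pam.so",
              "uams_passwd.so", "uams_randnum.so"}


def logical_lines(text):
    """Yield logical lines: join '\\' continuations, drop blanks and '#' comments."""
    pending = ""
    for raw in text.splitlines():
        line = pending + " " + raw.strip() if pending else raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line and not line.startswith("#"):
            yield line
    if pending.strip():
        yield pending.strip()


def parse_servers(text):
    """Map each server name ('-' is the default server) to its {option: value|True}."""
    servers = {}
    for line in logical_lines(text):
        tokens = shlex.split(line)
        name, opts, i = tokens[0], {}, 1
        while i < len(tokens):
            key = tokens[i].lstrip("-")
            # an option consumes the next token as its value unless that is another option
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[key] = tokens[i + 1]
                i += 2
            else:
                opts[key] = True
                i += 1
        servers[name] = opts
    return servers


def audit(servers):
    """Return (server, finding) pairs for settings a reviewer would question."""
    findings = []
    for name, opts in servers.items():
        uamlist = opts.get("uamlist", "")
        for uam in sorted(set(uamlist.split(",")) & RISKY_UAMS):
            findings.append((name, f"guest, cleartext or legacy UAM enabled: {uam}"))
        if "log_maxdebug" in str(opts.get("setuplog", "")):
            findings.append((name, "-setuplog uses log_maxdebug: debug logging left on"))
        if "savepassword" in opts:
            findings.append((name, "-savepassword lets clients store the password locally"))
        if "loginmaxfail" not in opts:
            findings.append((name, "no -loginmaxfail: failed logins are not capped"))
    return findings
```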
# This file looks empty when viewed with "vi". In fact, there is one
# '~', so users with no AppleVolumes file in their home directory get
# their home directory by default.
#
# volume format:
# :DEFAULT: [all of the default options except volume name]
# path [name] [casefold:x] [options:z,l,j] \
# [allow:a,@b,c,d] [deny:a,@b,c,d] [dbpath:path] [password:p] \
# [rwlist:a,@b,c,d] [rolist:a,@b,c,d] [limitsize:value in bytes] \
# [preexec:cmd] [root_preexec:cmd] [postexec:cmd] [root_postexec:cmd] \
# [allowed_hosts:IPv4 address[/IPv4 netmask bits]] \
# [denied_hosts:IPv4 address[/IPv4 netmask bits]] \
# ... more, see below ...
#
# name: volume name. it can't include the ':' character
#
#
# variable substitutions:
# you can use variables for both <path> and <name> now. here are the
# rules:
# 1) if you specify an unknown variable, it will not get converted.
# 2) if you specify a known variable, but that variable doesn't have
# a value, it will get ignored.
#
# the variables:
# $b -> basename of path
# $c -> client's ip or appletalk address
# $d -> volume pathname on server
# $f -> full name (whatever's in the gecos field)
# $g -> group
# $h -> hostname
# $i -> client ip without tcp port or appletalk network
# $s -> server name (can be the hostname)
# $u -> username (if guest, it's whatever user guest is running as)
# $v -> volume name (either ADEID_NAME or basename of path)
# $z -> zone (may not exist)
# $$ -> $
#
#
# casefold options [syntax: casefold:option]:
# tolower -> lowercases names in both directions
# toupper -> uppercases names in both directions
# xlatelower -> client sees lowercase, server sees uppercase
# xlateupper -> client sees uppercase, server sees lowercase
#
# allow/deny/rwlist/rolist format [syntax: allow:user1,@group]:
# user1,@group,user2 -> allows/denies access from listed users/groups
# rwlist/rolist control whether or not the
# volume is ro for those users.
# allowed_hosts -> Only listed hosts and networks are allowed,
# all others are rejected. Example:
# allowed_hosts:10.1.0.0/16,10.2.1.100
# denied_hosts -> Listed hosts and nets are rejected,
# all others are allowed. Example:
# denied_hosts:192.168.100/24,10.1.1.1
# preexec -> command to be run when the volume is mounted,
# ignored for user-defined volumes
# root_preexec -> command to be run as root when the volume is mounted,
# ignored for user-defined volumes
# postexec -> command to be run when the volume is closed,
# ignored for user-defined volumes
# root_postexec -> command to be run as root when the volume is closed,
# ignored for user-defined volumes
# veto -> hide files and directories, where the path matches
# one of the "/" delimited vetoed names. Matches are
# partial, e.g. path is /abc/def/file and veto:/abc/
# will hide the file.
# adouble -> specify the format of the metadata files.
# default is "v2". netatalk 1.x used "v1".
# "osx" cannot be treated normally any longer.
# volsizelimit -> size in MiB. Useful for TimeMachine: limits the
# reported volume size, thus preventing TM from using
# the whole real disk space for backup.
# Example: "volsizelimit:1000" would limit the
# reported disk space to 1 GB.
#
# codepage options [syntax: options:charsetname]
# volcharset -> specifies the charset to be used
# as the volume codepage
# e.g. "UTF8", "UTF8-MAC", "ISO-8859-15"
# maccharset -> specifies the charset to be used
# as the legacy client (<=Mac OS 9) codepage
# e.g. "MAC_ROMAN", "MAC_CYRILLIC"
#
# perm -> default permission value
# OR with the client requested perm
# Use with options:upriv
# dperm -> default permission value for directories
# OR with the client requested perm
# Use with options:upriv
# fperm -> default permission value for files
# OR with the client requested perm
# Use with options:upriv
# umask -> set perm mask
# Use with options:upriv
# dbpath:path -> store the database stuff in the following path.
# cnidserver:server[:port]
# -> Query this servername or IP address
# (default:localhost) and port (default: 4700)
# for CNIDs. Only used with CNID backend "dbd".
# This option here overrides any setting from
# afpd.conf:cnidserver.
# password:password -> set a volume password (8 characters max)
# cnidscheme:scheme -> set the cnid scheme for the volume,
# default is [dbd]
# available schemes: [dbd last tdb]
# ea -> none|auto|sys|ad
# Specify how Extended Attributes are stored. default
# is auto.
# auto: try "sys" (by setting an EA on the shared
# directory itself), fallback to "ad". Requires
# writable volume for performing the test.
# Note: options:ro overwrites "auto" with "none."
# sys: Use filesystem EAs
# ad: Use files in AppleDouble directories
# none: No EA support
#
#
# miscellaneous options [syntax: options:option1,option2]:
# tm -> enable TimeMachine support
# prodos -> make compatible with Apple II clients.
# crlf -> enable crlf translation for TEXT files.
# noadouble -> don't create .AppleDouble unless a resource
# fork needs to be created.
# ro -> mount the volume as read-only.
# mswindows -> enforce filename restrictions imposed by MS
# Windows. this will also invoke a default
# codepage (iso8859-1) if one isn't already
# specified.
# nohex -> don't do :hex translations for anything
# except dot files. specify usedots as well if
# you want that turned off. note: this option
# makes the / character illegal.
# usedots -> don't do :hex translation for dot files. note: when
# this option gets set, certain file names
# become illegal. these are .Parent and
# anything that starts with .Apple.
# invisibledots -> don't do :hex translation for dot files. note: when
# this option gets set, certain file names
# become illegal. these are .Parent and
# anything that starts with .Apple. also, dot
# files created on the unix side are marked invisible.
# limitsize -> limit disk size reporting to 2GB. this is
# here for older macintoshes using newer
# appleshare clients. yucko.
# nofileid -> don't advertise createfileid, resolveid, deleteid
# calls
# root_preexec_close -> a non-zero return code from root_preexec close the
# volume being mounted.
# preexec_close -> a non-zero return code from preexec close the
# volume being mounted.
# nostat -> don't stat volume path when enumerating volumes list
# upriv -> use unix privilege.
# illegalseq -> encode illegal sequence in filename as-is,
# ex "\217-", which is not a valid SHIFT-JIS char,
# is encoded as U\217 -
# nocnidcache -> Don't store and read CNID to/from AppleDouble file.
# This should not be used as it also prevents a CNID
# database rebuild with `dbd`!
# caseinsensitive -> The underlying FS is case insensitive (only
# tested with JFS in OS2 mode)
# dropbox -> Allows a volume to be declared as being a "dropbox."
# Note that netatalk must be compiled with dropkludge
# support for this to function. Warning: This option
# is deprecated and might not work as expected.
# dropkludge -> same as "dropbox"
# nodev -> always use 0 for device number, helps when the
# device number is not constant across a reboot,
# cluster, ...
#
# The line below sets some DEFAULT, starting with Netatalk 2.1.
:DEFAULT: options:upriv,usedots
# The "~" below indicates that Home directories are visible by default.
# If you do not wish to have people accessing their Home directories,
# please put a pound sign in front of the tilde or delete it.
~
/tank/public "Public Share" rwlist:@nasuser rolist:nobody cnidscheme:dbd options:usedots,upriv
/tank/timemachine "Time Machine" rwlist:@nasuser cnidscheme:dbd options:usedots,upriv,tm
# End of File
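Added example, not from the gist or from Netatalk: a Python model of the volume-line format documented above, applying the variable-substitution rules and the allow/deny, rwlist/rolist and allowed_hosts/denied_hosts options to decide whether a given user and client address gets rw, ro or no access. The evaluation order (host lists first, then allow/deny, then the read-only checks) and the padding of abbreviated networks such as 192.168.100/24 are assumptions of this example, and the sample lines are constructed.

```python
import ipaddress
import re
import shlex

# Constructed sample volume lines in the format documented above (not from the gist).
SAMPLE_VOLUMES = [
    '/tank/public "Public Share" rwlist:@nasuser rolist:nobody '
    'allowed_hosts:10.1.0.0/16,10.2.1.100 options:usedots,upriv',
    '/tank/timemachine "Time Machine" rwlist:@nasuser '
    'denied_hosts:192.168.100/24,10.1.1.1 options:usedots,upriv,tm',
]
KNOWN_VARS = set("bcdfghisuvz")  # the variables listed in the comment block above


def substitute(text, values):
    """Rules from the file: unknown $x stays, known-but-unset $x becomes '', $$ is '$'."""
    def repl(m):
        v = m.group(1)
        if v == "$":
            return "$"
        return values.get(v, "") if v in KNOWN_VARS else m.group(0)
    return re.sub(r"\$(.)", repl, text)


def parse_volume(line, values):
    """Split one 'path [name] [key:value ...]' line; a volume name cannot contain ':'."""
    tokens = shlex.split(line)
    vol = {"path": substitute(tokens[0], values), "name": None}
    for tok in tokens[1:]:
        if ":" in tok:
            key, _, val = tok.partition(":")
            vol[key] = val
        elif vol["name"] is None:
            vol["name"] = substitute(tok, values)
    if vol["name"] is None:  # no name given: basename of the path, like $v
        vol["name"] = vol["path"].rstrip("/").rsplit("/", 1)[-1]
    return vol


def _net(spec):
    """allowed/denied_hosts entries may be abbreviated (192.168.100/24): pad to 4 octets."""
    addr, _, bits = spec.partition("/")
    addr = ".".join((addr.split(".") + ["0"] * 3)[:4])
    return ipaddress.ip_network(addr + ("/" + bits if bits else ""), strict=False)


def _listed(entries, user, groups):
    """True if the user, or one of the user's groups as @group, is in a comma list."""
    return any(e[1:] in groups if e.startswith("@") else e == user
               for e in entries.split(","))


def access(vol, user, groups, client_ip):
    """Return 'rw', 'ro' or None (rejected). Assumed order: host lists, allow/deny,
    then read-only via options:ro, rolist membership or absence from a given rwlist."""
    ip = ipaddress.ip_address(client_ip)
    if "allowed_hosts" in vol and not any(ip in _net(n) for n in vol["allowed_hosts"].split(",")):
        return None
    if "denied_hosts" in vol and any(ip in _net(n) for n in vol["denied_hosts"].split(",")):
        return None
    if ("allow" in vol and not _listed(vol["allow"], user, groups)) or \
       ("deny" in vol and _listed(vol["deny"], user, groups)):
        return None
    if "ro" in vol.get("options", "").split(",") or \
       ("rolist" in vol and _listed(vol["rolist"], user, groups)) or \
       ("rwlist" in vol and not _listed(vol["rwlist"], user, groups)):
        return "ro"
    return "rw"
```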
# netatalk configuration
# For details see man netatalk.conf
#########################################################################
# Global configuration
#########################################################################
#### machine's AFPserver/AppleTalk name.
#ATALK_NAME=machinename
#### server (unix) and legacy client (<= Mac OS 9) charsets
ATALK_UNIX_CHARSET='LOCALE'
ATALK_MAC_CHARSET='MAC_ROMAN'
#### Don't Edit. export the charsets, read from ENV by apps
export ATALK_UNIX_CHARSET
export ATALK_MAC_CHARSET
#########################################################################
# AFP specific configuration
#########################################################################
#### Set which daemons to run.
#### If you use AFP file server, run both cnid_metad and afpd.
CNID_METAD_RUN=yes
AFPD_RUN=yes
#### maximum number of clients that can connect:
AFPD_MAX_CLIENTS=20
#### UAMs (User Authentication Modules)
#### available options: uams_dhx.so, uams_dhx2.so, uams_guest.so,
#### uams_clrtxt.so(legacy), uams_randnum.so(legacy)
AFPD_UAMLIST="-U uams_guest.so,uams_dhx2.so"
#### Set the id of the guest user when using uams_guest.so
AFPD_GUEST=nobody
#### config for cnid_metad. Default log config:
#CNID_CONFIG="-l log_note"
#########################################################################
# AppleTalk specific configuration (legacy)
#########################################################################
#### Set which legacy daemons to run.
#### If you need AppleTalk, run atalkd.
#### papd, timelord and a2boot are dependent upon atalkd.
#ATALKD_RUN=no
#PAPD_RUN=no
#TIMELORD_RUN=no
#A2BOOT_RUN=no
#### Control whether the daemons are started in the background.
#### If you are unhappy that legacy atalkd starts slowly, set "yes".
#### In case using systemd/systemctl, this is not so significant.
#ATALK_BGROUND=no
#### Set the AppleTalk Zone name.
#### NOTE: if your zone has spaces in it, you're better off specifying
#### it in atalkd.conf
#ATALK_ZONE=@zone