4.1 Administrator Tasks for Native File Access for Macintosh Services

Native File Access for Macintosh provides several ways to simplify your administration tasks and customize how Macintosh workstations interact with the network. Tasks and issues to:

4.1.1 Creating Simple Passwords for Several Macintosh Users

You can create simple passwords for users one at a time using iManager or ConsoleOne®. The process for creating simple passwords is the same for Macintosh and Windows users. See Two Methods for Creating Simple Passwords for Windows Users for instructions on creating simple passwords.

If you want to create passwords for several Macintosh users at once, you can add the CLEARTEXT option to the LOAD AFPTCP command at the server console. For example:

LOAD AFPTCP CLEARTEXT

When the CLEARTEXT option is added to the AFPTCP command, users logging in to the server from a Macintosh workstation are prompted to provide their eDirectory® username and eDirectory password. After the eDirectory password is verified, a simple password is automatically created and stored in eDirectory. The simple password is the same as the eDirectory password.

The CLEARTEXT option is meant to be a temporary way to create simple passwords for many Macintosh users. After Macintosh users have created simple passwords, the AFPTCP NLM™ should be loaded without the CLEARTEXT option.

WARNING: The CLEARTEXT option allows unencrypted passwords to be sent over the network. If you are concerned about someone capturing your password over the network, you should not use this option. Instead, you should manage passwords using ConsoleOne on the Administrator workstation.

4.1.2 Enabling and Disabling AFP

Administrators can enable or disable AFP on NetWare servers using iManager. AFP is enabled by default when NetWare 6.5 is installed.

  1. In a Web browser, specify the following in the address (URL) field:

    http://server_IP_address/nps/iManager.html
    

    For example:

    http://192.168.0.1/nps/iManager.html
    
  2. At the login prompt, specify the server administrator username and password.

  3. In the left frame, click File Protocols, then click Enable / Disable AFP.

  4. Type the NetWare server name where you want to enable or disable AFP, or browse and select it.

  5. Select or deselect the AFP check box to enable or disable AFP.

  6. Click Apply to save your changes.

4.1.3 Enabling and Disabling Delete Inhibit Emulation

Prior to NetWare 6.5 Support Pack 6, if the Delete Inhibit attribute was set on a directory such as a home directory, AFPTCP.NLM would by default send that information to Mac clients. The Mac OS 10.4.6 client would then enforce that attribute on the files contained within that directory. As a result, users could not delete or rename files in their own home directory.

A new command line switch called DeleteInhibitEmulation was added for AFPTCP. By default, when AFPTCP.NLM is loaded without this switch, AFPTCP does not send Delete Inhibit or Rename Inhibit information back to Mac clients, so these attributes are not enforced on Mac clients.

To have the Delete Inhibit and Rename Inhibit attributes enforced on Mac clients, load AFPTCP.NLM on the server using the following command:

load afptcp deleteinhibitemulation

You can also unload and reload AFPTCP.NLM without the switch to disable this functionality after enabling it.

4.1.4 Editing the Context Search File

A context search file allows Macintosh users to log in to the network without specifying their full context. The context search file contains a list of contexts that are searched when no context is provided or the object cannot be found in the provided context. When the Macintosh user specifies a username, the server searches through each context in the list until it finds the correct User object.

Macintosh allows only 31 characters for the username. If the full eDirectory context and username are longer than 31 characters, you must use a search list to provide access.

HINT: Macintosh users do not need to specify a context or have an entry in the context search file if their User objects are placed in the same container as the Server object.

If User objects with the same name exist in different contexts, the first one in the context search list will be used.

To edit the context search file, do the following:

  1. Using any text editor, edit the ctxs.cfg file stored in the sys:\etc directory of the server running Novell Native File Access Protocols.

  2. On separate lines, specify the contexts to search.

    For example, if you had users with full eDirectory distinguished names such as Robert.sales.acme, Maria.graphics.marketing.acme, Sophia.graphics.marketing, and Ivan.marketing.acme, then you would specify the following contexts to the ctxs.cfg file:

    sales.acme
    graphics.marketing.acme
    marketing.acme

  3. Save the file in the sys:\etc directory.

    The file is read the next time a Macintosh user logs in.

When Macintosh users log in, they specify only a username and a password. The system finds the User object in the context specified in the ctxs.cfg file.
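The search behavior described in this section can be modeled offline to check a proposed ctxs.cfg before it is deployed. The following is an added example, not Novell code: it resolves a bare username against the listed contexts in order, reports usernames that exist in more than one searched context (where the first match wins), and flags full names longer than 31 characters. The directory contents, the duplicate Maria, the long name and all function names are constructed for illustration, and case-insensitive matching is an assumption of this model.

```python
MAX_AFP_NAME = 31  # Macintosh username limit stated in this section

def parse_ctxs(text):
    """Contexts from ctxs.cfg text, one per line, kept in file (search) order."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def resolve(username, contexts, directory):
    """Model of the lookup: the first context holding the name wins."""
    for ctx in contexts:
        dn = f"{username}.{ctx}"
        if dn.lower() in directory:
            return dn
    return None

def shadowed_names(contexts, directory):
    """Map username -> DNs in search order, for names found in 2+ contexts."""
    order = {ctx.lower(): i for i, ctx in enumerate(contexts)}
    hits = {}
    for dn in directory:
        name, _, ctx = dn.partition(".")
        if ctx in order:
            hits.setdefault(name, []).append(dn)
    return {name: sorted(dns, key=lambda d: order[d.partition(".")[2]])
            for name, dns in hits.items() if len(dns) > 1}

def needs_search_list(dn):
    """True when the full name cannot be typed within the 31-character limit."""
    return len(dn) > MAX_AFP_NAME

# Constructed sample data: the contexts from the example in this section,
# plus a constructed duplicate Maria and a constructed long name.
CTXS_CFG = "sales.acme\ngraphics.marketing.acme\nmarketing.acme\n"
DIRECTORY = {dn.lower() for dn in (
    "Robert.sales.acme", "Maria.graphics.marketing.acme",
    "Maria.marketing.acme", "Ivan.marketing.acme",
    "Maximilian.graphics.marketing.acme",
)}

if __name__ == "__main__":
    contexts = parse_ctxs(CTXS_CFG)
    print(resolve("Maria", contexts, DIRECTORY))
    print(shadowed_names(contexts, DIRECTORY))
    print([dn for dn in sorted(DIRECTORY) if needs_search_list(dn)])
```

A shadowed name means the user in the later context can never be selected by a bare username, so duplicate names across searched contexts are worth resolving before the file is saved.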

4.1.5 Creating a Guest User Account

Novell Native File Access Protocols let you create a Guest User object. Macintosh users are accustomed to being able to log in as Guest with no password required.

  1. From the Administrator Workstation, use ConsoleOne to create a User object named Guest.

  2. Determine and assign the appropriate rights to the Guest object by double-clicking Guest object and clicking Rights to Files and Folders.

  3. Remove the ability for the user to change the password by clicking Restrictions and deselecting Allow User to Change Password.

  4. Enable the Guest account by adding the full eDirectory context of the Guest object to the context search file as described in Editing the Context Search File.

  5. Unload and reload the afptcp.nlm program with the GUEST option to make the Guest button available on the login screen.

Any Macintosh user can now log in as Guest with no password and receive the access rights assigned to the Guest object.

4.1.6 Renaming Volumes

Volumes can be renamed so that they appear in Chooser under a different name.

  1. Using any text editor, create a file named afpvol.cfg.

  2. On separate lines, specify the current name of the volume and, in quotes, the new name of the volume. For example:

    server1.sys "System Volume"
    server1.img "Graphics"
    #The above volume contains image files.

    NOTE: The pound sign (#) marks a line as a comment.

  3. Save the file in the sys:\etc directory of the server running Novell Native File Access Protocols.

    After the volume has been renamed, it keeps the name even if you delete the file and restart the server. To return to the previous name, repeat these steps and rename the volume to its original name.

    For example:

    System volume "server1.sys" .

  4. Unload and reload the afptcp.nlm program.

Volumes will appear to Macintosh users with the new volume names.

4.1.7 AFP Console Commands

Several server console commands are provided with AFP to help you perform certain AFP-related tasks. The following table lists the AFP-related server console commands and gives a brief description of each command. To execute an AFP console command, specify the command followed by any desired command line switches or parameters.

Table 4-1 AFP Console Commands

Command
    Description

AFPLog {ON | OFF}{log text}
    Turns the logging feature on or off, and adds a log message to the log. When logging is on, AFP log and error messages are written to the SYS:\ETC\AFPTCP.LOG file. Specifying this command followed by a string of text appends that string of text to the log file. This allows you to insert your own comment into the log.

AFPCount {ON | OFF | EnumOff}
    If AFPCount is set to ON, AFP enumerates the contents of every directory that it opens and returns accurate counts of the number of offspring (files and directories) in a directory. This option makes AFP slower, but returns accurate counts to Macintosh clients. If AFPCount is set to OFF, empty directories return a count of 0 offspring and non-empty directories return an estimated count. This option improves performance, but does not provide accurate counts. If this option is set to EnumOff, a standard estimate is provided for all enumerate requests, including those for empty directories. This command lets you choose to have accurate counts, or to have estimates that speed up performance.

AFPVolInfo {volume name}{all}
    Displays AFP information about a specific volume, or all volumes mounted on the server.

AFPNames {case-sensitive | case-insensitive}{all}{volume}
    Lets you specify whether a volume should operate in case-sensitive mode or in case-insensitive mode. The default for new volumes is case-sensitive mode. You can also specify whether you want case sensitivity to apply to a specific volume or all volumes on the server.

AFPClearText {ON | OFF}
    Controls whether logging in with a clear-text password is allowed. Clear-text passwords are not encrypted. This mode should normally be set to OFF to require encrypted safe passwords. Turning this option on should only be done for debugging or in situations where password security is not important.

AFPRightsMode {defaultRights | noSharing | all}
    Setting this option to defaultRights causes AFPTCP to return default rights for users, groups, and everyone. Setting this option to noSharing causes AFPTCP to return actual rights for the current user only. This disables file sharing from the Macintosh. Setting this option to all causes AFPTCP to return actual rights for users, groups, and everyone.

AFPSetWorldRights {ON | OFF}
    Setting this option to ON lets users set rights and give access to network directories and their contents for everyone (world). Setting this option to OFF causes AFPTCP to ignore the Set rights requests coming from Macintosh clients so users cannot set rights to give access to others.

AFPGuest {ON | OFF}
    Setting this option to ON or OFF lets the user enable or disable guest logins through AFP.

AFPvolume {ON | OFF}{netware volume name}
    Setting this option to ON or OFF lets you choose whether or not a volume appears as an advertised AFP volume to Macintosh clients. You must specify the NetWare volume you want this switch to apply to. Turning this switch off causes the volume not to appear to Macintosh clients as a volume that is available to be mapped to.
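Several of the options in this chapter relax authentication or access control (the CLEARTEXT and GUEST load options, AFPClearText, AFPGuest and AFPSetWorldRights), and CLEARTEXT in particular is meant to be temporary. The following added example, which is not Novell code, replays a sequence of console command lines and reports which of those settings are still in effect at the end. The command sequences are constructed, and the model assumes that a console switch keeps its last ON or OFF value and that reloading AFPTCP replaces the earlier load options.

```python
# Options this chapter describes as relaxing authentication or access control.
LOAD_OPTIONS = {
    "CLEARTEXT": "unencrypted passwords are sent over the network",
    "GUEST": "Guest button offered on the login screen",
}
CONSOLE_SWITCHES = {
    "AFPCLEARTEXT": "clear-text password logins are allowed",
    "AFPGUEST": "guest logins through AFP are enabled",
    "AFPSETWORLDRIGHTS": "Macintosh users can grant rights to everyone",
}

def effective_risks(lines):
    """Replay command lines in order; return {setting: reason} still active."""
    load_opts, switches = set(), set()
    for raw in lines:
        tok = raw.upper().split()
        if len(tok) < 2:
            continue
        cmd, arg = tok[0], tok[1]
        if cmd in ("LOAD", "UNLOAD") and arg.split(".")[0] == "AFPTCP":
            # A reload replaces the earlier load options; an unload drops them.
            load_opts = ({o for o in tok[2:] if o in LOAD_OPTIONS}
                         if cmd == "LOAD" else set())
        elif cmd in CONSOLE_SWITCHES and arg == "ON":
            switches.add(cmd)
        elif cmd in CONSOLE_SWITCHES and arg == "OFF":
            switches.discard(cmd)
    risks = {f"LOAD AFPTCP {o}": LOAD_OPTIONS[o] for o in sorted(load_opts)}
    risks.update({f"{s} ON": CONSOLE_SWITCHES[s] for s in sorted(switches)})
    return risks

# Constructed command sequences (not taken from a real server).
WEAK = ["LOAD AFPTCP CLEARTEXT", "AFPGuest ON", "AFPSetWorldRights ON"]
HARDENED = WEAK + ["UNLOAD AFPTCP", "LOAD AFPTCP",
                   "AFPGuest OFF", "AFPSetWorldRights OFF"]

if __name__ == "__main__":
    for label, seq in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for setting, reason in effective_risks(seq).items():
            print(f"  {setting}: {reason}")
```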