6.3 Configuring General Parameters

The general parameters help you define the security and rights features of the AFP server.

  1. Open an Internet browser and enter the URL for iManager.

    The URL is https://server_ip_address/nps/imanager.html. Replace server_ip_address with the IP address or DNS name of the Linux server running AFP.

  2. Enter your user name and password.

  3. In the left column, select File Protocols, then click AFP.

  4. Select the General tab.

    The following details are displayed:

  5. Modify the parameters, then click OK.

  6. Restart the AFP service if you have modified the Authentication Mechanism and Export All Volumes parameters. For other parameters, reload the AFP service.

6.3.1 Security and Rights

The Security and Rights parameters let you define and set access permissions for the AFP server.

| Setting | Description |
|---|---|
| Allow Guest Login | Select this option to allow users to log in as a guest. |
| World No Rights Management | Select this option to let users set permissions and give access to network directories and their contents to everyone (world). If this option is not selected, the AFP server ignores the Set Rights requests coming from Macintosh clients, so the users cannot set permissions to give access to others. |
| Sharing Rights | Select this option to turn off retrieval rights for the owner, groups, and everyone. Returns a set of default rights when queried. The default option is No. |
| Authentication Mode | Indicates the authentication mechanism to use. The supported methods are Two-Way Random Key Exchange, Cleartext, Random Exchange, Diffie Hellman, and DHX2. The default authentication mode is DHX2. |

IMPORTANT: The authentication mechanism for Mac 10.7 clients is Diffie-Hellman 2 (DHX2).

If you want to connect to a Mac 10.7 client, ensure that the authentication mode is set to Diffie-Hellman 2.

6.3.2 Threads and Connections

These parameters help you define the processing capabilities of the AFP server.

| Setting | Description |
|---|---|
| Minimum Threads | Indicates the minimum number of threads that should be set for the afptcpd daemon to start. The minimum number of threads that can be supported is 32. The default value is 3 threads. |
| Maximum Threads | Indicates the maximum number of threads that the AFP server can support. The maximum number of threads that can be supported is 512. The default value is 32 threads. |
| Reconnect Period | Indicates the number of minutes the AFP server waits before attempting to reconnect. The minimum waiting time is 2 minutes and can extend up to 24 hours (1440 minutes). The default value is 1440 minutes. |

IMPORTANT: Maximum and Minimum Thread Range Is Changed

Up until OES 11 SP1, the valid range for minimum and maximum threads was as follows:

Minimum threads: 1 to 32767, default value: 3

Maximum threads: 4 to 32768, default value: 32

In OES 11 SP2, the valid thread range is changed as follows:

Minimum threads: 3 to 32, default value: 3

Maximum threads: 4 to 512, default value: 32

Before migration, manually edit the afptcpd.conf file and set the number of threads within the valid range, then proceed with the migration procedure. If the file is not changed and the minimum or maximum threads value is out of range, the AFP server uses the default number of threads.

In case of an upgrade, the AFP server automatically adjusts the minimum or maximum threads values if required. If the values of minimum or maximum threads set in the afptcpd.conf file are outside the new range, the AFP server adjusts them to the nearest valid value and updates the afptcpd.conf file.

In OES 11 SP2, the iManager 2.7.7 user interface has been modified to reflect the change in thread range. If an OES 11 SP2 AFP server is accessed with an older version of iManager, the new thread range is not shown.
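The two outcomes described in this note (defaults after a migration, nearest valid value after an upgrade) can be checked before the change with a short script. This is an added example, not Novell code; the key names MIN_THREADS and MAX_THREADS and the "KEY value" layout of afptcpd.conf are assumptions, and the sample file is constructed.

```python
# Added example: models the thread-range handling described for OES 11 SP2.
# MIN_THREADS / MAX_THREADS and the "KEY value" layout are assumptions.
RANGES = {  # key: (lowest valid, highest valid, default), from the note above
    "MIN_THREADS": (3, 32, 3),
    "MAX_THREADS": (4, 512, 32),
}

# Constructed sample: values that were valid up to OES 11 SP1.
SAMPLE_CONF = """\
# afptcpd.conf (constructed sample)
MIN_THREADS 64
MAX_THREADS 2048
GUEST_USER no
"""

def parse_threads(text):
    """Return {key: int} for thread settings; comments and other keys are skipped."""
    found = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].replace("=", " ").split()
        if len(parts) != 2 or parts[0] not in RANGES:
            continue
        try:
            found[parts[0]] = int(parts[1])
        except ValueError:
            continue  # non-numeric value: left for manual review
    return found

def effective(key, value, path):
    """Value the server ends up with after a 'migration' or an 'upgrade'."""
    low, high, default = RANGES[key]
    if low <= value <= high:
        return value                       # already valid, kept as is
    if path == "migration":
        return default                     # out of range: default is used
    if path == "upgrade":
        return min(max(value, low), high)  # out of range: nearest valid value
    raise ValueError(f"unknown path: {path}")

def report(text):
    """List (key, configured, after_migration, after_upgrade) per thread key."""
    return [
        (key, value, effective(key, value, "migration"), effective(key, value, "upgrade"))
        for key, value in parse_threads(text).items()
    ]

if __name__ == "__main__":
    for key, old, migrated, upgraded in report(SAMPLE_CONF):
        print(f"{key}: {old} -> migration {migrated}, upgrade {upgraded}")
```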

6.3.3 Version and Logging

These parameters help you define the logging capabilities of the AFP server.

AFP uses the syslog daemon for logging. This daemon keeps track of the log file that it writes to if the log file is renamed or the location is changed.

| Setting | Description |
|---|---|
| AFP Version | Indicates the AFP versions that the AFP server can support. If you select All, AFP versions 2.2, 3.0, and 3.1 are supported. The default value is All. |
| Enable Log | Select this option to turn the logging feature on and add an entry to the log file. When logging is activated, AFP error messages are written to the /var/log/afptcpd/afptcp.log file. |
| Enable Status | Select this option if you want status messages to be recorded in the /var/log/afptcpd/afptcp.log file. |
| Enable Debug | Select this option if you want debug messages to be recorded in the /var/log/afptcpd/afptcp.log file. |
| Enable Error | Select this option if you want error messages to be recorded in the /var/log/afptcpd/afptcp.log file. |
| Auditing | Select this option to check the authentication process and any changes that occur to the configuration parameters of the AFP server. Details of any changes that occur are recorded in the /var/log/audit/audit.log file. |

6.3.4 Other

These parameters let you define the search boundaries and determine if all volumes need to be exported. Novell AFP supports only Novell Storage Services (NSS) volumes.

| Setting | Description |
|---|---|
| Export All Volumes | When this option is selected, all the NSS volumes on the server are exported. When this option is deselected, only the volumes listed in the afpvols.conf file are exported. NOTE: When the Export All Volumes option is turned off, specifying the alternate name is not mandatory. The volume name is displayed for export. However, if the alternate name is specified, the alternate name of the volume is displayed for export. |
| Subtree Search | If the subtree search option is enabled, AFP searches for the user in the base context as well as in the subtree under the contexts specified in the /etc/opt/novell/afptcpd/afpdircxt.conf file. By default, this feature is disabled. |

IMPORTANT: The following options have been removed from OES 2 SP2 and later:

  • CROSS_PROTOCOL_LOCKS

  • NO_UNLOAD_TIME_CHECK

  • NO_COUNT_ON_OFFSPRING

If you use an OES 2 SP1 AFP iManager plug-in to manage an OES 2 SP2 or later AFP server, these configuration settings cannot be managed.

The GUEST_USER and EXPORT_ALL_VOLUMES options were added in OES 2 SP2 and the Subtree Search option was added in OES 11 SP1. If you use an OES 2 SP1 iManager plug-in, these options are not available.

6.3.5 Subtree Search

A subtree search enables AFP to search for a user in the base contexts defined in the /etc/opt/novell/afptcpd/afpdircxt.conf file as well as in all the sub-contexts (subtrees) underlying those base contexts. If a subtree search is enabled, all the users existing in any subcontexts in the afpdircxt.conf file can authenticate to the AFP server if the users have sufficient rights on volumes or folders.

NOTE: It might take longer to authenticate with subtree search enabled, depending on the tree structure. Having local replicas for all AFP users can improve the authentication performance.

Prerequisites

To use the subtree search feature, the AFP proxy user should have read rights over all the search contexts and their subcontexts listed in the afpdircxt.conf file. These rights are assigned automatically either during AFP installation or through iManager when the context is added from the AFP iManager plug-in.

Enabling Subtree Search

Subtree search is disabled by default. To enable subtree search, go to iManager > File Protocols > AFP > select the server > General tab > select the Subtree Search check box > OK > click Reload.

Disabling Subtree Search

To disable subtree search, go to iManager > File Protocols > AFP > select the server > General tab > clear the Subtree Search check box > OK > click Reload.

Subtree Search in a Cluster Setup

Subtree search can be configured only at a physical server or node level. In a cluster setup, subtree search should be enabled on all nodes and all nodes should be configured with the same contexts in the afpdircxt.conf file.
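Enabling subtree search widens the set of users the server can resolve, and cluster nodes with different context lists resolve different users. The following added example (not Novell code) shows both effects; it assumes afpdircxt.conf holds one LDAP-style context per line, and all contexts and user names are constructed. Resolving a user is only the lookup step: access still depends on the user's rights on volumes or folders.

```python
# Added example: which users a context list can resolve, with and without
# subtree search. The one-context-per-line LDAP-style layout is an assumption.

# Constructed context lists for two cluster nodes.
NODE1 = "ou=staff,o=acme\nou=labs,o=acme\n"
NODE2 = "ou=staff,o=acme\n"

def rdns(dn):
    """Split a DN into trimmed, lower-cased RDNs (escaped commas not handled)."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]

def load_contexts(text):
    """Parse context lines, ignoring blank lines and '#' comments."""
    lines = (line.split("#", 1)[0] for line in text.splitlines())
    return [rdns(line) for line in lines if line.strip()]

def matching_context(user_dn, contexts, subtree_search):
    """Return the base context under which the user is found, or None."""
    container = rdns(user_dn)[1:]  # the container that directly holds the user
    for ctx in contexts:
        if container == ctx:
            return ",".join(ctx)   # user sits directly in a base context
        deeper = len(container) > len(ctx) and container[-len(ctx):] == ctx
        if subtree_search and deeper:
            return ",".join(ctx)   # user sits in a subcontext of a base context
    return None

def context_drift(node_a, node_b):
    """Contexts configured on only one of two cluster nodes."""
    a = {",".join(c) for c in load_contexts(node_a)}
    b = {",".join(c) for c in load_contexts(node_b)}
    return sorted(a ^ b)

if __name__ == "__main__":
    contexts = load_contexts(NODE1)
    for dn in ("cn=ana,ou=staff,o=acme",
               "cn=raj,ou=contractors,ou=staff,o=acme",
               "cn=eve,ou=guests,o=acme"):
        print(dn, matching_context(dn, contexts, False),
              matching_context(dn, contexts, True))
    print("drift:", context_drift(NODE1, NODE2))
```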

6.3.6 Rights to a File or Folder

Rights to a file or a folder on the AFP server are controlled through the rights configuration parameter.

There are three options: All, Default, and No. If you do not want to use the All parameter option, set the option to Default or No. The following table lists the details of the configuration parameters:

| Parameter | Description |
|---|---|
| No | If you set the Rights parameter to No, the AFP server returns the owner ID for files or folders. The AFP server does not calculate group and other rights for files and folders when Rights is set to No. In this case, the AFP server returns the default server ID 0, which is mapped to the user name Root, for group and other rights. |
| Default | If you set the Rights parameter to Default, the AFP server turns off rights calculations for all the rights. The AFP server returns the AFP server ID, which is set to 0 for owner, group, and other rights. This is because, after setting the Rights configuration option to Default, no rights calculations are performed for files and folders. Setting this option results in improved performance (compared to when the Rights option is set to All) when files and folders have a large number of trustees, which requires more processing for calculating group rights. |
| All | If you set the Rights parameter to All, the AFP server returns the correct owner ID that is set on a file or folder. For other IDs, the AFP server finds the group or user trustee that has maximum rights on the file or folder. This group or user is then returned to the other ID parameter when the Rights option is set to All. For finding a group or user name with maximum rights, the AFP server scans all the trustees assigned to a file or folder. This calculation takes more time when a large number of trustees are assigned to a file or folder. |