Administration Guide : Command-line manual pages

KSD(8) manual page


ksd - AppleShare file server


/usr/etc/appletalk/ksd [ -oAcfiLlpsSRvVGhHx ] [ -d hexdebug ] [ -dontconvertdos ]
[ -fwdays num ] [ -fwptime day,hour ] [ -groupfile path ] [ -ipaddr #.#.#.# ] [ -ipport port ]
[ -k [principal ] ] [ -longcomment ] [ -m files_per_user ] [ -modcheck secs ] [ -n secs ] [ -nc ]
[ -no3 ] [ -noddp ] [ -nodots ] [ -nofpowarn ] [ -norovols ] [ -ns ] [ -sleepwait hours ]
[ -b blksiz ] [ -t tcpopt ] [ -translog levels ] [ -tcptranslog levels addr:port ] [ -Z zone ] server-name


Ksd is an AppleShare network file system server. It uses the TCP/IP and/or FullPress AppleTalk protocols to service file system requests from remote clients.

The FullPress server advertises its services with the Name Binding Protocol Daemon nbpd(8) using the server-name specified (unless the -noddp argument is given). The server name may contain blanks, but it must then be quoted in the shell invocation.

The boot-time invocation of the servers normally resides in the file /var/adm/appletalk/services, which is used by the atinit(8) program. Only one ksd(8) daemon can be running on a machine; however, ksd will fork slave processes to distribute the system load between several processes.

The who(1) command shows users currently using the ksd(8) daemon.


Attempts to get an AFS token by calling "/usr/afsws/bin/klog" with the user name and password. Will not open connections for users who cannot validate with AFS.
Overrides the default maximum read block size. The value blksiz is in kilobytes, and will be limited to the range 16 through 256.
Prevents users from saving their password permanently on the Macintosh.
Set the debugging level to hexdebug. The debugging levels are documented only in the source code.
Inhibits DOS filename conversions. Unless you set this flag, ksd(8) will convert all DOS filenames to lower-case characters. Invoking the flag will cause ksd(8) not to change upper-case letters to lower-case letters.
A performance option. AFP protocol requires that file space be reserved before writing data. This implies that a dummy file has to be written first. With the -f flag, file space is not reserved and the file is written only once.
Sets the number of days for FileIDs to be set aside before possible reuse (a workaround for OSX 10.3 clients' confusion over quick reuse of File IDs). By default, num is 62 (2 months).
Sets the day and time at which the purge of old FileIDs runs (it always happens once per week). The syntax is the day number (0 = Sunday, 6 = Saturday) followed by a comma and the hour (0 - 23). The default day,hour is 0,1 (Sunday, 1AM).
Show up to 4 Gigabytes for a volume size. By default, ksd limits the size it reports to 1.7Gig, which is the most a pre-7.5-Mac could handle. This is only relevant for AppleShare clients that do not make the extended volume size calls, i.e. AppleShare clients before AppleShare client 3.7.x (MacOS 7.5 and 7.6). Modern AppleShare clients use extended volume size calls.
-groupfile path
(Not for MSWindows servers) By default, ksd will honor the WebNative system.grouplist file to limit group searches. This option can disable this feature (if the path is no), or you can specify a different file to use for the group list, which must be in the old format (a single line containing 'default:group1,group2, ...'). Limiting the group search can prevent timeouts during login on some systems.
Don't allow users to mount their home directories, and don't look for .KSVols files. Only public volumes (in KASPubVols) are accessible.
Do not list public volumes that the user cannot read. The default behavior is to show the volumes, but gray them out.
Allow users who have blank passwords to login.
Forces the server to advertise the given IP address (must be specified in "dot" notation) as its connection address. Without this argument, ksd uses one of the configured IP interface addresses, whichever one seems closest to the client.
Use the specified port number as the AppleShare connection port, instead of the default 548.
On systems where Kerberos is supported, this option can be used to override the default principal, or to disable Kerberos authentication. A plain -k disables Kerberos, or the principal can immediately follow the k.
Do not search for the "user's real name" in the GECOS field of password entries. This avoids a scan through every entry in the passwd(4) database at each login, but requires AppleShare users to use their exact UN*X login account name.
Do not make any calls to the UNIX lock manager. This option is intended for users who do not have a stable lock manager. The server allows the client to set locks, but they are not really set. Unpredictable behavior may occur when using clients that depend on file locking, or when multiple users attempt to access the same file. Use of this flag is discouraged.
By default, to prevent OSX 10.4.6 clients from crashing, ksd will truncate Finder Comments to 127 bytes for AFP3 clients. This option disables that limitation, and may be necessary to get Xinet's Contextual Menu application to work on some volumes.
Set the maximum number of files that a connected user can open at one time to files_per_user. (The default is 32). This option is useful if you have users who are running ill-behaved Macintosh applications (i.e. programs that fail to close files).
A tuning parameter that sets the number of seconds to wait between scanning recently traversed directories for modifications. When ksd finds a modified directory, it notifies the client so new files will be seen on a mounted volume. Depending on what kind of clients are in use, this feature may be more of a burden on the server than it's worth, especially if the clients are all OSX 10.9 or 10.10, where the client also polls recent directories looking for changes. By default, secs is 3, and cannot be set lower than that.
Sets a timeout (in seconds) for clients with no volumes mounted. Some versions of OSX clients can keep a session open indefinitely without any open volumes, but also open another session to access volumes. Any session in this state for longer than secs seconds will be closed. Warning: values below one minute (60) will be reset to one minute since a session will be in this state (logged in, no volumes mounted) during volume selection.
Disables the "clear text" method of accepting passwords during login.
Turns off support for AFP Version 3 (long filenames, over 2-Gigabyte file sizes, UNIX file permissions, etc.). Forces AFP to the protocol version supported by MacOS9 and earlier clients.
Causes all files that start with '.' to be completely hidden from the client (and prevents any files starting with '.' from being created). This option may be necessary to prevent clients running MacOS 7 or earlier from crashing. This option will prevent OS X users from operating correctly and is therefore probably no longer useful.
Turns off connection via AppleTalk. This also prevents ksd from advertising its service via NBP, effectively hiding it from choosers.
Normally when an FPO image is copied to an OPI volume the user is warned with a popup message and an entry in the at_log. This option disables both of those actions.
Changes ReadOnly volume behaviour to force all folders and files to appear to be unwritable instead of passing the ReadOnly Volume Parameter to an AFP3 client. Some OSX clients will not close Resource Forks if the volume is ReadOnly, causing files to be artificially "in use." This option also avoids the possibility of the server running out of file descriptors.
Disables the "DHX" method of accepting passwords during login. This is useful for sites using MPW scripts that do not function with DHX authentication. Applying -nc and -ns at the same time would leave only guest access.
Fork a slave process for each user. This should only be used on systems with lots of memory. (When used on Windows servers, since they are multithread rather than multiprocess, this flag does nothing.)
Prevent users from changing their password from the Macintosh. This flag should be used if the unix server is using any non-standard password scheme.
This option gives the root user administrative privileges from AppleShare. Without this option, root behaves just like any other user. This option has no effect if root logins are disabled with -s or with the tcp security options.
Run ksd(8) in secure mode. Don't allow root logins from the client.
Do follow Symbolic links. Normally, ksd(8) doesn't follow symbolic links, because of the danger of cycles. Since the Mac doesn't understand symbolic links, the Finder and other Mac applications cannot handle these cycles in the file systems, and can easily crash the Mac. If your mounted file system is really free of cycles created by symbolic links, you might want to follow symbolic links, but this is another potentially dangerous option.
Sets the number of hours a sleeping AFP session will be allowed to remain on the server with no contact from the client. The default is 24 hours. Setting this to zero will cause sleeping clients to be disconnected.
Set the security level for connections via TCP/IP. Since TCP/IP connections can happen over the Internet, additional security is often prudent. Tcpopt can be one of the following:
    disable      prevents TCP logins completely
    localpasswd  does not allow "guest", or logins without a password from clients that are not directly connected to the server (and is the default)
    local        allows only users on networks directly connected to the server access
    passwd       allows users to connect from anywhere as long as they have a password and they are not "guest" or "root"
    none         allows all TCP/IP connections, and is recommended only on isolated nets or behind a firewall
Enables logging of filesystem transaction events to the system logger (System Events on MSWindows, syslog(3) everywhere else). See EVENT LOGGING below, for information about the log format.
Enables logging of filesystem transaction events to a specified IP address and TCP Port (with addr in I.I.I.I:P format, and a decimal port number). See EVENT LOGGING below, for information about the log format.
Make dot files visible to user. By default (and without the -nodots option), files that begin with '.' always have their "Invisible" attribute set. Turning on this option disables the special treatment for dot files.
As of Version 11, ksd no longer translates the CR/LF pairs of TEXT files by default. This option reverts to the old behavior, where TEXT files are translated. This option can be toggled without harm. The old option "-donttranslatetext" should be left in whatever state it was in the past (either on or off) to allow the proper conversion of existing files.
Log verbose messages, mostly about failed login attempts. Normally, ksd(8) does not do any error logging when a login fails. This option causes messages to be logged in /usr/adm/appletalk/at_log indicating the net and node of the machine that the login request came from (and the user name if just the password was incorrect). This option is mainly for government installations that require it.
Do not allow Guest access to AppleShare volumes. Without this flag, ksd(8) will use any of the following accounts for guest access, whichever it finds first: ksdguest, ksd_guest, guest, nobody (if none exist, it uses UID 65534 and GID 65534 for guest access, with no personal volumes).
-Z zone
Specifies the zone in which to publish this server. The default zone will be used if this option is not present. You can publish the server in multiple zones by using multiple zone options (e.g. -Z net1 -Z net2).

Event Logging

Certain AFP transactions may be logged either to the standard system event log facility, or to a TCP port (see Options above). When using syslog(3), all events are logged to the LOCAL4 facility, at the INFO level. You may select which transactions to log with the levels argument, which is a hex-encoded bitfield that independently enables fileserver events. The bits are defined as:

Bit     Event it enables
0001    Login (only the first 5 fields below are valid)
0002    Logout (only the first 5 fields below are valid)
0004    File Creation
0008    File Deletion
0020    Reads (one event at file close)
0040    Writes (also once at close of file)
0080    File Copy
0100    Folder Creation
0200    Folder Deletion
0400    Finder-Comment Change
0800    Desktop info (Type/Creator, Finder info) change

Note that currently, there is only one event bitmask, which is set from the last levels argument on the command line.

Each event produces one line in the logging facility, as a series of space-separated fields. The fields, in order, are:

1. The string "XTLOG:"
2. The number "1" (signifying the transaction came from AFP)
3. Event number (decimal, same order as the above table, starting with 1, e.g., Folder Creation is number 9)
4. IP (or AppleTalk) address of the client, in "Dot" notation.
5. Time of the event (value returned by time(2), i.e. seconds past 1970).
6. User (account name) that the client is logged in as (NOTE: if the User field is a number, it's a Venture User ID)
7. Size, in decimal bytes, of the data passed in the transaction.
8. Amount of data transmitted for the transaction (compression may make this different than the data size)
9. Full server pathname of the file affected
10. Full path of the destination file for Copies and Renames
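
The following Python sketch is an added example, not part of the FullPress documentation or product code. It decodes a levels value and parses XTLOG lines using the field order given above, keeping pathnames that contain spaces intact. Assumptions: event number N corresponds to bit 1 << (N - 1), the numbering that matches "Folder Creation is number 9" (so number 5 has no event in the table); pathnames are UNIX absolute paths; the syslog prefix and the sample lines are constructed.

```python
# Added example: decode a "levels" mask and parse XTLOG event lines.
EVENTS = {  # bit value -> event name, copied from the table on this page
    0x0001: "Login", 0x0002: "Logout", 0x0004: "File Creation",
    0x0008: "File Deletion", 0x0020: "Reads", 0x0040: "Writes",
    0x0080: "File Copy", 0x0100: "Folder Creation", 0x0200: "Folder Deletion",
    0x0400: "Finder-Comment Change", 0x0800: "Desktop info change",
}
FIELDS = ["tag", "source", "event", "client", "time", "user", "size", "sent"]

def decode_levels(levels):
    """Return the event names enabled by a hex levels bitfield."""
    mask = int(levels, 16)
    return [name for bit, name in sorted(EVENTS.items()) if mask & bit]

def event_name(number):
    # Assumption: number N is bit 1 << (N - 1); 0x0010 (number 5) is not listed.
    if number < 1:
        return "undefined"
    return EVENTS.get(1 << (number - 1), "undefined")

def parse_xtlog(line):
    """Parse one log line; return None if it holds no usable XTLOG record."""
    pos = line.find("XTLOG:")          # skip any syslog prefix
    if pos < 0:
        return None
    parts = line[pos:].strip().split(None, 8)   # 9th part keeps path spaces
    if len(parts) < 5 or not (parts[2].isdigit() and parts[4].isdigit()):
        return None
    number = int(parts[2])
    keep = 5 if number in (1, 2) else 8   # login/logout: first 5 fields only
    rec = dict(zip(FIELDS, parts[:keep]))
    rec["event"] = event_name(number)
    rec["time"] = int(parts[4])
    if keep == 8 and len(parts) == 9:
        path, sep, dest = parts[8].partition(" /")
        if number == 8 and sep:           # heuristic split for File Copy
            rec["path"], rec["dest"] = path, "/" + dest
        else:
            rec["path"] = parts[8]
    return rec

SAMPLES = [  # constructed lines, not captured from a real server
    "Mar  3 10:15:02 srv ksd[812]: XTLOG: 1 9 192.0.2.15 1141380902 alice 0 0 /vol/jobs/New Folder",
    "XTLOG: 1 8 192.0.2.15 1141380950 alice 2048 2048 /vol/jobs/a b.tif /vol/out/a b.tif",
    "XTLOG: 1 1 192.0.2.15 1141380800",
]
```

The copy-destination split is only a heuristic: a space-separated format cannot unambiguously separate two pathnames that may themselves contain spaces, so treat the path fields of File Copy events with care when using these logs as evidence.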


Icon database
List of FullPress public volumes
Log of AppleTalk errors, etc.
Message sent to users when they first connect to FullPress
Message sent to each user when ksd receives a SIGUSR1, or sent as a shutdown warning when ksd receives a SIGUSR2
Directory for storing the resource fork of files
File for additional file information needed by Mac
User's personal volume specification files

See Also

FullPress Administrator's Guide
who(1), ksd_restart(8), ksd_msg(8), kats(1), kunarc(1), katype(1),