Administration Guide : Managing User Access/Connections : Managing User Connections with Xinet AFP Service

Managing User Connections with Xinet AFP Service
Modern Mac clients connect to file servers via Apple's implementation of the SMB protocol (SMB2/SMBX) by default. Xinet 19 has added support for SMB connections, from both Mac clients as well as PC clients on all of its supported server platforms. For information, see Managing User Connections with SMB Protocol (SMB2/SMBX).
AFP connections are still possible and also supported by Xinet. However an “afp://” protocol prefix must be added to the server address. This chapter provides details.
The Xinet AppleTalk Filing Protocol (AFP/Access tab provides information about users who are connected to the Xinet server using AFP. It shows who is connected, the files they have open, and also provides mechanisms for sending messages to these users and restarting AppleShare services.
The following topics are provided in this section
Connected users
Once you have established users with appropriate privileges for direct access via AppleShare, the Connected Users subtab provides information about them which might help when troubleshooting.
The Disconnect this session icon allows you to disconnect a given user from his or her session. It may take several minutes, however, for the session to end after you click the icon.
The Send Message icon in the right most column allows you to display a message on the connected users display. When you do so, you can send the message to the particular user associated with the icon or to all users who have mounted the shared volume. The Send Message subtab also allows you to send messages; but not to individual users.
Open files
The Open Files subtab presents information that may be useful when troubleshooting. It allows you to see which files AFP users have opened and/or locked (opened does not imply locked). Keep in mind, however, that many applications, such as Photoshop, do not keep files opened and locked while a user is editing them, so in some cases when a user has a file open, it will not show here. The following shows an example with two open files.
The window provides information about files that are open, including:
Full path to all files opened via AppleShare
Clicking on the path opens the file’s Image Info panel.
User account information for each user who has a file open
Remote address information tells the location from which the user has logged in.
Session ID provides the internal session reference number for clients’ connections via the ksd(1M) process.
ksd PID provides the process ID for the ksd(1M) process serving the client that has a particular file open.
RSRC? tells whether or not the client has the Resource Fork open.
Restart: shutting down and restarting AppleShare services
The Restart page allows you to suspend AppleShare services on the server. This is necessary, for example, before changes you’ve made to AppleShare configuration in the Server Options page will take effect.
To shutdown services:
You may want to set the Delay shutdown or restart value first (in minutes) and then have your message reflect the time remaining before system disruption. The message will be sent to all users currently logged into the system over AppleShare.
Click on the Shutdown AppleShare button.
To restart AppleShare services, click on the Start AppleShare button in the window.
Setting global AppleShare server options
The Server Options subtab the Service Options page where you can change Xinet server behavior from its default installation assumptions. See ksd(1) for more information about options.
To change server behavior:
Click on the Server Options tab. On Unix systems a Service Options page will display some variation depending on the actual operating system of your server.
If you wish, you can change the name of the server. (This is the name that appears when the clients mount a volume.) On Unix systems, the GUI will use the shell command hostname(1), by default, to assign the current host’s name if you don’t type anything.
Whatever operating system your server uses, you may enter any name you want in the AppleShare service name box. Do not enclose a name within back quotes (). Surrounding back quotes are reserved to designate shell commands.
[optional] You can also choose the zone(s) in which you want the Xinet server to appear or let ksd(8) choose the local network’s default. Use the Register in AppleTalk Zone(s) pop-up list to add additional zones.
If you want to remove a zone, click on the tinted icon next to it.
Use the Add Zone... pop-up list if you don’t see the zone you want.
Don’t provide a guest login (default setting = off)
Turning on this option will disable “guest” access to the server. You might want to do this for more security. On Unix systems, when this option is off, Xinet will use the accounts ksdguest, ksd_guest, guest or nobody, depending on which is a valid account on the server for AppleShare’s “Guest” access method.
Unix only
Follow symbolic links (may crash some Macintoshes) (default setting = off)
Normally, the AppleShare daemon doesn't follow symbolic links, because of the danger of cycles. Macintoshes don’t understand symbolic links and can easily crash if a file shows up in two separate folders. If your mounted file system contains symbolic links, you might want to turn on this option, but this is very dangerous.
Serve each session with a separate process (default setting = on) [Unix only]
When on, each AppleShare login will be served by a separate Unix process. This is nice for Mac users because other users’ operations won’t delay their work. However, it requires more system resources (mainly memory) to run this way. You will not want to turn on this option if you have a large site with many users and limited system resources.
Unix only
Ignore user-specific volumes (default setting = off)
This means that only public volumes will be accessible. Other volumes will be hidden from Mac users.
Never allow clients to store passwords (default setting = off)
This prevents Macintosh users from storing their passwords permanently on their Macintoshes. When on, Mac users will have to retype their passwords at the beginning of each session.
Prevent password changes from AppleShare clients (default setting = off)
When on, this option prevents users from changing their passwords from a Macintosh. (It has to be changed on the server.) You should use the on option if your server is using any non-standard password scheme.
Give access to accounts with no password (default setting = on)
When this option is on, logins without passwords can use Xinet mounted volumes. When it is off, accounts without passwords can’t use shared volumes at all.
Don’t allow root logins (default setting = off) [Unix only]
This prevents root logins by Macintosh users and offers more security.
Unix only
Give “root” login owner privileges on all folders (default setting = off)
Turning on this option gives root administrative privileges from AppleShare. Without turning this on, root is regarded just like any other user. Of course, turning on this option has no effect if root logins have been disabled via AppleShare or AppleShare via TCP/IP.
Record failed login attempts in mail log file (default setting= off)
Normally, the daemon does not keep error logs when a login fails. Turning on this option causes messages to be logged in the Xinet log file. The messages indicate the net and node of the machine that the login request came from (and the user name if just the password was incorrect).
Send full-sized Find Comments (default setting = off)
[Only appears in Xinet GUI when off.]
Using the Xinet option to the ksd(1M) daemon, by default, full-sized comments will be sent. Uncheck the option if you want to truncate comments over 127 bytes. You don’t need to truncate comments. If you’re working from the command-line, invoke the ksd(8) -longcomments flag. See the ksd(8) man page for usage details.
The ksd(8) daemon also includes an option to clear up another OS X client/AFP3 issue, for example., the receipt of artificial “in use” messages when trying to open files. See the -norovols option in the ksd(8) man page fore details. The option does not appear in the Xinet GUI.
Select the appropriate level of AppleShare via TCP/IP security in the pop-up list at the bottom of the dialog. If your server is connected to a WAN, these options provide a server-wide setting for denying access from the Internet. You may choose several levels of security here. More detailed access control can also be set per volume via ACLs. See Security settings for details.
The page also offers the following options:
No-password logins allowed only from local nets, the default setting, only allows guest and root logins from clients directly connected to the server.
No additional security allows all TCP/IP connections. You should only use this option on isolated nets or behind a fire wall.
Don’t allow root/Administrator or guest logins without passwords allows users to connect to the server from anywhere as long as they have a password and they are not guest or root.
Only allow logins from directly connected nets only allows access to clients who are on networks directly connected to the server.
Don’t allow any TCP access at all prevents TCP logins completely.
Establish setting for Files that start with “.” handling
Some computer operating systems hide filenames which begin with a period unless the user specifically asks to see all files. The Macintosh operating systems doesn’t normally follow this convention, although you can emulate this behavior on shared volumes. Many people will want to use this option so that end-user volumes won’t be cluttered with files that are probably only important on the server. Three options exist:
Allow creation, but always mark them invisible (default)
Disable them completely (not recommended with OS X clients)
No special treatment (caution: can crash older Macs)
Once you are satisfied with the options, click on the Submit button at the bottom of the page. You will be prompted about whether or not you want to restart AppleShare services with the new parameters. You have to do this before the changes actually take effect.

Answer yes if you have modified all the options you are interested in changing at the moment and want them to take effect immediately.

Answer no if you don’t want the changes to take effect until the next time you restart AppleShare services.

Should you decide to restart AppleShare services, you will see the AppleShare Messages/Restart dialog box.
Debugging a specific user’s session
Tracing the AFP dialog to an individual user can provide useful information when you are trying to find and fix problems. Xinet TechNote 32: Running AppleShare in Debug Mode, available at provides details.
Also, information in Preview Generation logs and The Print Daemon log may help.