HELIOS EtherShare 2.6 User manual


9 The EtherShare File Server
9.1 General remarks
This chapter is devoted to the EtherShare File Server. The function, the configuration and the operation of the file server are described. Information is included to allow the administrator to install users, groups, and volumes, create folders, and define access privileges. Finally, methods are described with which data on the file server volumes can be archived to mass storage (e.g. a tape streamer).
9.2 The File Server programs
The EtherShare File Server system is contained in the two programs "afpsrv" and "afppasswd". They are copied to the "$ESDIR" directory during installation. The server is normally configured to start "afpsrv" automatically when UNIX is booted.
afpsrv
"afpsrv" is the program that implements the AppleTalk Filing Protocol (AFP) file server functions. It waits for filing requests from the AppleTalk or TCP/IP network, which are then immediately processed. Each new logon request results in a separate "afpsrv" process being created. Accordingly, when a number of users access the file server at the same time, a number of "afpsrv" processes run on the host simultaneously.
The number of concurrent connections to the AFP server via AppleTalk is limited to 250. To establish more than 250 connections at the same time, use AppleShare IP (AFP over TCP/IP) instead. See also sessions in 9.4 "Parameters of the "afpsrv" program".
afppasswd program
"afppasswd" is used to create and amend entries in the AFP user list: "$ESDIR/conf/afppasswd" and all related UNIX files like "/etc/passwd". The program "afppasswd" is called automatically by "afpsrv" whenever you click the Change password button in the Chooser. It is necessary to separate this functionality from the "afpsrv" program, in order to give the system permission to modify the password database online.
You can call "afppasswd" from UNIX manually, to change passwords from a shell login. If you are having problems with yellow pages, for example, "afppasswd" will return error messages which you will not see in the Chooser.
9.3 Directory and file formats
The EtherShare File Server simulates the Macintosh's Hierarchical File System (HFS) on the UNIX file system (UFS); the latter is found in many UNIX variants. Due to the differences between these two systems, the same Macintosh file appears differently when it is viewed through the UNIX file system compared to when it is viewed from a Macintosh workstation.
The structure of volumes and files
Under EtherShare, each HFS volume is mapped to a specified part of the UNIX file system and mounted at a specified directory. This directory is then the root directory of the volume.
You specify the volume mount point when setting up new volumes with the EtherShare Admin.
In contrast to files under DOS and UNIX, all Macintosh files are associated with so-called "Finder info" contained in the file's directory entry, which stores among other things the file type and creator, file creation date etc.
Each file is split into two parts, the "data fork" and the "resource fork". This "split" is normally invisible to the Macintosh user; the "Finder info" in the file's directory is also invisible.
The file type and creator are used by the Finder to select the right icon to display. They are each 4 bytes long. The file creator is also used to automatically find and start the corresponding program when you double-click on the icon of a document. The icons themselves are stored in the desktop file, which exists only once for each volume. Each application is normally associated with a single file creator code (e.g. "MSWD" for Microsoft Word), but can as well have several file type codes (e.g. "WDBN" for normal Word documents, "WHLP" for Word help files, "DCT5" for the Word dictionary etc.). See Icon data in chapter 10.2 "The Desktop Server Program" for more information.
Under EtherShare, the file's data fork is stored with the chosen file name in the UNIX directory corresponding to the folder.
The file's resource fork is combined with the Finder info and stored in a separate "resource file" of the same name in the so-called "resource" directory, which is the ".rsrc" subdirectory of the folder's directory.
The first 512 bytes of the resource file hold the Finder info (bytes 0-511), and the file's resource data start at byte 512. Files created by UNIX applications have no resource fork, so the EtherShare resource file (if present) may then be shorter than 512 bytes; this is normal. A description of the resource file structure is available on the HELIOS Web site www.helios.de.
Macintosh file names which are invalid for UNIX are converted according to a specified algorithm.
When you create a folder under EtherShare, which you do with the Finder in the normal way, a UNIX directory is created with the same name as the folder. Folders, too, have Finder info, which stores among other things the folder's window position and size and the viewing style. The Finder info for a folder is stored in the parent folder's "resource" directory, which is created automatically when the folder is created. See Creating new folders under UNIX in chapter 9.7 "Access privileges" for related information.
Suppose you have a file "Test" in folder "Demo" which is in "dave's" home volume. Under UNIX you will have:
/home/dave/Demo/Test file's data fork
/home/dave/Demo/.rsrc/Test file's resource fork
/home/dave/.rsrc/Demo folder's Finder info

Furthermore, if for example the volume mount point is "/home/apps", the volume desktop is contained in the UNIX file "/home/apps/.Desktop". The "Network Trash Folder" for the volume is contained in the UNIX directory "/home/apps/Network Trash Folder" and the file "/home/apps/.rsrc/Network Trash Folder". Finder info for the root of the volume (viewing style, layout info etc.) is contained in "/home/apps/.rsrc/::volrsrc". See chapter 10 "The Desktop Server" for related information.
The file names ".Desktop", ".Desksrv", and the ".rsrc" folder are protected by EtherShare, and cannot be copied or accessed from a Macintosh client.
Inside an EtherShare volume, ".rsrc" directories can only be missing if folders were created manually from UNIX or if ".rsrc" folders were removed manually from UNIX. Provided a ".rsrc" directory exists in the volume root directory of the EtherShare volume, "afpsrv" automatically creates missing ".rsrc" directories for every folder opened from the Macintosh. This applies to files as well: if the ".rsrc" folder is available, the resource files inside it are created automatically.
UTF-8 encoded file names
Provided the utf8 flag is set in the "afpvolumes" list, special characters such as "ä" can be used on different platforms (Macintosh and PC clients), since under Unicode/UTF-8 they are stored as 8-bit encoded byte sequences. Exceptions are the "/" character, which is translated into a sequence consisting of a caret (^) followed by two characters giving the hexadecimal value of the character (^2F), and all control characters (hexadecimal code < 20), which are escaped the same way.
Non-UTF-8 encoded file names
On a non-UTF-8 volume (utf8 flag not set; compare UTF-8 encoded file names above), Macintosh special characters are automatically translated by the EtherShare File Server into a three-character escape sequence, but in this case led by a leading colon (:) instead of the caret (^). For instance, the special character "ä" is translated into ":8a".
However, accented characters (Umlauts) are not recommended for user names and passwords (otherwise you will need to remember different passwords for Macintosh and UNIX logins). Your UNIX host name must never include a slash character (for example "my_rs/6000"). See hostname, uname, arp in appendix A 5: "Standard UNIX utility programs" for related information.
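The file layout and the two name translations described above, as an added example that is not part of the HELIOS manual or product: it maps a Macintosh path to the data fork, resource file and Finder info files on UNIX and escapes/unescapes names for UTF-8 and non-UTF-8 volumes. Assumptions not stated on the page: on a non-UTF-8 volume "/" and control characters use the same ":xx" form as the special characters, and "^" escapes use upper-case hex digits while ":" escapes use lower-case ones, matching the manual's "^2F" and ":8a".

```python
# Added example (not HELIOS code): map a Macintosh object inside an EtherShare
# volume to the UNIX files described in the manual, applying the file-name
# translation for UTF-8 and non-UTF-8 volumes.  Assumptions not stated in the
# manual: on a non-UTF-8 volume "/" and control characters use the same ":xx"
# form as the special characters; "^" escapes use upper-case hex digits (as in
# "^2F") and ":" escapes lower-case ones (as in ":8a").
import posixpath
import re

_CARET_ESC = re.compile(r"\^([0-9A-Fa-f]{2})")  # "^2F": UTF-8 volumes
_COLON_ESC = re.compile(r":([0-9A-Fa-f]{2})")   # ":8a": non-UTF-8 volumes


def escape_mac_name(name, utf8_volume):
    """Translate a Macintosh file/folder name into its UNIX directory-entry name.

    UTF-8 volume (utf8 flag set in afpvolumes): the name stays UTF-8; only "/"
    and control characters (< 0x20) become "^" plus two hex digits.
    Non-UTF-8 volume: the name is the Macintosh 8-bit (Mac Roman) byte string,
    and every byte that is not printable 7-bit ASCII becomes ":" plus two hex
    digits.  Escaping "/" is what keeps a Macintosh name such as "a/b" from
    being taken as a UNIX path separator; the mapping is reversible.
    """
    if utf8_volume:
        return "".join("^%02X" % ord(c) if c == "/" or ord(c) < 0x20 else c
                       for c in name)
    return "".join(":%02x" % b if b >= 0x80 or b < 0x20 or b == 0x2F else chr(b)
                   for b in name.encode("mac_roman"))


def unescape_unix_name(unix_name, utf8_volume):
    """Inverse of escape_mac_name: rebuild the Macintosh name from a UNIX entry."""
    if utf8_volume:
        return _CARET_ESC.sub(lambda m: chr(int(m.group(1), 16)), unix_name)
    raw = bytearray()
    pos = 0
    while pos < len(unix_name):
        m = _COLON_ESC.match(unix_name, pos)
        if m:
            raw.append(int(m.group(1), 16))
            pos = m.end()
        else:
            raw.append(ord(unix_name[pos]))
            pos += 1
    return raw.decode("mac_roman")


def unix_paths(volume_root, mac_path, utf8_volume=False):
    """Return the UNIX files that make up the Macintosh object at mac_path.

    mac_path uses the HFS separator ":" ("Demo:Test" is file "Test" in folder
    "Demo").  The data fork lives in the folder's directory, the resource file
    of the same name in the folder's ".rsrc" directory, each folder's own
    Finder info in its parent's ".rsrc" directory, and the volume root's
    Finder info in ".rsrc/::volrsrc", as the manual describes.
    """
    parts = [escape_mac_name(p, utf8_volume) for p in mac_path.split(":") if p]
    if not parts:
        raise ValueError("mac_path must name at least one file or folder")
    folder = posixpath.join(volume_root, *parts[:-1])
    return {
        "data_fork": posixpath.join(folder, parts[-1]),
        "resource_fork": posixpath.join(folder, ".rsrc", parts[-1]),
        "folder_finder_info": [
            posixpath.join(volume_root, *parts[:i], ".rsrc", parts[i])
            for i in range(len(parts) - 1)
        ],
        "volume_finder_info": posixpath.join(volume_root, ".rsrc", "::volrsrc"),
    }


if __name__ == "__main__":
    # Constructed sample: the "Demo:Test" layout from the manual, plus a name
    # containing both a slash and an umlaut ("Bericht/ä").
    for key, value in unix_paths("/home/dave", "Demo:Test").items():
        print("%-20s %s" % (key, value))
    for utf8 in (False, True):
        stored = escape_mac_name("Bericht/\u00e4", utf8)
        assert unescape_unix_name(stored, utf8) == "Bericht/\u00e4"
        print("utf8=%-5s %s" % (utf8, stored))
```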
Generic icons
Finder info for UNIX files (which do not have and do not need resource files) is simulated automatically as "generic icons" by EtherShare. EtherShare automatically recognizes about 20 UNIX file types (e.g. shell script, socket etc.), and simulates the Macintosh file type and creator even if the folder has no resource directory. If the resource directory is already present, EtherShare will create a suitable resource file, too, when the corresponding folder is first opened. The resource file will be ignored by UNIX applications, but allows EtherShare to recognize the file type immediately the next time the folder is opened. EtherShare also recognizes TIFF and EPSF files, but it cannot automatically create the PICT resource for EPSF files. The following special UNIX file types are recognized directly (the type and creator codes are shown in parentheses):
With normal UNIX data files, the file server tries to determine the file type by examining the first 512 bytes of the file, in order to place it into one of the following groups:
If the UNIX file does not correspond to any of these types, a distinction is made solely between text and binary data files. A binary data file is defined as a file in which at least 30% of the characters are not contained in the 7-bit ASCII code. All other files, including empty files, are classified as type TEXT. Accordingly, the following two file types should be added to the above list:
If the user does not have sufficient access privileges to read a particular file, the file is classified as type NOPE:
If a file cannot be read by a particular user because a physical read error has occurred, the file is classified as type unreadable:
After determining the type, each UNIX file is assigned one of about 20 different icons by EtherShare (see figure 149). This allows Macintosh users to easily differentiate between files created under UNIX (all icons include the name "UNIX") and normal Macintosh files.
You can also create or modify the file type or creator manually, with a program such as the shareware program FileTyper, or you can use the MakeAuto Typer tool to create an "Auto Typer" document (System 7 only). The latter converts type/creator information according to a specified scheme automatically. See Automatic extension mapping in 9.6 "Public and private volumes" for related information.

Note: If a file type is assigned the code "UNKN/UNIX" (using e.g. the MakeAuto Typer tool), the File Server automatically enforces a file type conversion.

If necessary, the generic icons feature can be disabled (see the "afpsrv" switch nobinonly). In that case all UNIX files are classified as binary data files (DATA/UNIX).
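The text/binary heuristic described above, as an added example that is not part of the HELIOS manual or product: it examines the first 512 bytes, applies the 30% rule (empty files are TEXT), and returns the manual's NOPE and "unreadable" labels for the two failure cases. The type/creator strings for those two cases are not given on the page, so the example returns the labels only.

```python
# Added example (not HELIOS code): the text/binary heuristic the manual describes
# for UNIX files that have no resource file, plus the two access-failure cases.
# The page gives type TEXT and type/creator DATA/UNIX for binary files; for the
# NOPE and "unreadable" cases it gives only those labels, so they are returned
# as-is here and no creator codes are invented.
import os
import tempfile

SAMPLE_SIZE = 512        # only the first 512 bytes of a file are examined
BINARY_THRESHOLD = 0.30  # at least 30% of them non-7-bit-ASCII => binary


def classify_head(head):
    """Classify the first bytes of a file as "TEXT" or "DATA" (binary).

    A byte counts as "not 7-bit ASCII" when its high bit is set (>= 0x80).
    An empty file is TEXT, as the manual states.  A Latin-1 text file dense
    with accented characters can cross the threshold and be shown with the
    binary DATA/UNIX icon, so the heuristic is a hint, not a proof.
    """
    if not head:
        return "TEXT"
    non_ascii = sum(1 for b in head if b >= 0x80)
    return "DATA" if non_ascii / len(head) >= BINARY_THRESHOLD else "TEXT"


def classify_file(path):
    """Return TEXT, DATA, NOPE (no read permission) or unreadable (read error).

    A file the user lacks permission to read is typed NOPE; a file on which the
    read itself fails is typed "unreadable", mirroring the manual.  A missing
    file is passed to the caller as FileNotFoundError rather than classified.
    """
    try:
        with open(path, "rb") as fh:
            return classify_head(fh.read(SAMPLE_SIZE))
    except PermissionError:
        return "NOPE"
    except FileNotFoundError:
        raise
    except OSError:
        return "unreadable"


if __name__ == "__main__":
    # Constructed samples written to a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "script.sh": b"#!/bin/sh\necho hello\n",   # no high bytes -> TEXT
            "empty": b"",                               # empty -> TEXT
            "image.bin": bytes(range(256)) * 2,         # 50% high bytes -> DATA
            "umlauts.txt": b"Gr\xfc\xdfe " * 10,        # Latin-1: 2 of 6 -> DATA
        }
        for name, content in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            print("%-12s %s" % (name, classify_file(path)))
        locked = os.path.join(tmp, "secret")
        with open(locked, "wb") as fh:
            fh.write(b"private\n")
        os.chmod(locked, 0)  # no read permission -> NOPE (unless run as root)
        print("%-12s %s" % ("secret", classify_file(locked)))
```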
Fig. 149: Generic icons for UNIX files under EtherShare

You can also assign suitable icons to non-Macintosh files by using the Extension Mappings feature in the EtherShare Admin. This option is particularly useful if you are also using MS-DOS networking software, such as HELIOS PCShare, on your server, since under MS-DOS the file name extension is typically used to indicate the file type.
UNIX file types such as Mailbox, Text, and Shell Script can be edited using e.g. TeachText (Macintosh).
The File Server will recognize EPSF files and will apply the type "EPSF" and creator "UNIX" to these files (for more information regarding the recognition of PC-created "*.eps" files, see 5.13.7 "Extension Mappings"). The icon is the same as used for plain PostScript files. In older EtherShare versions, these files were recognized as PostScript only and were classified type "TEXT" with creator "UXPS". Since these resources were already created, the creator/type combination will not be changed for existing files. This applies only to files stored on the server by UNIX or DOS applications; Macintosh files supply their own type and creator.
An automatic recognition feature for Adobe Acrobat PDF files allows easy access to HELIOS documentation provided in PDF format, e.g. on the HELIOS distribution CDs. You can mount our distribution CD on a UNIX server, on a Macintosh, or on a DOS/Windows PC, and open the contained PDF files with Acrobat Reader/Acrobat Exchange on any of these platforms.
File and record locking
The EtherShare File Server supports file and record locking between Macintosh workstations. Likewise, PCShare - a TCP/IP-based Windows networking product developed by HELIOS - supports file and record locking between Windows workstations. Locks of both file servers are shared by accessing the same "locktable" file which resides in the directories "$ESDIR" and "$PCDIR", respectively.
The "UNIX Sharing" option has to be switched on, however, if you want to share an EtherShare volume with UNIX applications.
"afpsrv" supports UNIX (advisory) locking in addition to the built-in Apple AFP-compatible (mandatory) locking.
Before you let Macintosh/PC-based applications access files concurrently with UNIX-based applications, check with the supplier of your UNIX applications whether they also support and use advisory locking.
If you use NFS-imported file systems for EtherShare or PCShare volumes the "lockd" and "statd" daemons must be configured and running. See your NFS documentation for further details.
In the following, there is an example of "$ESDIR/conf/afpvolumes" where the shared volume "ES-PS shared volume" resides in "/data/shared/images", is writable, has the option unixlocks activated and is accessible by group "dtp" only. Below that, you see the default parameter settings for a volume "EtherShare":
$ cat $ESDIR/conf/afpvolumes
/data/shared/images:ES-PS shared volume::fixed:readwrite,unixlocks:dtp
/usr/ethershare:EtherShare::fixed:readwrite

This option only becomes active after the Macintosh client has unmounted and remounted all volumes from the EtherShare Server.
Symbolic links
Please note that symbolic links pointing to directories inside or outside the current volume would confuse the File Server, and are therefore not displayed. For example, two directories in one volume might have the same directory ID, and a double-click on one of the folders could then open the other. If you need links, use the Macintosh Make Alias function instead.
9.4 Parameters of the "afpsrv" program
When it starts, the File Server program "afpsrv" first accesses the main configuration file "atalk.conf" to determine its configuration. The associated program "afppasswd" does not require an entry in the configuration file. The "install" program automatically sets up "atalk.conf" with initial values. The values can be changed if necessary by using an editor such as vi. See also chapter 5.14 "Editing "atalk.conf" (and other configuration files) manually".
The parameters described below can be defined for "afpsrv" in "atalk.conf" (note that the program name "afpsrv" precedes the parameter list):
name
name=netname
netname
is the AppleTalk (NVE) name of the File Server. This is the name with which it is known to the network. It is the name you see in the workstation's Chooser under "AppleShare".
The default for netname is the name of the UNIX server.

Important: It is not possible to run more than one EtherShare File Server on the same UNIX server.

zone
zone=zonename
zonename
is the name of the AppleTalk zone to which the file server should be allocated. This parameter determines the zone in which the file server can be seen in the Chooser. The chosen zone must be one of the local zones that the server is connected to. You can test this with the "zones -l" command (see chapter 4.5 "Verifying the UNIX installation").
The default for zonename is "*", i.e. the zone of the first interface entry in "atalk.conf".
"afpsrv" will accept multiple zone= and name= specifications, so the file server services can be displayed in all local zones.
The following example will display the EtherShare Server "FileServer" in the two zones "EtherTalk 1" and "EtherTalk 2", but not in the TokenTalk or FDDITalk zones.
atalkd: if="et0:30-35:140:EtherTalk 1",
if="et1:36-40:140:EtherTalk 2",
if="tr0:41-44:140:TokenTalk 1",
if="fi0:45-49:140:FDDITalk 1"
afpsrv: name="FileServer",
zone="EtherTalk 1",zone="EtherTalk 2"

The following example will display the EtherShare Servers with the two names "FileServer-1" and "FileServer-2" each in the two zones "EtherTalk 1" and "EtherTalk 2", but not in the TokenTalk or FDDITalk zones.
atalkd: if="et0:30-35:140:EtherTalk 1",
if="et1:36-40:140:EtherTalk 2",
if="tr0:41-44:140:TokenTalk 1",
if="fi0:45-49:140:FDDITalk 1"
afpsrv: name="FileServer-1",name="FileServer-2",
zone="EtherTalk 1",zone="EtherTalk 2"

EtherShare's "afpsrv" will recognize if you are already connected to the same EtherShare Server and automatically log in to the already existing connection.
localwinsize
localwinsize=maxlpackets
maxlpackets specifies the maximum number of AppleTalk data packets that are passed from "afpsrv" to workstations through the network during a transaction. The number of packets may need to be limited if the buffer size in the workstations is too small. maxlpackets can be varied to optimize the data transfer rate.
The default (and maximum) for maxlpackets is 8.
remotewinsize
remotewinsize=maxrpackets
maxrpackets specifies the maximum number of AppleTalk data packets that are passed from workstations to "afpsrv" through the network during a transaction. The number of packets may need to be limited if the buffer size in the UNIX server is too small. maxrpackets can be varied to optimize the data transfer rate.
The default (and maximum) for maxrpackets is 8.
dsiblocksize
dsiblocksize=maxbytes
maxbytes
specifies the maximum size of AppleShare/IP data packets that are passed via TCP/IP from "afpsrv" to workstations through the network during a transaction.
The default for maxbytes is 131 072 (128 blocks x 1024).
dsitickletime
dsitickletime=timeinterval
timeinterval
specifies the time interval in seconds after which "afpsrv" sends a tickle packet to signal that the server is still running.
The default for timeinterval is 30.
volstatinterval
volstatinterval=timevolstat
timevolstat
specifies, in seconds, how often "afpsrv" checks the amount of free space on the server.
The default for timevolstat is 10.
volcheckinterval
volcheckinterval=timevolcheck
timevolcheck
specifies how often the free-space information gathered at volstatinterval is communicated to the Macintosh client.
The default for timevolcheck is 10.
ipaddress
ipaddress=numberstring
numberstring
specifies the IP address which the "afpsrv" program offers to the Macintosh clients for logging in via the IP protocol.
The default for numberstring is all configured IP addresses of all network cards installed in the server.
ipaddresses
ipaddresses (see ipaddress) is used when more than one IP address is to be offered; the addresses are given as a single string in which they appear comma-separated.
ip
[no]ip
Switches AppleShare IP (AFP over TCP/IP) on or off, depending on the setting.
The default (if this switch is omitted) is ip.
nosortdirs
[no]sortdirs
With sortdirs set, the directory listings sent from the server to the Macintosh clients are sorted by name.
The default (if this switch is omitted) is nosortdirs.
connectlimit
connectlimit=connecttime
connecttime
specifies the time in seconds a Macintosh client is allowed to stay logged-on to "afpsrv".
The default for connecttime is 0 (i.e. ).
afpport
afpport=portnumb
portnumb
specifies the TCP port number used for AppleShare IP.
Apple's default for portnumb is 548.
ipaccess
ipaccess=ipaccessname
ipaccessname
is the name of the file containing the access list of IP addresses which are permitted to log on to "afpsrv".
The ipaccessname default is "$ESDIR/conf/afpipaccess".
logdenied
[no]logdenied
This parameter makes "afpsrv" append a record to the system messages whenever a logon attempt is denied because of the IP access list, so that denied addresses can be reviewed afterwards.
The default (if the switch is omitted) is logdenied.
xferlog
xferlog=xferlogname
If xferlogname is specified, the names of all files accessed (written, read, saved, etc.) on the server are recorded sequentially in the "xferlog" file at that location. Use this option with care, since it puts a considerable load on the server.

Note: Make sure that an empty "xferlog" file exists at the specified location, and set its file permissions so that "owner", "group" and "others" can write to that file.

homeipaccess
homeipaccess=homeipaccessname
homeipaccessname is the name of a file containing an IP access list; the home directory is made visible to the respective user when the client's address is permitted by this list.
homevolname
homevolname=homevolmacname
homevolmacname
is the Macintosh volume name for user home directories. The following "%" escapes are valid:
Make sure that the volume name length does not exceed 27 characters. The default for homevolname is "~%u".
idletime
idletime=time
time
is the time in minutes a user may remain idle on the File Server before being logged out by "afpsrv".
The default for time is 0 (i.e. ).
idlewarntime
idlewarntime=warntime
warntime
is the idle time in minutes after which "afpsrv" warns the user that he/she is about to be logged out by the idletime mechanism.
The default for warntime, if no value is specified, is automatically set to half the value of time (see idletime).
sessions
sessions=maxclients
maxclients
specifies the maximum number of workstations (clients) that are permitted to work on the file server simultaneously. This value should normally be the same as the total number of Macintosh workstations that are connected to the AppleShare server. The value you choose should be less than or equal to the number of sessions allowed by your software license. The maximum tolerable number of workstations depends on the type of Macintosh applications you mostly use (whether they are file-intensive or client-server applications), and on the configuration and capacity of your UNIX system.
The default for maxclients is the number of sessions allowed by your software license.
locks
locks=maxlocks
maxlocks
specifies the maximum number of record locks that are permitted on the File Server simultaneously.
The default for maxlocks is maxclients multiplied by 10.
files
files=maxfiles
maxfiles
specifies the maximum number of files that can be opened by the File Server simultaneously. The achievable maximum may be limited by the maximum number of open files for the "afpsrv" process allowed by the server. This limit is normally set by "afpsrv" for itself automatically. In case of problems, refer to "limit" and "ulimit" in your UNIX documentation for details about how to increase the limit manually for your server. To conserve system resources, do not set this value higher than necessary.
The default for maxfiles is 256.
findercache
findercache=cachesize
The File Server caches Finder information in RAM to optimize performance. cachesize specifies the number of Finder entries to cache, and thus the amount of RAM allocated for this purpose. Higher values require more RAM but speed up some Finder operations.
The default for cachesize is 2048 entries. Each entry requires about 100 bytes of RAM (about 200 KB per process at the default). The cache is used by a single "afpsrv" process (i.e. one client) at a time, since it cannot be shared.
afppasswd
afppasswd=exename
exename
specifies the complete path name of the "afppasswd" program, which "afpsrv" uses to change passwords in the AFP user list. This parameter only needs to be changed if, for administrative reasons, EtherShare's default directory layout on the UNIX server has to be modified.
Alternatively, to protect passwords against changes by unauthorized users, exename can be left blank; this disables the "afppasswd" program, so passwords can no longer be changed from the Chooser.
The default for exename is "$ESDIR/afppasswd".
savepasswd
[no]savepasswd
As a time-saving feature when logging on, the AppleShare selection in the Chooser on the Macintosh lets you save your File Server user name and/or user password on the Macintosh's local hard disk.
To improve security, specify the nosavepasswd switch to disable the saving of user passwords in this way, in which case all users have to enter their password manually each time they log on to EtherShare.
Note: you can still change your File Server password in the Chooser in the normal way (with Change Password).
The default (if this switch is omitted) is savepasswd.

Note: The [no]savepasswd setting only works for Mac OS Version 7.0 and above.

minpwlen
minpwlen=length
The AppleShare selection in the Chooser on the Macintosh accepts passwords of any length from 0 to a maximum of 8 bytes. Short passwords represent a security risk, and a password of zero length is equivalent to no password. length sets the minimum password length accepted; specify it as a numeric value between 0 and 8.
To improve security, a meaningful minimum value for this parameter is 5.
minuid
minuid=minuidlimit
minuidlimit
specifies the lowest user number (user ID) allowed. All users defined in "/etc/passwd" whose user number is lower than minuidlimit are not recognized as valid users of EtherShare. This parameter is provided as an additional security feature, e.g. to keep system accounts with low user IDs from logging on to the File Server.
The default for minuidlimit is 0.
maxuid
maxuid=maxuidlimit
maxuidlimit
specifies the highest user number (user ID) allowed. All users defined in "/etc/passwd" whose user number is higher than maxuidlimit are not recognized as valid users of EtherShare. This parameter is provided as an additional security feature.
The default for maxuidlimit is infinity.
guestid
guestid=logname
logname
specifies the user name which is automatically allocated to guest users. The name is invisible to the guest users themselves, it is solely used to assign an entry for guests in the user list. If this parameter is specified, the file server automatically supports guest access to available volumes. Otherwise, guest access to available volumes is not possible.
homedir
[no]homedir
The switch nohomedir specifies that all users are prevented from seeing their home volume, which stops them from being able to store Macintosh files there. Their UNIX home directory still exists, and can still be used from the UNIX shell.
The default (if this switch is omitted) is homedir.

Note: If the home directory of user "root" is "/", it will not be displayed.

suffixes
suffixes=suffixfile
"afpsrv" normally simulates Finder info (such as file type and creator) automatically for files without Macintosh resource. The type of file is determined by inspecting the file's contents. This allows about 20 different icons to be shown for non-Macintosh files (see Generic icons in chapter 9.3 "Directory and file formats" for more information).
In the case of files created by MS-DOS applications, the file type is typically indicated by adding a suffix to the file name, the so-called file name "extension". For example, DOS executable programs have the extension ".COM" or ".EXE" and DOS batch files have the extension ".BAT". Under EtherShare, suitable icons can be displayed for such files by specifying them in the so-called extension mapping table. This is particularly useful in the case of applications such as FrameMaker for Macintosh which are able to directly read documents created by the MS-DOS version without prior conversion. The suffixes parameter allows you to specify the location and name of the extension mapping table.
The default for suffixfile is "$ESDIR/conf/suffixes".
See Automatic extension mapping in chapter 9.6 "Public and private volumes" for an example of this file. We recommend that you specify extension mapping with the Extension Mappings option in the EtherShare Admin, and not by editing the above file manually.
nobinonly
[no]binonly
"afpsrv" normally simulates Finder info (such as file type and creator) automatically for files without Macintosh resource. The type of file is determined by inspecting the file's contents. This allows about 20 different icons to be shown for non-Macintosh files (see Generic icons in chapter 9.3 "Directory and file formats"). Specify the binonly switch if this feature is not required, in which case all non-Macintosh files will be treated as type DATA/UNIX, which means that UNIX text files will then become invisible to most Macintosh text editors.
The default (if this switch is omitted) is nobinonly.
nofiledatesync
[no]filedatesync
Whenever you modify a Macintosh file, the changes you make do not necessarily affect both the data file and resource file, and in many cases only the data file is changed. "afpsrv" only checks the modification date of the data file when it needs to display date and time information in the Finder. Accordingly, "afpsrv" is designed to always update ("touch") the modification date of the data file, even if only the resource fork has been modified.
However, "afpsrv" does not normally update the modification date of the resource file if only the data fork has been modified. The modification date of the resource file is usually not important, even to incremental backup procedures, and updating it would waste system resources and slow down the File Server somewhat.
Nonetheless, situations may exist where differences between the modification date of the data and resource files can cause difficulties. Such situations are typically those involving automatic data migration to slower external storage.
Specify the filedatesync switch to cause "afpsrv" to always synchronize the modification date of the resource and data files, even if only the data fork has been modified.
The default (if this switch is omitted) is nofiledatesync.
fakeoffspring
[no]fakeoffspring
By default, "afpsrv" returns the number of offspring (entries in a subdirectory) as 9999 while enumerating a directory. This behaviour can be turned off with the switch nofakeoffspring; the AFP call "GetFileDirParms" on a directory then returns the real number of entries.
This feature is especially useful when folders containing many subfolders, which on their part may contain many files, are in use. The Macintosh Finder, or application program, will request information not only on files in the current folder, but in addition on files in subfolders, although this information is currently not used. Therefore, this option may accelerate the opening and displaying of folders with many subfolders.
There are a few Macintosh applications which rely on the exact offspring count. For those, this feature may have to be disabled.
The default (if this switch is omitted) is fakeoffspring.
nogroupwriteisowner
[no]groupwriteisowner
In the Mac OS file system, only the owner of a folder or volume can permanently change the folder's layout, e.g. sorting order, icon placement and label settings. This feature has been added to allow workgroups, e.g. users who are all members of the same group, to change layout settings such as labels according to the organization of their work.
For the folder or volume the checkbox "Make changes" for group must be activated. See also chapter 9.7 "Access privileges".
The default for this switch is nogroupwriteisowner.
notranslateany
[no]translateany
This option has been added to "afpsrv" in order to apply the text (line-end) translation to any file which is regarded as type "TEXT" (compare notexttran below).
The default (if this switch is omitted) is notranslateany.
nohidedotfiles
[no]hidedotfiles
This option has been added to "afpsrv" in order to hide files starting with a dot (".").
The default (if this switch is omitted) is nohidedotfiles.
welcome message and shutdown message
You can specify a welcome message to output on Macintosh workstations when they log on to EtherShare, and a shutdown message. There are no parameters to specify in "atalk.conf" for this feature. Instead, create two text files "login.msg" and "shutdown.msg" with a UNIX editor (or with TeachText on a Macintosh), and store them in "$ESDIR/macapps" (the root of the Macintosh volume "EtherShare Applications"). The messages will then be used automatically by the File Server during login and shutdown. Normally, only the administrator has write privileges to this directory (volume).
For example, the two messages could be: "Welcome to the Support server of HELIOS Software GmbH" and "The Support server of HELIOS Software GmbH has now been shut down".

Note: If you are running a demo copy of EtherShare on your server you cannot alter the default welcome message.

A maximum of 199 characters is displayed (excess characters are truncated). If you want to include national accented characters such as umlauts in your messages, write them with TeachText: the messages are stored in the Macintosh character encoding, and entering the right codes with a UNIX editor is laborious.
notexttran
The option "notexttran" has been added to "afpsrv" to turn off newline translation for all types of text files: it disables line-end translation for all files of type "TEXT", without regard to the creator.
This may help if Macintosh applications write binary data into files of type "TEXT". For further reading on CR/LF conversion see the paragraph Generic icons in chapter 9.3 "Directory and file formats".
This flag is set by default.
nodotafpvolumes
If set, this option rules out defining additional private volumes in a user's home directory (via the ".afpvolumes" file).
The default (if this switch is omitted) is nodotafpvolumes.

Note: The ".afpvolumes" file is still supported, although deprecated. It is turned off by default and must be explicitly turned on using an option in "atalk.conf". This flag will disappear in the next major revision.

9.5 Users and groups
Before a user can access the File Server, he/she must be registered by the administrator and allocated a user name and password, both of which are needed for logging on. The user name has a maximum length of 31 characters, the password a maximum length of 8 characters.

Note: The AIX operating system handles user and group names only up to 8 characters.

Though users and groups can be set up by using an editor such as vi, we strongly recommend that you do this with the EtherShare Admin instead.
The "install" program optionally installs a demo user "macuser", with no password, and a demo group "macusers", by defining them in the appropriate configuration files.
In theory, the user name and password can contain any character of the Macintosh character set. However, we recommend avoiding accented characters (ä, ü, é, etc.) and punctuation characters such as colon and comma, to avoid conflicts with the UNIX system files "/etc/passwd" and "/etc/group" (both use the colon as field separator, and "/etc/group" uses the comma to separate members). Since some Macintosh special characters appear differently on the UNIX server, such names may also be difficult to recognize there.
User names and passwords for users that want to access the UNIX server in addition to the AppleTalk network must follow UNIX conventions anyway, in order to ensure acceptance by UNIX system programs such as "login".
UNIX user list
/etc/passwd
The UNIX system file "/etc/passwd" contains a list of all users known to the system. An entry line in this file specifies for each user the user name, his/her password in encrypted form, the user number (user id), the group number (group id) of the user's primary group, comments (generally the full name of the user), the user's home directory, and the program (or shell) which should be started when the user logs on to the UNIX system.
If a particular user should be prevented from directly accessing the UNIX server, it is necessary to assign him/her a starting program which permits no (or very limited) UNIX system access.
The EtherShare File Server also uses the UNIX system file "/etc/passwd" for user administration. Each user that needs to access volumes on the File Server must have an entry in this file. The entry specifies the user number and thus the assigned access privileges. The field for home directory can be left empty if the user does not require his/her own home volume.
UNIX group list
/etc/group
Users can be assigned to one or more groups, whereby assignment to at least one group - the primary group - is compulsory. The user's primary group is specified (as the group id number) in the "/etc/passwd" file.
The file "/etc/group" contains a list of all groups known to the system. The primary groups, too, must be included in this list. An entry line in this file specifies the name of the group, a group password (which is only significant when accessing directly through the UNIX system), the group id number, and a list of members (user names) that have been assigned to the group. The group id number is used as a link between the group list "/etc/group" and the user list "/etc/passwd".
AFP user list and passwords
Each time a user logs on to the server, user name and password are requested. Although the UNIX password file "/etc/passwd" stores passwords only in encrypted form, the password typed at the workstation is normally transmitted across the network in clear text; the UNIX login program encrypts it only on arrival, before checking it against "/etc/passwd".
The passwords in the "/etc/passwd" file are stored encrypted to prevent users with direct access to the UNIX system from finding out passwords of other users.
To provide additional AFP security, EtherShare supports an optional AFP user list ("$ESDIR/conf/afppasswd") which avoids transmitting clear-text passwords over the network when logging on to EtherShare. The AFP user list contains the same passwords, but encrypted with a different, reversible ("2-way") method rather than the one-way method used by UNIX itself, because the server must be able to recover each password for the following exchange. Keep the UNIX permissions of this file as restrictive as possible.
During the logon procedure, the File Server generates a random number and sends it to the Macintosh. The Macintosh encrypts the random number using the password the user typed in and sends the result back to the File Server. The File Server in turn encrypts the same random number with the password from the AFP user list and compares the two results. The password itself never travels over the network, and since a new random number is generated for every logon, a recorded response is of no use for a later logon.
Even if this added security does not seem necessary at first, we still recommend it. Without the AFP user list, every entry in "/etc/passwd" is a potential EtherShare user, so a "system" account such as "bin" may end up with access privileges to the EtherShare volumes. The parameters minuid and maxuid can be used to configure "afpsrv" to accept only users whose IDs lie within a given range. The problem is avoided altogether if an AFP user list is used, since then only users with an entry in that list are allowed access to the EtherShare volumes.
If the AFP user list is active, the message 2-way Encrypted Password appears beneath the Password field in the Chooser; otherwise, you will see Clear Text Password.
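The random-number logon described above, as an added example that is not EtherShare code. The server issues a random number, the client returns it transformed under the password, and the server compares that with the same transformation of the password held in its AFP user list. HMAC-SHA256 stands in for "encrypt the random number with the password"; the actual AFP transformation and the on-disk format of "$ESDIR/conf/afppasswd" are not given on this page, so both, like all names below, are assumptions of the example.

```python
# Added example: AFP-style challenge/response logon, modelled with HMAC.
# The keyed transformation and the user-list format are assumptions; the
# AFP user list used below is constructed.
import hashlib
import hmac
import secrets

AFP_PASSWORD_MAX = 8  # the manual: AFP passwords are at most 8 characters


def keyed_response(password, challenge):
    """What both sides compute: the challenge transformed under the password.
    The password itself is never part of the result."""
    key = password[:AFP_PASSWORD_MAX].encode("mac_roman")
    return hmac.new(key, challenge, hashlib.sha256).digest()


class AfpServer:
    """Holds the AFP user list (user -> password) and at most one outstanding
    challenge per user. A user absent from the list cannot log on at all, which
    is the point made above about system accounts such as "bin"."""

    def __init__(self, afp_user_list):
        self.afp_user_list = dict(afp_user_list)
        self.pending = {}

    def start_logon(self, user):
        if user not in self.afp_user_list:
            return None
        challenge = secrets.token_bytes(8)   # fresh random number per attempt
        self.pending[user] = challenge
        return challenge

    def finish_logon(self, user, response):
        challenge = self.pending.pop(user, None)  # each challenge is single use
        if challenge is None:
            return False
        expected = keyed_response(self.afp_user_list[user], challenge)
        return hmac.compare_digest(expected, response)


def logon(server, user, password):
    """Run one complete logon; returns (success, the messages seen on the wire)."""
    challenge = server.start_logon(user)
    if challenge is None:
        return False, []
    response = keyed_response(password, challenge)
    return server.finish_logon(user, response), [challenge, response]


def replay_attack(server, user, captured_response):
    """An eavesdropper replaying a recorded response fails, because the server
    has issued a different random number for this attempt."""
    if server.start_logon(user) is None:
        return False
    return server.finish_logon(user, captured_response)


if __name__ == "__main__":
    srv = AfpServer({"root": "r00tpass", "David": "mac1234"})  # constructed list
    ok, wire = logon(srv, "David", "mac1234")
    print("David logon:", ok)
    print("clear-text password on the wire:", any(b"mac1234" in m for m in wire))
    print("replay of David's response:", replay_attack(srv, "David", wire[1]))
```

The wire carries only the random number and the response; a wrong password, a user missing from the list, and a replayed response all fail.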
afppasswd file
The optional EtherShare AFP user list, which specifies all UNIX users who are also EtherShare users, together with their encrypted passwords, is contained in the UNIX text file "$ESDIR/conf/afppasswd".

Important: The "$ESDIR/conf/afppasswd" file is indispensable for running PCShare 3 on the same server.

The AFP user list improves network security by preventing passwords from being sent through the network cabling in unencrypted form during the logon procedure. If the AFP user list is active, Macintosh passwords are only transmitted over the network in encrypted form.
If you want the additional security, create the AFP user list by calling the "$ESDIR/etc/mkafppasswd" program from UNIX. "mkafppasswd" reads "/etc/passwd" and copies the entries for user id 0 ("root") and for all users with user numbers of 100 or more into the afppasswd file. Initially, all passwords are blank.

Note: On creation, the AFP user list contains blank passwords; only for "root" does "mkafppasswd" immediately ask you, via the "afppasswd" program, to enter a (new) password.

If you want to disable the added security feature again, simply delete the file "$ESDIR/conf/afppasswd". No other changes are necessary. EtherShare will then fall back to using the UNIX system file "/etc/passwd" only, and Macintosh passwords will be passed unencrypted over the network when logging on.
If you have any "real" UNIX users with ID numbers below 100 (as distinct from "system" users such as "bin"), you must add a corresponding entry with a blank password to the AFP user list by hand. The entry is the user name followed by a colon and an empty password field:
username:
You should then set up initial passwords immediately, since on creation the AFP user list contains blank passwords (the "afppasswd" program only asks for the "root" password). Other EtherShare users can set their own passwords (which could even be blank, although this is not recommended), or the system administrator can allocate initial passwords for them. Change passwords by calling the password program "$ESDIR/afppasswd" from UNIX, or with the Change password button in the Chooser.
It is better to set up passwords with the Chooser (or with the "$ESDIR/afppasswd" program) than with the "/usr/bin/passwd" program, because only the former also update the AFP user list.
The EtherShare Admin offers a convenient way of adding new users, including UNIX host users, with the advantage that "Yellow Pages" entries (if used) are also maintained automatically.
Creating users
As discussed, each new user needs an entry in the system file "/etc/passwd". The user must be given a name not yet known to the system, a unique user number, and a primary group. If the user requires access to private volumes, the user's home directory must also be specified. The choice of "start program" depends on whether the user should also be granted direct access to the UNIX system. If the user should only have access to EtherShare, the start program should automatically reject the user with a corresponding message whenever he/she attempts to log on directly to the UNIX system; for example, you can write a shell script called "nologin" for this purpose. Such a script can also record each attempt with user name, date and time in a file, so that the administrator can see which non-authorized users have tried to obtain direct access to the UNIX server.
The following shows a typical entry for "/etc/passwd":
David::152:16:David Smith:/usr/home/David:/bin/sh
In this example, the user name is "David" and the user number is 152. His password has not yet been allocated. His primary group is group number 16 (the group must already exist in the file "/etc/group"). The comment is "David Smith", the user's full name. The home directory is "/usr/home/David", which is automatically made available to him as a private volume. The start program is "/bin/sh", the standard UNIX Bourne shell, so in this example the user is permitted direct access to the UNIX server. The empty field after the user name ("::") will later hold the encrypted password. When inserting such a line into "/etc/passwd" with an editor, the administrator should leave this field empty; the password is then allocated with the system program "/bin/passwd" or with the Chooser on the workstation, and the encrypted form is inserted at this position automatically. While the field is empty the account can be used without any password, so to keep this exposure short the administrator should assign an initial password to each user with the Chooser right away; the user can change it afterwards.
A typical entry for a user who only has access to public volumes (i.e. a user who does not need private volumes), and should not be permitted direct access to the UNIX system, is as follows:
Rita::201:18:Rita Lovely::/bin/date
Note that the home directory field (private volume) has been left empty, and that the start program is "/bin/date", which merely prints the date and exits, so no UNIX shell access is possible.
If the administrator decides to use the AFP user list
("$ESDIR/conf/afppasswd"), it must also contain an entry for each user. For the above example, the AFP user list should initially contain the following two entries:
David:
Rita:
The encrypted passwords will be added later automatically by the File Server, when you select Change password in the Chooser or use the "$ESDIR/afppasswd" program.
Creating groups
Groups are listed centrally in the UNIX system file "/etc/group". A group entry includes the group name, group password (obsolete), the group number (group id) and a list of group members (specified as user names, not user numbers!).
As already mentioned, each user must be a member of at least one group, his/her so-called primary group.
The use of a password for groups is only meaningful if users are allowed to access the UNIX server directly since, in this case, the user may be permitted to dynamically change groups after logging on, and/or add a new group to the list of assigned groups. These features are not available for the EtherShare File Server, since AFP does not currently allow such dynamic group changes: A user is only a member of those groups which were assigned in the file "/etc/group" when he/she last logged-in.
As an example, a team of users who jointly work in a project group could have the following entry in "/etc/group":
Projects:*:21:David,Tim,Rita
The entry line specifies the group name "Projects" and assigns the group number 21. The asterisk ("*") in the password field specifies that it is not possible to switch to this group dynamically after logging on. The group number is followed by a list of the group members. One of the members is already known to us: David. Note that, since David's entry in "/etc/passwd" specified a primary group for him with the number 16, group 16 also needs to be included in "/etc/group", as follows:
Projects:*:21:David,Tim,Rita
MacUsers:*:16:
The user name "David" does not need specifying here, since the group has already been clearly assigned to him in "/etc/passwd".
Guest access
Users that are not registered in the system but still need access to the network from time to time can log on to the File Server as a guest. The administrator can configure EtherShare to either accept or reject guest access.
During logging on, guests are not required to enter either user name or password. Guests only have access to public volumes, and do not have a private volume. If necessary, guests can be denied access to specific public volumes by suitably configuring the access privileges of the volumes.
Although guest users do not need to enter a user name, guest access must still be allocated a dummy user name in "/etc/passwd" and declared in the main configuration file "atalk.conf" (under "guestid=..."), in order to allow guests to be members of groups.
In order to ensure that guests do not have access to protected applications or documents of other users, the administrator should assign the guest a primary group which has no other users or members. Folders and files are protected against access by guests as long as access for the user category "Everyone" has been explicitly disabled.
Since user volumes are only available for registered users, a home directory entry for guests in "/etc/passwd" is ignored by the File Server.
Deleting users
A user is removed from the system by deleting the corresponding entry line in "/etc/passwd". The administrator should also check whether files in the user's home directory should be deleted or archived at this stage.
If the AFP user list is being used, users that have been removed from the "/etc/passwd" file should also be removed from the AFP user list. This is done automatically if you use the EtherShare Admin to delete users.
If access for a particular user only needs to be blocked for a short period, or if removal is being considered but not yet decided, the user can be disabled temporarily by inserting an asterisk (or any other character that cannot occur in a valid encrypted password) at the beginning of the encrypted password in "/etc/passwd" (or in "$ESDIR/conf/afppasswd"). Password validation then fails and the user cannot log on. Note that direct UNIX access remains possible if only "$ESDIR/conf/afppasswd" has been altered in this way, since the UNIX logon procedure checks "/etc/passwd" only. Deleting the additional character enables the user again.
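The file formats and checks from "Creating users", "Creating groups" and "Deleting users", as an added example that is not part of EtherShare: it parses "/etc/passwd" and "/etc/group" lines, builds the initial AFP user list the way the text says "mkafppasswd" does (user id 0 plus all ids of 100 or more, blank passwords), reports low-numbered accounts the administrator must review by hand, checks that every primary group exists, and disables or re-enables an account by prefixing the password field. The file contents and the function names are the example's own.

```python
# Added example: /etc/passwd, /etc/group and AFP user list handling.
# The sample files are constructed; "Rita" deliberately has a primary group
# (18) that is missing from /etc/group, and "Tim" a uid below 100.

PASSWD = """\
root:x:0:0:Super user:/:/bin/sh
bin:x:2:2:System binaries:/bin:/bin/sh
David::152:16:David Smith:/usr/home/David:/bin/sh
Rita::201:18:Rita Lovely::/bin/date
Tim::99:16:Tim Miller:/usr/home/Tim:/bin/sh
"""

GROUP = """\
root:*:0:
bin:*:2:
MacUsers:*:16:
Projects:*:21:David,Tim,Rita
"""

USERNAME_MAX = 31  # manual: user names up to 31 characters


def parse_passwd(text):
    """One dict per /etc/passwd line; exactly seven colon-separated fields."""
    users = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("passwd line %d: expected 7 fields" % lineno)
        name, pw, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def parse_group(text):
    """{gid: (group name, [member user names])} from /etc/group lines."""
    groups = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError("group line %d: expected 4 fields" % lineno)
        name, _pw, gid, members = fields
        groups[int(gid)] = (name, [m for m in members.split(",") if m])
    return groups


def username_problems(name):
    """Length limit, and the separators that would break either file."""
    problems = []
    if not name or len(name) > USERNAME_MAX:
        problems.append("length")
    if ":" in name or "," in name:
        problems.append("punctuation")
    return problems


def missing_primary_groups(users, groups):
    """Users whose primary gid has no /etc/group entry: they cannot log on."""
    return [u["name"] for u in users if u["gid"] not in groups]


def build_afppasswd(users, real_uid_min=100):
    """Initial AFP user list as mkafppasswd creates it ("name:" per user for
    root and every uid >= real_uid_min). Other accounts below the threshold
    are returned for manual review: real people among them need a hand-made
    "name:" entry, system accounts such as "bin" must stay out."""
    entries, review = [], []
    for u in users:
        if u["uid"] == 0 or u["uid"] >= real_uid_min:
            entries.append(u["name"] + ":")
        else:
            review.append(u["name"])
    return entries, review


def set_disabled(line, disabled, marker="*"):
    """Disable or re-enable an account by prefixing the password field of a
    passwd-style line ("/etc/passwd" or afppasswd) with a character that can
    never be part of a valid encrypted password. Idempotent either way."""
    fields = line.split(":")
    if len(fields) < 2:
        raise ValueError("not a passwd-style line: %r" % line)
    pw = fields[1]
    if disabled and not pw.startswith(marker):
        pw = marker + pw
    elif not disabled and pw.startswith(marker):
        pw = pw[len(marker):]
    fields[1] = pw
    return ":".join(fields)


if __name__ == "__main__":
    users, groups = parse_passwd(PASSWD), parse_group(GROUP)
    print("no primary group:", missing_primary_groups(users, groups))
    entries, review = build_afppasswd(users)
    print("afppasswd:", entries, "review by hand:", review)
```

Note that disabling an entry whose password field is still blank turns it into "name:*", which is exactly the state you want for an account that has not been given a password yet.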
Deleting groups
Groups are deleted by removing the corresponding entry line from "/etc/group". Before deleting the group, make sure that no users have been assigned this group as their primary group. Otherwise it will no longer be possible for them to log on to the system, since the primary group is no longer available. Also, make sure that the group is not used for the Volume groups list of any of the volumes.
9.6 Public and private volumes
A volume (a Macintosh file system) can be stored both on a floppy disk or on a hard disk. A hard disk can also be subdivided into several volumes, i.e. several separate file systems. The file system used by Macintosh computers is called HFS (Hierarchical File System) or HFS+, respectively.
A UNIX host can also use storage that another computer exports over the network (an NFS-mounted file system, NFS = Network File System). Such remote storage can be used by EtherShare as well, so any computer that can export a file system to the UNIX server (e.g. many computers running a UNIX variant) can hold volumes for an AppleTalk network.
Under EtherShare, the UNIX file system can be treated like an Apple hard disk: one or more volumes containing folders and files can be mounted at a particular UNIX directory and made available to a group of users.
Volumes can be set up by using an editor such as vi, but we strongly recommend that you do this with the EtherShare Admin instead.

Note: Please see Creating volumes in chapter 5.8 "Volumes list" for related information, especially if you are using file systems mounted remotely through NFS.

Public volumes
When a volume is created, it can be optionally made available to all users/groups. Such volumes are called public volumes (even if not all users/groups have the right to access them). Public volumes can be optionally protected with a password.
Volume list
Public AFP volumes are set up by including them in the public volume list, which is the UNIX text file "$ESDIR/conf/afpvolumes".
The "install" program automatically installs a public volume "EtherShare" (by default located in the UNIX directory with the most free space) by specifying it in the volume list. The "install" program also creates a volume "EtherShare Applications" in "$ESDIR/macapps". It is used for Macintosh programs such as Helios Terminal, Helios Mail and EtherShare Admin. A sample "afpvolumes" file is shown in the appendix on page A-5 afpvolumes.
If you only want access to user volumes, and not public volumes, just delete the public volume list. No other configuration changes are necessary.
An entry in the volume list has the following structure:
directory:volname:[passwd]:flags1:flags2:[volume_groups]

directory is the directory in the UNIX file system (specifying the full path) which is the root directory of the volume; it is usually called the volume "mount point".

Important: The "mount point" name must not be the UNIX directory name "/".

volname is the name of the volume, and passwd is an optional password. If a password is specified, every user attempting to access the volume must enter it before access is allowed. Passwords are useful for public volumes if guest access is enabled. flags1 and flags2 hold the volume flags: the medium type, either fixed (fixed media) or changeable (removable media such as magneto-optical drives), and a comma-delimited list of the options below.
Entries in flags can be: noguest, unixlocks, unixshare, nopublish, readwrite, utf8, charset=MacRoman, ipaccess=..., and readonly.
noguest
If you select the noguest flag, the volume is invisible for guest login.
unixlocks
Specify unixlocks if you want to use UNIX record locking in addition to the standard mandatory record locking used between EtherShare clients, to allow file and record locking between Macintosh applications and UNIX applications.
unixshare
Compare unixlocks above. Specify unixshare if you also want UNIX file locking (locks on whole files) between Macintosh and UNIX applications.
nopublish
With nopublish set, the volume is invisible for all users.
readwrite
This flag determines that you have both read and write access to the respective volume.
readonly
This flag must be set when the underlying physical media is write protected (e.g. CD-ROM). Then, there is - for all users - only read access to the specific volume. A small "padlock" is displayed in the Finder then.

Note: Do not use the readonly flag for administering access privileges to a volume since this could prevent the "desksrv" from locking the volume correctly.
For such purposes use Sharing... from the Finder's File menu instead.

ipaccess=...
names the file containing the access list of IP addresses that are permitted to log on to this volume.
utf8
If utf8 is specified, the Unicode character set is used on the volume.
charset=MacRoman
If utf8 is active, the charset=MacRoman flag is used to translate and encode file names to MacRoman.
volume_groups
volume_groups is, like flags, a comma-delimited list of groups. See Volume Groups list in chapter 5.8 "Volumes list" for details.
The volume list can also contain comments by starting an entry line with the "# " character. This can be used to add more information, e.g. the installation date of the volume. A volume can thus be temporarily disabled by placing the "# " character at the beginning of the corresponding entry.
Private volumes
Under UNIX, each user must be assigned a home directory to be able to log in. This is not mandatory for EtherShare users - if you use EtherShare Admin to create a user you can leave the home directory field empty, in which case only EtherShare access, and not UNIX access, is possible. Each time you log on to EtherShare, if a home directory has been specified, you are automatically assigned a private "home" volume by the File Server. The name of the home volume is shown abbreviated on the Macintosh workstation by using the tilde character ("~") together with the user name (e.g. "~david"). It can be used to store the user's private files; with the exception of the administrator no other user has access to someone else's home volume.
If a particular user should only be allowed access to public EtherShare volumes, and not be assigned a home volume, when creating the user you can leave the home directory field empty in the EtherShare Admin (which is equivalent to omitting the home directory entry in the system file "/etc/passwd"). This may - depending on the UNIX system - disable the login to the UNIX shell, but is not the same as specifying nohomedir in "atalk.conf" (under "afpsrv..."), which simply makes the home volume invisible to (all) Macintosh users.
"afpsrv" checks very extensively for overlapping EtherShare volumes during each mount request. If an already mounted volume does include (or is included inside) a volume to be mounted, this will be grayed out in the Chooser volume list and an appropriate system error message, which contains the names of the overlapping directories, will be logged from "desksrv".
Please make sure that no single public or private EtherShare volume overlaps any other EtherShare volume. We suggest to establish a set of EtherShare volumes which serve your workflow well and are administered by the EtherShare or UNIX system administrator.
If in doubt, please consult your HELIOS dealer to implement a safe volume configuration.
Duplicate volume names
Volume names must be unique. If the user or administrator defines the same volume name more than once, the entry encountered last during user logon is ignored, since no two volumes on the File Server can have the same name. Otherwise, it would not be possible for workstations to uniquely access a particular volume. The new volume must be given another name.
If the administrator installs a new public volume and a user has already installed a private volume of the same name, the latter is no longer available in the Chooser when the user logs on to the File Server the next time. In such cases, the private volume must be renamed before it can be used again.
The administrator should be particularly careful not to create a volume with the same name as a user's home volume (e.g. "~rita"), because the user will then no longer be able to access his/her home volume any more.
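A reader for the volume list "$ESDIR/conf/afpvolumes" in the structure given above, with the checks described under Volume list, Private volumes and Duplicate volume names, as an added example that is not EtherShare code: it rejects a "/" mount point and unknown flags, and reports duplicate volume names (the later entry would be ignored), overlapping mount points, and public volumes that would shadow a user's "~name" home volume. Assumptions of the example: both flags fields are read as one comma-delimited set, "~name" is compared case-insensitively, and the sample file is constructed.

```python
# Added example: parser and consistency checks for the afpvolumes volume list.
# The sample file is constructed; the function names are the example's own.
import os.path

SAMPLE_AFPVOLUMES = """\
# installed 1999-03-01 (constructed sample)
/usr/local/es/data:EtherShare::fixed:readwrite:
/usr/local/es/macapps:EtherShare Applications::fixed:readonly,noguest:
/export/projects:Projects:sesame:fixed:noguest,unixlocks:Projects,MacUsers
/export/projects/old:Archive::fixed:readonly:
/cdrom:CD Images::changeable:readonly,ipaccess=/usr/local/es/conf/cd.ip:
/export/rita:~rita::fixed:readwrite:
/export/projects2:Projects::fixed:nopublish:
"""

MEDIA_FLAGS = {"fixed", "changeable"}
PLAIN_FLAGS = {"noguest", "unixlocks", "unixshare", "nopublish",
               "readwrite", "readonly", "utf8"}
VALUE_FLAGS = {"ipaccess", "charset"}


def parse_afpvolumes(text):
    """One dict per active entry. Lines starting with '#' and blank lines are
    skipped, which is also how an entry is temporarily disabled."""
    volumes = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 6:
            raise ValueError("line %d: expected 6 colon-separated fields" % lineno)
        directory, name, passwd, flags1, flags2, groups = fields
        directory = os.path.normpath(directory)
        if directory == "/" or not directory.startswith("/"):
            raise ValueError("line %d: mount point must be an absolute path other than /" % lineno)
        flags = {}
        for flag in (flags1 + "," + flags2).split(","):
            if not flag:
                continue
            key, _, value = flag.partition("=")
            if key in VALUE_FLAGS and value:
                flags[key] = value
            elif key in PLAIN_FLAGS | MEDIA_FLAGS and not value:
                flags[key] = True
            else:
                raise ValueError("line %d: unknown flag %r" % (lineno, flag))
        volumes.append({"line": lineno, "dir": directory, "name": name,
                        "passwd": passwd, "flags": flags,
                        "groups": [g for g in groups.split(",") if g]})
    return volumes


def duplicate_names(volumes):
    """Volume names defined more than once; the server ignores the later entry."""
    seen, dups = set(), []
    for v in volumes:
        if v["name"] in seen and v["name"] not in dups:
            dups.append(v["name"])
        seen.add(v["name"])
    return dups


def overlapping(volumes):
    """Pairs of volumes where one mount point contains (or equals) the other.
    Users' home directories can be passed in the same dict form to include
    the private volumes in this check."""
    pairs = []
    for i, a in enumerate(volumes):
        for b in volumes[i + 1:]:
            common = os.path.commonpath([a["dir"], b["dir"]])
            if common in (a["dir"], b["dir"]):
                pairs.append((a["name"], b["name"]))
    return pairs


def home_volume_clashes(volumes, user_names):
    """Public volumes whose name would shadow a user's home volume "~user"."""
    homes = {"~" + u.lower() for u in user_names}
    return [v["name"] for v in volumes if v["name"].lower() in homes]


if __name__ == "__main__":
    vols = parse_afpvolumes(SAMPLE_AFPVOLUMES)
    print("duplicates:", duplicate_names(vols))
    print("overlaps:", overlapping(vols))
    print("home clashes:", home_volume_clashes(vols, ["David", "Rita"]))
```

Run against the sample, the checks report "Projects" as a duplicate, "Projects"/"Archive" as overlapping (one is inside the other), and "~rita" as clashing with Rita's home volume.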
Maximum number of volumes
The maximum number of network volumes that can be opened by Macintosh users on the File Server simultaneously is normally 128. Each open volume is only counted once, even if it has been opened by more than one user. See maxdesktop in chapter 10.4 "Parameters of the "desksrv" program".

Note: The Macintosh System 7.1 (and earlier) cannot handle more than 20 volumes simultaneously, including local volumes (although the Finder allows you to mount much more).

Volume size limits
The maximum (network) volume size displayable in the Macintosh Finder depends on the EtherShare settings, the EtherShare update level, the AppleShare client version, and the used Mac OS (see fig.150).

Note: Up to AppleShare client 3.8, Macintosh workstations set allocation blocksize values dependent on the server's network volume size.
As of AppleShare client version 3.8, however, Macintosh workstations recognize the server's allocation blocksize value so that the "used" value in the Finder's Get Info states a more precise actual used space.

Mac OS 7.5 (or later) supports network file system sizes of up to 4.0 Gigabytes, and EtherShare then clips the volume free/used space values at 4.0 GB instead of 2.0 GB. Independent of the chosen clipping value, there is no difference in the amount of data that can be stored on that EtherShare volume (see fig. 150).
The older Mac OS 7.0/7.1 only supports network file system sizes of up to 2.0 Gigabytes (the exact Mac OS 7.0/7.1 file system limit is 2,080,373,760 bytes).
If Macintosh clients with these older versions are still in use, you have to adjust the "afpsrv" program's behavior with the option "clip2g" ("noclip2g" is default!). As long as no EtherShare volume with more than 2.0 GB is defined, the only penalty may be a wrong display for values of the free/used disk space. In case that EtherShare volumes larger than 2.0 GB are defined, these Mac OS clients may not be able to mount any of the EtherShare server volumes any more.

Important: The "noclip2g" option (default!) should only be set for sites with all Macintosh clients running Mac OS 7.5. Otherwise, Macintosh clients running Mac OS 7.0/7.1 will display wrong values for free/used space, or may have problems mounting volumes at all.

Fig. 150: Volume size clipping

Mac OS        clipping     AppleShare client version
Mac OS 7.1    2 GB         3.5
Mac OS 7.5    4 GB         3.6
Mac OS 7.6+   unlimited    3.7/3.8

EtherShare limits the number of concurrently used public and private volumes to at most 450. By default, 128 are accessible. Please see chapter 10.4 "Parameters of the "desksrv" program" for more details.
Starting with Mac OS 7.5, local file systems can be larger than 2 GB, up to 1 TB (Terabyte). Since the AppleTalk Filing Protocol 2.1 is still limited to 32-bit values for volume sizes, AppleShare volumes are still limited to approx. 4 GB.
With AFP version 2.2 and AppleShare client 3.8 (or later), network file systems are displayed with their proper size.

Note: Generally, we recommend to use current AppleShare clients as released from Apple.

For Mac OS < 7.6 Apple suggests using AppleShare client 3.6.5
For Mac OS 7.6 Apple suggests using AppleShare client 3.8.x
Automatic extension mapping
The File Server supports automatic mapping of file name extensions. This works in a similar way to the extension mapping feature provided in products like DOS Mounter, Access PC or Apple's PC Exchange.
It simplifies sharing files between EtherShare, UNIX and UNIX-DOS networking products such as PCShare from HELIOS, by simulating an appropriate Macintosh type and creator, allowing Macintosh users to open files created under MS-DOS or UNIX with a double-click.

Note: This feature allows you to allocate specified file name extensions to icons of applications or documents which already reside on the File Server, but it does not allow you to create new icons.

The required mapping is specified in the file "$ESDIR/conf/suffixes", which has the following structure:
#type creator suffix
'TEXT' 'KAHL' .c
'TEXT' 'KAHL' .h
'TEXT' 'MSWD' .txt
'TEXT' 'MSWD' .doc
'TEXT' 'XCEL' .wks
'TEXT' 'XCEL' .wk1
'TEXT' 'XCEL' .wk3
'TEXT' 'XCEL' .xls
We recommend that you specify extension mapping with the Extension Mappings option of the EtherShare Admin, and not by editing the above file manually. See the suffixes parameter in chapter 9.4 "Parameters of the "afpsrv" program" for related information.
"afpsrv" does not translate the line endings of files with type TEXT and creator UXPS. This creator/type combination is only generated for files stored on the server by UNIX or DOS applications; Macintosh applications supply their own type and creator.
EtherShare now also recognizes EPSF files and gives them type "EPSF" and creator "UNIX", although the icon is the same as for UXPS/TEXT files. No CR/LF conversion is applied to UNIX/EPSF files.
Newline conversion
The Metrowerks CodeWarrior software will, by default, apply newline conversions to files of type "TEXT" with the following creators:

Type   Creator
TEXT   CWIE
TEXT   MMCC
TEXT   MPCC
TEXT   MPS_
TEXT   UXMB
TEXT   UXSC

For more detailed information on newline conversions to "TEXT" files see notexttran in chapter 9.4 "Parameters of the "afpsrv" program".
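A reader for the "$ESDIR/conf/suffixes" format shown above together with the server-side line-end translation rule stated in this section, as an added example that is not EtherShare code: files of type TEXT are translated, except TEXT/UXPS and EPSF/UNIX; "notexttran" switches translation off for every TEXT file and "translateany" switches it on regardless of creator. Assumptions of the example: extensions match case-insensitively with the longest suffix winning, files without a mapping get TEXT/UXPS (the combination the text says UNIX- or DOS-written files receive), and translation towards the Macintosh means LF (and CR LF) to CR. The sample table is constructed from the one above.

```python
# Added example: suffix table parser and the line-end translation decision.
# Encoding assumptions (default type/creator, LF <-> CR) are the example's own.
import re

SUFFIXES = """\
#type creator suffix
'TEXT' 'KAHL' .c
'TEXT' 'KAHL' .h
'TEXT' 'MSWD' .txt
'TEXT' 'MSWD' .doc
'TEXT' 'XCEL' .xls
"""

_LINE = re.compile(r"^'(.{4})'\s+'(.{4})'\s+(\.\S+)\s*$")
DEFAULT_TYPE_CREATOR = ("TEXT", "UXPS")  # assumption: unmapped file from UNIX/DOS


def parse_suffixes(text):
    """{'.ext': (type, creator)} from a suffixes file; '#' lines are comments."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("suffixes line %d: expected 'TYPE' 'CRTR' .ext" % lineno)
        ftype, creator, suffix = m.groups()
        table[suffix.lower()] = (ftype, creator)
    return table


def type_and_creator(filename, table, default=DEFAULT_TYPE_CREATOR):
    """Longest matching extension wins; case-insensitive (assumption)."""
    name = filename.lower()
    for suffix in sorted(table, key=len, reverse=True):
        if name.endswith(suffix):
            return table[suffix]
    return default


def translates_line_ends(ftype, creator, notexttran=False, translateany=False):
    """The rule from this section: only TEXT files are translated; notexttran
    disables it for all of them; translateany ignores the creator; otherwise
    TEXT/UXPS is left alone. EPSF/UNIX is excluded by its type."""
    if ftype != "TEXT" or notexttran:
        return False
    if translateany:
        return True
    return creator != "UXPS"


def to_mac(data):
    """UNIX (LF) or DOS (CR LF) line ends to Macintosh (CR)."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r")


def serve_to_mac(filename, data, table, notexttran=False, translateany=False):
    """Bytes a Macintosh client would receive for a file stored on the server."""
    ftype, creator = type_and_creator(filename, table)
    if translates_line_ends(ftype, creator, notexttran, translateany):
        return to_mac(data)
    return data


if __name__ == "__main__":
    table = parse_suffixes(SUFFIXES)
    for name in ("main.c", "notes.txt", "README"):
        print(name, type_and_creator(name, table),
              serve_to_mac(name, b"line 1\nline 2\n", table))
```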
9.7 Access privileges
Access privileges - called "permissions" under UNIX - define which users are allowed to work with which folders and files. Access privileges are assigned by the administrator or the owner of a folder, and always relate to the whole folder or volume: if a user has privileges to read from and write to a particular folder, the same privileges are available for all files contained in the folder.
Under Apple's Hierarchical File System (HFS), no access limitation mechanisms are available for individual files, since the concept of user authorization is not known. A file can solely be "locked" (write-protected) to prevent unintended writing/deleting operations. This attribute, however, can be disabled by any user at will. Furthermore, write-protection is not available for folders.
In a file server environment, considerably more sophisticated access privileges mechanisms are necessary. Apple's AFP specification for sharing files differentiates between four different types of privileges:
"Read only" specifies whether a particular folder is visible to the user. If a particular file is visible, it can also be read. The attribute "Read & Write" additionally allows modifications applied to the files in the folder. "Write only" allows only files being "dropped" into a specific folder. "None" means that any form of access to that folder is denied, i.e. neither reading the contained files, nor applying changes to them is possible. See fig. 151.
In contrast to UNIX, since under AFP the access privileges are assigned to a particular folder, it is not possible to specify different rights for individual files in the same folder. If it is necessary to be able to change a particular file, but not to change another file, the two files should normally be stored in separate folders. If this is not possible, your only choice is to use the UNIX "dt chmod" command to change the privileges for one file only.
The four types of privileges are separately defined for four categories of AFP users: the owner of the folder ("Owner:"), group members ("User/Group:"), all other users of the system ("Everyone", equivalent to "Other" under UNIX), and the administrator. This allows access privileges to be individually tailored. With the exception of the administrator, the owner of a folder is the only one who is allowed to change the privileges of the folder (if necessary, you can set "Owner:" to "<Any User>" by just leaving the field blank).
Read & Write
The folder is visible and all files can be read, changed and deleted. New files and folders can be created.
Read only
The folder is visible and all files can be read. Amendment or deleting of files is not allowed. New files and folders cannot be created.
Write only
The directory contents are not visible and files in the folder cannot be read, amended or deleted. However, new files and folders can still be created, since the folder acts as a drop folder (Drop Box).
None
Access to the files and folders is not possible. New files and folders cannot be created and the folder cannot be deleted.
Correlation to UNIX access privileges
The following table shows the four combinations of access privileges for the EtherShare File Server, and the corresponding rights in the UNIX file system. Remember that the files stored in a folder always have the same access privileges as the folder itself.
EtherShare File Server          UNIX file system
Read & Write                    (rwx) read write execute
Read only                       (r-x) read execute
Write only (Drop Box)           (-wx) write execute
None                            (---)

Note: The System V UNIX semantics use "x" on directories, whereas "s" provides an additional bit in BSD UNIX for setting group IDs. For more detailed information see also Creating new volumes under UNIX in 9.7 "Access privileges" and the respective UNIX documentation.

The Finder's Sharing... program (in the File menu) can be used to display and edit the access privileges. Figure 151 shows the privileges for a folder named "contracts", and figure 152 displays the corresponding directory listing for this folder, made with the UNIX program "ls".
Fig. 151: Folder access privileges in the "Sharing" window
Fig. 152: Folder access privileges as seen from UNIX

$ ls -ld contracts contracts/.rsrc
drwxrwsrwx 2 root wheel 1024 contracts
drwxrws--- 3 market_a marketing 1024 contracts
drwxrws--- 3 market_a marketing 1024 contracts


Only the folder's owner or the system administrator ("root") can change the access privileges of the folder. The corresponding fields and checkboxes are grayed out when another user asks for privileges information (see figure 153).
Fig. 153: Access privileges for user "dave"

Extreme care should be taken when changing the access privileges of AFP files directly from the UNIX server (e.g. never forget the resource part); to avoid such problems, use the UNIX "dt" program instead. Incompatible combinations of privileges can lead to EtherShare access problems. For example, it may no longer be possible to read from or write to a file, or to use a folder at all.
Creating new folders under UNIX
As discussed earlier, a folder in a volume is represented as a directory in the UNIX file system, which is also associated with a (normally invisible) resource directory. The EtherShare File Server uses the resource directory to store the Macintosh's resource fork and the Finder info for the files.
If it is required to create a folder directly from UNIX, use the "dt mkdir" program, so that both the main and the resource directory are created. The "dt chown" and "dt chgrp" commands are used to set the owner and group of the folder. Use the "dt chmod" command to set the appropriate access privileges. Figure 154 shows how this could be done, and figure 155 shows the resulting directory entries.
Fig. 154: Creating a folder from UNIX
$ dt mkdir FolderName
Fig. 155: Resulting directory entries (UNIX program "ls")

$ ls -ld FolderName FolderName/.rsrc
drwxrws--- 3 market_a marketing 1024 contracts


Please refer to the UNIX system documentation for more details of the "mkdir", "chown", "chgrp", "chmod", and "ls" commands.
Also refer to the "dt mkdir", "dt chown", "dt chgrp", "dt chmod", and "dt ls" commands in chapter A 9.5 "Command descriptions", respectively.
We recommend that network folders are always created by using the Finder on the Macintosh, in the same way as local folders, since this guarantees that all of the above considerations are handled automatically. The administrator should only use UNIX system programs for this purpose in an emergency. The exception is when you need to change the privileges for a single file within a folder - the Macintosh's "Permissions" program (called "Sharing" on System 7.x) can only set privileges at the folder level (compare Correlation to UNIX access privileges in this chapter).
Deleting folders
A folder can be deleted in an analogous way, by using the UNIX command "dt rm -r", provided that the user has sufficient privileges. If the folder contains further folders and/or files, these are also deleted.
Creating new volumes under UNIX
IBM and Sun operating systems set or clear the "setgid" bit on directories to indicate whether files created in that directory should follow BSD semantics or System V semantics, respectively. The "setgid" bit is then automatically propagated to nested directories. AppleShare users expect the BSD style, thus the EtherShare Admin ensures that the "setgid" bit is set if it creates a directory for a new volume or a new user.
The "dt" utility will automatically make sure that the "setgid" bit is set.
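Added example, not from the HELIOS manual: a POSIX shell script that decodes "ls -ld" mode strings into the privilege names of the correlation table (Correlation to UNIX access privileges, above), warns when a folder's ".rsrc" directory carries different rights than the folder itself (the "never forget the resource part" caveat), and reports whether the "setgid" bit that AppleShare clients expect is present. The listing it walks is constructed and omits the date columns, as figure 152 does.

```shell
# Added example, not from the HELIOS manual. Decodes "ls -ld" mode strings
# into the EtherShare privilege names and flags two inconsistencies the manual
# warns about: a ".rsrc" directory with other rights than its folder, and a
# missing "setgid" (BSD group semantics) bit.

# BSD "s" = "x plus setgid", "S" = "setgid without x"; privileges need rwx only.
norm_triplet() {
  printf '%s\n' "$1" | tr 'sS' 'x-'
}

# Map one rwx triplet to the correlation table; anything else is "incompatible".
afp_priv() {
  case "$(norm_triplet "$1")" in
    rwx) printf '%s\n' "Read & Write" ;;
    r-x) printf '%s\n' "Read only" ;;
    -wx) printf '%s\n' "Write only (Drop Box)" ;;
    ---) printf '%s\n' "None" ;;
    *)   printf 'incompatible (%s)\n' "$1" ;;
  esac
}

# Decode a 10-character mode such as "drwxrws---" into Owner/Group/Everyone.
afp_decode() {
  o=$(printf '%s\n' "$1" | cut -c2-4)
  g=$(printf '%s\n' "$1" | cut -c5-7)
  e=$(printf '%s\n' "$1" | cut -c8-10)
  case "$g" in *[sS]) sg=yes ;; *) sg=no ;; esac
  printf 'Owner: %s; Group: %s; Everyone: %s; setgid: %s\n' \
    "$(afp_priv "$o")" "$(afp_priv "$g")" "$(afp_priv "$e")" "$sg"
}

# A folder and its ".rsrc" directory must agree (setgid aside): 0 if they do.
rsrc_consistent() {
  [ "$(norm_triplet "$1")" = "$(norm_triplet "$2")" ]
}

# Walk "ls -ld" lines (mode first, name last) and print the decoded privileges;
# warn when setgid is absent or a ".rsrc" entry differs from its folder.
check_listing() {
  prev_mode=""; prev_name=""
  while read -r line; do
    mode=${line%% *}; name=${line##* }
    printf '%-20s %s\n' "$name" "$(afp_decode "$mode")"
    case "$mode" in ??????[sS]*) ;;
      *) echo "WARNING: $name lacks the setgid bit (System V semantics)" ;; esac
    case "$name" in
      */.rsrc) rsrc_consistent "$prev_mode" "$mode" ||
                 echo "WARNING: $name does not match $prev_name" ;;
    esac
    prev_mode=$mode; prev_name=$name
  done
}

# Constructed sample: the ".rsrc" directory was chmod'ed but the folder was not.
SAMPLE='drwxrws--- 3 market_a marketing 1024 contracts
drwxr-s--- 3 market_a marketing 1024 contracts/.rsrc'

echo "$SAMPLE" | check_listing
```

For a real volume, feed it with `ls -ld Folder Folder/.rsrc | check_listing`.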
9.8 Data backup
As with all computer systems, it is highly advisable to make regular backups of network volumes to tape or disk. Although UNIX provides comprehensive safety mechanisms in case of system faults, it is never possible to fully exclude loss of data. For this reason, the administrator should regularly archive all volumes of the file server to mass storage.
Two methods are available for archiving volumes. Data backup can be carried out either from one of the workstations with a Macintosh archiving program, or directly from the UNIX server by using one of UNIX's system backup programs.
Archiving programs on a Macintosh workstation will back up HFS volumes to disk or tape. The disadvantages of this method are that all the files must first be transferred over the network before they can be stored on the backup medium, and that each volume must be separately archived; the latter can represent a considerable effort on a large file server with a large number of public and private volumes.
For this reason, workstation backup programs are generally only suitable for archiving single volumes (and not for the main system backup). Users should be encouraged to regularly archive their own private volumes and folders, in order to be able to access older versions of files at a later stage if required.
By accessing the UNIX server directly, the administrator can archive all volumes in a single process, and at the same time benefit from the high data transfer rates available through UNIX, since the files do not first need to be transferred via the network (provided that the hard disks and tape systems are directly linked to the server, and not connected at another point in the network). Since UNIX computers are usually provided with some kind of built-in tape streamer, this method also has the advantage that no additional hardware needs to be purchased.
Various UNIX system programs allow convenient backup of directories and files; the most common ones used for this purpose are "ufsdump", "cpio" and "tar".

Important: Make sure, while performing a data backup from a UNIX system, that the volume to be stored is not currently used by Macintosh clients or "opisrv" or "dt". Otherwise, the result would be inconsistent file/.rsrc data.
The volume's ".Desktop" and ".DeskServer" files should not be backed up, because at restore time they would no longer match the volume's contents.

cpio and tar
"cpio" and "tar" are not capable of storing path names longer than approximately 100 characters. This makes these programs unusable on Macintosh volumes, which support much longer path names.
ufsdump and restore
"ufsdump" is a backup program available on many UNIX systems, characterized by high speed and by the fact that it can archive all file types. Furthermore, "ufsdump" only archives blocks in the file system that actually contain real data (sparse files). "ufsdump" is the recommended backup program for the EtherShare system. Please refer to appendix A 6: "Data backup with "dump" and "restore"" for an example of using "ufsdump" and its companion "restore". See nofiledatesync in chapter 9.4 "Parameters of the "afpsrv" program" for related information. Another way to keep backups reliable is to save both the data file and its resource file to the same destination (e.g. streamer, tape etc.) rather than splitting them across different storage media.
Automated backup
The UNIX system program "cron" allows data backup to be automated. Daily backup to tape can be carried out with minimum effort if the corresponding commands have been entered in the "cron" configuration table. It is only necessary to ensure that a tape with sufficient storage capacity is loaded in the appropriate tape drive.
9.9 File Server utility programs
The following programs are created automatically in the "$ESDIR/etc" directory during EtherShare installation:
stop-afp
"stop-afp" is a shell script which closes down the File Server after a delay of five minutes, ensuring that all active processes have been correctly terminated. All logged-on users receive a warning message on their workstations before the system is finally closed down.
If the "stop-afp" command line includes the parameter "now" ("$ESDIR/etc/stop-afp now"), the File Server is stopped immediately.

Note: Only the superuser ("root") can run "stop-afp". Before running this script, use the "swho" command (or choose Active Users in the Lists menu of EtherShare Admin) to make sure that no other users are using the File Server, or use "afpmsg" to notify other users in advance.

mkafppasswd
"mkafppasswd" is a shell script that you can call in order to copy user entries for the user id 0 ("root") and all users with user numbers greater than or equal to 100 from the "/etc/passwd" file to "$ESDIR/conf/afppasswd". The output is sent to "$ESDIR/conf/afppasswd". You will get an error message if "afppasswd" already exists. After creating this file the command asks you for a new "root" password, because all entries are initially without any password. If you have any "real" UNIX users with ID numbers below 100, as distinct from "system" users such as "bin", you must manually add a corresponding entry (initially without password) to the "afppasswd" file as follows:
username:
Then set up initial passwords with Change password in the Chooser, or from UNIX with the password program "$ESDIR/afppasswd".
afpmsg
With "afpmsg" a UNIX user can send a display message of up to 199 characters to an AFP client, or, when logged in as "root", to all users (see fig. 156). For detailed parameter information type afpmsg -?.
-f refers to a file containing the actual message. This may be required, e.g. if you want to send a multi-line message, which is not possible with the message parameter alone.
-p is the parameter for sending a message to a particular process id #.
-u is the parameter for sending a message to another user.
Example: afpmsg -u dave "Hi Dave, this is a test."
Fig. 156: Example of a display message

If neither -p nor -u is specified and you are the superuser, the message reaches all users logged on to the respective server.

Note: In order to avoid "distorted" display messages, make sure the appropriate version of AppleShare client (min. 3.8) for the respective Mac OS (starting with 7.1 and above) is installed on your Macintosh workstation.

9.10 EtherShare versus AppleShare
When compared to the original AppleShare file server from Apple, EtherShare has a few minor limitations but also offers powerful additional features which result in part from specific features of the UNIX environment on which EtherShare is based.
Case-sensitivity
The following table compares the behavior of the different operating systems when it comes to the case of file names.
Fig. 157: Operating systems and the case-sensitivity of file names

                case preserve   case ignore
Mac OS          yes             yes
UNIX            yes             -
MS-DOS          -               yes
W95/98/NT       yes             yes

As figure 157 shows, there is no case preserving under MS-DOS, i.e. file names entered in lowercase will appear uppercase in the directory listing. In contrast to UNIX, the Macintosh (as well as Windows) operating system is not case-sensitive when it looks for files or creates or opens them - if your application looks for "Dave", it will also find "dave", and you cannot create a file "Dave" and a file "dave" in the same folder on a local volume. Due to its UNIX heritage, this is unfortunately not true for EtherShare volumes.
This distinction is normally not a problem - if an application has created a file called "Editor Prefs", for example, and needs to open the file again, it usually tries to open it using the same name and not under the name "EDITOR PREFS". If an application cannot find a file which it has created, and the file is visible under UNIX and in the Finder, it is likely that case-sensitivity is to blame. If you are able to determine the name of the file which the application is trying to open, you can often provide a workaround by using a Macintosh link (alias) or by renaming the file. Contact your application vendor for assistance.
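Added example, not from the HELIOS manual: a POSIX shell filter that reads a folder listing ("ls -1A") on standard input and prints the names that differ only in case, i.e. the pairs UNIX keeps apart but a Macintosh client cannot distinguish. The "volume_collisions" helper and the names piped in at the end are constructed for this example.

```shell
# Added example, not from the HELIOS manual. Reads file names (one per line,
# e.g. from "ls -1A <folder>") and prints those that collide once case is
# ignored: UNIX stores them as distinct files, a Macintosh client does not.
case_collisions() {
  awk '{
      key = tolower($0)                # the name as a Macintosh client sees it
      names[key, ++count[key]] = $0    # keep every spelling of that name
    }
    END {
      for (k in count)
        if (count[k] > 1)
          for (i = 1; i <= count[k]; i++) print names[k, i]
    }' | LC_ALL=C sort
}

# Check every folder of a volume (constructed helper): resource directories
# ".rsrc" are skipped, and each colliding name is prefixed with its folder.
# Assumes folder names contain neither newlines nor "|".
volume_collisions() {
  find "$1" -name .rsrc -prune -o -type d -print | while read -r dir; do
    LC_ALL=C ls -1A "$dir" | case_collisions | sed "s|^|$dir/|"
  done
}

# Constructed listing of one folder: two pairs collide, "readme" does not.
printf '%s\n' Dave dave readme 'Editor Prefs' 'EDITOR PREFS' | case_collisions
```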
ASCII "0"
You will get a file system error if you try to copy files whose names contain ASCII "0" (zero) to the server, or if application programs or tools try to create such files. This somewhat dubious technique is used by some INITs to force their name to the top of an alphabetic list of files. This restriction also applies to all AppleShare file server products (including those from Apple).
Private volumes
Private volumes are a particularly powerful feature of the EtherShare File Server which is not available on original AppleShare file servers. By automatically allocating a private "home" volume to each user, it is possible to keep his/her data separate and protected from other users without requiring any additional measures to be carried out. The home volume feature - which is implemented with the UNIX home directory concept - underlines the high degree of integration of the UNIX file system in the EtherShare File Server.
Private volumes are used to improve structuring and ordering of private files, but it is generally better to use the Volume groups feature for this purpose, because private volumes cannot be seen in the Volumes list of the EtherShare Admin, and thus cannot be readily managed or rebuilt (see Rebuild Desktop in chapter 5.9 "Volume menu").

Note: Many private volumes may require an increase of the "maxdesktops" value in "desksrv" (EtherShare's default value is 128).

Access privileges
Since access privileges are assigned per folder, when changing the privileges of a folder/volume the file and folder attributes can only be set to the same value, and you will need to close and re-open the Finder's "Sharing..." window (figure 151) before you can see this. If you need to change the privileges for a single file within a folder, you have to do it with the UNIX "dt chmod" command.
Available storage space on volumes
When determining the available free storage capacity of a volume, the AFP specification only permits interrogation of the root directory of a volume. This assumes that the entire volume is present on the same file system.
In contrast, under the UNIX file system, "volumes" can extend over several storage devices which are installed at different UNIX directories (mount points) and physically located at different points on the network. This mounted volumes feature is completely unknown to AFP - AFP does not recognize cases where a volume extends over several storage devices, with each of them having a different storage capacity.
Accordingly, in order to maintain control over the available storage capacity, it is not recommended to mount EtherShare volumes that extend over more than one file system. Otherwise, you may get problems with Macintosh applications that check the available storage capacity on the volume before writing files or documents. See also Volume size limits in chapter 9.6 "Public and private volumes" for related information.

Note: If you have more than one UNIX mount point on a Macintosh volume, do not move files or folders to the trash since this may fail.

Folders and volumes without groups
Original AppleShare file servers allow folders to be created which are not assigned to a group. This feature is not permitted on an EtherShare File Server due to limitations inherent in UFS. If it is required to create folders which are not assigned to a specific group, it is necessary to create a new special group (pseudo-group) which does not have any members. By convention, the group "nogroup" is often used for this purpose.
The same is true for volumes. Since the access privileges of HFS volumes are always the same as those of the corresponding UFS directories, if it is required to create HFS volumes which are not assigned to a specific group, they must also be assigned to the pseudo-group "nogroup".
Users without primary group
In contrast to generic AppleShare file servers, EtherShare always requires each user to be assigned a primary group, since all files must be assigned to a specific group. A pseudo-group can be used in this case too, although the name of the pseudo-group should be different from the one used for groupless folders and volumes (e.g. "noprimary").
Preventing password changes
Original AppleShare file servers allow the "Change password" feature to be disabled for individual users. In an EtherShare File Server, the rights to change passwords can only be enabled or disabled for all users at the same time, by marking the program "$ESDIR/afppasswd" as non-executable for categories "other" and "group". In this case, passwords can only be changed by the administrator, in the "User data" window in the EtherShare Admin (see chapter 5 "EtherShare Admin").
Search Desktop
"afpsrv" searches for file or folder names in the desktop database. Although this search is much faster than searching for file/folder names in the UNIX file system, it may fail to find files if the desktop database does not match the files and folders on an EtherShare volume, which can be caused, for example, by overlapping EtherShare volumes (see Private volumes in 9.6 "Public and private volumes").

Note: Choose Rebuild Desktop... from the Volume list in the EtherShare Admin. Then, all files on that volume can be found again.
Under UNIX, type rebuild -f (in "$ESDIR").


© 2002 HELIOS Software GmbH