Man Linux: Main Page and Category List


       afpd.conf - Configuration file used by afpd(8) to determine the setup
       of its file sharing services


       /etc/netatalk/afpd.conf is the configuration file used by afpd to
       determine the behavior and configuration of the different virtual file
       servers that it provides.

       Any line not prefixed with # is interpreted. The configuration lines
       are composed like: server name [ options ] If a - is used instead of a
       server name, the default server is specified. Server names must be
       quoted if they contain spaces. They must not contain ":" or "@". The
       path name must be a fully qualified path name, or a path name using
       either the ~ shell shorthand or any of the substitution variables,
       which are listed below.

           Each server has to be configured on a single line. Though newline
           escaping is supported.
       The possible options and their meanings are:


       -defaultvol [path]
           Specifies path to AppleVolumes.default file (default is

       -systemvol [path]
           Specifies path to AppleVolumes.system file (default is

           Enables or disables reading of the users´ individual volumes file

           Enables or disables reading of the users´ individual volumes file
           before processing the global AppleVolumes.default file.


       -uamlist [uams list]
           Comma separated list of UAMs. (The default is

           The most commonly used UAMs are:

               allows guest logins

               ( or Allow logins with passwords
               transmitted in the clear.

               allows Random Number and Two-Way Random Number Exchange for
               authentication (requires a separate file containing the
               passwords, either /etc/netatalk/afppasswd file or the one
               specified via -passwdfile. See afppasswd(1) for details

               ( or Allow Diffie-Hellman
               eXchange (DHX) for authentication.

               ( or Allow Diffie-Hellman
               eXchange 2 (DHX2) for authentication.

               Allow Kerberos V for authentication (optional)

       -uampath [path]
           Sets the default path for UAMs for this server (default is

       -k5keytab [path], -k5service [service], -k5realm [realm]
           These are required if the server supports the Kerberos 5
           authentication UAM.

       -ntdomain, -ntseparator
           Use for eg. winbind authentication, prepends both strings before
           the username from login and then tries to authenticate with the
           result through the availabel and active UAM authentication modules.


       With OS X Apple introduced the AFP3 protocol. One of the big changes
       was, that AFP3 uses Unicode names encoded as Decomposed UTF-8
       (UTF8-MAC). Previous AFP/OS versions used codepages like MacRoman,
       MacCentralEurope, etc.

       To be able to serve AFP3 and older clients at the same time, afpd needs
       to be able to convert between UTF-8 and Mac codepages. Even OS X
       clients partly still rely on codepages. As there´s no way, afpd can
       detect the codepage a pre AFP3 client uses, you have to specify it
       using the -maccodepage option. The default is MacRoman, which should be
       fine for most western users.

       As afpd needs to interact with unix operating system as well, it need´s
       to be able to convert from UTF8-MAC/MacCodepage to the unix codepage.
       By default afpd uses the systems LOCALE, or ASCII if your system
       doesn´t support locales. You can set the unix codepage using the
       -unixcodepage option. If you´re using extended characters in the
       configuration files for afpd, make sure your terminal matches the

       -unixcodepage [CODEPAGE]
           Specifies the servers unix codepage, e.g. "ISO-8859-15" or "UTF8".
           This is used to convert strings to/from the systems locale, e.g.
           for authenthication, server messages and volume names. Defaults to
           LOCALE if your system supports it, otherwise ASCII will be used.

       -maccodepage [CODEPAGE]
           Specifies the mac clients codepage, e.g. "MAC_ROMAN". This is used
           to convert strings and filenames to the clients codepage for OS9
           and Classic, i.e. for authentication and AFP messages (SIGUSR2
           messaging). This will also be the default for the volumes
           maccharset. Defaults to MAC_ROMAN.


       -loginmaxfail [number]
           Sets the maximum number of failed logins, if supported by the UAM
           (currently none)

       -passwdfile [path]
           Sets the path to the Randnum UAM passwd file for this server
           (default is /etc/netatalk/afppasswd).

       -passwdminlen [number]
           Sets the minimum password length, if supported by the UAM

           Enables or disables the ability of clients to save passwords

           Enables or disables the ability of clients to change their
           passwords via chooser or the "connect to server" dialog


           Enables or disables AFP-over-Appletalk. If -proxy is specified, you
           must instead use -uamlist "" to prevent DDP connections from
           working. (default is -noddp)

           Enables or disables AFP-over-TCP (default is -tcp)

           Make both available


           Allows Mac OS X clients (10.3.3-10.4) to automagically establish a
           tunneled AFP connection through SSH. If this option is set, the
           server´s answers to client´s FPGetSrvrInfo requests contain an
           additional entry. It depends on both client´s settings and a
           correctly configured and running sshd(8) on the server to let
           things work.

               Setting this option is not recommended since globally
               encrypting AFP connections via SSH will increase the server´s
               load significantly. On the other hand, Apple´s client side
               implementation of this feature in MacOS X versions prior to
               10.3.4 contained a security flaw.

       -ddpaddr [ddp address]
           Specifies the DDP address of the server. The default is to
           auto-assign an address (0.0). This is only useful if you are
           running AppleTalk on more than one interface.

       -fqdn [name:port]
           Specifies a fully-qualified domain name, with an optional port.
           This is discarded if the server cannot resolve it. This option is
           not honored by AppleShare clients <= 3.8.3. This option is disabled
           by default. Use with caution as this will involve a second name
           resolution step on the client side. Also note that afpd will
           advertise this name:port combination but not automatically listen
           to it.

       -hostname [name]
           Use this instead of the result from calling hostname for
           dertermening which IP address to advertise, therfore the hostname
           is resolved to an IP which is the advertised. This is NOT used for
           listening and it is also overwritten by -ipaddr.

       -ipaddr [ip address]
           Specifies the IP address that the server should advertise and
           listens to. The default is advertise the first IP address of the
           system, but to listen for any incoming request. The network address
           may be specified either in dotted-decimal format for IPv4 or in
           hexadecimal format for IPv6. This option also allows to use one
           machine to advertise the AFP-over-TCP/IP settings of another
           machine via NBP when used together with the -proxy option.

           allbox tab(:); l l l.  T{ (UTF8) Server name: fluxxus T} T{
           Listening and advertised network address:
                      T} T{ Advertised network address:

       -port [port number]
           Allows a different TCP port to be used for AFP-over-TCP. The
           default is 548.

           Runs an AppleTalk proxy server for the specified AFP-over-TCP
           server. If the address and port aren´t given, then the first IP
           address of the system and port 548 will be used. If you don´t want
           the proxy server to act as a DDP server as well, set -uamlist "".

       -server_quantum [number]
           This specifies the DSI server quantum. The default value is 303840.
           The maximum value is 0xFFFFFFFFF, the minimum is 32000. If you
           specify a value that is out of range, the default value will be
           set. Do not change this value unless you´re absolutely sure, what
           you´re doing

           Register this server using the Service Location Protocol (if SLP
           support was compiled in).


       -admingroup [group]
           Allows users of a certain group to be seen as the superuser when
           they log in. This option is disabled by default.

       -authprintdir [path]
           Specifies the path to be used (per server) to store the files
           required to do CAP-style print authentication which papd will
           examine to determine if a print job should be allowed. These files
           are created at login and if they are to be properly removed, this
           directory probably needs to be umode 1777.

               -authprintdir will only work for clients connecting via DDP.
               Almost all modern Clients will use TCP.

           With this switch enabled, afpd won´t advertise that it is capable
           of server notifications, so that connected clients poll the server
           every 10 seconds to detect changes in opened server windows.  Note:
           Depending on the number of simultaneously connected clients and the
           network´s speed, this can lead to a significant higher load on your

               Do not use this option any longer as Netatalk 2.x correctly
               supports server notifications, allowing connected clients to
               update folder listings in case another client changed the

           Immediately unmount volumes removed from AppleVolumes files on
           SIGHUP sent to the afp master process.

       -cnidserver [ipaddress:port]
           Specifies the IP address and port of a cnid_metad server, required
           for CNID dbd backend. Defaults to localhost:4700. The network
           address may be specified either in dotted-decimal format for IPv4
           or in hexadecimal format for IPv6.

       -guestname [name]
           Specifies the user that guests should use (default is "nobody").
           The name should be quoted.

           [Dont´t] Use the platform-specific icon. Recent Mac OS don´t
           display it any longer.

       -loginmesg [message]
           Sets a message to be displayed when clients logon to the server.
           The message should be in unixcodepage and should be quoted.
           Extended characters are allowed.

           Disables debugging.

       -sleep [number]
           AFP 3.x waits number hours before disconnecting clients in sleep
           mode. Default is 10 hours.

       -signature { user:<text> | auto }
           Specify a server signature. This option is useful while running
           multiple independent instances of afpd on one machine (eg. in
           clustered environments, to provide fault isolation etc.). Default
           is "auto". "auto" signature type allows afpd generating signature
           and saving it to /etc/netatalk/afp_signature.conf automatically
           (based on random number). "host" signature type switches back to
           "auto" because it is obsoleted. "user" signature type allows
           administrator to set up a signature string manually. The maximum
           length is 16 characters.

           Example. Three server definitions using 2 different server

               first -signature user:USERS
               second -signature user:USERS
               third -signature user:ADMINS

           First two servers will appear as one logical AFP service to the
           clients - if user logs in to first one and then connects to second
           one, session will be automatically redirected to the first one. But
           if client connects to first and then to third, will be asked for
           password twice and will see resources of both servers. Traditional
           method of signature generation causes two independent afpd
           instances to have the same signature and thus cause clients to be
           redirected automatically to server (s)he logged in first.

       -volnamelen [number]
           Max length of UTF8-MAC volume name for Mac OS X. Note that Hangul
           is especially sensitive to this.

               73:  limit of Mac OS X 10.1
               80:  limit for Mac OS X 10.4/10.5 (default)
               123: limit for Mac OS X 10.6
               255: limit of spec

           Mac OS 9 and earlier are not influenced by this, because Maccharset
           volume name is always limitted to 27 bytes.


       -setuplog "<logtype> <loglevel> [<filename>]"
           Specify that any message of a loglevel up to the given loglevel
           should be logged to the given file. If the filename is ommited the
           loglevel applies to messages passed to syslog.

           By default (no explicit -setuplog and no buildtime configure flag
           --with-logfile) afpd logs to syslog with a default logging setup
           equivalent to "-setuplog default log_info".

           If build with --with-logfile (default logfile
           /var/log/netatalk.log) or --with-logfile=somefile afpd defaults to
           a setup that is equivalent to "-setuplog default log_info

           logtypes: Default, AFPDaemon, Logger, UAMSDaemon


               The config is case-ignoring

           Example. Useful default config

               -setuplog "default log_info /var/log/afpd.log"

           Example. Debugging config

               -setuplog "default log_maxdebug /var/log/afpd.log"

           Example. afpd logging to different files

               -setuplog "default log_info /var/log/afpd.log"
               -setuplog "UAMSDaemon log_maxdebug /var/log/uams.log"

       -unsetuplog "<logtype> [<filename>]"
           Note that for unsetuplog specifying any string as filename is
           sufficient for the config parser to distinguish between requests to
           disable syslog logging or file-logging.

           Example. Disable afpd logging set at build-time from configure

               -unsetuplog "default -"


       These options are useful for debugging only.

       -tickleval [number]
           Sets the tickle timeout interval (in seconds). Defaults to 30.

       -timeout [number]
           Specify the number of tickles to send before timing out a
           connection. The default is 4, therefore a connection will timeout
           after 2 minutes.


       Example. afpd.conf default configuration

           - -transall -uamlist,

       Example. afpd.conf MacCyrillic setup / UTF8 unix locale

           - -transall -maccodepage mac_cyrillic -unixcodepage utf8

       Example. afpd.conf setup for Kerberos V auth with newline escaping

           - -transall -uamlist,,, \
           -k5service afpserver -k5keytab /path/to/afpserver.keytab \
           -k5realm YOUR.REALM -fqdn your.fqdn.namel:548

       Example. afpd.conf letting afpd appear as three servers on the net

           "Guest Server" -uamlist -loginmesg "Welcome guest!"
           "User Server" -uamlist -port 12000
           "special" -notcp -defaultvol <path> -systemvol <path>


       afpd(8), afppasswd(1), AppleVolumes.default(5), afp_signature.conf(5)