'\" t .\" Title: afp_acls .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.75.2 .\" Date: 20 Oct 2010 .\" Manual: Netatalk 2.1 .\" Source: Netatalk 2.1 .\" Language: English .\" .TH "AFP_ACLS" "8" "20 Oct 2010" "Netatalk 2.1" "Netatalk 2.1" .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" afp_acls \- Setup and Usage Howto for ACLs with Netatalk .SH "DESCRIPTION" .PP ACL support for AFP is implemented with NFSv4 ACLs\&. Few filesystems and fewer OSes support these\&. At the time of implementation its only provided with ZFS on Solaris, Opensolaris and derived distributions\&. .SH "CONFIGURATION" .PP In order to be able to support ACLs, the following things have to be configured: .sp .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 4.2 .\} ZFS Volumes .sp You MUST configure one ACL parameter for any volume you want to use with Netatalk: .sp .if n \{\ .RS 4 .\} .nf aclinherit = passthrough .fi .if n \{\ .RE .\} .sp For an explanation of what this parameter means and how to apply it see, your hosts ZFS documentation (e\&.g\&. man zfs)\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 4.2 .\} Authentication Domain .sp Your server and the clients must be part of a security association where identity data is coming from a common source\&. ACLs in Darwin are based on UUIDs and so is the ACL specification in AFP 3\&.2\&. Therefor your source of identity data has to provide an attribute for every user and group where a UUID is stored as a ASCII string\&. 
.sp In other words: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} you need an Open Directory Server or an LDAP server where you store UUIDs in some attribute .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} your clients must be configured to use this server .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} your server should be configured to use this server via nsswitch and PAM\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} configure Netatalk via afp_ldap\&.conf so that Netatalk is able to retrieve the UUID for users and groups via LDAP search queries .RE .RE .sp .RS 4 .ie n \{\ \h'-04' 3.\h'+01'\c .\} .el \{\ .sp -1 .IP " 3." 4.2 .\} Netatalk Volumes .sp Finally you can add \fBoptions:acls\fR to your volume defintion to add ACL support\&. In case your volume basedir doesn\'t grant read permissions via mode (like: \fB0700 root:adm\fR) but only via ACLs, you MUST add the \fBnostat\fR option to the volume defintion\&. .RE .SH "SEE ALSO" .PP \fBafp_ldap.conf\fR(5), \fBAppleVolumes.default\fR(5)
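.SH "EXAMPLE"
.PP
The following POSIX shell script is an added example; it is not part of this manual page or of Netatalk\&. It checks steps 1 and 3 of the CONFIGURATION section offline against constructed sample data: the aclinherit value as \fBzfs get\fR would report it, and an AppleVolumes\&.default style volume line for the \fBacls\fR and \fBnostat\fR options against the mode of the volume basedir\&. The dataset name tank/afp, the paths under /export/afp, the volume names, the assumed line layout (path, quoted name, options:) and the read\-bit heuristic for "read permissions via mode" are all assumptions, not Netatalk conventions\&.

```sh
#!/bin/sh
# Added example, not from the Netatalk man page: offline sanity checks for the
# configuration steps. Dataset names, paths and volume names are assumed.

# Step 1 (ZFS): on the real host you would run
#     zfs set aclinherit=passthrough tank/afp
# and verify the result with
#     zfs get -H -o name,value aclinherit tank/afp
# Constructed stand-in for that verification output (name<TAB>value per line):
ZFS_SAMPLE=$(printf 'tank/afp\tpassthrough\ntank/afp/legacy\trestricted\n')

# aclinherit_ok DATASET -> exit 0 only if the sample reports passthrough for it
aclinherit_ok() {
    printf '%s\n' "$ZFS_SAMPLE" |
        awk -F '\t' -v ds="$1" '$1 == ds && $2 == "passthrough" { found = 1 } END { exit !found }'
}

# Step 3 (Netatalk volumes): AppleVolumes.default style lines, layout assumed
# to be: path "Volume name" options:opt1,opt2
# volume_options LINE -> the comma-separated list after "options:" (empty if absent)
volume_options() {
    printf '%s\n' "$1" | sed -n 's/.*options:\([^ ]*\).*/\1/p'
}

# has_option LIST NAME -> exit 0 if NAME is one entry of the comma-separated LIST
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# mode_grants_read OCTALMODE -> exit 0 if group or other holds the read bit.
# Heuristic for the man page's "read permissions via mode": a 0700 basedir
# that is readable only through ACLs fails this test.
mode_grants_read() {
    case "$1" in
        *[4567][0-7]|*[0-7][4567]) return 0 ;;
    esac
    return 1
}

# check_volume LINE OCTALMODE -> prints one verdict:
#   no-acls         options:acls is absent, so the volume has no ACL support
#   missing-nostat  basedir mode grants no read, so nostat is mandatory
#   ok              the line follows the rules of the CONFIGURATION section
check_volume() {
    opts=$(volume_options "$1")
    if ! has_option "$opts" acls; then
        echo no-acls
    elif ! mode_grants_read "$2" && ! has_option "$opts" nostat; then
        echo missing-nostat
    else
        echo ok
    fi
}

# Usage with the constructed data:
aclinherit_ok tank/afp && echo "tank/afp: aclinherit=passthrough"
check_volume '/export/afp/restricted "Restricted" options:acls' 0700
```

The second usage line prints missing-nostat: the basedir is 0700, so the volume is readable only through ACLs and the page requires \fBnostat\fR\&. Replace the constructed ZFS_SAMPLE with real \fBzfs get \-H\fR output and the sample lines with your own AppleVolumes\&.default entries to check a live host\&.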