Chapter 15.  Apple Filing Protocol

15.1. AFP Management: Server Admin

AFP, like most other Mac OS X Server services, can be graphically configured with the Server Admin application, under the AFP module of the server that is being managed. Also very similar to other available services are the options found in this interface: Overview, Logs, Connections, Graphs, and Settings. The Overview pane (seen in Figure 15-1) supplies basic information about the state of the service: current throughput, the status of guest access, the number of current connections, and the service's start time. This information is also available using the serveradmin command.



Figure 15-1. Most of the data available in AFP's Overview tab can be obtained with the serveradmin command's fullstatus and status directives.



The Logs pane (seen in Figure 15-2) grants access to the AFP service's logs, which are actually located in /Library/Logs/AppleFileService. The error and access logs (AppleFileServiceError.log and AppleFileServiceAccess.log, respectively) are rolled (archived) periodically according to settings located in the service's Settings tab, discussed later in the chapter. The graphical interface does not offer any kind of filtering, making it necessary sometimes to access the logs directly using the ssh and tail commands; the logs grow too fast for the graphical interface to keep up. Keep in mind that not all undesirable behavior is considered an error. Incorrectly set permissions, for instance, will not show up in the error log, as their enforcement does not constitute an error on the part of the service. This means it is important to monitor both sets of logs carefully.



Figure 15-2. The Logs pane offers access to the AFP Access and Error logs.



The AFP Server's logging is particularly poor. Although file access logging is relatively complete, things like preference processing, startup directives, and granular authentication operation analysis are not available anywhere in the Server logs.



Illustrated in Figure 15-3, the Connections pane displays all current AFP connections, sortable by username, type (TCP or AppleTalk), IP address, connection time, or idle time. Administrators may disconnect users or send an AFP pop-up message using the Disconnect and Send Message buttons, respectively. The Stop button stops the AFP service, disconnecting all users after a specified amount of time.



Figure 15-3. The Connections interface yields a lot of data about current AFP connections. A certain amount of service management is also available, as users may be manually disconnected.



The serveradmin command can also be used to disconnect users, although the syntax is cumbersome, to say the least. First, to obtain a list of connected users, use the getConnectedUsers command directive, as shown in Example 15-1.



Example 15-1. Using serveradmin to list connected users. This output can be quite verbose, because an array (group of settings) is returned for each connected user.



[ace2:~] nadmin% sudo serveradmin command afp:command=getConnectedUsers
Password:
afp:command="getConnectedUsers"
afp:state="RUNNING"
afp:timeStamp="2004-10-16 11:54:33 -0600"
afp:usersArray:_array_index:0:lastUseElapsedTime=69
afp:usersArray:_array_index:0:disconnectID=0
afp:usersArray:_array_index:0:sessionID=3
afp:usersArray:_array_index:0:minsToDisconnect=0
afp:usersArray:_array_index:0:flags=0
afp:usersArray:_array_index:0:state=1
afp:usersArray:_array_index:0:loginElapsedTime=79
afp:usersArray:_array_index:0:name="ghydle"
afp:usersArray:_array_index:0:serviceType="afp"
afp:usersArray:_array_index:0:ipAddress="192.168.1.144"
afp:usersArray:_array_index:0:sessionType="tcp"



The user(s) is disconnected with the disconnectUsers command directive. This command requires an array for input, meaning you have to use the serveradmin command somewhat interactively, as shown in Example 15-2. Each line ends with a carriage return. Don't forget to press Control-D when you're finished, because that's a very Mac-like thing to do. In reality I've never actually used this capability in the wild; it's just too much typing for such a simple task, and it doesn't always work.



Example 15-2. Using serveradmin to disconnect one or more connected AFP users requires cumbersome syntax.

[ace2:~] nadmin% sudo serveradmin command
afp:command=disconnectUsers
afp:message=you are terminated
afp:minutes=0
afp:sessionIDsArray:_array_index:0=sessionID3



Disconnecting a user results in some fairly verbose output:

afp:command="disconnectUsers"
afp:messageSent="you are terminated"
afp:timeStamp="2004-10-16 12:08:31 -0600"
afp:timerID=2
afp:usersArray:_array_index:0:lastUseElapsedTime=907
afp:usersArray:_array_index:0:disconnectID=0
afp:usersArray:_array_index:0:sessionID=3
afp:usersArray:_array_index:0:minsToDisconnect=0
afp:usersArray:_array_index:0:flags=0
afp:usersArray:_array_index:0:state=1
afp:usersArray:_array_index:0:loginElapsedTime=917
afp:usersArray:_array_index:0:name="mbartosh"
afp:usersArray:_array_index:0:serviceType="afp"
afp:usersArray:_array_index:0:ipAddress="192.168.1.144"
afp:usersArray:_array_index:0:sessionType="tcp"
afp:usersArray:_array_index:1:lastUseElapsedTime=867
afp:usersArray:_array_index:1:disconnectID=0
afp:usersArray:_array_index:1:sessionID=4
afp:usersArray:_array_index:1:minsToDisconnect=0
afp:usersArray:_array_index:1:flags=0
afp:usersArray:_array_index:1:state=1
afp:usersArray:_array_index:1:loginElapsedTime=868
afp:usersArray:_array_index:1:name="ghydle"
afp:usersArray:_array_index:1:serviceType="afp"
afp:usersArray:_array_index:1:ipAddress="24.8.7.222"
afp:usersArray:_array_index:1:sessionType="tcp"
afp:status=0
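Because the array syntax is tedious to type by hand, the following POSIX shell helpers are added here as an illustration; they are not from the book and are not part of Mac OS X Server. They parse the key-path records that getConnectedUsers prints into one line per session, pick out sessions that have been idle longer than a threshold, and generate the stdin body that disconnectUsers expects. The sample output embedded in the script is constructed from values in Examples 15-1 and 15-2 (the pairing of names, IDs and addresses is invented), and the "sessionID<n>" element format for sessionIDsArray is copied from Example 15-2 exactly as printed, which is an assumption you should verify against your server version before relying on it.

```sh
#!/bin/sh
# Added example, not from the book: helpers around "serveradmin command" for
# the AFP getConnectedUsers / disconnectUsers directives.

# Constructed sample of getConnectedUsers output, trimmed to the keys used
# below. Values are borrowed from Examples 15-1 and 15-2; the pairing is made up.
SAMPLE_USERS='afp:command="getConnectedUsers"
afp:state="RUNNING"
afp:timeStamp="2004-10-16 11:54:33 -0600"
afp:usersArray:_array_index:0:lastUseElapsedTime=69
afp:usersArray:_array_index:0:sessionID=3
afp:usersArray:_array_index:0:name="ghydle"
afp:usersArray:_array_index:0:ipAddress="192.168.1.144"
afp:usersArray:_array_index:1:lastUseElapsedTime=907
afp:usersArray:_array_index:1:sessionID=4
afp:usersArray:_array_index:1:name="mbartosh"
afp:usersArray:_array_index:1:ipAddress="24.8.7.222"
afp:status=0'

# afp_sessions: read getConnectedUsers output on stdin and print one line per
# session: "<sessionID> <name> <ipAddress> <lastUseElapsedTime>".
# Each key path is afp:usersArray:_array_index:<n>:<key>=<value>, so splitting
# on ":" and "=" puts the array index in field 4, the key in 5, the value in 6.
afp_sessions() {
  awk -F'[:=]' '
    BEGIN { max = -1 }
    $1 == "afp" && $2 == "usersArray" {
      idx = $4 + 0; key = $5; val = $6
      gsub(/"/, "", val)          # strip the quotes serveradmin puts on strings
      rec[idx, key] = val
      if (idx > max) max = idx
    }
    END {
      for (i = 0; i <= max; i++)
        if ((i, "sessionID") in rec)
          printf "%s %s %s %s\n", rec[i, "sessionID"], rec[i, "name"],
                 rec[i, "ipAddress"], rec[i, "lastUseElapsedTime"]
    }'
}

# afp_idle_session_ids <seconds>: session IDs idle longer than the threshold,
# read from getConnectedUsers output on stdin.
afp_idle_session_ids() {
  afp_sessions | awk -v limit="$1" '$4 + 0 > limit + 0 { print $1 }'
}

# afp_disconnect_request <message> <minutes> <sessionID>...: print the body
# that "serveradmin command" reads from stdin for disconnectUsers. The element
# format "sessionID<n>" follows Example 15-2 as printed (assumption).
afp_disconnect_request() {
  msg=$1; mins=$2; shift 2
  printf 'afp:command=disconnectUsers\n'
  printf 'afp:message=%s\n' "$msg"
  printf 'afp:minutes=%s\n' "$mins"
  i=0
  for sid in "$@"; do
    printf 'afp:sessionIDsArray:_array_index:%d=sessionID%s\n' "$i" "$sid"
    i=$((i + 1))
  done
}

# Stand-alone demo on the constructed sample. On a real server replace the
# printf with "sudo serveradmin command afp:command=getConnectedUsers" and
# pipe the generated request into "sudo serveradmin command".
printf '%s\n' "$SAMPLE_USERS" | afp_sessions
idle=$(printf '%s\n' "$SAMPLE_USERS" | afp_idle_session_ids 600)
if [ -n "$idle" ]; then
  # word-splitting $idle into separate session IDs is intended here
  afp_disconnect_request "idle too long, disconnecting" 0 $idle
fi
```

The parser keys every record on the _array_index value rather than on line order, so it is unaffected by the order in which serveradmin emits the keys, and it ignores the top-level afp:state, afp:timeStamp and afp:status lines. Run the real commands with sudo as in the examples above; the demo itself touches nothing on the system.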



The Graphs pane, useful for trend analysis, is capable of showing graphically either the average number of connected users or the average data throughput for a specified period of time, from 1 hour to 7 days in the immediate past. It can be seen in Figure 15-4. This view is especially useful for locating specific periods of time that might be worth pursuing in the service logs (for instance, a spike in file-sharing activity, or an unexpected drop-off in the number of connected users).



Figure 15-4. The Graphs portion of Server Admin's AFP management interface.



Server Admin's AFP Settings tab reveals the primary interface for changing the configuration of the AFP Server, separated into General, Access, Logging, and Idle Users panes. The General tab (illustrated in Figure 15-5) is really a somewhat random grouping of options, where AppleTalk and Rendezvous service registration (allowing the server to be browsed using enabled protocols) are configured and where a logon greeting may be set. Remember that enabling AppleTalk browsing here has no effect if the AppleTalk protocol is not enabled on one of the Server's network interfaces.



Figure 15-5. The General tab is home to several AFP Service options that do not appear to belong anywhere else. Logon greetings are generally considered annoying by users, and complicate deployment of network home directories.



AppleTalk can be enabled on only one interface at a time. Personally I do not like these ad hoc, broadcast, or multicast-based browsing technologies, and prefer a more structured, directory-based approach to making resources easily available.



Finally, Encoding specifies a text encoding for older clients that are not able to make use of AFP's Unicode support, typically pre-Mac OS X clients.

The Access tab, pictured in Figure 15-6, appropriately enough, controls various aspects of access to the server's AFP service. Authentication may be one of Standard (typically a Diffie-Hellman exchange, known as DHX), Kerberos, or Any Method, in which case the server should try to negotiate the most secure option that the client supports. It is generally safe to choose Any Method, the default selection. However, especially where clients from several unrelated Kerberos realms interface, it might be appropriate to specify Standard. The AFP client in Mac OS X will attempt to negotiate Kerberos authentication if the server claims to support it, even if the client and server are in different realms that are not configured to work together. This isn't a bad thing necessarily; it's just the way Kerberos works. There is no way to know whether the domains trust one another (share cross-realm principals) until authentication is attempted. If they don't, though, the user will be prompted twice: once for Kerberos authentication, and then again for standard authentication, regardless of whether the Kerberos authentication was successful.



Figure 15-6. The Access pane of Server Admin's AFP settings controls various characteristics of the AFP service relating to access. The maximum number of simultaneous connections may also be configured here.



This sounds alarming but actually makes quite a bit of sense. The Kerberos dialog attempts to authenticate the user to the Kerberos realm, after which, presumably, the Kerberos-enabled server could be accessed using single sign-on. Since the server and client are in unrelated realms, however, Kerberos authentication to the AFP server fails, even if authentication to the domain has succeeded. Since "Any Method" is chosen, the AFP server then falls back to standard (generally secure) authentication methods.



The "guest access" checkbox allows for anonymous connections to the AFP service. This isn't as bad as it sounds: guest access can be overridden at the share level. Enabling it here simply gives you the option of later enabling it on a per-share basis.



15.1.1. Secure Connections

Another option in the Access pane of Server Admin's AFP settings interface is the "Enable secure connections" checkbox. AFP has supported relatively secure authentication methods for several years now; however, until Jaguar, the rest of the connection (the actual data sent over the wire) could not be easily encrypted or protected in any way. The Secure Connections option enables the AFP connection from Jaguar or newer clients to be tunneled over the SSH protocol, so that malicious parties cannot successfully intercept it. Allowing secure connections means that if the client requests such a tunnel, it may be used.



There is currently no way to require that all connections must be secure. Enterprising minds will suggest disallowing incoming connections on port 548, so non-tunneled connections are not successful. Unfortunately, though, initial contact on port 548 is required in order to negotiate use of SSH.


