
SOLVED How to restrict users for AFP homes?

Status
Not open for further replies.

Peppo

Hello

I would like to restrict the home directories which I export through AFP to specific groups.
For normal AFP shares you can configure this in "Allow List". But for the home directories, which you configure in "Services -> AFP", there's only an option to set "global auxiliary parameters"; "volume parameters" are not configurable.
Adding the configuration by hand in /etc/local/afp.conf works perfectly fine, e.g.

Code:
[Homes]
   basedir regex = /mnt/raid0/home
   time machine = yes
   valid users = @my-group


But setting this by hand is not an option, since every time you add or change a share, you lose that change.

Is anybody aware of how you can restrict the homes to certain groups?

Thanks -- Peppo
 

Peppo

I just realized that Homes go with a volume that you have to share separately. So restrictions can go there and are configurable through the web interface, e.g.

Code:
[Homes]
   basedir regex = /mnt/raid0/home
   time machine = yes

[home]
   path = /mnt/raid0/home
   valid users = @my-group
   time machine = yes
   cnid dev = no
   file perm = 600
   directory perm = 700
   umask = 000
   veto files = .windows/.mac/


Sorry for the hassle -- Peppo
 

Peppo

And then again, this does not work as expected. Access information for [Homes] is not inherited from the underlying volume.

Given the example above, somebody connecting to afp://my-nas/home must be in group my-group, but if you connect to afp://my-nas/, then any user has access to its (auto-generated) home directory.

It seems as if the option 'valid users' of section [home] is not taken into account for section [Homes]. Or am I missing something?

Cheers -- Peppo
 

Peppo

Hi again

I got around the problem with a quick and dirty solution: a cron script that sets or updates "valid users" in the [Homes] section of /etc/local/afp.conf. The script is available here.

Cheers -- Peppo
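
The following is an added example, not Peppo's linked script and not part of the original thread: one way a cron job can idempotently enforce "valid users" in the [Homes] section, so the restriction is restored after the file is regenerated. The function name `set_homes_valid_users` is hypothetical; the path and group name in the usage comment are the ones from the posts above.

```shell
#!/bin/sh
# Added example, not the script linked in the thread.
# Enforces "valid users = <value>" in the [Homes] section of an afp.conf.
# Idempotent, so it can run from cron after the file has been regenerated.

set_homes_valid_users() {
    conf=$1
    value=$2
    tmp=$(mktemp) || return 1

    awk -v want="$value" '
        # Any section header: track whether we are entering [Homes].
        /^[ \t]*\[/ {
            in_homes = ($0 ~ /^[ \t]*\[Homes\][ \t]*$/)
            print
            if (in_homes) {   # write the restriction right under the header
                print "   valid users = " want
                found = 1
            }
            next
        }
        # Drop stale "valid users" lines in [Homes]; other sections are untouched.
        in_homes && /^[ \t]*valid users[ \t]*=/ { next }
        { print }
        # Fail closed: no [Homes] section means nothing was restricted.
        END { exit(found ? 0 : 2) }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 2; }

    # Rewrite only on a real difference; cat keeps the file owner and mode.
    if ! cmp -s "$tmp" "$conf"; then
        cat "$tmp" > "$conf" || { rm -f "$tmp"; return 1; }
    fi
    rm -f "$tmp"
}

# Example cron use (path and group name as given in the thread):
#   set_homes_valid_users /etc/local/afp.conf '@my-group'
if [ "$#" -ge 2 ]; then
    set_homes_valid_users "$1" "$2"
fi
```

A non-zero exit status means the [Homes] section was not found and the file was left unchanged, which is worth alerting on because the home directories are then unrestricted.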
 