nspassov · April 12, 2020 12:24
diff --git a/afpd.conf b/afpd.conf
 #
 # CONFIGURATION FOR AFPD
 #
 # Each single line defines a virtual server that should be available.
 # Though, using "\" character, newline escaping is supported.
 # Empty lines and lines beginning with `#' are ignored.
 # Options in this file will override both compiled-in defaults
 # and command line options.
 #


 #
 # Format:
 #  - [options]               to specify options for the default server
 #  "Server name" [options]   to specify an additional server
 #


 #
 # The following options are available:
 #   Transport Protocols:
 #     -[no]tcp       Make "AFP over TCP" [not] available
 #     -[no]ddp       Make "AFP over AppleTalk" [not] available.
 #                    If you have -proxy specified, specify -uamlist "" to 
 #                    prevent ddp connections from working.
 #
 #     -transall      Make both available
 #
 #   Transport Options:
 #     -ipaddr <ipaddress> Specifies the IP address that the server should
 #                         advertise and listens to. The default is advertise
 #                         the first IP address of the system, but to listen
 #                         for any incoming request. The network address may
 #                         be specified either in dotted-decimal format for
 #                         IPv4 or in hexadecimal format for IPv6.
 #                         This option also allows to use one machine to
 #                         advertise the AFP-over-TCP/IP settings of another
 #                         machine via NBP when used together with the -proxy
 #                         option.
 #     -server_quantum <number> 
 #                         Specifies the DSI server quantum. The minimum
 #                         value is 1MB. The max value is 0xFFFFFFFF. If you 
 #                         specify a value that is out of range, you'll get 
 #                         the default value (currently the minimum).
 #     -admingroup <groupname>
 #                         Specifies the group of administrators who should
 #                         all be seen as the superuser when they log in.
 #                         Default is disabled.
 #     -ddpaddr x.y        Specifies the DDP address of the server.
 #                         the  default is to auto-assign an address (0.0).
 #                         this is only useful if you're running on
 #                         a multihomed host.
 #     -port <number>      Specifies the TCP port the server should respond
 #                         to (default is 548)
 #     -fqdn <name:port>   specify a fully-qualified domain name (+optional
 #                         port). this gets discarded if the server can't
 #                         resolve it. this is not honored by appleshare
 #                         clients <= 3.8.3 (default: none)
 #     -hostname <name>    Use this instead of the result from calling
 #                         hostname for dertermening which IP address to
 #                         advertise, therfore the hostname is resolved to
 #                         an IP which is the advertised. This is NOT used for
 #                         listening and it is also overwritten by -ipaddr.
 #     -proxy              Run an AppleTalk proxy server for specified
 #                         AFP/TCP server (if address/port aren't given,
 #                         then first IP address of the system/548 will
 #                         be used).
 #                         if you don't want the proxy server to act as
 #                         a ddp server as well, set -uamlist to an empty
 #                         string.
 #     -slp                Register this server with the Service Location
 #                         Protocol (if SLP support was compiled in).
 #     -nozeroconf         Don't register this server with the Multicats
 #                         DNS Protocol.
 #     -advertise_ssh      Allows Mac OS X clients (10.3.3-10.4) to
 #                         automagically establish a tunneled AFP connection
 #                         through SSH. This option is not so significant
 #                         for the recent Mac OS X. See the Netatalk Manual
 #                         in detail.
 #
 #
 #   Authentication Methods:
 #     -uampath <path>  Use this path to look for User Authentication Modules.
 #                      (default: /usr/local/libexec/netatalk-uams)
 #     -uamlist <a,b,c> Comma-separated list of UAMs.
 #                      (default: uams_dhx.so,uams_dhx2.so)
 #
 #                      some commonly available UAMs:
 #                      uams_guest.so: Allow guest logins
 #
 #                      uams_clrtxt.so: (uams_pam.so or uams_passwd.so)
 #                                     Allow logins with passwords
 #                                     transmitted in the clear. 
 #
 #                      uams_randnum.so: Allow Random Number and Two-Way
 #                                      Random Number exchange for
 #                                      authentication.
 #
 #                      uams_dhx.so: (uams_dhx_pam.so or uams_dhx_passwd.so)
 #                                  Allow Diffie-Hellman eXchange
 #                                  (DHX) for authentication.
 #
 #                      uams_dhx2.so: (uams_dhx2_pam.so or uams_dhx2_passwd.so)
 #                                   Allow Diffie-Hellman eXchange 2
 #                                   (DHX2) for authentication.
 #
 #   Password Options:
 #     -[no]savepassword   [Don't] Allow clients to save password locally
 #     -passwdfile <path>  Use this path to store Randnum passwords.
 #                         (Default: /usr/local/etc/afppasswd. The only other
 #                         useful value is ~/.passwd. See 'man afppasswd'
 #                         for details.)
 #     -passwdminlen <#>   minimum password length. may be ignored.
 #     -[no]setpassword    [Don't] Allow clients to change their passwords.
 #     -loginmaxfail <#>   maximum number of failed logins. this may be
 #                         ignored if the uam can't handle it.
 #
 #   AppleVolumes files:
 #     -defaultvol <path>  Specifies path to AppleVolumes.default file
 #                         (default /usr/local/etc/AppleVolumes.default,
 #                         same as -f on command line)
 #     -systemvol <path>   Specifies path to AppleVolumes.system file
 #                         (default /usr/local/etc/AppleVolumes.system,
 #                         same as -s on command line)
 #     -[no]uservolfirst   [Don't] read the user's ~/AppleVolumes or
 #                         ~/.AppleVolumes before reading
 #                         /usr/local/etc/AppleVolumes.default
 #                         (same as -u on command line)
 #     -[no]uservol        [Don't] Read the user's volume file
 #     -closevol           Immediately unmount volumes removed from
 #                         AppleVolumes files on SIGHUP sent to the afp
 #                         master process.
 #
 #   Miscellaneous:
 #     -authprintdir <path> Specifies the path to be used (per server) to 
 #                          store the files required to do CAP-style
 #                          print authentication which papd will examine
 #                          to determine if a print job should be allowed.
 #                          These files are created at login and if they
 #                          are to be properly removed, this directory
 #                          probably needs to be umode 1777
 #     -guestname "user"   Specifies the user name for the guest login
 #                         (default "nobody", same as -g on command line)
 #     -loginmesg "Message"  Client will display "Message" upon logging in
 #                         (no default, same as -l "Message" on commandline)
 #     -nodebug            Switch off debugging
 #     -client_polling     With this switch enabled, afpd won't advertise
 #                         that it is capable of server notifications, so that
 #                         connected clients poll the server every 10 seconds
 #                         to detect changes in opened server windows.
 #                         Note: Depending on the number of simultaneously
 #                         connected clients and the network's speed, this can
 #                         lead to a significant higher load on your network!
 #     -sleep   <number>   AFP 3.x wait number hours before disconnecting
 #                         clients in sleep mode. Default 10 hours
 #     -tickleval <number> Specify the tickle timeout interval (in seconds).
 #                         Note, this defaults to 30 seconds, and really 
 #                         shouldn't be changed.  If you want to control
 #                         the server idle timeout, use the -timeout option.
 #     -timeout <number>   Specify the number of tickles to send before
 #                         timing out a connection.
 #                         The default is 4, therefore a connection will
 #                         timeout in 2 minutes.
 #     -[no]icon           [Don't] Use the platform-specific icon. Recent
 #                         Mac OS don't display it any longer.
 #     -volnamelen <number>
 #                         Max length of UTF8-MAC volume name for Mac OS X.
 #                         Note that Hangul is especially sensitive to this.
 #                           255: limit of spec
 #                           80:  limit of generic Mac OS X (default)
 #                           73:  limit of Mac OS X 10.1, if >= 74
 #                                Finder crashed and restart repeatedly.
 #                         Mac OS 9 and earlier is not influenced by this,
 #                         Maccharset volume names are always limitted to 27.
 #     -[un]setuplog "<logtype> <loglevel> [<filename>]"
 #                         Specify that any message of a loglevel up to the
 #                         given loglevel should be logged to the given file.
 #                         If the filename is ommited the loglevel applies to
 #                         messages passed to syslog.
 #
 #                         By default (no explicit -setuplog and no buildtime
 #                         configure flag --with-logfile) afpd logs to syslog
 #                         with a default logging setup equivalent to
 #                         "-setuplog default log_info".
 #
 #                         If build with --with-logfile[=somefile]
 #                         (default logfile /var/log/netatalk.log) afpd
 #                         defaults to a setup that is equivalent to
 #                         "-setuplog default log_info [netatalk.log|somefile]"
 #
 #                         logtypes:  Default, AFPDaemon, Logger, UAMSDaemon
 #                         loglevels: LOG_SEVERE, LOG_ERROR, LOG_WARN,
 #                                    LOG_NOTE, LOG_INFO, LOG_DEBUG,
 #                                    LOG_DEBUG6, LOG_DEBUG7, LOG_DEBUG8,
 #                                    LOG_DEBUG9, LOG_MAXDEBUG
 #
 #                Example: Useful default config
 #                         -setuplog "default log_info /var/log/afpd.log"
 #
 #                         Debugging config
 #                         -setuplog "default log_maxdebug /var/log/afpd.log"
 #
 #     -signature { user:<text> | auto }
 #                         Specify a server signature. This option is useful
 #                         while running multiple independent instances of
 #                         afpd on one machine (eg. in clustered environments,
 #                         to provide fault isolation etc.).
 #                         Default is "auto".
 #                         "auto" signature type allows afpd generating
 #                         signature and saving it to afp_signature.conf
 #                         automatically (based on random number).
 #                         "host" signature type switches back to "auto"
 #                         because it is obsoleted.
 #                         "user" signature type allows administrator to
 #                         set up a signature string manually.
 #                         Examples: three servers running on one machine:
 #                               first   -signature user:USERS
 #                               second  -signature user:USERS
 #                               third   -signature user:ADMINS
 #                         First two servers will act as one logical AFP
 #                         service. If user logs in to first one and then
 #                         connects to second one, session will be
 #                         automatically redirected to the first one. But if
 #                         client connects to first and then to third, 
 #                         will be asked for password twice and will see
 #                         resources of both servers.
 #                         Traditional method of signature generation causes
 #                         two independent afpd instances to have the same
 #                         signature and thus cause clients to be redirected
 #                         automatically to server (s)he logged in first.
 #     -k5keytab <path>
 #     -k5service <service>
 #     -k5realm <realm>
 #                         These are required if the server supports
 #                         Kerberos 5 authentication
 #     -ntdomain
 #     -ntseparator
 #                         Use for eg. winbind authentication, prepends
 #                         both strings before the username from login and
 #                         then tries to authenticate with the result
 #                         through the availabel and active UAM authentication
 #                         modules.
 #
 #   Codepage Options:
 #     -unixcodepage <CODEPAGE>  Specifies the servers unix codepage,
 #                               e.g. "ISO-8859-15" or "UTF8".
 #                               This is used to convert strings to/from
 #                               the systems locale, e.g. for authenthication.
 #                               Defaults to LOCALE if your system supports it,
 #                               otherwise ASCII will be used.
 #
 #     -maccodepage <CODEPAGE>   Specifies the legacy clients (<= Mac OS 9)
 #                               codepage, e.g. "MAC_ROMAN".
 #                               This is used to convert strings to the
 #                               systems locale, e.g. for authenthication
 #                               and SIGUSR2 messaging. This will also be
 #                               the default for volumes maccharset.
 #
 #   CNID related options:
 #     -cnidserver <ipaddress:port>
 #                               Specifies the IP address and port of a
 #                               cnid_metad server, required for CNID dbd
 #                               backend. Defaults to localhost:4700.
 #                               The network address may be specified either
 #                               in dotted-decimal format for IPv4 or in
 #                               hexadecimal format for IPv6.
 #
 #   Avahi (Bonjour) related options:
 #     -mimicmodel <model>
 #                               Specifies the icon model that appears on
 #                               clients. Defaults to off. Examples: RackMac
 #                               (same as Xserve), PowerBook, PowerMac, Macmini,
 #                               iMac, MacBook, MacBookPro, MacBookAir, MacPro,
 #                               AppleTV1,1, AirPort
 #


 #
 # Some examples:
 #
 #       The simplest case is to not have an afpd.conf.
 #
 #       4 servers w/ names server1-3 and one w/ the hostname. servers
 #       1-3 get routed to different ports with server 3 being bound 
 #       specifically to address 192.168.1.3
 #
 #           -
 #           server1 -port 12000
 #           server2 -port 12001
 #           server3 -port 12002 -ipaddr 192.168.1.3
 #
 #       a dedicated guest server, a user server, and a special
 #       AppleTalk-only server:
 #
 #           "Guest Server" -uamlist uams_guest.so \
 #                   -loginmesg "Welcome guest! I'm a public server."
 #           "User Server" -uamlist uams_dhx2.so -port 12000
 #           "special" -ddp -notcp -defaultvol <path> -systemvol <path>
 #


 "Time Machine" -uamlist uams_dhx2.so
 "Public Share" -uamlist uams_guest.so,uams_dhx2.so

 # default:
 # - -tcp -noddp -uamlist uams_dhx.so,uams_dhx2.so -nosavepassword
 - -tcp -noddp -setuplog "default log_maxdebug /var/log/afpd.log"
diff --git a/AppleVolumes.default b/AppleVolumes.default
 # This file looks empty when viewed with "vi".  In fact, there is one
 # '~', so users with no AppleVolumes file in their home directory get
 # their home directory by default.

 #
 # volume format:
 # :DEFAULT: [all of the default options except volume name]
 # path [name] [casefold:x] [options:z,l,j] \
 #   [allow:a,@b,c,d] [deny:a,@b,c,d] [dbpath:path] [password:p] \
 #   [rwlist:a,@b,c,d] [rolist:a,@b,c,d] [limitsize:value in bytes] \
 #   [preexec:cmd] [root_preexec:cmd] [postexec:cmd]  [root_postexec:cmd] \
 #   [allowed_hosts:IPv4 address[/IPv4 netmask bits]] \
 #   [denied_hosts:IPv4 address[/IPv4 netmask bits]] \
 #   ... more, see below ...
 #   
 # name:      volume name. it can't include the ':' character
 #

 #
 # variable substitutions:
 # you can use variables for both <path> and <name> now. here are the
 # rules:
 #     1) if you specify an unknown variable, it will not get converted. 
 #     2) if you specify a known variable, but that variable doesn't have
 #        a value, it will get ignored.
 #
 # the variables:
 # $b   -> basename of path
 # $c   -> client's ip or appletalk address
 # $d   -> volume pathname on server    
 # $f   -> full name (whatever's in the gecos field)
 # $g   -> group
 # $h   -> hostname 
 # $i   -> client ip without tcp port or appletalk network   
 # $s   -> server name (can be the hostname)
 # $u   -> username (if guest, it's whatever user guest is running as)
 # $v   -> volume name (either ADEID_NAME or basename of path)
 # $z   -> zone (may not exist)
 # $$   -> $
 #

 #
 # casefold options [syntax: casefold:option]:
 # tolower    -> lowercases names in both directions
 # toupper    -> uppercases names in both directions
 # xlatelower -> client sees lowercase, server sees uppercase
 # xlateupper -> client sees uppercase, server sees lowercase
 #
 # allow/deny/rwlist/rolist format [syntax: allow:user1,@group]:
 # user1,@group,user2  -> allows/denies access from listed users/groups
 #                        rwlist/rolist control whether or not the
 #                        volume is ro for those users.
 # allowed_hosts       -> Only listed hosts and networks are allowed,
 #                        all others are rejected. Example:
 #                        allowed_hosts:10.1.0.0/16,10.2.1.100
 # denied_hosts        -> Listed hosts and nets are rejected,
 #                        all others are allowed. Example:
 #                        denied_hosts: 192.168.100/24,10.1.1.1
 # preexec             -> command to be run when the volume is mounted,
 #                        ignore for user defined volumes
 # root_preexec        -> command to be run as root when the volume is mounted,
 #                        ignore for user defined volumes
 # postexec            -> command to be run when the volume is closed,
 #                        ignore for user defined volumes
 # root_postexec       -> command to be run as root when the volume is closed,
 #                        ignore for user defined volumes
 # veto                -> hide files and directories,where the path matches
 #                        one of the "/" delimited vetoed names. Matches are
 #                        partial, e.g. path is /abc/def/file and veto:/abc/
 #                        will hide the file.
 # adouble             -> specify the format of the metadata files.
 #                        default is "v2". netatalk 1.x used "v1".
 #                        "osx" cannot be treated normally any longer.
 # volsizelimit        -> size in MiB.  Useful for TimeMachine: limits the
 #                         reported volume size, thus preventing TM from using
 #                         the whole real disk space for backup.
 #                         Example: "volsizelimit:1000" would limit the
 #                         reported disk space to 1 GB.


 #
 # codepage options [syntax: options:charsetname]
 # volcharset          -> specifies the charset to be used
 #                        as the volume codepage
 #                        e.g. "UTF8", "UTF8-MAC", "ISO-8859-15"
 # maccharset          -> specifies the charset to be used
 #                        as the legacy client (<=Mac OS 9) codepage
 #                        e.g. "MAC_ROMAN", "MAC_CYRILLIC"
 #
 # perm                -> default permission value
 #                        OR with the client requested perm
 #                        Use with options:upriv
 # dperm               -> default permission value for directories
 #                        OR with the client requested perm
 #                        Use with options:upriv
 # fperm               -> default permission value for files
 #                        OR with the client requested perm
 #                        Use with options:upriv
 # umask               -> set perm mask
 #                        Use with options:upriv
 # dbpath:path         -> store the database stuff in the following path.
 # cnidserver:server[:port]
 #                     -> Query this servername or IP address
 #                        (default:localhost) and port (default: 4700)
 #                        for CNIDs. Only used with CNID backend "dbd".
 #                        This option here overrides any setting from
 #                        afpd.conf:cnidserver.
 # password:password   -> set a volume password (8 characters max)
 # cnidscheme:scheme   -> set the cnid scheme for the volume,
 #                        default is [dbd]
 #                        available schemes: [dbd last tdb]
 # ea                  -> none|auto|sys|ad
 #                        Specify how Extended Attributes are stores. default
 #                        is auto.
 #                        auto: try "sys" (by setting an EA on the shared
 #                              directory itself), fallback to "ad".  Requires
 #                              writable volume for performing the test.
 #                              Note: options:ro overwrites "auto" with "none."
 #                        sys:  Use filesystem EAs
 #                        ad:   Use files in AppleDouble directories
 #                        none: No EA support
 #

 #
 # miscellaneous options [syntax: options:option1,option2]:
 # tm                  -> enable TimeMachine support
 # prodos              -> make compatible with appleII clients.
 # crlf                -> enable crlf translation for TEXT files.
 # noadouble           -> don't create .AppleDouble unless a resource
 #                        fork needs to be created.
 # ro                  -> mount the volume as read-only.
 # mswindows           -> enforce filename restrictions imposed by MS
 #                        Windows. this will also invoke a default
 #                        codepage (iso8859-1) if one isn't already 
 #                        specified.
 # nohex               -> don't do :hex translations for anything
 #                        except dot files. specify usedots as well if
 #                        you want that turned off. note: this option
 #                         makes the / character illegal.
 # usedots             -> don't do :hex translation for dot files. note: when 
 #                        this option gets set, certain file names
 #                        become illegal. these are .Parent and
 #                        anything that starts with .Apple.
 # invisibledots       -> don't do :hex translation for dot files. note: when 
 #                        this option gets set, certain file names
 #                        become illegal. these are .Parent and
 #                        anything that starts with .Apple. also, dot
 #                        files created on the unix side are marked invisible. 
 # limitsize           -> limit disk size reporting to 2GB. this is
 #                        here for older macintoshes using newer
 #                        appleshare clients. yucko.
 # nofileid            -> don't advertise createfileid, resolveid, deleteid 
 #                        calls
 # root_preexec_close  -> a non-zero return code from root_preexec close the 
 #                        volume being mounted.
 # preexec_close       -> a non-zero return code from preexec close the 
 #                        volume being mounted.
 # nostat              -> don't stat volume path when enumerating volumes list
 # upriv               -> use unix privilege.  
 # illegalseq          -> encode illegal sequence in filename asis,
 #                        ex "\217-", which is not a valid SHIFT-JIS char,
 #                        is encoded  as U\217 -
 # nocnidcache         -> Don't store and read CNID to/from AppleDouble file.
 #                        This should not be used as it also prevents a CNID
 #                        database rebuild with `dbd`!
 # caseinsensitive     -> The underlying FS is case insensitive (only 
 #                        test with JFS in OS2 mode)
 # dropbox             -> Allows a volume to be declared as being a "dropbox."
 #                        Note that netatalk must be compiled with dropkludge
 #                        support for this to function. Warning: This option
 #                        is deprecated and might not work as expected.
 # dropkludge          -> same as "dropbox"
 # nodev               -> always use 0 for device number, helps when the
 #                        device number is not constant across a reboot,
 #                        cluster, ...
 #

 # The line below sets some DEFAULT, starting with Netatalk 2.1.
 :DEFAULT: options:upriv,usedots

 # The "~" below indicates that Home directories are visible by default.
 # If you do not wish to have people accessing their Home directories,
 # please put a pound sign in front of the tilde or delete it.
 ~

 /tank/public "Public Share" rwlist:@nasuser rolist:nobody cnidscheme:dbd options:usedots,upriv
 /tank/timemachine "Time Machine" rwlist:@nasuser cnidscheme:dbd options:usedots,upriv,tm

 # End of File
diff --git a/netatalk.conf b/netatalk.conf
 # netatalk configuration
 # For details see man netatalk.conf

 #########################################################################
 # Global configuration
 #########################################################################

 #### machine's AFPserver/AppleTalk name.
 #ATALK_NAME=machinename

 #### server (unix) and legacy client (<= Mac OS 9) charsets
 ATALK_UNIX_CHARSET='LOCALE'
 ATALK_MAC_CHARSET='MAC_ROMAN'

 #### Don't Edit. export the charsets, read form ENV by apps
 export ATALK_UNIX_CHARSET
 export ATALK_MAC_CHARSET

 #########################################################################
 # AFP specific configuration
 #########################################################################

 #### Set which daemons to run.
 #### If you use AFP file server, run both cnid_metad and afpd.
 CNID_METAD_RUN=yes
 AFPD_RUN=yes

 #### maximum number of clients that can connect:
 AFPD_MAX_CLIENTS=20

 #### UAMs (User Authentication Modules)
 #### available options: uams_dhx.so, uams_dhx2.so, uams_guest.so,
 ####                    uams_clrtxt.so(legacy), uams_randnum.so(legacy)
 AFPD_UAMLIST="-U uams_guest.so,uams_dhx2.so"

 #### Set the id of the guest user when using uams_guest.so
 AFPD_GUEST=nobody

 #### config for cnid_metad. Default log config:
 #CNID_CONFIG="-l log_note"

 #########################################################################
 # AppleTalk specific configuration (legacy)
 #########################################################################

 #### Set which legacy daemons to run.
 #### If you need AppleTalk, run atalkd.
 #### papd, timelord and a2boot are dependent upon atalkd.
 #ATALKD_RUN=no
 #PAPD_RUN=no
 #TIMELORD_RUN=no
 #A2BOOT_RUN=no

 #### Control whether the daemons are started in the background.
 #### If it is dissatisfied that legacy atalkd starts slowly, set "yes".
 #### In case using systemd/systemctl, this is not so significant.
 #ATALK_BGROUND=no

 #### Set the AppleTalk Zone name.
 #### NOTE: if your zone has spaces in it, you're better off specifying
 ####       it in atalkd.conf
 #ATALK_ZONE=@zone
	#
	# CONFIGURATION FOR AFPD
	#
	# Each single line defines a virtual server that should be available.
	# Though, using "\" character, newline escaping is supported.
	# Empty lines and lines beginning with `#' are ignored.
	# Options in this file will override both compiled-in defaults
	# and command line options.
	#


	#
	# Format:
	# - [options] to specify options for the default server
	# "Server name" [options] to specify an additional server
	#


	#
	# The following options are available:
	# Transport Protocols:
	# -[no]tcp Make "AFP over TCP" [not] available
	# -[no]ddp Make "AFP over AppleTalk" [not] available.
	# If you have -proxy specified, specify -uamlist "" to
	# prevent ddp connections from working.
	#
	# -transall Make both available
	#
	# Transport Options:
	# -ipaddr <ipaddress> Specifies the IP address that the server should
	# advertise and listens to. The default is advertise
	# the first IP address of the system, but to listen
	# for any incoming request. The network address may
	# be specified either in dotted-decimal format for
	# IPv4 or in hexadecimal format for IPv6.
	# This option also allows to use one machine to
	# advertise the AFP-over-TCP/IP settings of another
	# machine via NBP when used together with the -proxy
	# option.
	# -server_quantum <number>
	# Specifies the DSI server quantum. The minimum
	# value is 1MB. The max value is 0xFFFFFFFF. If you
	# specify a value that is out of range, you'll get
	# the default value (currently the minimum).
	# -admingroup <groupname>
	# Specifies the group of administrators who should
	# all be seen as the superuser when they log in.
	# Default is disabled.
	# -ddpaddr x.y Specifies the DDP address of the server.
	# the default is to auto-assign an address (0.0).
	# this is only useful if you're running on
	# a multihomed host.
	# -port <number> Specifies the TCP port the server should respond
	# to (default is 548)
	# -fqdn <name:port> specify a fully-qualified domain name (+optional
	# port). this gets discarded if the server can't
	# resolve it. this is not honored by appleshare
	# clients <= 3.8.3 (default: none)
	# -hostname <name> Use this instead of the result from calling
	# hostname for dertermening which IP address to
	# advertise, therfore the hostname is resolved to
	# an IP which is the advertised. This is NOT used for
	# listening and it is also overwritten by -ipaddr.
	# -proxy Run an AppleTalk proxy server for specified
	# AFP/TCP server (if address/port aren't given,
	# then first IP address of the system/548 will
	# be used).
	# if you don't want the proxy server to act as
	# a ddp server as well, set -uamlist to an empty
	# string.
	# -slp Register this server with the Service Location
	# Protocol (if SLP support was compiled in).
	# -nozeroconf Don't register this server with the Multicats
	# DNS Protocol.
	# -advertise_ssh Allows Mac OS X clients (10.3.3-10.4) to
	# automagically establish a tunneled AFP connection
	# through SSH. This option is not so significant
	# for the recent Mac OS X. See the Netatalk Manual
	# in detail.
	#
	#
	# Authentication Methods:
	# -uampath <path> Use this path to look for User Authentication Modules.
	# (default: /usr/local/libexec/netatalk-uams)
	# -uamlist <a,b,c> Comma-separated list of UAMs.
	# (default: uams_dhx.so,uams_dhx2.so)
	#
	# some commonly available UAMs:
	# uams_guest.so: Allow guest logins
	#
	# uams_clrtxt.so: (uams_pam.so or uams_passwd.so)
	# Allow logins with passwords
	# transmitted in the clear.
	#
	# uams_randnum.so: Allow Random Number and Two-Way
	# Random Number exchange for
	# authentication.
	#
	# uams_dhx.so: (uams_dhx_pam.so or uams_dhx_passwd.so)
	# Allow Diffie-Hellman eXchange
	# (DHX) for authentication.
	#
	# uams_dhx2.so: (uams_dhx2_pam.so or uams_dhx2_passwd.so)
	# Allow Diffie-Hellman eXchange 2
	# (DHX2) for authentication.
	#
	# Password Options:
	# -[no]savepassword [Don't] Allow clients to save password locally
	# -passwdfile <path> Use this path to store Randnum passwords.
	# (Default: /usr/local/etc/afppasswd. The only other
	# useful value is ~/.passwd. See 'man afppasswd'
	# for details.)
	# -passwdminlen <#> minimum password length. may be ignored.
	# -[no]setpassword [Don't] Allow clients to change their passwords.
	# -loginmaxfail <#> maximum number of failed logins. this may be
	# ignored if the uam can't handle it.
	#
	# AppleVolumes files:
	# -defaultvol <path> Specifies path to AppleVolumes.default file
	# (default /usr/local/etc/AppleVolumes.default,
	# same as -f on command line)
	# -systemvol <path> Specifies path to AppleVolumes.system file
	# (default /usr/local/etc/AppleVolumes.system,
	# same as -s on command line)
	# -[no]uservolfirst [Don't] read the user's ~/AppleVolumes or
	# ~/.AppleVolumes before reading
	# /usr/local/etc/AppleVolumes.default
	# (same as -u on command line)
	# -[no]uservol [Don't] Read the user's volume file
	# -closevol Immediately unmount volumes removed from
	# AppleVolumes files on SIGHUP sent to the afp
	# master process.
	#
	# Miscellaneous:
	# -authprintdir <path> Specifies the path to be used (per server) to
	# store the files required to do CAP-style
	# print authentication which papd will examine
	# to determine if a print job should be allowed.
	# These files are created at login and if they
	# are to be properly removed, this directory
	# probably needs to be umode 1777
	# -guestname "user" Specifies the user name for the guest login
	# (default "nobody", same as -g on command line)
	# -loginmesg "Message" Client will display "Message" upon logging in
	# (no default, same as -l "Message" on commandline)
	# -nodebug Switch off debugging
	# -client_polling With this switch enabled, afpd won't advertise
	# that it is capable of server notifications, so that
	# connected clients poll the server every 10 seconds
	# to detect changes in opened server windows.
	# Note: Depending on the number of simultaneously
	# connected clients and the network's speed, this can
	# lead to a significant higher load on your network!
	# -sleep <number> AFP 3.x wait number hours before disconnecting
	# clients in sleep mode. Default 10 hours
	# -tickleval <number> Specify the tickle timeout interval (in seconds).
	# Note, this defaults to 30 seconds, and really
	# shouldn't be changed. If you want to control
	# the server idle timeout, use the -timeout option.
	# -timeout <number> Specify the number of tickles to send before
	# timing out a connection.
	# The default is 4, therefore a connection will
	# timeout in 2 minutes.
	# -[no]icon [Don't] Use the platform-specific icon. Recent
	# Mac OS don't display it any longer.
	# -volnamelen <number>
	# Max length of UTF8-MAC volume name for Mac OS X.
	# Note that Hangul is especially sensitive to this.
	# 255: limit of spec
	# 80: limit of generic Mac OS X (default)
	# 73: limit of Mac OS X 10.1, if >= 74
	# Finder crashed and restart repeatedly.
	# Mac OS 9 and earlier is not influenced by this,
	# Maccharset volume names are always limitted to 27.
	# -[un]setuplog "<logtype> <loglevel> [<filename>]"
	# Specify that any message of a loglevel up to the
	# given loglevel should be logged to the given file.
	# If the filename is ommited the loglevel applies to
	# messages passed to syslog.
	#
	# By default (no explicit -setuplog and no buildtime
	# configure flag --with-logfile) afpd logs to syslog
	# with a default logging setup equivalent to
	# "-setuplog default log_info".
	#
	# If build with --with-logfile[=somefile]
	# (default logfile /var/log/netatalk.log) afpd
	# defaults to a setup that is equivalent to
	# "-setuplog default log_info [netatalk.log\|somefile]"
	#
	# logtypes: Default, AFPDaemon, Logger, UAMSDaemon
	# loglevels: LOG_SEVERE, LOG_ERROR, LOG_WARN,
	# LOG_NOTE, LOG_INFO, LOG_DEBUG,
	# LOG_DEBUG6, LOG_DEBUG7, LOG_DEBUG8,
	# LOG_DEBUG9, LOG_MAXDEBUG
	#
	# Example: Useful default config
	# -setuplog "default log_info /var/log/afpd.log"
	#
	# Debugging config
	# -setuplog "default log_maxdebug /var/log/afpd.log"
	#
	# -signature { user:<text> \| auto }
	# Specify a server signature. This option is useful
	# while running multiple independent instances of
	# afpd on one machine (eg. in clustered environments,
	# to provide fault isolation etc.).
	# Default is "auto".
	# "auto" signature type allows afpd generating
	# signature and saving it to afp_signature.conf
	# automatically (based on random number).
	# "host" signature type switches back to "auto"
	# because it is obsoleted.
	# "user" signature type allows administrator to
	# set up a signature string manually.
	# Examples: three servers running on one machine:
	# first -signature user:USERS
	# second -signature user:USERS
	# third -signature user:ADMINS
	# First two servers will act as one logical AFP
	# service. If user logs in to first one and then
	# connects to second one, session will be
	# automatically redirected to the first one. But if
	# client connects to first and then to third,
	# will be asked for password twice and will see
	# resources of both servers.
	# Traditional method of signature generation causes
	# two independent afpd instances to have the same
	# signature and thus cause clients to be redirected
	# automatically to server (s)he logged in first.
	# -k5keytab <path>
	# -k5service <service>
	# -k5realm <realm>
	# These are required if the server supports
	# Kerberos 5 authentication
	# -ntdomain
	# -ntseparator
	# Use for eg. winbind authentication, prepends
	# both strings before the username from login and
	# then tries to authenticate with the result
	# through the availabel and active UAM authentication
	# modules.
	#
	# Codepage Options:
	# -unixcodepage <CODEPAGE> Specifies the servers unix codepage,
	# e.g. "ISO-8859-15" or "UTF8".
	# This is used to convert strings to/from
	# the systems locale, e.g. for authenthication.
	# Defaults to LOCALE if your system supports it,
	# otherwise ASCII will be used.
	#
	# -maccodepage <CODEPAGE> Specifies the legacy clients (<= Mac OS 9)
	# codepage, e.g. "MAC_ROMAN".
	# This is used to convert strings to the
	# systems locale, e.g. for authenthication
	# and SIGUSR2 messaging. This will also be
	# the default for volumes maccharset.
	#
	# CNID related options:
	# -cnidserver <ipaddress:port>
	# Specifies the IP address and port of a
	# cnid_metad server, required for CNID dbd
	# backend. Defaults to localhost:4700.
	# The network address may be specified either
	# in dotted-decimal format for IPv4 or in
	# hexadecimal format for IPv6.
	#
	# Avahi (Bonjour) related options:
	# -mimicmodel <model>
	# Specifies the icon model that appears on
	# clients. Defaults to off. Examples: RackMac
	# (same as Xserve), PowerBook, PowerMac, Macmini,
	# iMac, MacBook, MacBookPro, MacBookAir, MacPro,
	# AppleTV1,1, AirPort
	#


	#
	# Some examples:
	#
	# The simplest case is to not have an afpd.conf.
	#
	# 4 servers w/ names server1-3 and one w/ the hostname. servers
	# 1-3 get routed to different ports with server 3 being bound
	# specifically to address 192.168.1.3
	#
	# -
	# server1 -port 12000
	# server2 -port 12001
	# server3 -port 12002 -ipaddr 192.168.1.3
	#
	# a dedicated guest server, a user server, and a special
	# AppleTalk-only server:
	#
	# "Guest Server" -uamlist uams_guest.so \
	# -loginmesg "Welcome guest! I'm a public server."
	# "User Server" -uamlist uams_dhx2.so -port 12000
	# "special" -ddp -notcp -defaultvol <path> -systemvol <path>
	#


	"Time Machine" -uamlist uams_dhx2.so
	"Public Share" -uamlist uams_guest.so,uams_dhx2.so

	# default:
	# - -tcp -noddp -uamlist uams_dhx.so,uams_dhx2.so -nosavepassword
	- -tcp -noddp -setuplog "default log_maxdebug /var/log/afpd.log"
	# This file looks empty when viewed with "vi". In fact, there is one
	# '~', so users with no AppleVolumes file in their home directory get
	# their home directory by default.

	#
	# volume format:
	# :DEFAULT: [all of the default options except volume name]
	# path [name] [casefold:x] [options:z,l,j] \
	# [allow:a,@b,c,d] [deny:a,@b,c,d] [dbpath:path] [password:p] \
	# [rwlist:a,@b,c,d] [rolist:a,@b,c,d] [limitsize:value in bytes] \
	# [preexec:cmd] [root_preexec:cmd] [postexec:cmd] [root_postexec:cmd] \
	# [allowed_hosts:IPv4 address[/IPv4 netmask bits]] \
	# [denied_hosts:IPv4 address[/IPv4 netmask bits]] \
	# ... more, see below ...
	#
	# name: volume name. it can't include the ':' character
	#

	#
	# variable substitutions:
	# you can use variables for both <path> and <name> now. here are the
	# rules:
	# 1) if you specify an unknown variable, it will not get converted.
	# 2) if you specify a known variable, but that variable doesn't have
	# a value, it will get ignored.
	#
	# the variables:
	# $b -> basename of path
	# $c -> client's ip or appletalk address
	# $d -> volume pathname on server
	# $f -> full name (whatever's in the gecos field)
	# $g -> group
	# $h -> hostname
	# $i -> client ip without tcp port or appletalk network
	# $s -> server name (can be the hostname)
	# $u -> username (if guest, it's whatever user guest is running as)
	# $v -> volume name (either ADEID_NAME or basename of path)
	# $z -> zone (may not exist)
	# $$ -> $
	#

	#
	# casefold options [syntax: casefold:option]:
	# tolower -> lowercases names in both directions
	# toupper -> uppercases names in both directions
	# xlatelower -> client sees lowercase, server sees uppercase
	# xlateupper -> client sees uppercase, server sees lowercase
	#
	# allow/deny/rwlist/rolist format [syntax: allow:user1,@group]:
	# user1,@group,user2 -> allows/denies access from listed users/groups
	# rwlist/rolist control whether or not the
	# volume is ro for those users.
	# allowed_hosts -> Only listed hosts and networks are allowed,
	# all others are rejected. Example:
	# allowed_hosts:10.1.0.0/16,10.2.1.100
	# denied_hosts -> Listed hosts and nets are rejected,
	# all others are allowed. Example:
	# denied_hosts: 192.168.100/24,10.1.1.1
	# preexec -> command to be run when the volume is mounted,
	# ignore for user defined volumes
	# root_preexec -> command to be run as root when the volume is mounted,
	# ignore for user defined volumes
	# postexec -> command to be run when the volume is closed,
	# ignore for user defined volumes
	# root_postexec -> command to be run as root when the volume is closed,
	# ignore for user defined volumes
	# veto -> hide files and directories,where the path matches
	# one of the "/" delimited vetoed names. Matches are
	# partial, e.g. path is /abc/def/file and veto:/abc/
	# will hide the file.
	# adouble -> specify the format of the metadata files.
	# default is "v2". netatalk 1.x used "v1".
	# "osx" cannot be treated normally any longer.
	# volsizelimit -> size in MiB. Useful for TimeMachine: limits the
	# reported volume size, thus preventing TM from using
	# the whole real disk space for backup.
	# Example: "volsizelimit:1000" would limit the
	# reported disk space to 1 GB.


	#
	# codepage options [syntax: options:charsetname]
	# volcharset -> specifies the charset to be used
	# as the volume codepage
	# e.g. "UTF8", "UTF8-MAC", "ISO-8859-15"
	# maccharset -> specifies the charset to be used
	# as the legacy client (<=Mac OS 9) codepage
	# e.g. "MAC_ROMAN", "MAC_CYRILLIC"
	#
	# perm -> default permission value
	# OR with the client requested perm
	# Use with options:upriv
	# dperm -> default permission value for directories
	# OR with the client requested perm
	# Use with options:upriv
	# fperm -> default permission value for files
	# OR with the client requested perm
	# Use with options:upriv
	# umask -> set perm mask
	# Use with options:upriv
	# dbpath:path -> store the database stuff in the following path.
	# cnidserver:server[:port]
	# -> Query this servername or IP address
	# (default:localhost) and port (default: 4700)
	# for CNIDs. Only used with CNID backend "dbd".
	# This option here overrides any setting from
	# afpd.conf:cnidserver.
	# password:password -> set a volume password (8 characters max)
	# cnidscheme:scheme -> set the cnid scheme for the volume,
	# default is [dbd]
	# available schemes: [dbd last tdb]
	# ea -> none\|auto\|sys\|ad
	# Specify how Extended Attributes are stores. default
	# is auto.
	# auto: try "sys" (by setting an EA on the shared
	# directory itself), fallback to "ad". Requires
	# writable volume for performing the test.
	# Note: options:ro overwrites "auto" with "none."
	# sys: Use filesystem EAs
	# ad: Use files in AppleDouble directories
	# none: No EA support
	#

	#
	# miscellaneous options [syntax: options:option1,option2]:
	# tm -> enable TimeMachine support
	# prodos -> make compatible with appleII clients.
	# crlf -> enable crlf translation for TEXT files.
	# noadouble -> don't create .AppleDouble unless a resource
	# fork needs to be created.
	# ro -> mount the volume as read-only.
	# mswindows -> enforce filename restrictions imposed by MS
	# Windows. this will also invoke a default
	# codepage (iso8859-1) if one isn't already
	# specified.
	# nohex -> don't do :hex translations for anything
	# except dot files. specify usedots as well if
	# you want that turned off. note: this option
	# makes the / character illegal.
	# usedots -> don't do :hex translation for dot files. note: when
	# this option gets set, certain file names
	# become illegal. these are .Parent and
	# anything that starts with .Apple.
	# invisibledots -> don't do :hex translation for dot files. note: when
	# this option gets set, certain file names
	# become illegal. these are .Parent and
	# anything that starts with .Apple. also, dot
	# files created on the unix side are marked invisible.
	# limitsize -> limit disk size reporting to 2GB. this is
	# here for older macintoshes using newer
	# appleshare clients. yucko.
	# nofileid -> don't advertise createfileid, resolveid, deleteid
	# calls
	# root_preexec_close -> a non-zero return code from root_preexec close the
	# volume being mounted.
	# preexec_close -> a non-zero return code from preexec close the
	# volume being mounted.
	# nostat -> don't stat volume path when enumerating volumes list
	# upriv -> use unix privilege.
	# illegalseq -> encode illegal sequence in filename asis,
	# ex "\217-", which is not a valid SHIFT-JIS char,
	# is encoded as U\217 -
	# nocnidcache -> Don't store and read CNID to/from AppleDouble file.
	# This should not be used as it also prevents a CNID
	# database rebuild with `dbd`!
	# caseinsensitive -> The underlying FS is case insensitive (only
	# test with JFS in OS2 mode)
	# dropbox -> Allows a volume to be declared as being a "dropbox."
	# Note that netatalk must be compiled with dropkludge
	# support for this to function. Warning: This option
	# is deprecated and might not work as expected.
	# dropkludge -> same as "dropbox"
	# nodev -> always use 0 for device number, helps when the
	# device number is not constant across a reboot,
	# cluster, ...
	#

	# The line below sets some DEFAULT, starting with Netatalk 2.1.
	:DEFAULT: options:upriv,usedots

	# The "~" below indicates that Home directories are visible by default.
	# If you do not wish to have people accessing their Home directories,
	# please put a pound sign in front of the tilde or delete it.
	~

	/tank/public "Public Share" rwlist:@nasuser rolist:nobody cnidscheme:dbd options:usedots,upriv
	/tank/timemachine "Time Machine" rwlist:@nasuser cnidscheme:dbd options:usedots,upriv,tm

	# End of File
	# netatalk configuration
	# For details see man netatalk.conf

	#########################################################################
	# Global configuration
	#########################################################################

	#### machine's AFPserver/AppleTalk name.
	#ATALK_NAME=machinename

	#### server (unix) and legacy client (<= Mac OS 9) charsets
	ATALK_UNIX_CHARSET='LOCALE'
	ATALK_MAC_CHARSET='MAC_ROMAN'

	#### Don't Edit. export the charsets, read form ENV by apps
	export ATALK_UNIX_CHARSET
	export ATALK_MAC_CHARSET

	#########################################################################
	# AFP specific configuration
	#########################################################################

	#### Set which daemons to run.
	#### If you use AFP file server, run both cnid_metad and afpd.
	CNID_METAD_RUN=yes
	AFPD_RUN=yes

	#### maximum number of clients that can connect:
	AFPD_MAX_CLIENTS=20

	#### UAMs (User Authentication Modules)
	#### available options: uams_dhx.so, uams_dhx2.so, uams_guest.so,
	#### uams_clrtxt.so(legacy), uams_randnum.so(legacy)
	AFPD_UAMLIST="-U uams_guest.so,uams_dhx2.so"

	#### Set the id of the guest user when using uams_guest.so
	AFPD_GUEST=nobody

	#### config for cnid_metad. Default log config:
	#CNID_CONFIG="-l log_note"

	#########################################################################
	# AppleTalk specific configuration (legacy)
	#########################################################################

	#### Set which legacy daemons to run.
	#### If you need AppleTalk, run atalkd.
	#### papd, timelord and a2boot are dependent upon atalkd.
	#ATALKD_RUN=no
	#PAPD_RUN=no
	#TIMELORD_RUN=no
	#A2BOOT_RUN=no

	#### Control whether the daemons are started in the background.
	#### If it is dissatisfied that legacy atalkd starts slowly, set "yes".
	#### In case using systemd/systemctl, this is not so significant.
	#ATALK_BGROUND=no

	#### Set the AppleTalk Zone name.
	#### NOTE: if your zone has spaces in it, you're better off specifying
	#### it in atalkd.conf
	#ATALK_ZONE=@zone