This article originally appeared in TidBITS on 2014-06-23 at 2:35 p.m.
The permanent URL for this article is:
Include images: Off

Take Control of OS X Server, Chapter 6: File Sharing

by Charles Edge

This article is a pre-release chapter in the upcoming “Take Control of OS X Server,” by Charles Edge, scheduled for public release later in 2014. Apart from Chapter 1: Introducing OS X Server [1], and Chapter 2: Choosing Server Hardware [2], these chapters are available only to TidBITS members [3]; see “Take Control of OS X Server” Streaming in TidBITS [4] for details.

File Sharing

Despite the popularity of file sharing services like Dropbox, the most common server used on internal networks today remains the file server, a central repository that stores files for a workgroup. These stalwarts have been connecting users to their files seemingly since before time began. Whether in a home, school, or business, the impetus for for setting up a server is often a need for file sharing.

A number of protocols built into OS X Server’s File Sharing service are dedicated to serving files, including AFP, SMB, and WebDAV (the sidebar just ahead explains these File Sharing Protocols [5]).

By default:

  • File Sharing has some built-in shared folders, but not all environments require them. I recommend you remove the built-in shared folders and add your own.
  • Each shared folder can make its files available via AFP, SMB, and WebDAV, or any combination thereof.
  • Each shared folder has permissions that Apple provides. These permissions will work in some cases , but you may need to modify them to meet your particular needs.

The basic steps to setting up a file server are to Remove Default Shared Folders [6], Create a New Shared Folder [7], Configure Permissions [8] for each shared folder, and finally Enable File Sharing [9]. Because file sharing is the most mature service in OS X Server, it’s also one of the easiest to manage. When you’re done setting it up, you’ll want close the loop on file sharing by having your clients Connect to Shared Folders.

Note: If you haven’t already created the necessary local network users and groups that will need access to shared folders, flip back to Directory Services [10] and turn on Directory Services if you haven’t yet done so, and then Work with Users [11] and Work with Groups [12] in that chapter as needed.

File Sharing Protocols

OS X Server’s File Sharing service offers three different file sharing protocols, each focused on a different environment.

  • AFP: Apple Filing Protocol, as the name suggests, is an Apple-created file sharing protocol. Traditionally, if you’re sharing files to Mac clients, you’ll want to enable AFP for your shared folders.
  • SMB: Sometimes called Samba after the underlying Unix server software, SMB (Server Message Block) is the predominant file sharing protocol in the Windows world. If you have Windows clients on your network, you’ll want to enable SMB for your shared folders. Macs can access SMB shared folders perfectly well too.
  • WebDAV: Created with the goal of making the Web read/write instead of just read-only, WebDAV (Web Distributed Authoring and Versioning) is a more modern file sharing protocol that is most used by iOS apps. The main reason to enable WebDAV is for specific iOS apps that require it. The OS X Finder does support WebDAV, but it’s a clunky way to access shared folders.

You can enable multiple protocols for each shared folder. For example, you could have iOS devices and Windows computers accessing the same shared folder, through WebDAV and SMB respectively.

Remove Default Shared Folders

Exactly which default shared folders will have been created for you depends on what you’ve done previously. For instance, the Groups shared folder appears if you selected the “Give this group a shared folder” checkbox in Add a Group [13]. You might also see a Public folder and one called Backups, if you’ve enabled Time Machine Server.

The default file sharing configuration won’t work for everyone, because you don’t get to say where the default shared folders actually live on your server’s drive. Therefore, before we do anything else, let’s remove the unnecessary default shared folders, after which you can create new ones that do exactly what you want. If the Backups shared folder appears, do not remove it, since Time Machine Server relies on it!

In the Server app, select File Sharing from the Services category in the left sidebar. The File Sharing pane appears at the right, showing a list of available shared folders as in Figure 1.

[image link]

Figure 1: To get started with File Sharing, first remove unnecssary default shared folders.

In our example configuration, we’re going to remove the built-in Groups shared folder, if present. To do so, in the Shared Folders list, select Groups and click the minus [image link] button. A confirmation dialog appears (Figure 2). Click Remove.

[image link]

Figure 2: Server asks for confirmation if you try to disable a built-in shared folder.

Disabling Protocols Instead of Deleting Shared Folders

If you’re uncomfortable with deleting these default shared folders, you can instead disable them by removing access to all the file sharing protocols. To do so, for example, double-click Public and then, in the Settings area, make sure all the checkboxes are deselected, as shown in Figure 3.

[image link]

Figure 3: You can disable a folder’s sharing capability by unchecking all of its Settings checkboxes.

When you’ve deselected all the checkboxes, click the OK button to save your changes.

More generally, it’s a good security practice is to share files only over the protocols you need for accessing them. You can always enable other protocols at a later date by simply checking a box here.

Create a New Shared Folder

Now that you’ve cleaned up the default shared folders, it’s time to create one or more new shared folders. As an example, let’s assume that you have a large external hard drive sharing files for members of your household, or perhaps for a small department at work.

To create the shared folder:

  1. In the Finder, on the server computer, make a folder for the shared folder—perhaps call it Shared Items. You may also want to create sub-folders within it to pre-populate the hierarchy.

    It doesn’t matter where you create the shared folder in the Finder, but make sure the location is on a drive with plenty of room for future files and is backed up regularly. If you followed my recommendation in Storage [14] and used a relatively small partition or drive to hold OS X and applications, then you’d want your shared folder to be on a larger drive or volume.

    Tip: It’s totally fine to specify the shared folder as the top level of a hard drive, if you want to share the entire volume.

  2. In the Server app, from the File Sharing pane, click the plus [image link] button.
  3. In the file dialog that appears, browse to the location of your shared folder, as in Figure 4, and then click the Choose button.
    [image link]

    Figure 4: Find the shared folder and then click Choose.

  4. Back in the File Sharing pane, double-click the new shared folder (Family in this example).
  5. In the configuration screen for the shared folder (Figure 5), the text that appears in the Name field is the name of the folder you just selected, but you can edit it to adjust how it appears to users, if you like.
    [image link]

    Figure 5: Specify how the new shared folder will work.

  6. In the Settings checkboxes, enable just those file sharing protocols that your users need, as explained earlier in File Sharing Protocols [15].
  7. If you enable guest access, then anyone who doesn’t otherwise have registered user access can log in without authenticating.

    Note: If you select “Make available for home directories over” and choose the appropriate protocol from the pop-up menu, the shared folder becomes available as a network home folder directory location for those using portable home directories. As noted back in Home Folder Choices [16], portable home folders are beyond the scope of this book.

  8. When you’re done, click OK to save your changes.

Server creates your new shared folder. Your next step is to either set up custom permissions for the shared folder, if needed, or to turn on File Sharing. I cover each option just ahead.

Create a WebDAV Share for iOS Users

Another common use for shared folders is to provide a central repository where iPhone and iPad users can store files on your server. For that, you’d want to follow the steps above, but when it comes time to selecting protocols, make sure to select Share over WebDAV. Obviously, this is helpful only if the iOS apps your users rely on support WebDAV, but that’s more common than support for AFP or SMB.

Configure Permissions

The specific permissions that are assigned to a shared folder vary based on where in the filesystem the folder was created, so it’s always important to look at the permissions and make sure the correct users and groups have the appropriate access to the folder. You may also wish to restrict access to particular sub-folders within the shared folder.

Here are some examples of how you can use permissions:

  • Home: A parent might allow children read-only access to a shared folder containing media. That way, nothing can be deleted accidentally by a child. Or, parents might store legal and financial documents in a shared folder where children don’t even have accounts.
  • School: Each student might need read/write access to a private folder, but only write access to a folder where homework is handed in.
  • Business: The human resources department might want a shared folder that most employees can’t view at all, while the marketing department might have read-write access to a shared folder that holds logos, brochures, and product descriptions. That same marketing shared folder might be available on a read-only basis to the rest of the company so that employees can distribute marketing materials.

To specify permissions:

  1. In Server, open the File Sharing pane and double-click the shared folder’s entry in the Shared Folders list.
  2. Examine the left column in the Access panel to verify that the correct users and groups have access. If you need to add a user or group, click the plus [image link] button and start typing the name to either enter it or choose Browse from the menu that pops up (Figure 6). Or, to delete a user or group, select it and click the minus [image link] button.
    [image link]

    Figure 6: Click the plus button to activate a new entry in the Access panel.

  3. Work with the pop-up menus on the right side of the Access panel to set what each user or group may do when accessing the shared folder: Read & Write, Read Only, Write Only.
  4. Click OK to save your changes.

Understanding the Access Entries

The bottom three entries in the Access list correspond to the folder’s Unix owner, group, and world classes, and as such, can’t be deleted. However, if you want to remove access, they each have a None option in the permissions pop-up menu.

Any entries above the bottom three comprise an access control list (ACL) and lack a None option because you should delete them if you want to remove access. The permissions pop-up menu for each of these ACL entries has the commands Read and Write instead of Read Only and Write Only; however, the terms mean the same thing.

You can also limit who has access to folders within the shared folder, as you might do with a folder that contains sensitive or private items like accounting or grades. If these more granular permissions are required, follow these steps, which take place in a different part of Server’s interface:

  1. Click the name of the server in the left-hand sidebar and then click the Storage button.
  2. Using the expansion triangles or column browser (switch with the View [image link] buttons), browse to and select a sub-folder, click the gear [image link] pop-up menu, and choose Edit Permissions.
  3. In the dialog that appears (Figure 7), use the plus [image link] and minus [image link] buttons to add or remove users or groups from this folder, and choose your desired permissions from the pop-up menus at the right.
    [image link]

    Figure 7: Manage permissions for a sub-folder within a shared folder.

  4. When you’re done, click OK.
  5. If you need to specify permissions for additional sub-folders, repeat the appropriate steps above.

Enable File Sharing

Although it’s okay to come back later and modify your File Sharing setup, before you turn on file sharing, run through this list to be sure you aren’t inadvertently exposing anything sensitive:

  • You’ve deleted or removed permissions from any default shared folders that you don’t need.
  • You’ve created any new shared folders that you need.
  • For each shared folder, you’ve ensured that it’s using only the necessary file sharing protocols (i.e. AFP, SMB, WebDAV).
  • For each shared folder, you’ve configured the appropriate permissions.

With all of the above taken care of, select File Sharing in the left-hand sidebar and click the ON button (at the upper right) to start the File Sharing service.

Connect to Shared Folders

Now that you’ve turned on File Sharing, it’s time to help users connect to shared folders.

To connect to a shared folder from the Mac Finder:

  1. Choose Go > Connect to Server (Command-K).
  2. In the Connect to Server dialog, users can type the name or IP address of your server, but they may prefer to click Browse to view servers available on the network in a Finder window, or to select a server from the Favorite Servers list or the Recent [image link] pop-up menu.

    If your shared folder is accessible via multiple file sharing protocols, specify which should be used by prefixing the IP address in the Server Address field with afp://, smb://, or webdav:// as Figure 8 shows with AFP.

    [image link]

    Figure 8: You can connect to a shared folder by IP address or by clicking the Browse button to locate it in a Finder window.

  3. Click Connect.
  4. If the Mac asks for authentication information (Figure 9), which it will unless the credentials have already been stored in the user’s keychain, leave the Registered User radio button selected and enter the username and password that you set up for that user in directory services (see Work with Users [17]).

    Tip: If guest access has been enabled for the shared folder, a Guest radio button appears in the login dialog show in Figure 9. To log in as a guest, select it—no username or password is necessary.

    After the user enters a username and password, if he selects the checkbox “Remember this password in my keychain,” the next time he connects, he won’t be asked to authenticate. (Needless to say, remembering the password generally makes things easier.) Click Connect.

    [image link]

    Figure 9: Enter the user’s credentials when prompted.

  5. If you have created multiple shared folders, a list of available shared folders appears in a dialog. Select one or more, by Command- or Shift-clicking, and click OK to mount them (Figure 10).
[image link]

Figure 10: Select one or more shared folders to mount.

The shared folder (or folders) can now be accessed through the Shared category in the sidebar of any Finder window, the hidden /Volumes directory, and in Open and Save dialogs. Plus, the shared folder, and any folders inside it, work just like any other local folders when it comes to making aliases or adding it to the Finder window’s sidebar or toolbar.

Tip: If a user would like a shared folder to mount on startup, all she has to do is open the Users & Groups pane of System Preferences, click Login Items, and drag the icon for the shared folder from the Finder into the list of login items. Exactly when the shared folder mounts during startup isn’t entirely predictable, so it’s best not to have other login items rely on the presence of the shared folder.

Read More: About [18] | Chapter 1 [19] | Chapter 2 [20] | Chapter 3 [21] | Chapter 4 [22] | Chapter 5 [23] | Chapter 6 [24] | Chapter 7 [25] | Chapter 8 [26] | Chapter 9 [27] | Chapter 10 [28] | Chapter 11 [29] | Chapter 12 | Chapter 13 [30] | Chapter 14 [31]