CENTOS7 & JSS File distribution Share

MST
Contributor

Experts,

We currently own a CentOS 6 server with AFP and HTTP file distribution. We have decided to set up another one with CentOS 7 due to the CentOS 6 EOL. I was able to successfully set up HTTPS for file distribution under CentOS 7.
Now I am trying to figure out the steps for AFP. I have these instructions for CentOS 7:
https://hugonaut.blog/configuring-rhel-7-x-server-as-a-jamf-https-distribution-point/

I don't want to use SAMBA, so AFP is the only option here. From what I see, AFP is used for the Admin Console and HTTPS is used for end clients internally and externally.

Anybody here with instructions for RHEL 7 and AFP for JSS?

Thank you,


sdagley
Esteemed Contributor II

@MST Since AFP is officially deprecated you might really consider using SAMBA for SMB access from Jamf Admin. I'd definitely disable SMB for DP functionality for client machines however.

efil4xiN
Contributor II

If you must, have you checked out netatalk? Worked fine for me back in the day.

MST
Contributor

Thank you for the responses. I think I will use netatalk - AFP for local clients, and SMB for Jamf Admin. I don't fully understand "I'd definitely disable SMB for DP functionality for client machines however" - I guess I have to disable SMB for end clients, so SMB will be stopped / disabled. But for Jamf Admin I have to enable it - start it manually - correct?

MST
Contributor

Also, I have one HTTP file distribution with AFP and a second HTTPS with AFP - can I use them both in some way of balancing? Or rather, is this not a good idea, and should I just use the newer HTTPS with AFP (netatalk) for simplicity?

mschroder
Valued Contributor

Why not use only HTTPS for the clients? I don't really understand why you insist on AFP. We use two file servers with HTTPS. The clients pick one at random, and switch to the other one in case the first they tried has a problem.

sdagley
Esteemed Contributor II

@MST Once you enable "Use HTTP downloads" for your File Share Distribution Points your managed Macs should not try and use SMB or AFP for downloads, so you don't have to specifically disallow them. What you will want to do is make sure the ports required to use them aren't open to the outside world if you have a DP in your DMZ (not that most network security teams would allow them in the first place). If you're going to use Jamf Admin to manage the contents of your DPs you will need the SMB (or AFP) ports open to your internal network so Jamf Admin can connect to them.

MST
Contributor

I understand now. Thank you for all help here.

MST
Contributor

Seems like all is working fine. The only thing that bothers me is that I can access all the scripts over HTTPS, which is exposed to the outside:

//CasperShare/Scripts/

and I can access //CasperShare/, which includes Scripts, Packages, Casper Data. Somebody can download and open the scripts.

Any idea?

sdagley
Esteemed Contributor II

@MST You should be configuring your https settings to require an account name and password to access the files.

MST
Contributor

OK, I am confused. I have followed this article:

https://hugonaut.blog/configuring-rhel-7-x-server-as-a-jamf-https-distribution-point/ which at least goes step by step, for SAMBA and even AFP - all works fine, where:

casperadmin - ReadUser
casperinstall - WriteUser

useradd -d /home/casperadmin ReadUser -s /bin/false -N
useradd -d /home/casperinstall WriteUser -s /bin/false -N

But for HTTPS (SSL) I am not sure. If I access https://my fileshare//CasperShare/Scripts/, should there be a user name and password prompt for access like in SAMBA or AFP? Right now anybody can access that share without any user name and password.

sdagley
Esteemed Contributor II

@MST It looks like @Hugonaut's instructions call for the creation of a ReadUser for httpd but never cover setting ssl.conf to only allow access to the file share directory for known accounts. Looking further, the example ssl.conf in Step 21 of those instructions seems not quite right, since it defines an authenticated directory for /var/www/html/ instead of the file share directory from Step 4. I'll defer to Hugonaut to chime in on that.

MST
Contributor

Thank you for the response. Can you provide an example for the user casperinstall and password if I want to use that user for accessing files over HTTPS?

sdagley
Esteemed Contributor II

@MST I was hoping @Hugonaut could provide an update to his instructions, but essentially what you need to do in ssl.conf is provide a Directory block like the following:

<Directory "/var/www/html/NameOfShare">
    AuthType Basic
    AuthName "Username and Password Required"
    AuthUserFile /etc/httpd/.htpasswd
    Require valid-user
</Directory>

and have a symlink in that location to where your SMB share is located.

BTW, I think your ReadUser and WriteUser mappings to casperadmin and casperinstall are backwards. The casperadmin account is probably the one you want to have write access. And you don't need a WriteUser for https, since Jamf Admin doesn't use https to update a DP.
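An added check, not part of the thread or of Jamf's or Hugonaut's instructions: a small Python linter that merges the <Directory> sections of an httpd config the way Apache does and reports whether a given share path ends up behind Require valid-user and whether directory listing (Indexes) is still on, which is exactly the gap described above (a Directory block on /var/www/html/ instead of the share directory). The config text and the /var/www/html/CasperShare path are constructed sample values.

```python
import re
from pathlib import PurePosixPath
# Constructed sample httpd config: permissive DocumentRoot section, then the share section.
SAMPLE_CONF = """\
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    Require all granted
</Directory>
<Directory "/var/www/html/CasperShare">
    Options -Indexes +FollowSymLinks
    AuthType Basic
    AuthName "Username and Password Required"
    AuthUserFile /etc/httpd/.htpasswd
    Require valid-user
</Directory>
"""

BLOCK_RE = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.S | re.I)
AUTH_RE = re.compile(r"Require\s+(valid-user|user\s.+|group\s.+)", re.I)

def parse_directory_blocks(conf):
    """Return (path, [directives]) for every <Directory> section, comments dropped."""
    blocks = []
    for m in BLOCK_RE.finditer(conf):
        lines = [ln.strip() for ln in m.group(2).splitlines()]
        blocks.append((PurePosixPath(m.group(1)), [ln for ln in lines if ln and ln[0] != "#"]))
    return blocks

def audit_share(conf, share_path):
    """Merge enclosing Directory sections as httpd does: shortest path first, last Require wins."""
    share = PurePosixPath(share_path)
    enclosing = [(p, b) for p, b in parse_directory_blocks(conf) if p == share or p in share.parents]
    if not enclosing:
        return {"covered": False, "requires_auth": False, "indexes": None}
    enclosing.sort(key=lambda pb: len(pb[0].parts))
    effective_require, indexes = None, False
    for _, body in enclosing:
        for d in body:
            if d.lower().startswith("require "):
                effective_require = d
            elif d.lower().startswith("options"):
                toks = [t.lower() for t in d.split()[1:]]
                if not any(t[0] in "+-" for t in toks):
                    indexes = False  # an absolute Options list replaces the inherited one
                for t in toks:
                    indexes = t in ("indexes", "+indexes") or (indexes and t != "-indexes")
    requires_auth = bool(effective_require and AUTH_RE.fullmatch(effective_require))
    return {"covered": True, "requires_auth": requires_auth, "indexes": indexes}
```

Run it against your own ssl.conf with the filesystem path httpd actually serves the share from; a path that comes back uncovered or without requires_auth is the anonymous-access situation described earlier in the thread.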

MST
Contributor

Whoooo, after I added:

<Directory "/var/www/html/NameOfShare">
    AuthType Basic
    AuthName "Username and Password Required"
    AuthUserFile /etc/httpd/.htpasswd
    Require valid-user
</Directory>

Based on my AuthUserFile /etc/httpd/.htpasswd, I do have casperinstall in .htpasswd. The provided password should work; however, now when I try to open the site it asks me for a user name and password, but the provided casperadmin or casperinstall does not work.

MST
Contributor

Seems like I provided casperinstal instead of casperinstall, but I also added AllowOverride AuthConfig to my httpd.conf - I am not sure if that does the trick, but now it works as expected.

Thank you so much for your help here!!!