We currently own a CentOS 6 server with AFP and HTTP file distribution. We have decided to set up another one with CentOS 7 due to CentOS 6 EOL.
I was able to successfully set up HTTPS for file distribution under CentOS 7.
Now I am trying to figure out the steps for AFP. I have these instructions for CentOS 7:
I don't want to use SAMBA, so AFP is the only option here. From what I see, AFP is used for the Admin Console and HTTPS is used for end clients internally and externally.
Anybody here with instructions for RHEL7 and AFP for JSS?
Thank you for the responses. I think I will use netatalk - AFP for local clients, and SMB for Jamf Admin. I don't fully understand "I'd definitely disable SMB for DP functionality for client machines however" - I guess I have to disable SMB for end clients, so SMB will be stopped / disabled. But for Jamf Admin I have to enable it - start it manually - correct?
Also I have one HTTP file distribution with AFP and second HTTPS with AFP - can I use them both in some way of balancing? Or rather this is not a good idea and just use newer HTTPS with AFP (netatalk) for simplicity?
Why not use only HTTPS for the clients? I don't really understand why you insist on AFP. We use two file servers with HTTPS. The clients pick one at random, and switch to the other one in case the first they tried has a problem.
@MST Once you enable "Use HTTP downloads" for your File Share Distribution Points your managed Macs should not try and use SMB or AFP for downloads, so you don't have to specifically disallow them. What you will want to do is make sure the ports required to use them aren't open to the outside world if you have a DP in your DMZ (not that most network security teams would allow them in the first place). If you're going to use Jamf Admin to manage the contents of your DPs you will need the SMB (or AFP) ports open to your internal network so Jamf Admin can connect to them.
Seems like all is working fine. The only thing that bothers me is that I can access all the scripts over HTTPS, which is exposed to the outside:
and I can access //CasperShare/, which includes Scripts, Packages, Casper Data. Somebody can download and open scripts.
OK, I am confused. I have followed this article:
https://hugonaut.blog/configuring-rhel-7-x-server-as-a-jamf-https-distribution-point/ which at least points step by step and for SAMBA and even AFP - all works fine where:
casperadmin - ReadUser
casperinstall - WriteUser
useradd -d /home/casperadmin ReadUser -s /bin/false -N
useradd -d /home/casperinstall WriteUser -s /bin/false -N
But for HTTPS (SSL) I am not sure. If I access https://my fileshare//CasperShare/Scripts/ should there be a user name and password prompt for access like in SAMBA or AFP? Now anybody can access that share without any user name and password.
@MSP It looks like @Hugonaut's instructions call for the creation of a ReadUser for httpd but never cover setting ssl.conf to only allow access to the file share directory for known accounts. Looking further, the example ssl.conf in Step 21 of those instructions seems not quite right, since it defines an authenticated directory for /var/www/html/ instead of the file share directory from Step 4. I'll defer to Hugonaut to chime in on that.
<Directory "/var/www/html/NameOfShare">
AuthType Basic
AuthName "Username and Password Required"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
</Directory>
and have a symlink in that location to where your SMB share is located.
BTW, I think your ReadUser and WriteUser mappings to casperadmin and casperinstall are backwards. The casperadmin account is probably what you want to have write access. And you don't need a WriteUser for HTTPS since Jamf Admin doesn't use HTTPS to update a DP.
Whoooo after I added:
AuthName "Username and Password Required"
</Directory>
Based on my AuthUserFile /etc/httpd/.htpasswd, I do have casperinstall in .htpasswd. The provided password should work; however
Now when I try to open the site it asks me for a user name and password, but the provided casperadmin or casperinstall does not work.
Seems like I provided casperinstal instead of casperinstall, but I also added AllowOverride AuthConfig to my httpd.conf - I am not sure if that does the trick, but now it works as expected.
Thank you so much for your help here !!!!!!!!!!
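An added example, not part of the thread or of the linked instructions: a small Python check for the misconfiguration discussed above, where the Basic-auth `<Directory>` block does not cover the directory the share is actually served from. The sample config, the path `/var/www/html/CasperShare` and the function names are assumptions; only plain `<Directory>` blocks are handled (no `.htaccess`, `<Location>` or wildcards).

```python
import re

# Constructed sample config (not from the thread): auth is defined on a
# different directory than the one the share is served from.
SAMPLE_CONF = '''
<Directory "/var/www/html">
    Require all granted
</Directory>
<Directory "/var/www/html/Other">
    AuthType Basic
    AuthName "Username and Password Required"
    AuthUserFile /etc/httpd/.htpasswd
    Require valid-user
</Directory>
'''
# Same config with the auth block moved onto the (assumed) share directory.
FIXED_CONF = SAMPLE_CONF.replace("/var/www/html/Other", "/var/www/html/CasperShare")

BLOCK = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)

def parse_blocks(conf):
    """Return [(dir_path, {directive: value})] for plain <Directory> blocks."""
    blocks = []
    for path, body in BLOCK.findall(conf):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                name, _, value = line.partition(" ")
                directives[name.lower()] = value.strip()
        blocks.append((path.rstrip("/") or "/", directives))
    return blocks

def effective_auth(conf, target):
    """Merge blocks containing target, shortest path first; longer paths win."""
    target = target.rstrip("/")
    merged = {}
    for path, directives in sorted(parse_blocks(conf), key=lambda b: len(b[0])):
        if target == path or target.startswith(path.rstrip("/") + "/"):
            merged.update(directives)
    return merged

def requires_login(conf, target):
    """True only if Basic auth with a user file and 'Require valid-user' applies."""
    eff = effective_auth(conf, target)
    return (eff.get("authtype", "").lower() == "basic"
            and "authuserfile" in eff
            and eff.get("require", "").lower() == "valid-user")
```

Run `requires_login()` against the real ssl.conf text and the filesystem path of the share before exposing the distribution point outside the internal network.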