CENTOS7 & JSS File distribution Share

@MST Since AFP is officially deprecated you might really consider using SAMBA for SMB access from Jamf Admin. I'd definitely disable SMB for DP functionality for client machines however.

If you must , have you checked out netatalk. Worked fin for me back in the day

thank you for responses, I think I will use netatalk - afp for local clients, and smb for Jamf admin. I don't fully understand "I'd definitely disable SMB for DP functionality for client machines however" - I guess I have to disable smb for end clients so smb will be stop / disabled. But for Jamf Admin I have to enable - start manually - correct?

Also I have one HTTP file distribution with AFP and second HTTPS with AFP - can I use them both in some way of balancing? Or rather this is not a good idea and just use newer HTTPS with AFP (netatalk) for simplicity?

Why not use only HTTPS for the clients? I don't reall understand why you insist on AFP. We use two file servers with HTTPS. The clients pick one at random, and switch to the other one in case the first they tried has a problem.

@MST Once you enable "Use HTTP downloads" for your File Share Distribution Points your managed Macs should not try and use SMB or AFP for downloads, so you don't have to specifically disallow them. What you will want to do is make sure the ports required to use them aren't open to the outside world if you have a DP in your DMZ (not that most network security teams would allow them in the first place). If you're going to use Jamf Admin to manage the contents of your DPs you will need the SMB (or AFP) ports open to your internal network so Jamf Admin can connect to them.

I understand now. Thank you for all help here.

Seems like all is working fine. Only what bothers me I can access over HTTPS which is exposed to outside all the scripts:

//CasperShare/Scripts/

and I can access //CasperShare/ which include Scripts, Packages, Casper Data. Somebody can download and open scripts.

Any idea?

@MST You should be configuring your https settings to require an account name and password to access the files

ok I am confused, I have fallowed this article:

https://hugonaut.blog/configuring-rhel-7-x-server-as-a-jamf-https-distribution-point/ which at least points tep by step and for SAMBA and even AFP - all works fine where:

casperadmin - ReadUser
casperinstall - WriteUser

useradd -d /home/casperadmin ReadUser -s /bin/false -N
useradd -d /home/casperinstall WriteUser -s /bin/false -N

But for HTTPS (SSL) not sure. If I access https://my fileshare//CasperShare/Scripts/ should that be any user and password asking for access like in SAMBA or AFP? Now anybody can access that share without any user name and password.

@MSP It looks like @Hugonaut's instructions call for the creation of a ReadUser for httpd but never cover setting ssl.conf to only allow access to the file share directory for known accounts. Looking further, the example ssl.conf in Step 21 of those instructions seems like they're not quite right since they define an authenticated directory for /var/www/html/ instead of the file share directory from Step 4. I'll defer to Hugonaut to chime in on that.

Thank you for response. Can you provide example for user casperinstall and password if I want to use that user for accessing files when use with HTTPS?

@MST I was hoping @Hugonaut could provide an update to his instructions, but essentially what you need to do in ssl.conf is provide a Directory block like the following

<Directory "/var/www/html/NameOfShare">
AuthType Basic
AuthName "Username and Password Required"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
</Directory>

and have a symlink in that location to where your SMB share is located.

BTW, I think you have your ReadUser and WriteUser mappings to casperadmin and casperinstall are backwards. The casperadmin account is probably what you want to have write access. And you don't need a WriteUser for https since Jamf Admin doesn't use https to update a DP.

Whoooo after I added:

<Directory "/var/www/html/NameOfShare">
AuthType Basic
AuthName "Username and Password Required"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
</Directory> Based on my AuthUserFile /etc/httpd/.htpasswd I do have casperinstall in .htpasswd The provided password should work; however

Now when I try to open site it ask me for user name and password, but provided casperadmin or casperinstall does not work.

seems like I provided casperinstal instead of casperinstall but also I added to my httpd.conf AllowOverride AuthConfig - I am not sure if that does the trick, but now it works as expected.

Thank you so much for your help here !!!!!!!!!!