Posted on 01-15-2021 06:52 AM
Experts,
We currently own a CentOS 6 box with AFP and HTTP file distribution. We have decided to set up another one with CentOS 7 due to CentOS 6 EOL.
I was able to successfully set up HTTPS for file distribution under CentOS 7.
Now I am trying to figure out the steps for AFP. I have these instructions for CentOS 7:
https://hugonaut.blog/configuring-rhel-7-x-server-as-a-jamf-https-distribution-point/
I don't want to use Samba, so AFP is the only option here. From what I see, AFP is used for the Admin Console and HTTPS is used for end clients internally and externally.
Anybody here with instructions for RHEL 7 and AFP for JSS?
Thank you,
Posted on 01-15-2021 09:02 AM
@MST Since AFP is officially deprecated you might really consider using SAMBA for SMB access from Jamf Admin. I'd definitely disable SMB for DP functionality for client machines however.
Posted on 01-15-2021 11:51 AM
If you must, have you checked out netatalk? Worked fine for me back in the day.
Posted on 01-20-2021 06:22 AM
Thank you for the responses. I think I will use netatalk (AFP) for local clients and SMB for Jamf Admin. I don't fully understand "I'd definitely disable SMB for DP functionality for client machines however". I guess I have to disable SMB for end clients, so SMB will be stopped/disabled. But for Jamf Admin I have to enable it (start it manually), correct?
Posted on 01-20-2021 08:07 AM
Also, I have one HTTP file distribution with AFP and a second HTTPS with AFP. Can I use them both with some kind of balancing? Or is this not a good idea, and should I just use the newer HTTPS with AFP (netatalk) for simplicity?
Posted on 01-20-2021 08:18 AM
Why not use only HTTPS for the clients? I don't really understand why you insist on AFP. We use two file servers with HTTPS. The clients pick one at random and switch to the other one in case the first they tried has a problem.
Posted on 01-20-2021 08:29 AM
@MST Once you enable "Use HTTP downloads" for your File Share Distribution Points, your managed Macs should not try to use SMB or AFP for downloads, so you don't have to specifically disallow them. What you will want to do is make sure the ports required to use them aren't open to the outside world if you have a DP in your DMZ (not that most network security teams would allow them in the first place). If you're going to use Jamf Admin to manage the contents of your DPs, you will need the SMB (or AFP) ports open to your internal network so Jamf Admin can connect to them.
Posted on 01-21-2021 04:59 AM
I understand now. Thank you for all help here.
Posted on 02-04-2021 06:40 AM
Seems like all is working fine. The only thing that bothers me is that over HTTPS, which is exposed to the outside, I can access all the scripts:
//CasperShare/Scripts/
and I can access //CasperShare/, which includes Scripts, Packages and Casper Data. Somebody can download and open the scripts.
Any idea?
Posted on 02-04-2021 07:55 AM
@MST You should be configuring your HTTPS settings to require an account name and password to access the files.
Posted on 02-05-2021 04:49 AM
OK, I am confused. I have followed this article:
https://hugonaut.blog/configuring-rhel-7-x-server-as-a-jamf-https-distribution-point/ which at least goes step by step, and for Samba and even AFP all works fine, where:
casperadmin - ReadUser
casperinstall - WriteUser
useradd -d /home/casperadmin ReadUser -s /bin/false -N
useradd -d /home/casperinstall WriteUser -s /bin/false -N
But for HTTPS (SSL) I'm not sure. If I access https://my fileshare//CasperShare/Scripts/, should there be a username and password prompt for access, like with Samba or AFP? Right now anybody can access that share without any username and password.
Posted on 02-05-2021 08:40 AM
@MSP It looks like @Hugonaut's instructions call for the creation of a ReadUser for httpd but never cover setting ssl.conf to only allow access to the file share directory for known accounts. Looking further, the example ssl.conf in Step 21 of those instructions seems not quite right, since it defines an authenticated directory for /var/www/html/ instead of the file share directory from Step 4. I'll defer to Hugonaut to chime in on that.
Posted on 02-09-2021 08:40 AM
Thank you for the response. Can you provide an example for the user casperinstall and password if I want to use that user for accessing files over HTTPS?
Posted on 02-09-2021 09:37 AM
@MST I was hoping @Hugonaut could provide an update to his instructions, but essentially what you need to do in ssl.conf is provide a Directory block like the following:
    <Directory "/var/www/html/NameOfShare">
        # HTTP Basic auth backed by a flat htpasswd file
        AuthType Basic
        AuthName "Username and Password Required"
        AuthUserFile /etc/httpd/.htpasswd
        # any account present in the htpasswd file may read the share
        Require valid-user
    </Directory>
and have a symlink in that location to where your SMB share is located.
BTW, I think your ReadUser and WriteUser mappings to casperadmin and casperinstall are backwards. The casperadmin account is probably the one you want to have write access. And you don't need a WriteUser for HTTPS, since Jamf Admin doesn't use HTTPS to update a DP.
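An added example, not code from this thread or from Hugonaut's guide, that puts the pieces of the reply above into one script you can run on a workstation before touching the server: it renders the Directory block for an assumed share path, builds an htpasswd entry, and checks a username and password against that file the way Apache's file provider does, which makes a mistyped account name fail visibly. Assumptions: the share is reachable at /var/www/html/CasperShare, the file is /etc/httpd/.htpasswd, and the entry is written in Apache's `{SHA}` format (what `htpasswd -s` produces) only because the standard library can compute it offline; on a real server generate the file with `htpasswd -B` (bcrypt) instead. The rendered block also adds `Options -Indexes` to stop directory listing of the share, which is not in the reply above.

```python
#!/usr/bin/env python3
"""Added example (not from the thread or Hugonaut's guide): render the Apache
Basic-auth <Directory> block and check credentials against an htpasswd file.
Share path, account name and file paths below are assumptions."""
import base64
import hashlib
import hmac

# Assumed values; adjust to your DP layout.
SHARE_DIR = "/var/www/html/CasperShare"   # symlink to the real share
HTPASSWD = "/etc/httpd/.htpasswd"


def directory_block(share_dir: str = SHARE_DIR, htpasswd: str = HTPASSWD) -> str:
    """Return the <Directory> block to put into ssl.conf.

    Goes beyond the thread's block in one place: Options -Indexes stops
    Apache from listing the share (Jamf clients fetch packages by full URL,
    so they never need a listing); +FollowSymLinks is kept because the
    directory is a symlink to the SMB/AFP share.
    """
    return "\n".join([
        f'<Directory "{share_dir}">',
        "    Options -Indexes +FollowSymLinks",
        "    AuthType Basic",
        '    AuthName "Username and Password Required"',
        f"    AuthUserFile {htpasswd}",
        "    Require valid-user",
        "</Directory>",
        "",
    ])


def sha_htpasswd_line(user: str, password: str) -> str:
    """Build one htpasswd line in Apache's {SHA} format (what `htpasswd -s`
    writes): unsalted SHA-1, base64-encoded. Used here only because it needs
    no third-party module; prefer `htpasswd -B` (bcrypt) on a real server."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


def check_credentials(htpasswd_text: str, user: str, password: str) -> bool:
    """Mimic mod_authn_file: find the user's line, then compare the hash.
    Only {SHA} entries are understood here; any other scheme is rejected."""
    for line in htpasswd_text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, stored = line.split(":", 1)
        if name != user:
            continue
        if not stored.startswith("{SHA}"):
            return False
        expected = sha_htpasswd_line(user, password).split(":", 1)[1]
        return hmac.compare_digest(stored, expected)
    return False   # unknown user, e.g. a typo such as "casperinstal"


def demo() -> dict:
    """Constructed sample: one account, then the attempts seen in the thread."""
    htpasswd_text = sha_htpasswd_line("casperinstall", "S3cret!") + "\n"
    return {
        "right_user": check_credentials(htpasswd_text, "casperinstall", "S3cret!"),
        "typo_user": check_credentials(htpasswd_text, "casperinstal", "S3cret!"),
        "wrong_password": check_credentials(htpasswd_text, "casperinstall", "s3cret!"),
    }


if __name__ == "__main__":
    print(directory_block())
    print(demo())
```

Once the block is in ssl.conf and httpd has been reloaded, an unauthenticated `curl -k -o /dev/null -w '%{http_code}\n' https://dp.example/CasperShare/Scripts/` should return 401 and the same request with `-u casperinstall:...` should return 200. Note that directives placed directly in a <Directory> block in ssl.conf take effect without `AllowOverride AuthConfig`; that setting only controls whether an .htaccess file inside the directory may carry Auth* directives.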
Posted on 02-10-2021 06:03 AM
Whoooo, after I added:
    <Directory "/var/www/html/NameOfShare">
        AuthType Basic
        AuthName "Username and Password Required"
        AuthUserFile /etc/httpd/.htpasswd
        Require valid-user
    </Directory>
based on my AuthUserFile /etc/httpd/.htpasswd, I do have casperinstall in .htpasswd, and the provided password should work. However, now when I try to open the site it asks me for a username and password, but providing casperadmin or casperinstall does not work.
Posted on 02-10-2021 06:25 AM
Seems like I provided casperinstal instead of casperinstall, but I also added AllowOverride AuthConfig to my httpd.conf. I am not sure if that does the trick, but now it works as expected.
Thank you so much for your help here !!!!!!!!!!