Does the AFP Service ACL still exist in 10.9 Server.app?

Question

All I'm really trying to do is set up my wife's laptop to use my Mac Pro as a network Time Machine server. We both recently upgraded to Mavericks and I just installed Server.app.

Problem is all connection attempts from her account fail, and I can't work out why (after lots of time and effort diagnosing the problem).

One ars forum post describes a similar problem, and one of the suggestions is that the connection is being blocked by a SACL. This theory is validated by the fact that I can connect with my own (admin) account.

More searching, and it seems that the suggestion is to edit the SACL using the Server Admin app. I guess this has now been rolled into Server.app?

Can someone please enlighten me, where are Service ACLs configured?

Answer 1

You can enable individual access to services for users and groups inside of Server.app 3.0. Select the Users or Groups section from the sidebar, and then click on the user or group that you'd like to configure access for. Click on the action (gear) icon below the list of users or groups, and choose "Edit Access to Services...":

You'll be presented with a list of services that allow access to be enabled and disabled for this user/group. If the list is disabled, you may need to choose to "Manage Service Access":

The software may prompt you to confirm your choice to enable management of Service Access:

Some information on how to configure these checkboxes using dseditgroup is available. It should also be noted that users from external directories are denied access to services by default.

If you're just trying to confirm that the user is inside of the group that's allowed to access the AFP service, you can perform this command:

dscl localhost read /Local/Default/Groups/com.apple.access_afp GroupMembership

If the command reports that the record is not found (-14136), you probably don't have an ACL applied to the AFP service.