Originally Web posted Friday, 30 November 2012.
Content last modified Saturday, 9 January 2021.
External links last verified Friday, 30 November 2012.
In pre-Time Capsule days, i frequently shared files with some of my Mac friends via Personal File Sharing over the Internet. I’d put the files in my OS X user account’s Public folder, arrange a particular day or part of a day where my Mac would be running and they’d connect to pick up the files, then provide them with my then-current public IP address. A bit of a hassle at my end to set up and at their end to learn how to do, yet less of a hassle for me than dealing with a service such as Dropbox and less expensive than putting the files on my web server.
Recently when attempting to follow this usual procedure with our relatively new Time Capsule, i found that port 548 (Personal File Sharing) was already in use. I had been ignoring an arguably superior way to achieve this same file sharing goal, using the Time Capsule’s internal hard drive as the share point. This article discusses setting up public Internet Personal File Sharing (Mac style) on a Time Capsule, including some important yet poorly-documented information which i found essential to keep our existing Time Machine backups functioning.
As most technology companies do, Apple changes its hardware and software from time to time. This article covers the following configuration:
The Time Capsule (which i may abbreviate as TC) is running as a home network router and WLAN base station in a more-or-less typical configuration, connected to a cable Internet modem.
At the time of my research and the creation of this article, AirPort Utility 6.1 is the most current version. Due to the lack of some of the functionality of the older versions, i have chosen to use the older versions for screenshots and settings descriptions. Once the new 6.x version is able to do everything the 5.x versions can do, it should be a nice, easier-to-use improvement. At the moment as i type, it is sorely lacking in some ways.
It is possible to attach an external hard drive to a Time Capsule and it is probably possible to use it for file sharing. This article does not cover this option: it only covers using the internal TC hard drive.
Advantages of sharing files via the Time Capsule hard drive versus using Personal File Sharing on a network-attached Mac:
Anything out of the ordinary (as seen by Apple) requires “”. In AirPort Utility 5.6.x, after entering , select from the top icon row then the tab.
Initially, file sharing will probably be off. You’ll need to. The default option for (as best i remember) was “ ”: the device password set under the icon category and tab. In other words, the same password used by AirPort Utility to access the Time Capsule for settings changes and the like.
One of the other options foris “ ”. Selecting this option allows entering a separate (different than TC unit) password, which will be used by all users wishing to access files via file sharing on the TC. I did not test this option and thus this article does not cover it beyond the following screenshot.
The final and in my opinion most useful (and least documented) option foris “ ”. Initial selection of this option causes AirPort Utility to warn about potential loss of access to files—that is in large part what this web page covers: how to avoid problems accessing files in this security mode. The remainder of this page covers this mode only.
The user accounts set up on your Time Capsule bear no relation to OS X user accounts on your Mac(s), though if you wish you could make them the same. The accounts exist entirely within the TC. One account should be set up for each remote user you wish to have separate, independent access to your TC.
Clicking thebutton immediately beneath the pop-up list box does exactly the same thing as clicking on the tab to the right of the tab. Click the button to add an account. In addition to selecting the user name and password, you will be able to select separately for this account whether it has read and write, read only, or no access to shared disks. Note that by “shared disks” Apple means all share points, both the user’s own personal directory location and the communal shared directory (folder) used by guests. In other words, selecting Sharing Access: Not allowed is nonsensical.
I testedand whether i attempted to access the shared guest folder or this user’s folder, i got the following error, followed by a disconnect and reversion to a guest connection:
I wholly do not understand why theoption exists: if one wanted the account to not have any shared file access to anything, one would simply delete the account. Now, if Apple implemented two separate pop-up lists as follows:
that would make sense. For my purposes, i want my remote users to have full read/write access to their TC account folder. As a side-effect of the current Apple all-or-nothing arrangement, they also have read/write access to the shared Guest folder:
If everyone (local and remote) who needs to access files on the TC is doing so within their own TC account folder, there may be no need to enable Guest access. On the other hand, if everyone is to freely share one set of files, it may make more sense to ignore setting up accounts and simply enable. If this is being done for local users only (“ ” unchecked—disabled), it should be safe to choose “ ” or “ ” depending upon your needs. If you want both Internet and local users to be able to access the Guest shared folder, i strongly recommend selecting “ ”. Otherwise, nefarious outsiders who come across your TC would be able to use it as a handy file repository of their own, possibly with very large and/or illegal file content.
In my case, i want some files to be accessible to anyone—local plus on the Internet—with the least amount of hassle (e.g. no need to log into an account on the TC). Therefore i haveset to and checked (enabled):
In AirPort Utility 5.6.x, you may notice the intriguing option “Use dynamic global hostname”. I have found almost no documentation on this feature. AirPort Utility will not allow updating the configuration when this box is checked unless there are valid server settings over in . A quick search on "Use dynamic global hostname" reveals only payware/hassleware (DynDNS) solutions and confusion. Lacking any other information on this function, i’m calling it useless (at the time this article was written) and leaving it unchecked. If you have solid information to the contrary (in other words, you know how to make this work in a useful way by using, for example, one’s own already existing Internet domain), i’d love to learn more (and maybe revise this section).
If you wish to set up, Best Wishes to you… you won’t find information on that here (i have no need and don’t want to deal with any security issues for which Windows File Sharing is historically famous).
We’d been running our Time Capsule in the usual manner, without using TC file sharing, for months. Both the PowerBook G4 (running Leopard) and MacBook Air (running Lion so far) used the TC for their Time Machine backups. As soon as i enabled, Time Machine backups on both Macs immediately started to fail: could not connect to the Time Capsule. I had to revert to the setting to restore the ability to back up.
Researching this problem, i eventually came upon a Super User post with what seems to be (unintentionally?) Top Secret information: using the security setting in AirPort Utility creates an invisible root user account, with the following account login information:
user: admin
This is probably the most important information in this entire article. Why Apple keeps this essential information a secret, i have no idea (documentation oversight?). Great Appreciation to Super User contributor Spiff for sharing this information!
Using the above information in a Macintosh Finderor window for the Time Capsule allows full read/write access to EV-REE-THING. In other words: root access to the Time Capsule hard drive.
If you’ve been using your TC for Time Machine (TM) backups without file sharing or with one of the other security settings, the existing TM backup sparse bundles will be at the root level of the TC hard drive, and will become suddenly inaccessible to Time Machine unless and until the TM login credentials are changed to the “secret” root login information above (or the sparse bundle is moved to one of the new TC user accounts, though this apparently has side-effects when using thefunction in Disk Utility [causing it to fail], and is thus not recommended).
Seems to me it ought to be possible to simply change the user name on the Keychain item for the Time Machine backup from whatever it is (which does not seem to matter with the default TC non-file sharing setup) to admin. However i had trouble getting this to work. I needed to redo theoption in Time Machine preferences. Interestingly, there is still an icon for the old way TM saw my TC (top icon in the screenshot) along with its new incarnation (selected middle item in the screenshot):
The top icon is no longer usable (and i have not found an easy way to make it go away). For the selected (middle) icon, i use admin as the user and the existing unit password for the TC itself and Ta Daaaa Time Machine backups resume working as they always have in the past. Problem solved!
Upon initial login, it appears that admin has its own account folder:
Yet attempting to open it produces an “operation can’t be completed” error:
Given that the other (default configuration: no additional USB hard drive) option is the entirety of the TC internal hard drive, this is more of a confusing anomaly than any sort of actual problem. Here’s the root view of our TC, with explanations of what’s what:
In addition to allowing Time Machine to operate normally, admin (root) Time Capsule access can be useful for moving/arranging/placing files on the TC without having to individually connect as a particular user with a user account on the TC.
Note that when WAN access is enabled, it is likely (i did not test this) possible to make a root connection to the Time Capsule via the Internet. This is one of many other great reasons to have a truly robust, long multi-character password or passphrase as the unit password for your Time Capsule.
I am not going to cover local (LAN) access, because this is well documented in Apple Help and Support files, and elsewhere. The basic idea is:
The remainder of this article focuses on remote users connecting to the Time Capsule over the public Internet. Because we’re not using a Bonjour public Internet service, in every case it will be necessary to provide remote (public Internet) users with the current public IP address assigned by our ISP. This information can be found in the initial window of AirPort Utility, by visiting certain websites such as WhatIsMyIP.com, or other methods. For the examples, i’ll pretend that the current IP address is 184.108.40.206.
You should now be looking at a Finder window with all contents on the TC available to guests. As seen from the TC admin account, this is the contents of the Shared folder.
As with Method 1, you should now be looking at a Finder window with all contents on the TC available to guests. As seen from the TC admin account, this is the contents of the Shared folder. This method saves the user the trouble of selecting Guest access.
Instead of making the user open up thewindow, you may instead include a properly formatted hyperlink in an email message or somesuch to the remote user. Simply put the identical Apple Filing Protocol (AFP) URL contents into the hyperlink. If you’re being this kind to your remote user, might as well give them the Method 2 URL so they won’t have to hassle with selecting Guest access.
The same steps are followed as for Guest access, except Registered User is selected, with the Time Capsule account Name and Password entered.
Same as for Guest access, except with an AFP URL which includes the user name (“My Account” in this example) and password (“My Pass” in this example):
afp://My%20Account:My%20Pass@220.127.116.11
This isn’t an issue for Guest access. For TC user access, the user will be presented with a folder for their files and one named for the TC hard drive (as set inin AirPort Utility), which in actuality will be the Shared folder (as seen by admin), a.k.a. the same content seen as the exclusive option via Guest access.
To directly connect to a user account’s TC folder, add the folder path to the URL:
afp://My%20Account:My%20Pass@18.104.22.168/My%20Account
Per my brief reading on the subject, using themethod is secure because the OS parses the URL and encrypts the TC user account information in transit. (Unfortunately i did not retain the reference where i read this and thus can’t share it with you.) This same (already forgotten) source indicated that the same URL in a WWW browser would not be secure. The URL in email would not be secure unless the email were end-to-end encrypted with S/MIME or PGP or similar.
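The AFP URLs above percent-encode the spaces in the account name and password, and the same encoding is needed for characters such as @, : and / in a password. The following is an added example, not part of the original article: it builds such a URL and produces a password-free variant for pasting into unencrypted email. The function names and the host 192.0.2.10 (a documentation address) are assumptions made for illustration, as is the expectation that the remote user is prompted for the password when it is left out of the URL.

```python
from urllib.parse import quote, unquote, urlsplit


def build_afp_url(host, user=None, password=None, folder=None):
    """Build afp://[user[:password]@]host[/folder], percent-encoding each part.

    safe="" forces '@', ':' and '/' inside a name or password to be encoded,
    so they cannot be mistaken for the URL's own separators.
    folder is a single folder name (for example the TC account folder).
    """
    auth = ""
    if user is not None:
        auth = quote(user, safe="")
        if password is not None:
            auth += ":" + quote(password, safe="")
        auth += "@"
    path = "/" + quote(folder, safe="") if folder else ""
    return "afp://" + auth + host + path


def strip_password(url):
    """Return (url_without_password, had_password) for an afp:// URL.

    The user name, host and path are kept, so the link still points at
    the right account folder but no longer carries the secret.
    """
    parts = urlsplit(url)
    if parts.scheme != "afp" or not parts.hostname:
        raise ValueError("not an AFP URL: %r" % url)
    host = parts.hostname
    if parts.port:
        host += ":%d" % parts.port
    # parts.username is still percent-encoded, so it can be reused as-is.
    auth = parts.username + "@" if parts.username else ""
    return "afp://" + auth + host + parts.path, parts.password is not None


if __name__ == "__main__":
    # Constructed sample values: the article's example account on a
    # documentation-range address.
    full = build_afp_url("192.0.2.10", "My Account", "My Pass", "My Account")
    print(full)
    print(strip_password(full)[0])
    # A password containing URL separators survives a round trip.
    tricky = build_afp_url("192.0.2.10", "kim", "p@ss:w/rd")
    print(tricky, "->", unquote(urlsplit(tricky).password))
```
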
A Time Capsule is indeed Network Attached Storage (NAS), but it is not a file server: a direct link to a specific file in an AFP URL will not cause the file to be downloaded… at least not from. If that’s what you need, you need an FTP or WWW or some other server arrangement.