
Hosting afp on Linux

One of the main reasons people get a server is to share files. Mac OS X Server is one of the more common systems used to share files to Mac OS X clients over afp, the default file sharing protocol for Mac OS X. But you don’t have to use Mac OS X Server; you can use Linux as well. We’re going to look at doing so with an open source project called netatalk. If, after reading this, you’d like to find out more about netatalk, check out the project page at http://netatalk.sourceforge.net.

netatalk can be installed through most Linux package managers. However, due to licensing issues, the packaged builds on many Linux distributions are missing some of what you need: namely the uams .so files for dhx, without which Mac OS X 10.5 and above will not be able to authenticate to the netatalk daemon. Therefore, we’re going to look at building netatalk from source using apt-get on Ubuntu or Debian (for Redhat, use yum). To get started, let’s get our dependencies (everything in this article needs to be run with elevated privileges):

apt-get install dpkg-dev devscripts libssl-dev fakeroot cracklib2-dev

Now let’s grab the netatalk source:

apt-get source netatalk

Now let’s get any other dependencies we might not have noticed already:

apt-get build-dep netatalk

Now cd into the netatalk source directory (the current version as of this writing is 2.0.3):

cd netatalk-2.0.3

Now let’s tell it to build with SSL enabled:

DEB_BUILD_OPTIONS=ssl debuild

And finally, install the package you just built:

dpkg -i ../netatalk_*.deb

Next, let’s choose which authentication mechanisms we want to support. I practically always enable the pam modules so that netatalk can pass authentication back through my directory service, and for Mac OS X 10.5 and above it is very important that you also enable dhx. For most environments I’ll also disable cleartext passwords at this time. This is all done in the /etc/netatalk/afpd.conf file. At the bottom, by default, you will see a list of authentication modules. Add the following line, adding any additional uams modules you’d like to support and removing any you would not like to support:

- -transall -uamlist uams_guest.so,uams_dhx_pam.so,uams_dhx_passwd.so,uams_dhx.so

We can also go ahead and restrict users from being able to save their password using the -nosavepassword option, meaning the line would instead appear as follows:

- -transall -uamlist uams_guest.so,uams_dhx_pam.so,uams_dhx_passwd.so,uams_dhx.so -nosavepassword

Note: The afpd.conf man page and the project documentation will lay out more about what each of these does.
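The policy above (dhx on, cleartext off, password saving off) is easy to get wrong when hand-editing afpd.conf, so here is a small audit script, added as an example and not part of the original post or of netatalk itself. It reads the active server line, pulls the module list out of -uamlist and reports anything that departs from that policy. The two configuration files it checks are constructed inline; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not netatalk's own tooling: audit the -uamlist line of an
# afpd.conf against the policy from the post. Config contents are constructed.

# audit_afpd_conf FILE -> prints findings; returns 0 if the policy holds, 1 otherwise
audit_afpd_conf() {
    conf="$1"
    # The active server definition is the last non-comment line carrying -uamlist
    line=$(grep -v '^[[:space:]]*#' "$conf" | grep -- '-uamlist' | tail -n 1)
    if [ -z "$line" ]; then
        echo "no -uamlist line found in $conf (netatalk defaults apply)"
        return 1
    fi
    # Extract the comma separated module list that follows -uamlist
    uams=$(printf '%s\n' "$line" | sed -n 's/.*-uamlist[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p')
    rc=0
    # Cleartext passwords should not be accepted
    case ",$uams," in
        *,uams_clrtxt.so,*) echo "WARN: cleartext password module enabled"; rc=1 ;;
    esac
    # At least one DHX module is needed for Mac OS X 10.5+ clients
    case ",$uams," in
        *,uams_dhx.so,*|*,uams_dhx_pam.so,*|*,uams_dhx_passwd.so,*) ;;
        *) echo "WARN: no DHX module enabled; 10.5+ clients cannot authenticate"; rc=1 ;;
    esac
    # Clients should not be allowed to store the password in the keychain
    case " $line " in
        *" -nosavepassword "*) ;;
        *) echo "WARN: -nosavepassword not set; clients may save the password"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $uams"
    return $rc
}

# Constructed sample configs (not real files from any system)
WORK=$(mktemp -d)
GOOD_CONF="$WORK/afpd.conf.good"
BAD_CONF="$WORK/afpd.conf.bad"
cat > "$GOOD_CONF" <<'EOF'
# constructed afpd.conf modelled on the line recommended above
- -transall -uamlist uams_guest.so,uams_dhx_pam.so,uams_dhx_passwd.so,uams_dhx.so -nosavepassword
EOF
cat > "$BAD_CONF" <<'EOF'
# constructed afpd.conf: cleartext still on, no DHX, password saving allowed
- -transall -uamlist uams_guest.so,uams_clrtxt.so
EOF

if audit_afpd_conf "$GOOD_CONF"; then echo "good config passes"; fi
if ! audit_afpd_conf "$BAD_CONF"; then echo "bad config fails as expected"; fi
```

Point it at the real /etc/netatalk/afpd.conf after editing; a non-zero exit tells you a client is about to be offered cleartext or will be unable to log in at all.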

Once you have updated afpd.conf, you will want to edit the /etc/netatalk/AppleVolumes.default file, which is where you create your shares. At the bottom of this file, add one line per new share (home directories are shared automatically by default). On each line you specify the path to the share, followed by how you want the share to appear in the Connect to Server dialog, followed by an allow statement listing who is able to access the share, and then the options for the share (the options are described in the man page and in the comments of the file itself):

/SHARED/Accounting "Accounting" allow:accounting,root options:crlf,noadouble,mswindows,nodots,usehex dbpath:/tmp
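A share line with no allow: (or deny:) list is mountable by every authenticated user, so it is worth checking AppleVolumes.default for that before restarting the daemon. The following is an added example, not code from the post or from netatalk: it walks the file, skips comments and the ~ home-directory marker, and reports each share that has no access list. The sample file and the function name are constructed for the example.

```shell
#!/bin/sh
# Added example, not netatalk's own tooling: find shares in an
# AppleVolumes.default that carry no allow:/deny: restriction.

# audit_volumes FILE -> prints one line per unrestricted share; returns 1 if any found
audit_volumes() {
    vols="$1"
    found=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|'~'*|':'*) continue ;;   # blank, comment, home dirs, :DEFAULT: options
        esac
        path=${line%% *}                     # first whitespace-separated field is the path
        case " $line " in
            *" allow:"*|*" deny:"*) ;;
            *) echo "$path: no allow:/deny: list, any authenticated user may mount it"; found=1 ;;
        esac
    done < "$vols"
    return $found
}

# Constructed sample AppleVolumes.default (not a real file)
WORK=$(mktemp -d)
VOL_CONF="$WORK/AppleVolumes.default"
cat > "$VOL_CONF" <<'EOF'
# constructed AppleVolumes.default for the example
~
/SHARED/Accounting "Accounting" allow:accounting,root options:crlf,noadouble,mswindows,nodots,usehex dbpath:/tmp
/SHARED/Public "Public" options:noadouble
EOF

if ! audit_volumes "$VOL_CONF"; then echo "one or more shares are unrestricted"; fi
```

Run it as audit_volumes /etc/netatalk/AppleVolumes.default; the Accounting line above passes because of its allow: list, while the constructed Public share is flagged.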

The AppleVolumes.default file is also where you would change the method used to store the CNID database. To control which daemons run (most likely to kill off the AppleTalk daemon), you’ll need to customize the /etc/default/netatalk file instead. Here, you can choose whether AppleTalk will run (ATALKD_RUN), whether to use bdb for CNID (CNID_METAD_RUN) and whether or not AFP will run (AFPD_RUN). You can also choose the maximum number of users allowed to connect to the server (AFPD_MAX_CLIENTS) and set the AppleTalk name and zone if you’re running AppleTalk (ATALK_NAME and ATALK_ZONE respectively). By default, AFP guests (AFPD_GUEST) are mapped to the nobody user for permissions purposes.

Once you’ve made your changes, save them, then restart the daemon and test connectivity:

/etc/init.d/netatalk restart

While testing, I usually like to run a tail of syslog to see if any errors pop up:

tail -f /var/log/syslog

When new versions come out, you will be able to perform an update using apt-get as well:

apt-get update && apt-get install netatalk

If you find that along the way you installed some things you’d like to get rid of, or that you’d like to start over, you can remove netatalk using the apt-get autoremove option:

apt-get autoremove netatalk

And if you don’t want the dependencies either, check out deborphan to clean those up as well!