AFP server in under 15 minutes (Debian)

January 14, 2010 - 10 comments

Tested under Debian Lenny 32 bits.

This howto is based on http://www.kremalicious.com/2008/06/ubuntu-as-mac-file-server-and-time-machine-volume/
Matthias’ post is very comprehensive. This post is basically a raw copy-paste of commands; if you want more information, go see Matthias’ post.
If you find this useful, please give credit to Matthias :-)

Why AFP (Apple Filing Protocol) ?

I wanted to see if AFP was faster than SMB.
A quick test showed my MacBook (running OS 10.6.2) is transferring files 20 % faster on AFP than SMB.

Build netatalk to support encryption

Starting with Netatalk version 2.0.4 (and Debian Squeeze) you won’t need to rebuild to support SSL (see Frank’s comment).

Lenny comes with version 2.0.3 so we still need to go through recompilation (which I recommend doing on another box).

# apt-get build-dep netatalk
# apt-get install cracklib2-dev fakeroot libssl-dev
# apt-get source netatalk
# cd netatalk-2*
# DEB_BUILD_OPTIONS=ssl dpkg-buildpackage -rfakeroot

Install modified version of netatalk

# dpkg -i ../netatalk_2*.deb
# echo "netatalk hold" | dpkg --set-selections

/etc/default/netatalk

ATALKD_RUN=no
PAPD_RUN=no
CNID_METAD_RUN=yes
AFPD_RUN=yes
TIMELORD_RUN=no
A2BOOT_RUN=no

/etc/netatalk/afpd.conf

- -transall -uamlist uams_dhx.so -nosavepassword
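
One way to check the -uamlist line above before starting afpd: confirm that every UAM it names exists in the UAM directory and that none is a cleartext or guest module. This is an added example, not code from the original post or from the Netatalk project; the function name `audit_uamlist` and its verdict words are assumptions, and the default directory /usr/lib/netatalk is taken from the listing in the comments.

```sh
#!/bin/sh
# Added example, not from the original post. The function name and the
# verdict words are illustrative; the UAM file names come from this page.

# audit_uamlist CONF [UAMDIR]
# Prints "<module> <verdict>" per UAM in -uamlist; returns 0 only if all "ok".
#   ok      DHX or DHX2 module that exists in UAMDIR
#   missing DHX or DHX2 module named in afpd.conf but absent from UAMDIR
#   weak    cleartext or guest login
#   review  any other UAM; assess it separately
audit_uamlist() {
    conf=$1
    uamdir=${2:-/usr/lib/netatalk}
    rc=0
    # Value of the last -uamlist option on a non-comment line.
    list=$(awk '!/^[ \t]*#/ { for (i = 1; i < NF; i++) if ($i == "-uamlist") l = $(i + 1) }
                END { print l }' "$conf")
    if [ -z "$list" ]; then
        echo "(none) no-explicit-uamlist"
        return 1
    fi
    old_ifs=$IFS
    IFS=,
    for uam in $list; do
        case $uam in
            uams_dhx.so|uams_dhx2.so|uams_dhx_*.so|uams_dhx2_*.so)
                if [ -e "$uamdir/$uam" ]; then verdict=ok
                else verdict=missing; rc=1; fi ;;
            uams_clrtxt.so|uams_guest.so)
                verdict=weak; rc=1 ;;
            *)
                verdict=review; rc=1 ;;
        esac
        echo "$uam $verdict"
    done
    IFS=$old_ifs
    return $rc
}

# Constructed demo: a UAM directory shaped like the Squeeze listing in the
# comments (DHX2 present, no uams_dhx.so) and the afpd.conf line from this howto.
demo=$(mktemp -d)
touch "$demo/uams_dhx2.so" "$demo/uams_clrtxt.so"
echo '- -transall -uamlist uams_dhx.so -nosavepassword' > "$demo/afpd.conf"
audit_uamlist "$demo/afpd.conf" "$demo" || echo "afpd.conf needs attention"
rm -rf "$demo"
```

Against the real files, call it as `audit_uamlist /etc/netatalk/afpd.conf`; a non-zero exit status means at least one entry is not an installed DHX or DHX2 module.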

/etc/netatalk/AppleVolumes.default

/home/seb "Seb's share" allow:seb

Start netatalk

/etc/init.d/netatalk start

Advertise the service with Avahi

You can skip this step, but it’d mean the server doesn’t magically appear as a Shared drive in your Finder.

apt-get install avahi-daemon

/etc/avahi/services/afpd.service

<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h AFP</name>
<service>
<type>_afpovertcp._tcp</type>
<port>548</port>
</service>
<service>
<type>_device-info._tcp</type>
<port>0</port>
<txt-record>model=Xserve</txt-record>
</service>
</service-group>

# /etc/init.d/avahi-daemon restart

Firewall :

Allow tcp/548 (netatalk) and tcp/5353 (avahi)

Comments

Frank Lahm

January 14, 2010 - 13:19

No, no, no!!
Starting with 2.0.4 there’s no need for this mumbo-jumbo:
--8<--
# apt-get build-dep netatalk
# apt-get install cracklib2-dev fakeroot libssl-dev
# apt-get source netatalk
# cd netatalk-2*
# DEB_BUILD_OPTIONS=ssl dpkg-buildpackage -rfakeroot
--8<--
…because we have uam_dhx2.so which just has libgcrypt as a build dependency. I've also written this via PM to Mathias, unfortunately I haven't received a response.

Regards,
Frank Lahm, Netatalk Developer

nedos

January 19, 2010 - 16:41

As long as people do still have to build their own packages, I recommend debootstrapping a build environment so that you don’t get this clutter on the server. It’s how I do it personally, i.e., just create an LVM volume for it.

Greets,

D.

Sébastien Wains

January 21, 2010 - 16:21

I usually have a VM running for building stuff.
It goes without saying that one shouldn’t install a dev environment on a production server.

pluvo

February 12, 2010 - 0:20

Hi!

“Starting with Netatalk version 2.0.4 (and Debian Squeeze) you won’t need to rebuild to support SSL”

Are you sure? I tried this on Debian Squeeze (testing):

1) aptitude install netatalk avahi-daemon
2) Created: /etc/avahi/services/afpd.service
3) /etc/init.d/avahi-daemon restart

But I can’t connect to my home directory with Mac OS X 10.6.2…

If I rebuild the package, it works.

Sébastien Wains

February 12, 2010 - 0:25

Frank said so, I actually didn’t check it in Squeeze

Can you give us the output of this command when you’re using the Debian package from Squeeze:
ls -l /usr/lib/netatalk/uams_*

Thanks

pluvo

February 12, 2010 - 0:31

$ ls -l /usr/lib/netatalk/uams_*
lrwxrwxrwx 1 root root 11 11. Feb 23:28 /usr/lib/netatalk/uams_clrtxt.so -> uams_pam.so
-rw-r--r-- 1 root root 69458 23. Jan 05:12 /usr/lib/netatalk/uams_dhx2_pam.a
-rw-r--r-- 1 root root 1051 23. Jan 05:12 /usr/lib/netatalk/uams_dhx2_pam.la
-rw-r--r-- 1 root root 16000 23. Jan 05:12 /usr/lib/netatalk/uams_dhx2_pam.so
-rw-r--r-- 1 root root 56852 23. Jan 05:12 /usr/lib/netatalk/uams_dhx2_passwd.a
-rw-r--r-- 1 root root 1074 23. Jan 05:12 /usr/lib/netatalk/uams_dhx2_passwd.la
-rw-r--r-- 1 root root 12392 23. Jan 05:12 /usr/lib/netatalk/uams_dhx2_passwd.so
lrwxrwxrwx 1 root root 16 11. Feb 23:28 /usr/lib/netatalk/uams_dhx2.so -> uams_dhx2_pam.so
-rw-r--r-- 1 root root 31604 23. Jan 05:12 /usr/lib/netatalk/uams_gss.a
-rw-r--r-- 1 root root 1030 23. Jan 05:12 /usr/lib/netatalk/uams_gss.la
-rw-r--r-- 1 root root 11144 23. Jan 05:12 /usr/lib/netatalk/uams_gss.so
-rw-r--r-- 1 root root 15174 23. Jan 05:12 /usr/lib/netatalk/uams_guest.a
-rw-r--r-- 1 root root 1002 23. Jan 05:12 /usr/lib/netatalk/uams_guest.la
-rw-r--r-- 1 root root 6824 23. Jan 05:12 /usr/lib/netatalk/uams_guest.so
-rw-r--r-- 1 root root 10016 23. Jan 05:12 /usr/lib/netatalk/uams_krb4.a
-rw-r--r-- 1 root root 995 23. Jan 05:12 /usr/lib/netatalk/uams_krb4.la
-rw-r--r-- 1 root root 4552 23. Jan 05:12 /usr/lib/netatalk/uams_krb4.so
-rw-r--r-- 1 root root 29062 23. Jan 05:12 /usr/lib/netatalk/uams_pam.a
-rw-r--r-- 1 root root 994 23. Jan 05:12 /usr/lib/netatalk/uams_pam.la
-rw-r--r-- 1 root root 11056 23. Jan 05:12 /usr/lib/netatalk/uams_pam.so
-rw-r--r-- 1 root root 22574 23. Jan 05:12 /usr/lib/netatalk/uams_passwd.a
-rw-r--r-- 1 root root 1017 23. Jan 05:12 /usr/lib/netatalk/uams_passwd.la
-rw-r--r-- 1 root root 8792 23. Jan 05:12 /usr/lib/netatalk/uams_passwd.so

$ cat /usr/share/doc/netatalk/README.Debian
[...]
Notes about OpenSSL
===================

OpenSSL support is currently disabled, because of licensing issues: The Free
Software Foundation and Debian consider the GNU General Public License (GPL)
under which Netatalk is licensed to be incompatible with the OpenSSL license.

Thanks to gcrypt support (introduced in netatalk 2.0.4beta2) the DHX2 UAM
provides encrypted access for MacOS X 10.4 and newer, but older releases of
MacOS X and MacOS Classic can only connect unencrypted as both of the UAMs DHX
and Randnum requires OpenSSL support.

You can build locally with OpenSSL using the following commands:

sudo aptitude install devscripts
sudo aptitude build-dep netatalk
apt-get source netatalk
cd netatalk-*
dch -l +ssl -D local --force-distribution "Local build with OpenSSL."
DEB_AUTO_UPDATE_DEBIAN_CONTROL=1 DEB_BUILD_OPTIONS=openssl debuild -us -uc
sudo debi

You my need additional build-dependencies not resolved automatically.

Alternatively you can subscribe to unofficial(!) precompiled packages by
adding the following to your /etc/apt/sources.list:

deb http://debian.jones.dk/ $DIST netatalk
[...]

Sébastien Wains

February 12, 2010 - 0:35

http://packages.debian.org/squeeze/i386/netatalk/filelist

It seems uams_dhx2.so is provided with the package in squeeze

Have you edited your afpd.conf accordingly ?

pluvo

February 12, 2010 - 1:11

afpd.conf

1) Doesn’t work:
- -transall -uamlist uams_dhx.so,uams_dhx2.so -nosavepassword

2) Doesn’t work:
- -transall -uamlist uams_dhx.so -nosavepassword

3) Doesn’t work:
- -transall -uamlist uams_dhx2.so -nosavepassword

Frank Lahm

February 12, 2010 - 7:58

There’s a dedicated place for stuff like this: the netatalk-admins mailing list.
