netatalk-2.1.3-1.fc14.x86_64.rpm

Netatalk Frequently Asked Questions
($Id: FAQ,v 1.14 2010-04-25 13:59:53 hat001 Exp $)

-----------------------------------------------------------------------------

Q1: Where can I get more information on Netatalk?
Q2: What is this I keep seeing about asun?
Q3: How do I get the most recent version of Netatalk?
Q4: Can I get an almost current version of Netatalk without having to learn Git?
Q4a: Is there an RPM, package, or tarball for my platform?
Q5: I'm having massive file deletion problems!
Q6: I am having lots of file locking problems!
Q7: I'm getting this message in my logs:
     WARNING: DID conflict for ...  Are these the same file?
Q8: I can't seem to use passwords longer than 8 characters for my netatalk
    accounts. How can I fix that? 
Q9: I would like to use encrypted passwords to authenticate to the Netatalk
    server. How do I do that?
Q10: How can I set who has access to certain directories?
Q11: What are the .AppleDouble and .Parent directories which are created in
     the netatalk locations?
Q12: Hidden files - what's up with that?
Q13: I get a "socket: Invalid argument" error when trying to start netatalk
     under Linux. What is causing this?
Q14: Netatalk works over Appletalk, but my IP connections are refused, even
     though I have enabled them in the configuration files.
Q15: I'm having Quark Express file locking problems, is there information on that?
Q16: I'm getting this error in Quark Express when trying to save a file to
     the server: 'Error Type -50'
Q17: Does netatalk work with Mac OSX?
Q18: I'm getting an 'Application for this document not found' error on OS X.
Q19: I'm getting an 'Error Type -43' error on OS X.
Q20: How do I get the directories that are created by Netatalk to have the
     correct permissions by default?
Q21:  What does this error mean:
     'afpd[#####]: setdirmode: chmod .AppleDouble Operation not permitted'
Q22: I'm having problems with the Trash folder: either when someone drags
     files into it, the system wants them to delete them immediately, or files
     get stuck in there and won't delete.
Q23: The daemons aren't starting, things aren't showing up in the Chooser,
     and I get a message like this in the logs: afpd[####]: Can't register
     Tests:AFPServer@*
Q24: I want to be able to allow users to change their passwords.  How do
     I enable this feature?  Every time I try I get an error that it was
     unable to save the password.
Q25: Can I mount a Mac volume on my unix machine?
Q26: Can I run Samba and Netatalk together to access the same files?
Q27: Files I create on my Samba shares are invisible on the mac side.
Q27a: How can I set netatalk to hide some files from the Samba (or
     unix) sides?
Q28: Files I create on my netatalk shares are invisible on the PC side.
Q28a: How can I set Samba to hide the netatalk specific files (e.g.
     .AppleDouble).
Q29: I compiled Samba with the --with-netatalk flag. What did that do?
Q30: What about the differences in naming schemes, and legal/illegal
     characters between Windows, Macs (and unix?)
Q31: Where can I get the cnid-db (Berkeley DB) software? (needed for
     --with-did=cnid)
Q32: What about security in Netatalk?



-----------------------------------------------------------------------------


Q1: Where can I get more information on Netatalk?

A:  Netatalk's home page can be found at:

      http://netatalk.sourceforge.net/

    Netatalk is maintained at SourceForge. The Netatalk project page on
    SourceForge is located at:

      http://sourceforge.net/projects/netatalk/

    There are (at least) three very active e-mail lists to which you can
    subscribe. The first, netatalk-admins, is for usage and setup/compile
    questions. Subscription information as well as an archive are available at:

      http://lists.sourceforge.net/lists/listinfo/netatalk-admins

    This can be very high volume, but usually a few messages a day.

    The netatalk-devel list is more specific to coding and testing. The archive
    and more information can be found at:

      http://lists.sourceforge.net/lists/listinfo/netatalk-devel

    This list varies in volume, but is usually moderately active.

    Netatalk-docs is specific to documentation. For more information see:

      http://lists.sourceforge.net/mailman/listinfo/netatalk-docs
 
    There are other netatalk information sites. Some of these are no
    longer actively updated, some are site-specific, but still have
    good information:

      http://www.anders.com/projects/netatalk/
      http://www.faredge.com.au/netatalk/index.html


Q2: What is this I keep seeing about asun?

A:  Before Netatalk moved to SourceForge, Adrian Sun (asun) had written
    some patches to Netatalk which helped significantly with its usability,
    especially using AppleShare IP. These patches are still provided by many
    Unix vendors. All of these patches are included in the current SourceForge
    versions.


Q3: How do I get the most recent version of Netatalk?

A:  Via Git from SourceForge.net. This is the actively maintained version
    of Netatalk; changes are being made constantly, so it is not
    suitable for production environments. The netatalk at SourceForge is in
    Beta, so keep that in mind.

    Downloading the Git repository can be done quickly and easily.

    Make sure you have Git installed. Running "which git" should print the
    path to git.

     $> which git
     /usr/bin/git

    If you don't have a source directory, make one and cd into it.

     $> mkdir /path/to/new/source/dir
     $> cd /path/to/new/source/dir

    Now get the source:

     $> git clone git://netatalk.git.sourceforge.net/gitroot/netatalk/netatalk
     Initialized empty Git repository in /path/to/new/source/dir/netatalk/.git/
     remote: Counting objects: 2503, done.
     ...

    This will create a local directory called "netatalk" containing a complete
    and fresh copy of the whole Netatalk source from the Git repository.

    In order to keep your repository copy updated, occasionally run:

     $> git pull

    Now cd to the netatalk directory and run ./bootstrap. This will create the
    configure script required in the next step.

     $> ./bootstrap


Q4: Can I get an almost current version of Netatalk without having to learn Git?

A:  Yes.  Snapshots of the Git tree should be posted for the benefit of
    those that don't want to / can't use Git. They are available at:

      http://netatalk.git.sourceforge.net/git/gitweb-index.cgi
    
    You should be able to treat these images as you would a release.  Just
    configure as you normally would, then run make (or gmake as the case may
    be).  There is no need to run ./bootstrap on these images.


Q4a: Is there an RPM, package, or tarball for my platform?

A:  Perhaps. These vary in how often they're updated:

    FreeBSD
      port: /usr/ports/net/netatalk - maintained by Joe Clark
    SuSE Linux
      included in the distribution
    OpenBSD
      port: /usr/ports/net/netatalk/ - not actively maintained
    Debian GNU/Linux
      included in all current distributions
    RedHat Linux
      included in the distribution


Q5: I'm having massive file deletion problems!

Q6: I am having lots of file locking problems!

Q7: I'm getting this message in my logs:
    WARNING: DID conflict for ...  Are these the same file?

A:  Compile with the --with-did=last flag set. This activates a different
    method of calculating inodes in the software, and will hopefully fix some
    of these problems. This code, along with the CNID code, was still being
    worked out in Pre7. The cnid/bdb flags also go along with this:

      --with-bdb=PATH         specify path to Berkeley DB installation
      --with-did=[scheme]     set DID scheme (cnid,last) 
    
    (For more information on CNID, see the README.cnid file.)
    
    --with-did=last reverted things back to the old 1.4b2 directory ID
    calculation algorithm.  This also solved the problem of the syslog
    messages and the users complaining of file deletions.  It's also been
    found that by disabling *BSD's SOFTUPDATES feature on Netatalk volumes (on
    FreeBSD), multi-user interaction seemed to work better.  This was back in
    a late 4.2-BETA, so it's not clear if this still holds true in 4.4-RELEASE
    or not.


Q8: I can't seem to use passwords longer than 8 characters for my Netatalk
    accounts. How can I fix that? 

Q9: I would like to use encrypted passwords to authenticate to the Netatalk
    server. How do I do that?

A:  Update to a newer version of AppleShare Client (I think the most
    recent is 3.8.8). This allows longer passwords, and will allow you to
    use encrypted passwords. Set which way you would like to authenticate
    in either afpd.conf or netatalk.conf, depending on your setup.

    For more information on the AppleShare Client from Apple, and which clients
    are needed for which MacOS, see 

      http://til.info.apple.com/techinfo.nsf/artnum/n60792?OpenDocument&software

    (this site requires cookies, and a registration and sign-in).


Q10: How can I set who has access to certain directories?
    
A:  You can certainly do this with your Unix permissions, but also explore the 
    allow/deny/rwlist/rolist options in the AppleVolumes.default file:
    
      # allow/deny/rwlist/rolist format [syntax: allow:user1,@group]:
      # user1,@group,user2  -> allows/denies access from listed users/groups
      #                        rwlist/rolist control whether or not the
      #                        volume is ro for those users.
    
    Also, some Unices, especially FreeBSD, have other options:
    (By Joe Clark)
    
    "What about file and directory permissions?  Since I didn't use the FORCE
    UID/GID code, I decided to use a feature of FreeBSD called SUIDDIR. From
    the LINT kernel config file:
    
    # If you are running a machine just as a fileserver for PC and MAC
    # users, using SAMBA or Netatalk, you may consider setting this option
    # and keeping all those users' directories on a filesystem that is
    # mounted with the suiddir option. This gives new files the same
    # ownership as the directory (similar to group). It's a security hole
    # if you let these users run programs, so confine it to file-servers
    # (but it'll save you lots of headaches in those cases). Root owned
    # directories are exempt and X bits are cleared. The suid bit must be
    # set on the directory as well; see chmod(1) PC owners can't see/set
    # ownerships so they keep getting their toes trodden on. This saves
    # you all the support calls as the filesystem it's used on will act as
    # they expect: "It's my dir so it must be my file".
    
    And the associated mount command:
    
    mount -o suiddir /dev/da2s1e /macvol/artfiles
    
    This was used on my dedicated Netatalk/Samba filesystems.  On
    filesystems that were also used for interactive shell access, I chmod'd
    my Netatalk shares 2770.  The reason for this is that I set up a UNIX
    group for each department in the ad agency.  I had an art group, a media
    group, an accounting group, and then, of course, a general staff group.
    Each share was only allowed access by the group that needed to access
    the share.  So, the Artfiles share allowed access only to the art group:
    
    /macvol/artfiles "Art Files" allow:@art
    
    And the others followed in kind.  Therefore, the 2770 mask allowed only
    owners and people in the associated group access to read and write
    files.  The leading 2 set the setgid bit so that all child files and
    directories would retain the same group permissions.  I found this to
    work well."


Q11: What are the .AppleDouble and .Parent directories which are created in
     the Netatalk locations?

A:  See the README.veto file in this directory.
    
    The .AppleDouble folders hold the resource fork information for the Mac
    files, plus other attributes which are not normally stored by Unix. For
    this reason, when you want to move files around in your Mac volumes, it's
    a good idea to do it from the Mac side (as opposed to from the Unix side,
    or Samba), unless you make absolutely sure you get the .AppleDouble
    directories. These directories are often hidden from the Samba side, via
    the veto files configuration.
    
    You can also set Netatalk to not create an .AppleDouble directory unless
    it absolutely needs it, by setting the noadouble setting in
    AppleVolumes.default.
    
    
Q12: Hidden files - what's up with that?
    
A:  If you set the noadouble flag in AppleVolumes.default, you won't see
    the .Apple* or .Parent directories on the Mac side. If you use the veto
    files option in Samba, they may be hidden from the Windows side as well.
    (More information in the Samba section, and in the README.veto file in
    this directory.)


Q13: I get a "socket: Invalid argument" error when trying to start Netatalk
     under Linux. What is causing this?

A:  The "appletalk" and "ipddp" kernel modules have to be installed under
    linux for Netatalk to function. The appletalk module can be automatically
    loaded by adding the line "alias net-pf-5 appletalk" to the
    /etc/modules.conf file. Issuing the command "modprobe (module)" will
    load the module for the current session.


Q14: Netatalk works over AppleTalk, but my IP connections are refused, even
     though I have enabled them in the configuration files.

A:  If tcp_wrappers support is compiled into Netatalk, access has to be
    granted in /etc/hosts.allow for Netatalk to successfully accept IP
    connections. This can be done by the addition of the line:

      afpd:  127. xxx.xxx.xxx. (whatever other subnets)    
    

Q15: I'm having Quark Express file locking problems, is there information on
     that?

A:  Yes, see the question regarding DID conflicts and the --enable-did= flag. 
    Also, try using the --flock-locks flag. Enabling this code disabled the 
    new byte locking feature. With FLOCK locks, the whole file would be locked. 
    With byte locks, a byte range could be locked without locking the whole
    file.


Q16: I'm getting this error in Quark Express when trying to save a file to
     the server: 'Error Type -50'

A:  Turn off the document preview feature in Quark.


Q17: Does netatalk work with MacOS X?

A:  Yes, but only the most recent versions, and it's still being finalized.
    Versions prior to 1.5Pre7 did NOT work with OS X, although some really
    early versions did (netatalk 1.4+asun?).


Q18: I'm getting an 'Application for this document not found' error on MacOS X.

Q19: I'm getting an 'Error Type -43' error on MacOS X.

A:  Configure with --with-did=last. More info on this flag is given in the 
    DID conflicts question.


Q20: How do I get the directories that are created by Netatalk to have the
     correct permissions by default?

A:  Investigate the setgid bit on your Unix platform. It's a good idea to
    set this on your shared directories, and your .AppleDouble directories.
    From the mail archives: "Usually directories designated for use with
    AppleShare have the setgid (g+s) bit set.  It forces inheritance of
    permissions.  Without it, the .AppleDouble subdirectory can't be created
    since the new folder doesn't necessarily have the same write privileges."

    Information about the setgid bit can be found in Evi Nemeth's 
    "Unix System Administration Handbook" (3rd. ed, chap 5.5, pg. 69):

    "The bits with octal values 4000 and 2000 are the setuid and setgid bits.
    These bits allow programs to access files and processes that would
    otherwise be off-limits to the users that run them. [...] When set on a
    directory, the setgid bit causes newly created files within the directory
    to take on the group membership of the directory rather than the default
    group of the user that created the file. This convention makes it easier
    to share a directory of files among several users, as long as they all
    belong to a common group. Check your system before relying on this
    feature, since not all versions of UNIX provide it. [...] This interpretation
    of the setgid bit is unrelated to its meaning when set on an executable
    file, but there is never any ambiguity as to which meaning is
    appropriate."
    
    NOTE: The setuid is usually discussed along with the setgid bit. The
    setuid bit is VERY dangerous. If you set it on an executable, and the
    executable is owned by root, anyone who runs that executable is root for
    the duration of that executable's run, so a clever person can leverage
    that into a full-scale compromise. The setgid bit also has other security
    implications, so be careful where you set it.
    
    You set it by doing a chmod 2xxx, where xxx are the normal file permissions
    (i.e. owner/group/other permissions).
    

Q21:  What does this error mean:
     'afpd[#####]: setdirmode: chmod .AppleDouble Operation not permitted'

A:  This can be due to a few things.

    1) The setgid bit might not be set on either your directory, or on the
    .AppleDouble directory. It has to be set recursively on the .AppleDouble
    folder.
    
    2) You may not be member of the group set on the directory you're trying
    to write to.
    
    3) This was a persistent bug in 1.5pre6 for a while; upgrading might help.
    
    
Q22: I'm having problems with the Trash folder: either when someone drags
     files into it, the system wants them to delete them immediately, or files
     get stuck in there and won't delete.
    
A:  chmod the Network Trash folder to 2775 (/home/public/Network Trash
    Folder for instance).

    As of 10/16/01, MacOS X trash didn't work properly with afps volumes. 
    Apple is working on it.

Q23: The daemons aren't starting, things aren't showing up in the Chooser,
     and I get a message like this in the logs: afpd[####]: Can't register
     Tests:AFPServer@*

A:  This is sometimes a result of missing NIC information in the atalkd.conf
    file. Put your network interface (something like le0, eth0, fxp0, lo0)
    alone on a line in atalkd.conf, and reboot. When atalkd starts, it will
    populate the file with a line such as:

      le1 -seed -phase 2 -addr 66.6 -net 66-67 -zone "No Parking"

    To find your network interface, run

      % ifconfig -a | more

    and see which interface has your IP address. Use that one.


Q24: I want to be able to allow users to change their passwords.  How do
     I enable this feature?  Every time I try I get an error that it was
     unable to save the password.

A:  Use -[no]setpassword in afpd.conf. This enables or disables the ability of
    clients to change their passwords.


Q25: Can I mount a Mac volume on my Unix machine?

A:  Well, maybe. MacOS X obviously might be able to do this with NFS. 
    Also, there is a program called afpfs which was designed to do this, 
    but is not actively maintained and has reportedly been highly unstable. 
    It should be available from:

      http://www.panix.com/~dfoster/afpfs/

Q26: Can I run Samba and Netatalk together to access the same files?

A:  Sure. Lots of us do. But there are some concerns. Quite often it's 
    useful, for instance, to hide files of one OS from the other. See
    the AppleVolumes.default file in Netatalk, and investigate the veto
    files option in Samba. (See the README.veto file.)

    Also, when copying and moving files created on the Mac, it's better
    to do that from the Mac, rather than from the Unix server or from
    Samba. This is because the .AppleDouble folders hold the resource fork 
    information for the Mac files, plus other attributes which are not 
    normally stored by Unix.
    
    You can also set Netatalk to not create an .AppleDouble directory unless
    it absolutely needs it, by setting the noadouble setting in
    AppleVolumes.default.


Q27: Files I create on my Samba shares are invisible on the Mac side.

A:   Have you checked the AppleVolumes(.default? .system? I don't remember
     which one hides files!) file?

     How long are the file names? Names longer than 31 BYTES (not characters) 
     are not visible on the Mac side. This is because some old MacOS's don't 
     accept long names, and some Finders crash when they encounter them. 
     Therefore Netatalk hides long filenames to prevent crashes. If you
     prefer Netatalk to truncate the names, use the --with-mangling ./configure
     option when compiling Netatalk.

     The BYTES distinction is made because there exist doublebyte fonts too, 
     which limit names to 15 chars.


Q27a: How can I set Netatalk to hide some files created on the Samba 
     (or Unix) sides?

A:   AppleVolumes(.system or .default?) allows you to hide certain files.
     This might be a good thing to set on, say, .cshrc, ssh keys, and
     the like.


Q28: Files I create on my Netatalk shares are invisible on the PC side.

Q28a: How can I set Samba to hide the Netatalk specific files (e.g.
     .AppleDouble).

A:   Check your Samba veto files option in smb.conf. It's often useful
     to hide files like .AppleDouble or the network trash folder here.

     Does the mac file have a \ or / in it? Would this cause Samba to 
     not see the file?


Q29: I compiled Samba with the --with-netatalk flag. What did that do?

A:   Nothing. Some code was written (by a Samba developer?), but as of 
     Fall 2001, Samba doesn't utilize it.


Q30: What about the differences in naming schemes, and legal/illegal
     characters between Windows, Macs, and Unix?

A:   Check out the documentation about the 'mswindows' flag in
     AppleVolumes.default. For instance, having / or \ or : in a name is
     especially bad, as they are path separators on Unix, Windows, and MacOS, 
     respectively. Educating the end user is important for this problem.


Q31: Where can I get the cnid-db (Berkeley DB) software? (needed for
     --with-did=cnid)

A:   First check to see if your Unix has a port or package. If not,
     Berkeley DB is available at:

       http://www.sleepycat.com/download.html

Q32: What about security in Netatalk?

A:   Most of the security for Netatalk must be derived from the
     security of the Unix server on which it runs. Directory permissions,
     valid users, firewalls, IP filters, file integrity checkers, etc.
     are all part of the equation. That said, it is possible to configure
     Netatalk to minimize access, and close potential security holes.

     These two flags are especially important:

       --with-tcp-wrappers: enable TCP wrappers support.

         Enables Wietse Venema's network logger, also known as tcpd or
         LOG_TCP. These programs log the client host name of incoming
         telnet, ftp, rsh, rlogin, finger etc. requests. Security
         options are: access control per host, domain and/or service;
         detection of host name spoofing or host address spoofing;
         booby traps to implement an early-warning system.  TCP
         Wrappers can be gotten at:

           ftp://ftp.porcupine.org/pub/security/

         Note, if you use TCP Wrappers, it would be a good idea to set your
         afpd.conf file to disable DDP, or accept connections only on TCP.
         You can also configure afpd to only run on a certain port, which
         you can then let through your IPFilter.
     
       --with-ssl-dirs=[PATH]: specify path to OpenSSL installation.

         NOTE: This is dependent on the same directory layout as the
         source distribution of OpenSSL. That is, include/ and
         lib/ must be on the same level. Many .rpm formats do not
         have their files laid out in this format.

         The OpenSSL Project is a collaborative effort to develop a
         robust, commercial-grade, full-featured, and Open Source
         toolkit implementing the Secure Sockets Layer (SSL v2/v3)
         and Transport Layer Security (TLS v1) protocols as well as a
         full-strength general purpose cryptography library.

         This is required to enable DHX login support, which
         will encrypt all of the passwords being sent across the
         connection. (Some old Mac clients don't support this, check
         this FAQ for the section on AppleShare clients.)
         Check to see if your Unix has OpenSSL already, or
         get everything at:

           http://www.openssl.org/ 

       --with-libgcrypt-dir=[PATH]: specify path to Libgcrypt installation.

         NOTE: This is dependent on the same directory layout as the
         source distribution of Libgcrypt. That is, include/ and
         lib/ must be on the same level.

         This is required to enable DHX2 login support, which
         will encrypt all of the passwords being sent across the
         connection. (Some old Mac clients don't support this, check
         this FAQ for the section on AppleShare clients.)
         Check to see if your Unix has Libgcrypt already, or
         get everything at:

           http://directory.fsf.org/project/libgcrypt/

    Be aware that on the volumes that are shared, some of the 
    special folders (.AppleDesktop, "Network Trash Folder") get
    assigned. A lot of these get created as world-writable (because that's
    what the Mac clients are expecting them to be) which is often quite
    undesirable from the Unix system administrator's point of view.
    Documenting this behavior could be a somewhat daunting task, but
    highly desirable.
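
    One way to check a shared volume for the world-writable special folders
    described above and for the missing setgid bits from Q20 and Q21, then
    apply the 2775-style mode from Q22. This is an added example, not part of
    the Netatalk distribution; the function names are hypothetical and the
    volume path is passed as an argument.

```shell
#!/bin/sh
# Added example (not Netatalk code): audit and tighten directory
# permissions on a shared volume. Function names are hypothetical.
# Paths containing newlines are not handled (one finding per line).

# audit_volume DIR: print "<TAG> <path>" for each finding.
audit_volume() {
    vol=$1
    if [ ! -d "$vol" ]; then
        echo "audit_volume: not a directory: $vol" >&2
        return 2
    fi
    # Directories writable by "other" with no sticky bit: any local
    # user can create, rename or delete entries there.
    find "$vol" -xdev -type d -perm -0002 ! -perm -1000 -print |
        sed 's/^/WORLD-WRITABLE /'
    # Directories without setgid: new files and .AppleDouble
    # subdirectories will not inherit the share's group (Q20, Q21).
    find "$vol" -xdev -type d ! -perm -2000 -print |
        sed 's/^/NO-SETGID /'
    # setuid/setgid regular files on a file share (see the Q20 NOTE).
    find "$vol" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print |
        sed 's/^/SETID-FILE /'
}

# count_findings TAG DIR: number of findings carrying that tag.
count_findings() {
    audit_volume "$2" | grep -c "^$1 " || true
}

# harden_dirs DIR: add setgid and drop world-write on every directory,
# so a 0777 folder becomes 2775 as Q22 suggests. Set-id files are only
# reported by audit_volume, never changed here.
harden_dirs() {
    find "$1" -xdev -type d -exec chmod g+s,o-w {} +
}

# Stand-alone use: sh audit.sh /path/to/volume
if [ "$#" -gt 0 ]; then
    audit_volume "$1"
fi
```

    After harden_dirs, users need to be members of the directory's group to
    write there, so review the audit output and group memberships first.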

    Shares can be set to be read/write only by certain people and groups.

    The Netatalk code has not been through a major code audit. However,
    it's Open Source, so if you want to do said audit, contact the 
    Netatalk maintainers (which can be done through the SourceForge site).

    Has anyone tried to run Netatalk in a chroot jail? If so, please
    share your experiences with the mailing lists.