Netatalk Frequently Asked Questions

($Id: FAQ,v 1.9.2.3 2003/11/21 01:54:30 bfernhomberg Exp $)

-----------------------------------------------------------------------------

Q1: Where can I get more information on Netatalk?
Q2: What is this I keep seeing about asun?
Q3: How do I get the most recent version of Netatalk?
Q4: Can I get an almost current version of Netatalk without having to learn
    CVS?
Q5: Is there an RPM, package, or tarball for my platform?
Q6: I can't seem to use passwords longer than 8 characters for my Netatalk
    accounts. How can I fix that?
Q7: I would like to use encrypted passwords to authenticate to the Netatalk
    server. How do I do that?
Q8: How can I set who has access to certain directories?
Q9: What are the .AppleDouble and .Parent directories which are created in
    the Netatalk locations?
Q10: Hidden files - what's up with that?
Q11: I get a "socket: Invalid argument" error when trying to start Netatalk
     under Linux. What is causing this?
Q12: Netatalk works over AppleTalk, but my IP connections are refused, even
     though I have enabled them in the configuration files.
Q13: (removed, deprecated)
Q14: I'm getting this error in Quark Express when trying to save a file to
     the server: 'Error Type -50'
Q15: Does Netatalk work with MacOS X?
Q16: I'm getting an 'Application for this document not found' error on MacOS X.
Q17: I'm getting an 'Error Type -43' error on MacOS X.
Q18: How do I get the directories that are created by Netatalk to have the
     correct permissions by default?
Q19: What does this error mean:
     'afpd[#####]: setdirmode: chmod .AppleDouble Operation not permitted'
Q20: I'm having problems with the Trash folder: either when someone drags
     files into it, the system wants to delete them immediately, or files
     get stuck in there and won't delete.
Q21: The daemons aren't starting, things aren't showing up in the Chooser,
     and I get a message like this in the logs: afpd[####]: Can't register
Q22: I want to be able to allow users to change their passwords. How do
     I enable this feature? Every time I try I get an error that it was
     unable to save the password.
Q23: Can I mount a Mac volume on my Unix machine?
Q24: Can I run Samba and Netatalk together to access the same files?
Q25: Files I create on my Samba shares are invisible on the Mac side.
Q26: How can I set Netatalk to hide some files from the Samba (or
Q27: Files I create on my Netatalk shares are invisible on the PC side.
Q28: How can I set Samba to hide the Netatalk specific files (e.g.
Q29: I compiled Samba with the --with-netatalk flag. What did that do?
Q30: What about the differences in naming schemes, and legal/illegal
     characters between Windows, Macs, and Unix?
Q31: Where can I get the cnid-db (Berkeley DB) software? (needed for
Q32: What about security in Netatalk?

-----------------------------------------------------------------------------

Q1: Where can I get more information on Netatalk?

A: Netatalk's home page can be found at:

   http://netatalk.sourceforge.net/

Netatalk is maintained at SourceForge. The Netatalk project page on
SourceForge is located at:

   http://sourceforge.net/projects/netatalk/

There are (at least) three very active e-mail lists to which you can
subscribe. The first, netatalk-admins, is for usage and setup/compile
questions. Subscription information as well as an archive are available at:

   http://lists.sourceforge.net/lists/listinfo/netatalk-admins

This can be very high volume, but is usually a few messages a day.

The netatalk-devel list is more specific to coding and testing. The archive
and more information can be found at:

   http://lists.sourceforge.net/lists/listinfo/netatalk-devel

This list varies in volume, but is usually moderately active.

Netatalk-docs is specific to documentation. For more information see:

   http://lists.sourceforge.net/mailman/listinfo/netatalk-docs

There are other Netatalk information sites. Some of these are no
longer actively updated, some are site-specific, but still have

   http://www.anders.com/projects/netatalk/
   http://www.faredge.com.au/netatalk/index.html

Q2: What is this I keep seeing about asun?

A: Before Netatalk moved to SourceForge, Adrian Sun (asun) had written
some patches to Netatalk which helped significantly with its usability,
especially using AppleShare IP. These patches are still provided by many
Unix vendors. All of these patches are included in the current SourceForge

Q3: How do I get the most recent version of Netatalk?

A: Via CVS from SourceForge.net. This is the actively maintained version
of Netatalk; changes are being made constantly, and therefore it is not
suitable for production environments. The Netatalk at SourceForge is in
Beta, so keep that in mind.

To create the CVS tree - from the directory you want to use as your CVS

   % cvs -d:pserver:anonymous@cvs.netatalk.sf.net:/cvsroot/netatalk login

   hit <enter> at the Password: prompt

   % cvs -d:pserver:anonymous@cvs.netatalk.sf.net:/cvsroot/netatalk co netatalk

This will create a netatalk subdirectory, and check out all of the files.
If you run this same command subsequently, you will update any files which
have changed (on the CVS server) since your last checkout.

Once you've done that, read the INSTALL file in the netatalk/ directory,
plus the CONFIGURE file. If you're installing from CVS, you'll most likely
need to have some supplementary software installed, such as gmake. Some
systems work fine with make. Additional information can be found in doc/.

The main things to know, though, are these: you must run

   % ./autogen.sh

in the netatalk/ directory first, in order to create your configure file.
Then run

   % ./configure --help | more

in order to get a feel for which compile flags are available. Some of these
flags are summarized below, some are summarized in the INSTALL file, and
some have individual README files.

To learn more about CVS, good places to start are:

   http://www.cvshome.org
   http://www.cvshome.org/docs/manual
   http://www.cvshome.org/form/form.cgi (this is the FAQ)

There are GUI CVS systems for Windows and MacOS. Search on SourceForge for

Q4: Can I get an almost current version of Netatalk without having to learn CVS?

A: Yes. Daily snapshots of the CVS tree should be posted for the benefit of
those that don't want to / can't use CVS. They are available at:

   http://www.marcuscom.com/netatalk/nightly/

You should be able to treat these images as you would a release. Just
configure as you normally would, then run make (or gmake as the case may
be). There is no need to run autogen.sh on these images.

Q5: Is there an RPM, package, or tarball for my platform?

A: Perhaps. These vary in how often they're updated:

   port: /usr/ports/net/netatalk - maintained by Joe Clark
   included in the distribution
   port: /usr/ports/net/netatalk/ - not actively maintained
   included in all current distributions
   included in the distribution

Q6: I can't seem to use passwords longer than 8 characters for my Netatalk
accounts. How can I fix that?

Q7: I would like to use encrypted passwords to authenticate to the Netatalk
server. How do I do that?

A: Update to a newer version of the AppleShare Client (I think the most
recent is 3.8.8). This allows longer passwords, and will allow you to
use encrypted passwords. Set which way you would like to authenticate
in either afpd.conf or netatalk.conf, depending on your setup.

For more information on the AppleShare Client from Apple, and which clients
are needed for which MacOS, see

   http://til.info.apple.com/techinfo.nsf/artnum/n60792?OpenDocument&software

(this site requires cookies, and a registration and sign-in).

Q8: How can I set who has access to certain directories?

A: You can certainly do this with your Unix permissions, but also explore the
allow/deny/rwlist/rolist options in the AppleVolumes.default file:

   # allow/deny/rwlist/rolist format [syntax: allow:user1,@group]:
   # user1,@group,user2 -> allows/denies access from listed users/groups
   # rwlist/rolist control whether or not the
   # volume is ro for those users.

Also, some Unices, especially FreeBSD, have other options:

"What about file and directory permissions? Since I didn't use the FORCE
UID/GID code, I decided to use a feature of FreeBSD called SUIDDIR. From
the LINT kernel config file:

   # If you are running a machine just as a fileserver for PC and MAC
   # users, using SAMBA or Netatalk, you may consider setting this option
   # and keeping all those users' directories on a filesystem that is
   # mounted with the suiddir option. This gives new files the same
   # ownership as the directory (similar to group). It's a security hole
   # if you let these users run programs, so confine it to file-servers
   # (but it'll save you lots of headaches in those cases). Root owned
   # directories are exempt and X bits are cleared. The suid bit must be
   # set on the directory as well; see chmod(1) PC owners can't see/set
   # ownerships so they keep getting their toes trodden on. This saves
   # you all the support calls as the filesystem it's used on will act as
   # they expect: "It's my dir so it must be my file".

And the associated mount command:

   mount -o suiddir /dev/da2s1e /macvol/artfiles

This was used on my dedicated Netatalk/Samba filesystems. On
filesystems that were also used for interactive shell access, I chmod'd
my Netatalk shares 2770. The reason for this is that I set up a UNIX
group for each department in the ad agency. I had an art group, a media
group, an accounting group, and then, of course, a general staff group.
Each share was only allowed access by the group that needed to access
the share. So, the Artfiles share allowed access only to the art group:

   /macvol/artfiles "Art Files" allow:@art

And the others followed in kind. Therefore, the 2770 mask allowed only
owners and people in the associated group access to read and write
files. The leading 2 set the setgid bit so that all child files and
directories would retain the same group permissions. I found this to

Q9: What are the .AppleDouble and .Parent directories which are created in
the Netatalk locations?

A: See the README.veto file in this directory.

The .AppleDouble folders hold the resource fork information for the Mac
files, plus other attributes which are not normally stored by Unix. For
this reason, when you want to move files around in your Mac volumes, it's
a good idea to do it from the Mac side (as opposed to from the Unix side,
or Samba), unless you make absolutely sure you get the .AppleDouble
directories. These directories are often hidden from the Samba side, via
the veto files configuration.

You can also set Netatalk to not create an .AppleDouble directory unless
it absolutely needs it, by setting the noadouble setting in
AppleVolumes.default.

Q10: Hidden files - what's up with that?

A: If you set the noadouble flag in AppleVolumes.default, you won't see
the .Apple* or .Parent directories on the Mac side. If you use the veto
files option in Samba, they may be hidden from the Windows side as well.
(More information in the Samba section, and in the README.veto file in

Q11: I get a "socket: Invalid argument" error when trying to start Netatalk
under Linux. What is causing this?

A: The "appletalk" and "ipddp" kernel modules have to be installed under
Linux for Netatalk to function. The appletalk module can be automatically
loaded by adding the line "alias net-pf-5 appletalk" to the
/etc/modules.conf file. Issuing the command "modprobe (module)" will
load the module for the current session.

Q12: Netatalk works over AppleTalk, but my IP connections are refused, even
though I have enabled them in the configuration files.

A: If tcp_wrappers support is compiled into Netatalk, access has to be
granted in /etc/hosts.allow for Netatalk to successfully accept IP
connections. This can be done by the addition of a line such as:

   afpd: 127. xxx.xxx.xxx. (whatever other subnets)

Q13: (removed, deprecated)

Q14: I'm getting this error in Quark Express when trying to save a file to
the server: 'Error Type -50'

A: Turn off the document preview feature in Quark.

Q15: Does Netatalk work with MacOS X?

A: Yes, but only the most recent versions, and it's still being finalized.
Versions prior to 1.5Pre7 did NOT work with OS X, although some really
early versions did (netatalk 1.4+asun?).

Q16: I'm getting an 'Application for this document not found' error on MacOS X.

Q17: I'm getting an 'Error Type -43' error on MacOS X.

A: Configure with --with-did=last. More info on this flag is given in the
DID conflicts question.

Q18: How do I get the directories that are created by Netatalk to have the
correct permissions by default?

A: Investigate the setgid bit on your Unix platform. It's a good idea to
set this on your shared directories, and your .AppleDouble directories.
From the mail archives: "Usually directories designated for use with
AppleShare have the setgid (g+s) bit set. It forces inheritance of
permissions. Without it, the .AppleDouble subdirectory can't be created
since the new folder doesn't necessarily have the same write privileges."

Information about the setgid bit can be found in Evi Nemeth's
"Unix System Administration Handbook" (3rd ed., chap. 5.5, pg. 69):

"The bits with octal values 4000 and 2000 are the setuid and setgid bits.
These bits allow programs to access files and processes that would
otherwise be off-limits to the users that run them. [...] When set on a
directory, the setgid bit causes newly created files within the directory
to take on the group membership of the directory rather than the default
group of the user that created the file. This convention makes it easier
to share a directory of files among several users, as long as they all
belong to a common group. Check your system before relying on this
feature, since not all versions of UNIX provide it. [...] This interpretation
of the setgid bit is unrelated to its meaning when set on an executable
file, but there is never any ambiguity as to which meaning is

NOTE: The setuid bit is usually discussed along with the setgid bit. The
setuid bit is VERY dangerous. If you set it on an executable, and the
executable is owned by root, anyone who runs that executable is root for
the duration of that executable's run, so a clever person can leverage
that into a full-scale compromise. The setgid bit also has other security
implications, so be careful where you set it.

You set it by doing a chmod 2xxx, where xxx are the normal file permissions
(i.e. owner/group/other permissions).

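The setgid-directory setup that Q8's 2770 shares and this answer describe, as an added shell example that is not part of the Netatalk FAQ: it creates a group-owned share with mode 2770 and then checks that a folder created inside it (as the Finder would) inherits both the group and the setgid bit, which is the property the .AppleDouble creation depends on. The share path, the group used (the caller's primary group), and the function names are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not part of the Netatalk FAQ): prepare a department share as
# Q8 and Q18 describe (group-owned, mode 2770 so the setgid bit makes new
# files and folders inherit the group) and verify the inheritance before the
# share is handed to Netatalk. Paths and the group are demo assumptions; the
# user running this must belong to the chosen group.

# Create the share, hand it to the department group and set 2770:
# setgid on the directory, rwx for owner and group, nothing for others.
setup_share() {            # $1 = share path, $2 = group name or numeric gid
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 2770 "$1"
}

# Numeric group id of a path via ls -ldn (portable across GNU and BSD,
# unlike the differing stat(1) flags).
gid_of() {
    ls -ldn "$1" | awk '{ print $4 }'
}

# Return 0 when the share shows the expected drwxrws--- mode, 1 otherwise.
check_mode() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwxrws---" ]
}

# Return 0 when a folder created inside the share picks up both the share's
# group and the setgid bit (so its own children inherit too), 1 otherwise.
check_inheritance() {      # $1 = share path
    mkdir -p "$1/New Folder"
    [ "$(gid_of "$1/New Folder")" = "$(gid_of "$1")" ] || return 1
    [ -g "$1/New Folder" ] || return 1
    return 0
}

# Demo run on a temporary share owned by the caller's primary group
# (constructed; a real share would use the department group, e.g. @art).
demo() {
    dir=$(mktemp -d)
    setup_share "$dir/artfiles" "$(id -g)"
    if check_mode "$dir/artfiles" && check_inheritance "$dir/artfiles"; then
        echo "share ok: new folders inherit the group and the setgid bit"
    else
        echo "share NOT ok: check the filesystem and the group membership"
    fi
    rm -rf "$dir"
}
demo
```

Run it as the user who will own the share; if check_inheritance fails on your platform, that is the "check your system before relying on this feature" caveat from the handbook quote above, and the .AppleDouble error in Q19 is the symptom you would see from afpd.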
Q19: What does this error mean:
'afpd[#####]: setdirmode: chmod .AppleDouble Operation not permitted'

A: This can be due to a few things.

1) The setgid bit might not be set on either your directory, or on the
   .AppleDouble directory. It has to be set recursively on the .AppleDouble

2) You may not be a member of the group set on the directory you're trying

3) This was a persistent bug in 1.5pre6 for a while; upgrading might help.

Q20: I'm having problems with the Trash folder: either when someone drags
files into it, the system wants to delete them immediately, or files
get stuck in there and won't delete.

A: chmod the Network Trash folder to 2775 (/home/public/Network Trash
Folder for instance).

As of 10/16/01, MacOS X trash didn't work properly with AFP volumes.
Apple is working on it.

Q21: The daemons aren't starting, things aren't showing up in the Chooser,
and I get a message like this in the logs: afpd[####]: Can't register

A: This is sometimes a result of missing NIC information in the atalkd.conf
file. Put your network interface (something like le0, eth0, fxp0, lo0)
alone on a line in atalkd.conf, and reboot. When atalkd starts, it will
populate the file with a line such as:

   le1 -seed -phase 2 -addr 66.6 -net 66-67 -zone "No Parking"

To find your network interface, run

and see which interface has your IP address. Use that one.

Q22: I want to be able to allow users to change their passwords. How do
I enable this feature? Every time I try I get an error that it was
unable to save the password.

A: Use -[no]setpassword in afpd.conf. This enables or disables the ability of
clients to change their passwords.

Q23: Can I mount a Mac volume on my Unix machine?

A: Well, maybe. MacOS X obviously might be able to do this with NFS.
Also, there is a program called afpfs which was designed to do this,
but it is not actively maintained and has reportedly been highly unstable.
It should be available from:

   http://www.panix.com/~dfoster/afpfs/

Q24: Can I run Samba and Netatalk together to access the same files?

A: Sure. Lots of us do. But there are some concerns. Quite often it's
useful, for instance, to hide files of one OS from the other. See
the AppleVolumes.default file in Netatalk, and investigate the veto
files option in Samba. (See the README.veto file.)

Also, when copying and moving files created on the Mac, it's better
to do that from the Mac, rather than from the Unix server or from
Samba. This is because the .AppleDouble folders hold the resource fork
information for the Mac files, plus other attributes which are not
normally stored by Unix.

You can also set Netatalk to not create an .AppleDouble directory unless
it absolutely needs it, by setting the noadouble setting in
AppleVolumes.default.

Q25: Files I create on my Samba shares are invisible on the Mac side.

A: Have you checked the AppleVolumes (.default? .system? I don't remember
which one hides files!) file?

How long are the file names? Names longer than 31 BYTES (not characters)
are not visible on the Mac side. This is because some old MacOS's don't
accept long names, and some Finders crash when they encounter them.
Therefore Netatalk hides long filenames to prevent crashes. If you
prefer Netatalk to truncate the names, use the --with-mangling ./configure
option when compiling Netatalk.

The BYTES distinction is made because there exist double-byte fonts too,
which limit names to 15 characters.

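Finding the names that this 31-byte limit hides, as an added shell example that is not part of the Netatalk FAQ: it lists the entries under a share whose names exceed 31 bytes, measured in bytes as the answer specifies, and the constructed sample share includes a 32-byte name made of 16 two-byte UTF-8 characters to show why bytes and characters are not the same thing. The share path and the function names are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not part of the Netatalk FAQ): report the entries in a share
# whose names are longer than 31 bytes, the length above which the FAQ says
# Netatalk hides a file from Mac clients. Lengths are counted in bytes, not
# characters, so multi-byte names hit the limit sooner. The share path and
# the sample names are constructed for the demo.

LIMIT=31

# Byte length of a name (wc -c counts bytes; tr strips BSD wc's padding).
name_bytes() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# Print one "<bytes> <name>" line per entry directly under the share whose
# name exceeds LIMIT bytes. Returns 0 if any were found, 1 otherwise.
find_long_names() {        # $1 = share directory
    found=1
    for path in "$1"/* "$1"/.[!.]*; do
        [ -e "$path" ] || continue         # unmatched glob stays literal
        name=${path##*/}
        n=$(name_bytes "$name")
        if [ "$n" -gt "$LIMIT" ]; then
            printf '%s %s\n' "$n" "$name"
            found=0
        fi
    done
    return $found
}

# Number of over-limit names, for use from other scripts.
count_long_names() {       # $1 = share directory
    find_long_names "$1" | wc -l | tr -d ' '
}

# Constructed sample share: a 31-byte name (visible on the Mac), a 32-byte
# name (hidden) and a 16-character name of two-byte characters (32 bytes,
# hidden although it is only 16 characters long).
make_sample_share() {      # $1 = directory to populate
    mkdir -p "$1"
    : > "$1/abcdefghijklmnopqrstuvwxyz12345"     # 31 bytes
    : > "$1/abcdefghijklmnopqrstuvwxyz123456"    # 32 bytes
    e_acute=$(printf '\303\251')                 # "e" with acute accent, 2 bytes in UTF-8
    sixteen=""
    i=0
    while [ "$i" -lt 16 ]; do sixteen="$sixteen$e_acute"; i=$((i + 1)); done
    : > "$1/$sixteen"                            # 16 characters, 32 bytes
}

demo() {
    dir=$(mktemp -d)
    make_sample_share "$dir/share"
    find_long_names "$dir/share" || echo "no names over $LIMIT bytes"
    rm -rf "$dir"
}
demo
```

Point it at a real share directory (one level only, by design) to list exactly which entries Netatalk will hide; renaming those, or building with --with-mangling as the answer says, makes them visible again.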
Q26: How can I set Netatalk to hide some files created on the Samba

A: AppleVolumes (.system or .default?) allows you to hide certain files.
This might be a good thing to set on, say, .cshrc, ssh keys, and

Q27: Files I create on my Netatalk shares are invisible on the PC side.

Q28: How can I set Samba to hide the Netatalk specific files (e.g.

A: Check your Samba veto files option in smb.conf. It's often useful
to hide files like .AppleDouble or the network trash folder here.

Does the Mac file have a \ or / in it? Would this cause Samba to

Q29: I compiled Samba with the --with-netatalk flag. What did that do?

A: Nothing. Some code was written (by a Samba developer?), but as of
Fall 2001, Samba doesn't utilize it.

Q30: What about the differences in naming schemes, and legal/illegal
characters between Windows, Macs, and Unix?

A: Check out the documentation about the 'mswindows' flag in
AppleVolumes.default. For instance, having / or \ or : in a name is
especially bad, as they are path separators on Unix, Windows, and MacOS,
respectively. Educating the end user is important for this problem.

Q31: Where can I get the cnid-db (Berkeley DB) software? (needed for

A: First check to see if your Unix has a port or package. If not,
Berkeley DB is available at:

   http://www.sleepycat.com/download.html

Q32: What about security in Netatalk?

A: Most of the security for Netatalk must be derived from the
security of the Unix server on which it runs. Directory permissions,
valid users, firewalls, IP filters, file integrity checkers, etc.
are all part of the equation. That said, it is possible to configure
Netatalk to minimize access, and close potential security holes.

These two flags are especially important:

--with-tcp-wrappers: enable TCP wrappers support.

   Enables Wietse Venema's network logger, also known as tcpd or
   LOG_TCP. These programs log the client host name of incoming
   telnet, ftp, rsh, rlogin, finger etc. requests. Security
   options are: access control per host, domain and/or service;
   detection of host name spoofing or host address spoofing;
   booby traps to implement an early-warning system. TCP
   Wrappers can be gotten at:

      ftp://ftp.porcupine.org/pub/security/

   Note, if you use TCP Wrappers, it would be a good idea to set your
   afpd.conf file to disable DDP, or accept connections only on TCP.
   You can also configure afpd to only run on a certain port, which
   you can then let through your IPFilter.

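How the hosts.allow line from Q12 and the TCP Wrappers flag above behave in practice, as an added shell example that is not part of the Netatalk FAQ or of tcp_wrappers itself: a simplified emulation of tcpd's hosts_access evaluation, run over constructed hosts.allow and hosts.deny files so an administrator can check which client addresses reach afpd before relying on the rules. The 192.168.10. subnet stands in for the FAQ's xxx.xxx.xxx. placeholder, the function names are assumptions, and only the syntax the FAQ uses is implemented (real tcpd understands much more). It also shows why the trailing dot in a prefix pattern matters.

```shell
#!/bin/sh
# Added example (not part of the Netatalk FAQ or of tcp_wrappers): emulate
# how tcpd evaluates /etc/hosts.allow and /etc/hosts.deny for afpd, so a rule
# set can be checked against sample client addresses. Supported subset only:
# "daemon: pattern pattern ..." lines, the ALL wildcard, exact addresses and
# the "n.n.n." trailing-dot prefix form from hosts_access(5).

# Return 0 when one client pattern matches the client address.
match_pattern() {          # $1 = pattern, $2 = client address
    case $1 in
        ALL) return 0 ;;
        *.)  case $2 in "$1"*) return 0 ;; esac ;;  # prefix match, dot included
        *)   [ "$1" = "$2" ] && return 0 ;;         # otherwise an exact address
    esac
    return 1
}

# Return 0 when any rule in a hosts file covers this daemon and client.
rules_match() {            # $1 = daemon, $2 = client, $3 = hosts file
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac     # skip blanks and comments
        daemons=${line%%:*}
        clients=${line#*:}
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            [ "$d" = "$1" ] || [ "$d" = ALL ] || continue
            for c in $(printf '%s' "$clients" | tr ',' ' '); do
                match_pattern "$c" "$2" && return 0
            done
        done
    done < "$3"
    return 1
}

# tcpd order: a hosts.allow match grants, then a hosts.deny match refuses,
# and a client listed in neither file is allowed.
hosts_access() {           # $1 = daemon, $2 = client, $3 = allow file, $4 = deny file
    rules_match "$1" "$2" "$3" && return 0
    rules_match "$1" "$2" "$4" && return 1
    return 0
}

# Constructed sample files: the FAQ's hosts.allow line with 192.168.10. in
# place of the xxx.xxx.xxx. placeholder, and a hosts.deny refusing everyone
# else (without it, unlisted clients would still get in).
write_sample_files() {     # $1 = directory to write into
    printf 'afpd: 127. 192.168.10.\n' > "$1/hosts.allow"
    printf 'ALL: ALL\n' > "$1/hosts.deny"
}

demo() {
    dir=$(mktemp -d)
    write_sample_files "$dir"
    for client in 127.0.0.1 192.168.10.7 192.168.100.7 10.1.2.3; do
        if hosts_access afpd "$client" "$dir/hosts.allow" "$dir/hosts.deny"; then
            echo "$client: allowed"
        else
            echo "$client: refused"
        fi
    done
    rm -rf "$dir"
}
demo
```

Note that 192.168.100.7 is refused even though 192.168.10. is allowed: the pattern is compared dot-for-dot, so the trailing dot keeps a /24 prefix from silently matching neighbouring networks. Without the ALL: ALL line in hosts.deny, every address not named in hosts.allow would be admitted, which is the failure mode to check for first when IP connections behave unexpectedly.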
--with-ssl-dirs=[PATH]: specify path to OpenSSL installation.

   NOTE: This is dependent on the same directory layout as the
   source distribution of OpenSSL. That is: include/ and
   lib/ are on the same level. Many .rpm formats do not
   have their files laid out in this format.

   The OpenSSL Project is a collaborative effort to develop a
   robust, commercial-grade, full-featured, and Open Source
   toolkit implementing the Secure Sockets Layer (SSL v2/v3)
   and Transport Layer Security (TLS v1) protocols as well as a
   full-strength general purpose cryptography library.

   This is required to enable DHX login support, which
   will encrypt all of the passwords being sent across the
   connection. (Some old Mac clients don't support this; check
   this FAQ for the section on AppleShare clients.)

   Check to see if your Unix has OpenSSL already, or

      http://www.openssl.org/

Be aware that on the volumes that are shared, some of the
special folders (.AppleDesktop, "Network Trash Folder") get
assigned. A lot of these get created as world-writable (because that's
what the Mac clients are expecting them to be) which is often quite
undesirable from the Unix system administrator's point of view.
Documenting this behavior could be a somewhat daunting task, but

Shares can be set to be read/write only by certain people and groups.

The Netatalk code has not been through a major code audit. However,
it's Open Source, so if you want to do said audit, contact the
Netatalk maintainers (which can be done through the SourceForge site).

Has anyone tried to run Netatalk in a chroot jail? If so, please
share your experiences with the mailing lists.