Secure passwords with Netatalk
Being a Mac user, I sometimes want to transfer files between my Mac and my Linux server. The obvious way to do this is AFP, and Debian provides a nice package offering this protocol, named "netatalk".
It is easy to install: enter "apt-get install netatalk" in your root shell.
It is easy to configure too: just add the directories you want to share to /etc/netatalk/AppleVolumes.default, start the service and you're good to go. One thing bothered me, however: while connecting to my server using AFP, after entering my username and password, Mac OS X complained that my password would be sent in cleartext over the network, which I didn't like.
So I looked up a manual on the internet for setting up netatalk (which can be found here: netatalk.sourceforge.net/2.0/htmldocs/configuration.html). There we see that we can load several so-called UAMs (User Authentication Modules) to provide secure authentication. The one we definitely don't want is uams_cleartxt.so; the one we want seems to be uams_dhx.so.
Time to open up /etc/netatalk/afpd.conf, go all the way to the bottom, uncomment the last line and change the -uamlist option so it loads uams_dhx.so and not uams_cleartxt.so (the other options are OK for now). Save the file and restart the service. Try to connect, and suddenly Mac OS X begins to complain about some error -35 or so. After searching for a while I get the clear idea to look in some log files, and /var/log/syslog reveals something like:
----snip----
May 26 21:50:27 myst afpd[10447]: uam: loading (/usr/lib/netatalk/uams_dhx.so)
May 26 21:50:27 myst afpd[10447]: uam: uam not found (status=-1)
May 26 21:50:27 myst afpd[10447]: uam: loading (/usr/lib/netatalk/uams_gss.so)
May 26 21:50:27 myst afpd[10447]: uam: uams_gss.so loaded
May 26 21:50:27 myst afpd[10447]: uam: "Client Krb v2" available
May 26 21:50:27 myst afpd[10447]: Finished parsing Config File
----snip----
After checking /usr/lib/netatalk/ I can confirm that uams_dhx.so doesn't exist there.
Another search on the internet brings me to this page: https://bugs.launchpad.net/debian/+source/netatalk/+bug/26452, and it tells us exactly what we want to know: it seems that because of licensing issues, netatalk is built without SSL support, and thus uams_dhx.so is not available.
So I decide to build the package myself. After creating a directory in /usr/src, I fetch the source using "apt-get source netatalk".
After looking through the debian/rules file I find that if you set a certain build option it should be built with SSL support. After reading debian/README.Debian I know I should set "DEB_BUILD_OPTIONS=ssl", so I put this in the debian/rules file beneath the line "DEB_UPDATE_RCD_PARAMS := defaults 50".
Time to build the package by issuing "dpkg-buildpackage". On my system it complained about some missing dependencies, but I figure you know how to install dependencies.
While dpkg-buildpackage runs you will see the ./configure line pass by; if you edited debian/rules correctly it should say --with-ssl-dir almost at the end of that line.
Get a cup of coffee and wait until your build completes. When it's done, install your newly created deb package by issuing "dpkg -i netatalk_<version>_<arch>.deb". Check /usr/lib/netatalk again: there should be a uams_dhx.so now.
Time to restart netatalk again; in /var/log/syslog you should now see something like:
----snip----
May 26 22:41:54 myst afpd[12962]: uam: loading (/usr/lib/netatalk/uams_dhx.so)
May 26 22:41:54 myst afpd[12962]: uam: uams_dhx.so loaded
May 26 22:41:54 myst afpd[12962]: uam: "DHCAST128" available
May 26 22:41:54 myst afpd[12962]: Finished parsing Config File
----snip----
Congratulations, you've got it working: no more plaintext passwords over the network.
I also noticed some extra services starting with netatalk which I do not use; if you like, you can disable them. Edit your /etc/default/netatalk; somewhere in this file you should see something like "# Set which daemons to run (papd is dependent upon atalkd):". If you only need AFP over TCP, like I do, change it so that it matches the part below:
----snip----
# Set which daemons to run (papd is dependent upon atalkd):
ATALKD_RUN=no
PAPD_RUN=no
CNID_METAD_RUN=no
AFPD_RUN=yes
TIMELORD_RUN=no
A2BOOT_RUN=no
----snip----
This tells netatalk to run only afpd. At this point it is wise to also change /etc/netatalk/afpd.conf; my config line looks like:
----snip----
- -tcp -uamlist uams_dhx.so -nosavepassword
----snip----
This tells afpd to serve AFP over TCP only, to load only uams_dhx.so, and not to offer to save passwords. You can of course change it to match your needs; see man afpd.conf for more options for this file.
Restart netatalk again and you will notice it only runs afpd now. That's it, you're finished. Have fun with it.
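As an added example (not code from the original post), here is a small POSIX shell audit for the two things this walkthrough runs into: it checks whether an afpd.conf line still offers uams_cleartxt.so, checks that every UAM listed in -uamlist actually exists in the module directory, and counts the "uam not found" lines in syslog that betray a missing uams_dhx.so. The sample config and syslog lines are constructed, and the module directory is a parameter so you can point it at /usr/lib/netatalk.

```shell
#!/bin/sh
# Added example, not part of the original post. Sample inputs are constructed below.

# Print the UAM modules named by the first non-comment -uamlist option, one per line.
afpd_uamlist() {
    printf '%s\n' "$1" \
      | grep -v '^[[:space:]]*#' \
      | sed -n 's/.*-uamlist[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' \
      | head -n 1 \
      | tr ',' '\n'
}

# Succeed (exit 0) if the config still offers the cleartext UAM, i.e. the
# password can cross the network unencrypted; fail (exit 1) otherwise.
afpd_allows_cleartext() {
    afpd_uamlist "$1" | grep -qx 'uams_cleartxt\.so'
}

# Print every listed UAM that is missing from module dir $2 (the post's
# /usr/lib/netatalk); exit 0 if all are present, 1 if any is missing.
afpd_missing_uams() {
    _rc=0
    for _m in $(afpd_uamlist "$1"); do
        if [ ! -f "$2/$_m" ]; then
            echo "$_m"
            _rc=1
        fi
    done
    return $_rc
}

# Count afpd "uam not found" lines in a syslog excerpt (the cause behind error -35).
syslog_uam_failures() {
    printf '%s\n' "$1" | grep -c 'afpd\[[0-9]*\]: uam: uam not found' || true
}

# Constructed sample inputs modelled on the post (not captured from a real host).
SAMPLE_CONF_BEFORE='# constructed afpd.conf, cleartext UAM still listed
- -tcp -uamlist uams_dhx.so,uams_cleartxt.so -nosavepassword'
SAMPLE_CONF_AFTER='- -tcp -uamlist uams_dhx.so -nosavepassword'
SAMPLE_SYSLOG='May 26 21:50:27 myst afpd[10447]: uam: loading (/usr/lib/netatalk/uams_dhx.so)
May 26 21:50:27 myst afpd[10447]: uam: uam not found (status=-1)
May 26 21:50:27 myst afpd[10447]: uam: loading (/usr/lib/netatalk/uams_gss.so)
May 26 21:50:27 myst afpd[10447]: uam: uams_gss.so loaded'
# Demonstration on the samples (prints one line per check).
afpd_allows_cleartext "$SAMPLE_CONF_BEFORE" && echo "before: cleartext UAM still offered"
afpd_allows_cleartext "$SAMPLE_CONF_AFTER" || echo "after: cleartext UAM no longer offered"
echo "uam load failures in syslog sample: $(syslog_uam_failures "$SAMPLE_SYSLOG")"
```

To audit a real host, pass "$(cat /etc/netatalk/afpd.conf)" and /usr/lib/netatalk to afpd_missing_uams, and a grep of /var/log/syslog for afpd to syslog_uam_failures.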