Like Samba, netatalk appears to apply configuration changes without a restart.

Global Configuration

The global configuration defaults work fine. Here are some things you may want to change, shown with their defaults:

zeroconf = yes
log file = /var/log/netatalk.log
log level = info

Volume Configuration

Volumes are added in afp.conf with section headers.

path = /var/afp/share

To add valid or invalid users, separate the names with a space or comma. Groups are prefixed with @.

valid users = user-one @afp-users
invalid users = user-two

Netatalk will use filesystem extended attributes by default to store information about the files.

appledouble = ea

Volume Permissions

Permissions are a little tricky, both in how they are set and in how they appear to work. Here's how to set up a volume share where all files and directories are owned by one group, so that users in this group can read and write.

First, set the setgid bit (the "group sticky bit") on the parent directory, so that new files and directories inherit its group (or set it on all the directories if you are using an existing set of directories):

chmod g+s /var/afp/share

Also set the correct group write permissions:

chmod 2775 /var/afp/share

Next, add this to the afp.conf entry for the volume:

valid users = @afp-users
file perm = 0660
directory perm = 0770

The permissions set here in the configuration file and the ones you'll see on the filesystem from Linux look different. For example, the directory may be set to 2775 and the file to 0664. That's fine: the users in the group will still be able to write to it.
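
The following is an added example, not part of the original page: a shell function that checks an existing share tree against the shared-group layout described above and also flags world-writable entries. The function name audit_share is made up for this example; the path and group in the usage comment are the ones used on this page.

```shell
#!/bin/sh
# Added example, not from the original page. audit_share is a made-up name.
# Usage: audit_share DIR GROUP     e.g. audit_share /var/afp/share afp-users
# Prints one "<finding><TAB><path>" line per problem and prints nothing when
# the tree matches the shared-group layout.
audit_share() {
    dir=$1
    group=$2   # group name or numeric GID

    # Directories without the setgid bit: entries created inside them take the
    # creating user's primary group instead of the share's group.
    find "$dir" -type d ! -perm -2000 -exec printf 'no-setgid\t%s\n' {} \;

    # Entries not owned by the share's group: group permissions on them do
    # not apply to the members of that group.
    find "$dir" ! -group "$group" -exec printf 'wrong-group\t%s\n' {} \;

    # World-writable entries (symlinks skipped, their mode is always 777),
    # for example a directory with mode 3777 left on the share.
    find "$dir" ! -type l -perm -0002 -exec printf 'world-writable\t%s\n' {} \;
}
```

Directories reported as no-setgid are fixed with the chmod g+s command shown above; wrong-group and world-writable findings need a chgrp or chmod chosen for that entry.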

Connecting to a share

When connecting to a share from Finder, netatalk will allow you to send the UNIX display name ('User One') or the UNIX username ('userone').

If there is only one share, Finder will automatically connect to that one.

If there are multiple volumes, Finder will only display the ones that the user has permission to access, either read-write or read-only.

Reload Configuration

Making changes to the afp.conf file and exiting will reload the AFPD process. Optionally, send the SIGHUP signal via kill:

pkill --signal SIGHUP afpd


See logrotate for settings for netatalk. The copyrotate setting needs to be used.

Kernel Configuration

For avahi to work properly, turn on IP Multicasting (CONFIG_IP_MULTICAST)


AppleTalk runs on port 548 over TCP.

Avahi needs to multicast on UDP port 5353 to

# AppleTalk
$iptables -A INPUT -p tcp --dport 548 -j ACCEPT
# Multicast DNS / Avahi
$iptables -A INPUT -p udp --dport 5353 -d -j ACCEPT
$iptables -A OUTPUT -p udp --dport 5353 -d -j ACCEPT

Special Files


The .DS_Store file is created by Finder in every directory that it encounters. It stores metadata for Finder about how to display files: order, icon, etc. They can be safely removed.

You can disable OS X from creating them on remote network shares, by running this command:

defaults write DSDontWriteNetworkStores true

You will then need to either log out and back in or restart the OS X computer before the changes take effect.


This directory is created with permissions 3777 when a user unpacks a ZIP archive onto the network share. It is not deleted when the accompanying archive file is removed.



If running Samba alongside netatalk, the hostnames need to be different for Samba. Otherwise, you will see HOSTNAME in caps in Mac OS X's network shares, which replaces the AppleShare connection.

Display connected users

Server Information

Run localhost to display what the AFPD supports:

AFP reply from localhost:548
Flags: 1  Cmd: 3  ID: 57005
Reply: DSIGetStatus
Request ID: 57005
Machine type: Netatalk3.0.5
AFP versions: AFP2.2,AFPX03,AFP3.1,AFP3.2,AFP3.3
Volume Icon & Mask: Yes
Server name: nas
2b cb 04 4b 00 15 38 ab 75 15 fb 52 a3 23 ca 5f  +..K..8.u..R.#._
Network address: (TCP/IP address)
UTF8 Servername: nas