netatalk

Configuration

Like Samba, netatalk appears to apply configuration changes without a restart.

Global Configuration

The global configuration defaults work fine. Here are some settings you may want to change, shown with their defaults:

[Global]
zeroconf = yes
log file = /var/log/netatalk.log
log level = info

Volume Configuration

Volumes are added in afp.conf with section headers.

[afp-share]
path = /var/afp/share

To add valid or invalid users, separate them with a space or comma. Group names are prefixed with @.

valid users = user-one @afp-users
invalid users = user-two

Netatalk will use filesystem extended attributes by default to store information about the files.

appledouble = ea

Volume Permissions

Permissions are a little tricky, both in how they are set and in how they appear to work. Here's how to set up a volume share where all files and directories are owned by one group, so that users in this group can read and write.

First, set the setgid bit (the "group sticky bit") on the parent directory (or on all the directories if you are using an existing set of directories):

chmod g+s /var/afp/share

Also set the correct group write permissions:

chmod 2775 /var/afp/share

Next, add this to the afp.conf entry for the volume:

valid users = @afp-users
file perm = 0660
directory perm = 0770

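The permissions set in the configuration file and the ones you'll see on the filesystem from Linux look different. For example, the directory may be set to 2775, and the file to 0664. This is expected: netatalk ORs file perm and directory perm with the permissions the client requests rather than replacing them, and the setgid bit is inherited from the parent directory. The users in the group will still be able to write to it just fine. Note that modes such as 2775 and 0664 leave read access for "other", so local accounts outside the group can still read the share's contents.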
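
An added example, not part of the original page or of netatalk: a shell function that audits a share tree for the layout described above (setgid directories, share group ownership, group write) and also reports world-writable entries such as the .TemporaryItems directory covered under Special Files. The function names, finding labels and demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not netatalk tooling): audit a share tree against the
# group-share layout described above. DIR and GROUP are caller-supplied.

# audit_share DIR GROUP: print one "FINDING path" line per problem, sorted.
audit_share() {
    dir=$1; group=$2
    {
        # Directory without setgid: files created inside keep the creator's
        # primary group instead of inheriting the share group.
        find "$dir" -type d ! -perm -2000 -exec printf 'NO_SETGID %s\n' {} \;
        # Entry owned by a group other than the share group.
        find "$dir" ! -group "$group" -exec printf 'WRONG_GROUP %s\n' {} \;
        # File or directory the share group cannot write to.
        find "$dir" \( -type f -o -type d \) ! -perm -020 \
            -exec printf 'NO_GROUP_WRITE %s\n' {} \;
        # World-writable entry, e.g. a .TemporaryItems directory (3777).
        find "$dir" \( -type f -o -type d \) -perm -002 \
            -exec printf 'WORLD_WRITABLE %s\n' {} \;
    } | LC_ALL=C sort
}

# make_demo_tree: build a constructed sample tree and print the share path.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/share" "$t/share/ok" "$t/share/nosgid" "$t/share/.TemporaryItems"
    chmod 2775 "$t/share" "$t/share/ok"
    chmod 0775 "$t/share/nosgid"; chmod g-s "$t/share/nosgid"  # setgid missing
    chmod 3777 "$t/share/.TemporaryItems"                      # world-writable
    : > "$t/share/ok/good.txt"; chmod 0664 "$t/share/ok/good.txt"
    : > "$t/share/ok/ro.txt";   chmod 0644 "$t/share/ok/ro.txt"  # no group write
    printf '%s\n' "$t/share"
}

# Demo run on the constructed tree, using the caller's own group id,
# then remove the temporary directory again.
demo=$(make_demo_tree) &&
    audit_share "$demo" "$(id -g)" &&
    rm -rf "${demo%/share}"
```

On a real server, call it as audit_share /var/afp/share afp-users; empty output means every entry matches the intended layout.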

Connecting to a share

When connecting to a share from Finder, netatalk will allow you to send the UNIX display name ('User One') or the UNIX username ('userone').

If there is only one share, Finder will automatically connect to that one.

If there are multiple volumes, Finder will only display the ones that the user has permissions to access – either read write or read only.

Reload Configuration

Saving changes to the afp.conf file and exiting will reload the afpd process. Optionally, send the SIGHUP signal via pkill:

pkill --signal SIGHUP afpd

Logs

See logrotate for settings for netatalk. The copytruncate setting needs to be used.

Kernel Configuration

For avahi to work properly, turn on IP Multicasting (CONFIG_IP_MULTICAST).

Firewall

AFP (AFP over TCP) runs on port 548 over TCP.

Avahi needs to multicast on UDP port 5353 to 224.0.0.251.

# AFP over TCP
$iptables -A INPUT -p tcp --dport 548 -j ACCEPT
# Multicast DNS / Avahi
$iptables -A INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
$iptables -A OUTPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT

Special Files

.DS_Store

The .DS_Store file is created by Finder in every directory that it encounters. It stores metadata for Finder about how to display files: order, icon, etc. They can be safely removed.

You can stop OS X from creating them on remote network shares by running this command:

defaults write com.apple.desktopservices DSDontWriteNetworkStores true

You will then need to either log out and back in or restart the OS X computer before the changes take effect.

.TemporaryItems

This directory is created with permissions 3777 when a user unpacks a ZIP archive onto the network share. It is not deleted when the accompanying archive file is removed.

Notes

Samba

If running Samba alongside netatalk, the hostname used for Samba needs to be different. Otherwise, you will see HOSTNAME in caps in Mac OS X's network shares, which replaces the AppleShare connection.

Display connected users

macusers

Server Information

Run asip-status.pl localhost to display what the AFPD supports:

AFP reply from localhost:548
Flags: 1  Cmd: 3  ID: 57005
Reply: DSIGetStatus
Request ID: 57005
Machine type: Netatalk3.0.5
AFP versions: AFP2.2,AFPX03,AFP3.1,AFP3.2,AFP3.3
UAMs: DHX2,DHCAST128
Volume Icon & Mask: Yes
Flags: 
    SupportsCopyFile
    SupportsServerMessages
    SupportsServerSignature
    SupportsTCP/IP
    SupportsSrvrNotifications
    SupportsOpenDirectory
    SupportsUTF8Servername
    SupportsUUIDs
    SupportsExtSleep
    SupportsSuperClient
Server name: nas
Signature:
2b cb 04 4b 00 15 38 ab 75 15 fb 52 a3 23 ca 5f  +..K..8.u..R.#._
                                                  
Network address: 192.168.12.22 (TCP/IP address)
UTF8 Servername: nas