OpenWrt Forum Archive

Topic: Netatalk AFP with authentication

The content of this topic has been archived on 3 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi everyone,
I would like to get afpd to work to serve files to my mac. It works with guest login, but I would like to use password authentication.
The configuration files:

/etc/netatalk/AppleVolumes.default:

-
/mnt/backup TimeMachine allow:root,afpuser cnidscheme:dbd options:tm

/etc/netatalk/afpd.conf:

- -noddp -uampath /usr/lib/uams -uamlist uams_guest.so,uams_passwd.so,uams_dhx_passwd.so,uams_randnum.so -passwdfile /etc/netatalk/afppasswd -savepassword -passwdminlen 0 -nosetpassword -defaultvol /etc/netatalk/AppleVolumes.default -systemvol /etc/netatalk/AppleVolumes.system -nouservol -guestname "nobody" -sleep 1 -icon

I set up /etc/netatalk/afppasswd with
afppasswd -c

and also changed the passwords for root and afpuser afterwards, with no success. Any ideas?

I used AFP on Debian a long time ago, with regular *nix accounts (user1, user2, and user3) though:

#/etc/netatalk/AppleVolumes.default
/mnt/share "share" allow:user1,user2,user3 rwlist:user1,user2,user3

# /etc/netatalk/afpd.conf
- -transall -uamlist uams_dhx.so -nosavepassword -noddp

Check out http://afp548.com/ too

I'm not sure if this applies to openwrt too, but I had an AFP installation on Debian some time ago; with the default package only cleartext authentication was possible (which newer OS X versions do not like). For encrypted authentication I needed to compile netatalk myself. I think it was because of the way OpenSSL is linked to netatalk, which results in licence incompatibilities. Just check if openssl (libssl) is a dependency of netatalk.

(Last edited by eleon216 on 31 May 2011, 10:11)

Thanks for your help!
libopenssl got installed:
netatalk depends on:
    libdb47
    libgcrypt
    libopenssl
    librpc

ls /usr/lib/uams shows:
uams_dhx_passwd.so  uams_guest.so       uams_passwd.so      uams_randnum.so

I read cleartext passwords aren't supported since Mac OS 10.5

edit: I enabled logging, here is the output:

May 31 12:03:20.888661 afpd[6910] {dsi_tcp.c:209} (I:DSI): AFP/TCP session from 192.168.2.130:62160
May 31 12:03:20.892752 afpd[6910] {uams_dhx_passwd.c:112} (I:UAMS): dhx login: afpuser
May 31 12:03:20.893933 afpd[6910] {uams_dhx_passwd.c:118} (I:UAMS): no shadow passwd entry for afpuser

edit2: compiled netatalk with --without-shadow; output is now:

May 31 15:23:56.712982 afpd[7637] {uams_dhx_passwd.c:112} (I:UAMS): dhx login: afpuser
May 31 15:23:56.728271 afpd[7637] {afp_dsi.c:89} (I:AFPDaemon): 0.18KB read, 0.12KB written
May 31 15:23:56.731953 afpd[7622] {server_child.c:389} (I:Default): server_child[1] 7637 done


still without luck :(
edit: passwords got messed up; it kinda works now but still needs more configuration in avahi

(Last edited by stevo on 31 May 2011, 15:23)

Hi all,

I lost several days poking around with netatalk and avahi.
Is there anybody who got a netatalk/avahi setup running with authentication with Mac OS X?
Guest login I got working, but I need the authentication. Every combination I try results in "wrong password" .. tried passwd, afppasswd, shadow, randnum, dhx, dhx2...

I got it working!!!
After removing one weird option in afp.service it works now. With authentication. At the moment I am not sure which type of authentication is used, but since it takes several seconds for the login, I assume it is dhx/dhx2..
This evening I will try around a bit and reduce the configuration to the absolute minimum. After that I will write a howto for netatalk/avahi with authentication and Time Machine usage for Mac OS X.

Could you provide your afpd.conf? I played around with authentication when I integrated netatalk in my build, but couldn't get it working for some reason. Tried dhx, dhx2 and randnum.

mag81 wrote:

I got it working!!!
After removing one weird option in afp.service it works now. With authentication. At the moment I am not sure which type of authentication is used, but since it takes several seconds for the login, I assume it is dhx/dhx2..
This evening I will try around a bit and reduce the configuration to the absolute minimum. After that I will write a howto for netatalk/avahi with authentication and Time Machine usage for Mac OS X.

Did you manage to get netatalk and avahi working? Any info would be greatly appreciated.

This is on trunk r29501

yourlogin is a placeholder for your user account.


/etc/netatalk/afpd.conf (I think this is the default)

- -noddp -uampath /usr/lib/uams -uamlist uams_guest.so,uams_passwd.so,uams_dhx_passwd.so,uams_randnum.so,uams_dhx2.so -passwdfile /etc/netatalk/afppasswd -savepassword -passwdminlen 0 -nosetpassword -defaultvol /etc/netatalk/AppleVolumes.default -systemvol /etc/netatalk/AppleVolumes.system -nouservol -guestname "nobody" -sleep 1 -icon

/etc/netatalk/AppleVolumes.default

-
/tmp Temp allow:root,nobody,yourlogin options:upriv,usedots cnidscheme:dbd
/mnt/terminus Terminus allow:root,nobody,yourlogin options:upriv,usedots cnidscheme:dbd

add in /etc/passwd (<encrypted password> is a placeholder for your actual encrypted password; copy the one from root until you are sure it works...)

lg:<encrypted password>:10000:10000:GECOS:/home/yourlogin:/bin/ash

in /etc/group

yourlogin:x:10000:

You obviously need to create the home directory and make sure the user owns it, as you would when manually creating a user home directory.

I also think you need to touch /etc/netatalk/afppasswd even though the passwords come from the shell accounts. It can be left empty.

touch /etc/netatalk/afppasswd

Seems to work, if I haven't forgotten anything...
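To make the setup above checkable before connecting a client, here is an added example (not from this thread and not part of the netatalk project): a small Python audit that parses the afpd.conf option string, the AppleVolumes entries and /etc/passwd, then reports the things that cost people in this thread time: guest and cleartext UAMs in -uamlist, a missing DHX/DHX2 UAM, and allow: users that have no shell account or a locked password field. The sample file contents are constructed from the configs quoted in the posts, the password hash is a placeholder, and the ":DEFAULT:" handling is a simplified model of netatalk's behaviour.

```python
import shlex

# DHX family UAMs: the challenge/response modules recent Mac clients require.
DHX_UAMS = {"uams_dhx.so", "uams_dhx_passwd.so", "uams_dhx_pam.so",
            "uams_dhx2.so", "uams_dhx2_passwd.so", "uams_dhx2_pam.so"}

# Constructed samples based on the files quoted in this thread; the password
# field of "yourlogin" is a placeholder, not a real hash.
AFPD_CONF = """\
# /etc/netatalk/afpd.conf
- -noddp -uampath /usr/lib/uams -uamlist uams_guest.so,uams_passwd.so,uams_dhx_passwd.so,uams_randnum.so,uams_dhx2.so -passwdfile /etc/netatalk/afppasswd -savepassword -passwdminlen 0 -nosetpassword -defaultvol /etc/netatalk/AppleVolumes.default -systemvol /etc/netatalk/AppleVolumes.system -nouservol -guestname "nobody" -sleep 1 -icon
"""
APPLE_VOLUMES = """\
-
/tmp Temp allow:root,nobody,yourlogin options:upriv,usedots cnidscheme:dbd
/mnt/terminus Terminus allow:root,nobody,yourlogin options:upriv,usedots cnidscheme:dbd
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/ash
nobody:*:65534:65534:nobody:/var:/bin/false
yourlogin:<encrypted password>:10000:10000:GECOS:/home/yourlogin:/bin/ash
"""


def parse_afpd_conf(text):
    """One server per non-comment line: server name ('-' = hostname), then
    -options. An option followed by a token not starting with '-' takes it
    as its value; otherwise it is a bare flag stored as True."""
    servers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        name, opts, i = tokens[0], {}, 1
        while i < len(tokens):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                opts[tokens[i]] = True
                i += 1
        servers.append((name, opts))
    return servers


def _settings(tokens):
    """'key:value' tokens -> dict; allow and options become lists."""
    out = {}
    for tok in tokens:
        key, _, value = tok.partition(":")
        out[key] = value.split(",") if key in ("allow", "options") else value
    return out


def parse_apple_volumes(text):
    """Volume lines -> dicts with path, name and merged settings. A ':DEFAULT:'
    line sets defaults for the lines after it (simplified); the bare '-'
    home-directory line is skipped."""
    volumes, defaults = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "-":
            continue
        tokens = shlex.split(line)
        if tokens[0] == ":DEFAULT:":
            defaults = _settings(tokens[1:])
            continue
        path, rest = tokens[0], tokens[1:]
        if rest and ":" not in rest[0]:          # explicit volume name
            name, rest = rest[0], rest[1:]
        else:                                    # name defaults to last path part
            name = path.rstrip("/").rsplit("/", 1)[-1]
        settings = dict(defaults)
        settings.update(_settings(rest))
        volumes.append({"path": path, "name": name, "settings": settings})
    return volumes


def parse_passwd(text):
    """/etc/passwd text -> {login: password field}."""
    users = {}
    for raw in text.splitlines():
        fields = raw.split(":")
        if len(fields) >= 7:
            users[fields[0]] = fields[1]
    return users


def audit(afpd_conf, apple_volumes, passwd):
    """Cross-check the three files; return a list of human-readable findings."""
    findings, guests = [], {"nobody", "guest"}
    for name, opts in parse_afpd_conf(afpd_conf):
        uamlist = opts.get("-uamlist", "")
        uams = set(uamlist.split(",")) if isinstance(uamlist, str) else set()
        if "uams_guest.so" in uams:
            findings.append(f"server {name}: guest logins enabled (uams_guest.so)")
        if "uams_passwd.so" in uams:
            findings.append(f"server {name}: cleartext UAM enabled (uams_passwd.so)")
        if not uams & DHX_UAMS:
            findings.append(f"server {name}: no DHX/DHX2 UAM in -uamlist")
        if isinstance(opts.get("-guestname"), str):
            guests.add(opts["-guestname"])
    users = parse_passwd(passwd)
    for vol in parse_apple_volumes(apple_volumes):
        for login in vol["settings"].get("allow", []):
            if login in guests:
                findings.append(f"volume {vol['name']}: guest account '{login}' in allow: list")
            elif login not in users:
                findings.append(f"volume {vol['name']}: allow: user '{login}' has no /etc/passwd entry")
            elif users[login] in ("", "*", "!"):
                findings.append(f"volume {vol['name']}: user '{login}' has a locked or empty password field")
    return findings


if __name__ == "__main__":
    for finding in audit(AFPD_CONF, APPLE_VOLUMES, PASSWD):
        print(finding)
```

Run it against the real files by reading them into the three arguments of audit(); a user that appears in allow: but not in /etc/passwd is exactly the "no shadow passwd entry" situation from the log earlier in this thread, and a -uamlist without any DHX module explains a Mac refusing anything but guest login.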

Did you end up writing the how to? I can't get this working.

I created the unix user, I created the afppasswd file too. Login still fails, with nothing helpful to read in the log.

Even with nobody as a valid user in my share I still get an error when connecting:

octopus:~ user$ mount -t afp afp://nobody@seabed0/Octopus /Volumes/ShareMount

mount_afp: AFPMountURL returned error -5023, errno is -5023

(Last edited by napierzaza on 27 Feb 2012, 05:59)

Okay, the way to get it to work is to put your share configs from "AppleVolumes.default" at the end of AppleVolumes.system. Which is contrary to every single instruction set out there, and I have no idea why.

Edit: the weird thing is that the shares appear to be read since they appear in the log when you use AppleVolumes.default. But somehow they're not used all the same.

(Last edited by napierzaza on 28 Feb 2012, 15:07)

@napierzaza thank you for that tip. I had been looking for a solution for many weeks and tried almost everything to get it running.
This simple and confusing trick really solved the problem.
I found out that the entry in the .default file can just be commented out after you have copied it with cat /etc/netatalk/AppleVolumes.default >> /etc/netatalk/AppleVolumes.system
Maybe the files are not applied in the right order...

I don't know, it's so strange since the names of my shares were appearing in the logs as ready. So maybe something about the order in the afpd.conf where the AppleVolumes.default and AppleVolumes.system are declared? I might play around with it to see, but I don't want to break anything again. So strange though.

What worked for me was to put the configuration in the ".AppleVolumes" file of my user's directory.

mountpoint: /mnt/usb2
(permissions had to be reset at every reboot "chown -R jayson /mnt/usb2")

The file: /home/jayson/.AppleVolumes contained the following (:DEFAULT line probably not necessary)

:DEFAULT: allow:root,nobody,guest,jayson cnidscheme:dbd options:usedots,upriv,tm dbpath:/tmp ea:sys umask:077
/mnt/usb2 TimeMachine allow:root,nobody,guest,jayson cnidscheme:dbd options:usedots,upriv,tm dbpath:/tmp

I was hacking away, so some of the options might not be correct. Please reply if you come up with a better configuration.

I swapped the order of the system file and the default file; it did not work. Not sure where to put the bug report or what. Oh well

The discussion might have continued from here.