Topic: AFPD / NetATalk suite (with timemachine and authentication support)

There have been many people trying to get afpd to work properly on OpenWRT, and I haven't seen many success stories. Here's how to get netatalk to work with authentication, and how to get TimeMachine support to work as well.
To complete this you will need to build your own netatalk package, until the patch I've provided gets integrated.

First of all, OpenWRT currently ships with an outdated netatalk; we need to fix this. Secondly, to make authentication work, we need shadow support. Follow the guides on how to build your own image and packages to get started, and
then patch netatalk in packages with this: https://dev.openwrt.org/attachment/ticket/11109/netatalk222.diff

Compile a fresh netatalk 2.2.2 with the --with-shadow flag and install the package onto your router. In this guide I am not going to walk you through partitioning; make your own choices about that. I decided to use HFS+ (hfsplus) as the filesystem on my external hard disk, because then it's compatible with the Mac as well. To get fsck with HFS/hfsplus support you need diskdev_cmds. I sent a patch to trac ages ago, but it hasn't been integrated yet for some reason. Anyway, if you decide to use hfsplus as well, fsck might be handy, and while we are compiling packages, compile and install this package too: https://dev.openwrt.org/attachment/ticket/7407/diskdev_cmds.diff

You should also install at least shadow support on your router. I installed everything related: adduser, moduser, deluser, addgroup, modgroup, delgroup, shadow. These are included in the normal packages.
I would also install avahi, and for convenience uuidgen.

My setup is a WNDR3700, which has one USB port, connected to a powered 7-port USB hub. To that I have connected my external hard disk (it has its own power source), a 4 GB USB stick and a 3G dongle.
I have made the 4 GB USB stick my extroot (overlay). Because my system sometimes hung and the hard disk got corrupted pretty easily, I chose to keep the AppleDouble database on the USB stick. See my configs. Keep them where you want, but I decided on this setup, and I'd recommend it to you too.

---
How does authentication work, and what about afppasswd? Yes, afpd comes with the afppasswd command, which manipulates afp's own password file. This is so that a user can have different passwords for the afp service and for PAM, but if the user doesn't exist for real and cannot log in (for example because of a wrongly set up home directory), they cannot log in to afp either. So I don't use afppasswd at all.
---

Let's move on to the configuration. By default afpd can become pretty heavy; here are some tweaks.

1) Edit /etc/init.d/afpd and set MAXCONS to 4. If only one machine is connected, this should cover it; if more than one, keep the default of 7.

2) afpd often causes the system to hang (and the hard disk to need fsck after boot), so let's minimize the load a bit. Open /etc/netatalk/afpd.conf and set this as its contents:

- -noddp -advertise_ssh -uampath /usr/lib/uams -uamlist uams_guest.so,uams_passwd.so,uams_dhx_passwd.so,uams_randnum.so,uams_dhx2.so -passwdfile /etc/netatalk/afppasswd -savepassword -passwdminlen 0 -nosetpassword -defaultvol /etc/netatalk/AppleVolumes.default -systemvol /etc/netatalk/AppleVolumes.system -nouservol -guestname "nobody" -sleep 1 -dsireadbuf 9 -dircachesize 1024 -server_quantum 65536 -fceholfmod 30 -nodebug

I've reduced dsireadbuf, dircachesize, server_quantum and fceholfmod, set the software to nodebug mode, and also set some default paths and password settings along with the authentication routines. This setup reduces the load significantly, and I was able to back up about 100 GB on my WNDR3700 without the router hanging. It might slow things down a bit, but not by much.

3) In AppleVolumes.default, use tdb as the cnid scheme; it works best on these routers. Here's my AppleVolumes.default file; make modifications to suit your needs.

:DEFAULT: allow:root,jake dbpath:/etc/netatalk/AppleDB/$v options:upriv ea:ad
:DEFAULT_CNID_SCHEME: tdb

/tmp Temp options:upriv,searchdb
/overlay Overlay options:ro,upriv,searchdb
/mnt/Hdd/ Hdd options:upriv,searchdb
/mnt/Devel/ Development allow:root,jake,nobody rolist:nobody rwlist:root,jake options:upriv,searchdb
/mnt/Shared/ Shared allow:root,jake,nobody rolist:nobody rwlist:root,jake options:upriv,searchdb
/mnt/Music/ Music allow:root,jake,nobody rolist:nobody rwlist:root,jake options:upriv,searchdb cnidscheme:tdb
/mnt/Movies/ Movies allow:root,jake,nobody rolist:nobody rwlist:root,jake options:upriv,searchdb cnidscheme:tdb
/mnt/Documents/ Documents options:upriv,searchdb cnidscheme:tdb
# Didn't get this to work for some reason
#/mnt/Private/$u/ $u allow:$u dbpath:/etc/netatalk/AppleDB/homedirs/$u options:upriv,usedots,searchdb cnidscheme:tdb
/mnt/Private/jake/ jake allow:root,jake dbpath:/etc/netatalk/AppleDB/homedirs/jake options:upriv,usedots,searchdb cnidscheme:tdb
/mnt/Private/TimeMachine/imac/ TimeMachine allow:nobody cnidscheme:tdb dbpath:/etc/netatalk/AppleDB/tm/imac options:usedots,upriv,tm

4) Follow the guides on how to set up avahi for afpd/TimeMachine; here's mine:

<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
        <name replace-wildcards="yes">%h</name>
        <service>
                <type>_adisk._tcp</type>
                <port>9</port>
                <txt-record>sys=waMA=INSERTMACHERE,adVF=0x100</txt-record>
                <txt-record>sys=waMA=SECONDMACHERE,adVF=0x100</txt-record>
                <txt-record>dk0=adVF=0x100,adVN=Temp,adVU=73d13e1c-a35a-4fa2-bd7d-cb602929751d</txt-record>
                <txt-record>dk1=adVF=0x100,adVN=Overlay,adVU=33571b8e-d650-41a2-8809-b19f75a18d62</txt-record>
                <txt-record>dk2=adVF=0x100,adVN=Hdd,adVU=f2cea23c-c5bb-41b5-8a02-73429c61746e</txt-record>
                <txt-record>dk3=adVF=0x01,adVN=Development,adVU=1a5761ce-c35a-4e07-9375-f5ce6b4db386</txt-record>
                <txt-record>dk4=adVF=0x01,adVN=Shared,adVU=cef4bf1c-ab0e-45d2-b4be-1966893bd22f</txt-record>
                <txt-record>dk5=adVF=0x01,adVN=Music,adVU=f0b087df-f6ef-43d7-a717-4f67e0a32d9c</txt-record>
                <txt-record>dk6=adVF=0x01,adVN=Movies,adVU=743d693f-ae88-4d07-821b-769cc5be3be1</txt-record>
                <txt-record>dk7=adVF=0x100,adVN=Documents,adVU=b98f08cf-0a6a-4da0-9fc7-5b8c925cb5ae</txt-record>
                <txt-record>dk8=adVF=0x100,adVN=jake,adVU=a13d2b6f-6585-4e22-8eeb-1125218a9f72</txt-record>
                <txt-record>dk10=adVF=0xa1,adVN=TimeMachine,adVU=EA29AA60-2D26-2654-6F59-E9B305324D9D</txt-record>
        </service>
</service-group>

I used uuidgen to generate the UUIDs.

5) Tune your /etc/config/fstab. The sync option is not good, especially when backing up large amounts. Try changing it to async or something else.
Here are my hfsplus mount options:

rw,async,relatime,umask=22,uid=65534,gid=1000,nls=utf8

6) some more tweaks:
This has been reported to increase USB speed, so my rc.local says:

echo 1024 > /sys/block/sda/device/max_sectors
echo 1024 > /sys/block/sdb/device/max_sectors
echo 1024 > /sys/block/sdc/device/max_sectors

7) This is more WNDR3700-specific, but it's been reported to increase networking speed, so my /etc/sysctl.conf has these lines added to the end:

#Custom
net.ipv4.neigh.default.gc_thresh1=1024
net.ipv4.neigh.default.gc_thresh2=2048
net.ipv4.neigh.default.gc_thresh3=4096

---

My setup is not the only possible setup to get things working, but if you've had a hard time getting it to work, maybe you should set it up like this and go from here?
There's also a reason why my TimeMachine share is globally accessible: it was slower to connect to when I had it behind authentication. I do a lot of stuff on my computer, so I also back up pretty often, and I decided to go this way. But it works just fine with authentication as well.
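As an added example (not part of jake1981's post, and not netatalk's or OpenWRT's own tooling), here is a small POSIX sh/awk script that does two of the chores above mechanically. It reads an afpd.conf and an AppleVolumes.default, lists which volumes a guest can open without a password when uams_guest.so is in the -uamlist (a volume with no allow: list at all, or with the guest user "nobody" in it; that is exactly the trade-off described above for the TimeMachine share), and emits the dkN= txt-records for the avahi _adisk._tcp service with a fresh UUID per volume, using adVF=0xa1 for volumes carrying the tm option and 0x100 for the rest, as the service file above does. The two config files it parses are constructed samples in the style of the ones above, not the originals; the UUID comes from /proc/sys/kernel/random/uuid or uuidgen, with an awk fallback, and a fixed UUID can be passed in as a second argument for reproducible output.

```shell
#!/bin/sh
# Added example, not from the original post or from netatalk/OpenWRT:
# audit an afpd.conf + AppleVolumes.default pair for password-less access
# and print the avahi _adisk._tcp txt-records for the volumes.
# Assumes only POSIX sh and awk; UUIDs come from /proc/sys/kernel/random/uuid,
# uuidgen, or an awk fallback.
set -u

# Print one "name|path|allow|tm" line per volume, skipping comments, the
# :DEFAULT* directives and $u-templated home-directory lines.  A volume with
# no allow: list at all is reported as allow "(everyone)".
list_volumes() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^:/ { next }
        index($0, "$u") > 0 { next }
        NF >= 2 {
            allow = "(everyone)"; tm = "no"
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^allow:/) allow = substr($i, 7)
                if ($i ~ /^options?:/) {
                    n = split(substr($i, index($i, ":") + 1), o, ",")
                    for (j = 1; j <= n; j++) if (o[j] == "tm") tm = "yes"
                }
            }
            print $2 "|" $1 "|" allow "|" tm
        }' "$1"
}

# Print 1 if uams_guest.so is part of the -uamlist in afpd.conf, else 0.
guest_uam_enabled() {
    awk '
        /^[[:space:]]*#/ { next }
        { for (i = 1; i < NF; i++)
              if ($i == "-uamlist" && index($(i + 1), "uams_guest.so") > 0) found = 1 }
        END { print (found ? 1 : 0) }' "$1"
}

# Names of volumes the guest user "nobody" (the -guestname used above) can
# open without a password: no allow: list, or "nobody" listed in it.
guest_reachable() {
    list_volumes "$1" | awk -F'|' '
        $3 == "(everyone)" { print $1; next }
        { n = split($3, a, ","); for (i = 1; i <= n; i++) if (a[i] == "nobody") print $1 }'
}

new_uuid() {
    if [ -r /proc/sys/kernel/random/uuid ]; then
        cat /proc/sys/kernel/random/uuid
    elif command -v uuidgen >/dev/null 2>&1; then
        uuidgen
    else  # last resort: random hex in UUID layout (not a real RFC 4122 UUID)
        awk 'BEGIN { srand(); for (i = 1; i <= 32; i++) s = s sprintf("%x", int(rand() * 16))
             print substr(s,1,8) "-" substr(s,9,4) "-" substr(s,13,4) "-" substr(s,17,4) "-" substr(s,21,12) }'
    fi
}

# Emit dkN= txt-records for the avahi _adisk._tcp service: adVF=0xa1 for a
# volume with the tm option (as in the post), 0x100 otherwise.  An optional
# second argument fixes the UUID of every record (useful for tests).
adisk_records() {
    n=0
    list_volumes "$1" | while IFS='|' read -r name path allow tm; do
        [ "$tm" = yes ] && flags=0xa1 || flags=0x100
        printf '<txt-record>dk%d=adVF=%s,adVN=%s,adVU=%s</txt-record>\n' \
            "$n" "$flags" "$name" "${2:-$(new_uuid)}"
        n=$((n + 1))
    done
}

audit() {  # $1 = afpd.conf, $2 = AppleVolumes.default
    if [ "$(guest_uam_enabled "$1")" = 1 ]; then
        echo "uams_guest.so is enabled; volumes reachable without a password:"
        guest_reachable "$2" | sed 's/^/  /'
    else
        echo "guest UAM disabled; every volume needs a password"
    fi
}

# Constructed sample configs in the style of the post (not the originals).
SAMPLE_DIR=${TMPDIR:-/tmp}/afp_audit.$$
mkdir -p "$SAMPLE_DIR"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/afpd.conf" <<'EOF'
- -noddp -uampath /usr/lib/uams -uamlist uams_guest.so,uams_dhx2.so -guestname "nobody" -nodebug
EOF
cat > "$SAMPLE_DIR/AppleVolumes.default" <<'EOF'
:DEFAULT: allow:root,jake options:upriv ea:ad
:DEFAULT_CNID_SCHEME: tdb
/mnt/Shared/ Shared allow:root,jake,nobody rolist:nobody rwlist:root,jake options:upriv,searchdb
/mnt/Documents/ Documents options:upriv,searchdb cnidscheme:tdb
#/mnt/Private/$u/ $u allow:$u options:upriv,usedots
/mnt/Private/jake/ jake allow:root,jake options:upriv,usedots cnidscheme:tdb
/mnt/Private/TimeMachine/imac/ TimeMachine allow:nobody cnidscheme:tdb options:usedots,upriv,tm
EOF

audit "$SAMPLE_DIR/afpd.conf" "$SAMPLE_DIR/AppleVolumes.default"
adisk_records "$SAMPLE_DIR/AppleVolumes.default"
```

On the router you would point audit and adisk_records at /etc/netatalk/afpd.conf and /etc/netatalk/AppleVolumes.default instead of the samples, and paste the printed txt-records into the <service> element of the avahi file from step 4. Note that a volume line without any allow: list (Documents in the sample) is open to the guest user as soon as uams_guest.so is enabled, so the audit output is worth a look after every change to AppleVolumes.default.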

Re: AFPD / NetATalk suite (with timemachine and authentication support)

Wow exhaustive.

I hope that they update the package soon, but if it takes too long I might compile it myself.

But I noticed that your DB is in /etc/netatalk? It might be better to have the DB on the HDD itself.

Also, in the OpenWRT package I was only able to get it to work by putting the configs for .default into the .system file. It seems as if it loses them completely: it logs the shares but then loses them.

I'm not sure why shadow is disabled on the opkg. But you can get it to work if you put the password in /etc/passwd itself (not a big deal in a single user system).

Re: AFPD / NetATalk suite (with timemachine and authentication support)

jake1981 wrote:

First of all, currently openwrt ships with outdated netatalk, we need to fix this.

Any word on when we can expect that? Who's responsible for such an update anyway?

jake1981 wrote:

Secondly, to make authentications work, we need support for shadow.

I'm not familiar with this. Why is authentication needed? Is it a requirement on part of Apple if you want to use a NAS for TimeMachine backups? Or just for my personal safety to restrict access to my data for other users in my network?

Re: AFPD / NetATalk suite (with timemachine and authentication support)

I installed netatalk 2.2.1-4 last night and it finally worked fine,
but after I flashed my router and wanted to install it again, it's gone?!

I can't find it anywhere yet...

Re: AFPD / NetATalk suite (with timemachine and authentication support)

2.2.1-4 is back, but it's not working with my router again, even with the same conf...

Re: AFPD / NetATalk suite (with timemachine and authentication support)

First off thank you Jake for creating this forum thread as it is currently the most detailed instruction set I have seen on how to enable AFPD/Netatalk on Open WRT.

I have tried to follow everything you have provided as close as possible with some exceptions that I will detail here, but with no luck in finding the share on my wife's MBA.

1. Compiled OpenWRT using 2.2.1-4 and changed without shadow to say with shadow
2. Ensured I can login to the router using my wife's credentials (did not use afppasswd however as instructed)
3. Followed step #1 completely
4. Followed step #2 but my file has some minor differences from the one above (ends with -icon which Jake doesn't have in his, but it was there before so I left it - no idea what it does)
5. Followed step #3 with some minor changes (my wife's user id instead of 'jake'); please note that I did not create directories for dbpath:/etc/netatalk/AppleDB/tm/ (I don't have ..../AppleDB/tm folders)
6. In step #4 I put in my router's MAC address and followed the following syntax:
     
<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h</name>

<type>_adisk._tcp</type>
     <port>9</port>
     <txt-record>sys=waMA=<my MAC addy>,adVF=0x100</txt-record>
     <txt-record>dk0=adVF=0x83,adVN=TimeMachine</txt-record>

note that I did not generate UUIDs, is this absolutely necessary?

7. Followed the step #5 except that my /etc/config/fstab HFS+ mount used 'force' to ensure I can write to it, and I did not put umask, uid, and gid (the partition seems properly mounted however)

8. Followed the rest completely.

After all was said and done I ensured that avahi-daemon and afpd were running using the ps command.

When connecting via Finder (afp://<IP>/<share>) from my wife's MBA I get the login screen but am unable to connect.

I am sure I am missing something pretty basic, but for the life of me I can't find what.

Any help is greatly appreciated,

Stevan

Re: AFPD / NetATalk suite (with timemachine and authentication support)

Hi! I hope I'm not being troublesome. I want to compile netatalk 2.2.2 but I don't know where to begin, as I'm not a *NIX expert. Can someone show me how to begin, or where I can look into it? I appreciate the help and apologize for the ignorance.


Thank you