Netatalk Frequently Asked Questions
($Id: FAQ,v 1.12 2003-02-24 23:33:14 srittau Exp $)

-----------------------------------------------------------------------------

Q1: Where can I get more information on Netatalk?
Q2: What is this I keep seeing about asun?
Q3: How do I get the most recent version of Netatalk?
Q4: Can I get an almost current version of Netatalk without having to learn CVS?
Q4a: Is there an RPM, package, or tarball for my platform?
Q5: I'm having massive file deletion problems!
Q6: I am having lots of file locking problems!
Q7: I'm getting this message in my logs:
     WARNING: DID conflict for ... Are these the same file?
Q8: I can't seem to use passwords longer than 8 characters for my Netatalk
     accounts. How can I fix that?
Q9: I would like to use encrypted passwords to authenticate to the Netatalk
     server. How do I do that?
Q10: How can I set who has access to certain directories?
Q11: What are the .AppleDouble and .Parent directories which are created in
     the Netatalk locations?
Q12: Hidden files - what's up with that?
Q13: I get a "socket: Invalid argument" error when trying to start Netatalk
     under Linux. What is causing this?
Q14: Netatalk works over AppleTalk, but my IP connections are refused, even
     though I have enabled them in the configuration files.
Q15: I'm having Quark Express file locking problems, is there information on that?
Q16: I'm getting this error in Quark Express when trying to save a file to
     the server: 'Error Type -50'
Q17: Does Netatalk work with MacOS X?
Q18: I'm getting an 'Application for this document not found' error on MacOS X.
Q19: I'm getting an 'Error Type -43' error on MacOS X.
Q20: How do I get the directories that are created by Netatalk to have the
     correct permissions by default?
Q21: What does this error mean:
     'afpd[#####]: setdirmode: chmod .AppleDouble Operation not permitted'
Q22: I'm having problems with the Trash folder: either when someone drags
     files into it, the system wants them to delete them immediately, or files
     get stuck in there and won't delete.
Q23: The daemons aren't starting, things aren't showing up in the Chooser,
     and I get a message like this in the logs: afpd[####]: Can't register
Q24: I want to be able to allow users to change their passwords. How do
     I enable this feature? Every time I try I get an error that it was
     unable to save the password.
Q25: Can I mount a Mac volume on my Unix machine?
Q26: Can I run Samba and Netatalk together to access the same files?
Q27: Files I create on my Samba shares are invisible on the Mac side.
Q27a: How can I set Netatalk to hide some files from the Samba (or
Q28: Files I create on my Netatalk shares are invisible on the PC side.
Q28a: How can I set Samba to hide the Netatalk specific files (e.g.
Q29: I compiled Samba with the --with-netatalk flag. What did that do?
Q30: What about the differences in naming schemes, and legal/illegal
     characters between Windows, Macs, and Unix?
Q31: Where can I get the cnid-db (Berkeley DB) software? (needed for
Q32: What about security in Netatalk?

-----------------------------------------------------------------------------

Q1: Where can I get more information on Netatalk?

A: Netatalk's home page can be found at:

    http://netatalk.sourceforge.net/

Netatalk is maintained at SourceForge. The Netatalk project page on
SourceForge is located at:

    http://sourceforge.net/projects/netatalk/

There are (at least) three very active e-mail lists to which you can
subscribe. The first, netatalk-admins, is for usage and setup/compile
questions. Subscription information as well as an archive are available at:

    http://lists.sourceforge.net/lists/listinfo/netatalk-admins

This list can be very high volume, but usually carries a few messages a day.

The netatalk-devel list is more specific to coding and testing. The archive
and more information can be found at:

    http://lists.sourceforge.net/lists/listinfo/netatalk-devel

This list varies in volume, but is usually moderately active.

Netatalk-docs is specific to documentation. For more information see:

    http://lists.sourceforge.net/mailman/listinfo/netatalk-docs

There are other netatalk information sites. Some of these are no
longer actively updated, some are site-specific, but still have

    http://www.anders.com/projects/netatalk/
    http://www.faredge.com.au/netatalk/index.html

Q2: What is this I keep seeing about asun?

A: Before Netatalk moved to SourceForge, Adrian Sun (asun) had written
some patches to Netatalk which helped significantly with its usability,
especially using AppleShare IP. These patches are still provided by many
Unix vendors. All of these patches are included in the current SourceForge

Q3: How do I get the most recent version of Netatalk?

A: Via CVS from SourceForge.net. This is the actively maintained version
of Netatalk; changes are being made constantly, and therefore it is not
suitable for production environments. The netatalk at SourceForge is in
Beta, so keep that in mind.

To create the CVS tree - from the directory you want to use as your CVS

    % cvs -d:pserver:anonymous@cvs.netatalk.sf.net:/cvsroot/netatalk login

hit <enter> at the Password: prompt

    -d:pserver:anonymous@cvs.netatalk.sf.net:/cvsroot/netatalk co

This will create a netatalk subdirectory, and check out all of the files.
If you run this same command subsequently, you will update any files which
have changed (on the CVS server) since your last checkout.

Once you've done that, read the INSTALL file in the netatalk/ directory,
plus the CONFIGURE file. If you're installing from CVS, you'll most likely
need to have some supplementary software installed, such as gmake. Some
systems work fine with make. Additional information can be found in doc/.

The main thing to know, though, is this: you must run

in the netatalk/ directory first, in order to create your configure file.

    % ./configure --help | more

in order to get a feel for which compile flags are available. Some of these
flags are summarized below, some are summarized in the INSTALL file, and
some have individual README files.

To learn more about CVS, good places to start are:

    http://www.cvshome.org
    http://www.cvshome.org/docs/manual
    http://www.cvshome.org/form/form.cgi (this is the FAQ)

There are GUI CVS systems for Windows and MacOS. Search on SourceForge for

Q4: Can I get an almost current version of Netatalk without having to learn CVS?

A: Yes. Daily snapshots of the CVS tree should be posted for the benefit of
those that don't want to / can't use CVS. They are available at:

    http://www.marcuscom.com/netatalk/nightly/

You should be able to treat these images as you would a release. Just
configure as you normally would, then run make (or gmake as the case may
be). There is no need to run autogen.sh on these images.

Q4a: Is there an RPM, package, or tarball for my platform?

A: Perhaps. These vary in how often they're updated:

port: /usr/ports/net/netatalk - maintained by Joe Clark
included in the distribution
port: /usr/ports/net/netatalk/ - not actively maintained
included in all current distributions
included in the distribution

Q5: I'm having massive file deletion problems!

Q6: I am having lots of file locking problems!

Q7: I'm getting this message in my logs:
WARNING: DID conflict for ... Are these the same file?

A: Compile with the --with-did=last flag set. This activates a different
method of calculating inodes in the software, and will hopefully fix some
of these problems. This code, along with the CNID code, was still being
worked out in Pre7. The cnid/bdb flags also go along with this:

    --with-bdb=PATH        specify path to Berkeley DB installation
    --with-did=[scheme]    set DID scheme (cnid,last)

(For more information on CNID, see the README.cnid file.)

--with-did=last reverted things back to the old 1.4b2 directory ID
calculation algorithm. This also solved the problem of the syslog
messages and the users complaining of file deletions. It's also been
found that by disabling *BSD's SOFTUPDATES feature on Netatalk volumes (on
FreeBSD), multi-user interaction seemed to work better. This was back in
a late 4.2-BETA, so it's not clear if this still holds true in 4.4-RELEASE

Q8: I can't seem to use passwords longer than 8 characters for my Netatalk
accounts. How can I fix that?

Q9: I would like to use encrypted passwords to authenticate to the Netatalk
server. How do I do that?

A: Update to a newer version of AppleShare Client (I think the most
recent is 3.8.8). This allows longer passwords, and will allow you to
use encrypted passwords. Set which way you would like to authenticate
in either afpd.conf or netatalk.conf, depending on your setup.

For more information on the AppleShare Client from Apple, and which clients
are needed for which MacOS, see

    http://til.info.apple.com/techinfo.nsf/artnum/n60792?OpenDocument&software

(this site requires cookies, and a registration and sign-in).

Q10: How can I set who has access to certain directories?

A: You can certainly do this with your Unix permissions, but also explore the
allow/deny/rwlist/rolist options in the AppleVolumes.default file:

    # allow/deny/rwlist/rolist format [syntax: allow:user1,@group]:
    # user1,@group,user2 -> allows/denies access from listed users/groups
    # rwlist/rolist control whether or not the
    # volume is ro for those users.

Also, some Unices, especially FreeBSD, have other options:

"What about file and directory permissions? Since I didn't use the FORCE
UID/GID code, I decided to use a feature of FreeBSD called SUIDDIR. From
the LINT kernel config file:

    # If you are running a machine just as a fileserver for PC and MAC
    # users, using SAMBA or Netatalk, you may consider setting this option
    # and keeping all those users' directories on a filesystem that is
    # mounted with the suiddir option. This gives new files the same
    # ownership as the directory (similar to group). It's a security hole
    # if you let these users run programs, so confine it to file-servers
    # (but it'll save you lots of headaches in those cases). Root owned
    # directories are exempt and X bits are cleared. The suid bit must be
    # set on the directory as well; see chmod(1) PC owners can't see/set
    # ownerships so they keep getting their toes trodden on. This saves
    # you all the support calls as the filesystem it's used on will act as
    # they expect: "It's my dir so it must be my file".

And the associated mount command:

    mount -o suiddir /dev/da2s1e /macvol/artfiles

This was used on my dedicated Netatalk/Samba filesystems. On
filesystems that were also used for interactive shell access, I chmod'd
my Netatalk shares 2770. The reason for this is that I set up a UNIX
group for each department in the ad agency. I had an art group, a media
group, an accounting group, and then, of course, a general staff group.
Each share was only allowed access by the group that needed to access
the share. So, the Artfiles share allowed access only to the art group:

    /macvol/artfiles "Art Files" allow:@art

And the others followed in kind. Therefore, the 2770 mask allowed only
owners and people in the associated group access to read and write
files. The leading 2 set the setgid bit so that all child files and
directories would retain the same group permissions. I found this to

Q11: What are the .AppleDouble and .Parent directories which are created in
the Netatalk locations?

A: See the README.veto file in this directory.

The .AppleDouble folders hold the resource fork information for the Mac
files, plus other attributes which are not normally stored by Unix. For
this reason, when you want to move files around in your Mac volumes, it's
a good idea to do it from the Mac side (as opposed to from the Unix side,
or Samba), unless you make absolutely sure you get the .AppleDouble
directories. These directories are often hidden from the Samba side, via
the veto files configuration.

You can also set Netatalk to not create an .AppleDouble directory unless
it absolutely needs it, by setting the noadouble setting in
AppleVolumes.default.

Q12: Hidden files - what's up with that?

A: If you set the noadouble flag in AppleVolumes.default, you won't see
the .Apple* or .Parent directories on the Mac side. If you use the veto
files option in Samba, they may be hidden from the Windows side as well.
(More information in the Samba section, and in the README.veto file in

Q13: I get a "socket: Invalid argument" error when trying to start Netatalk
under Linux. What is causing this?

A: The "appletalk" and "ipddp" kernel modules have to be installed under
Linux for Netatalk to function. The appletalk module can be automatically
loaded by adding the line "alias net-pf-5 appletalk" to the
/etc/modules.conf file. Issuing the command "modprobe (module)" will
load the module for the current session.

Q14: Netatalk works over AppleTalk, but my IP connections are refused, even
though I have enabled them in the configuration files.

A: If tcp_wrappers support is compiled into Netatalk, access has to be
granted in /etc/hosts.allow for Netatalk to successfully accept IP
connections. This can be done by the addition of the line:

    afpd: 127. xxx.xxx.xxx. (whatever other subnets)

Q15: I'm having Quark Express file locking problems, is there information on
that?

A: Yes, see the question regarding DID conflicts and the --enable-did= flag.
Also, try using the --flock-locks flag. Enabling this code disabled the
new byte locking feature. With FLOCK locks, the whole file would be locked.
With byte locks, a byte range could be locked without locking the whole

Q16: I'm getting this error in Quark Express when trying to save a file to
the server: 'Error Type -50'

A: Turn off the document preview feature in Quark.

Q17: Does Netatalk work with MacOS X?

A: Yes, but only the most recent versions, and it's still being finalized.
Versions prior to 1.5Pre7 did NOT work with OS X, although some really
early versions did (netatalk 1.4+asun?).

Q18: I'm getting an 'Application for this document not found' error on MacOS X.

Q19: I'm getting an 'Error Type -43' error on MacOS X.

A: Configure with --with-did=last. More info on this flag is given in the
DID conflicts question.

Q20: How do I get the directories that are created by Netatalk to have the
correct permissions by default?

A: Investigate the setgid bit on your Unix platform. It's a good idea to
set this on your shared directories, and your .AppleDouble directories.
From the mail archives: "Usually directories designated for use with
AppleShare have the setgid (g+s) bit set. It forces inheritance of
permissions. Without it, the .AppleDouble subdirectory can't be created
since the new folder doesn't necessarily have the same write privileges."

Information about the setgid bit can be found in Evi Nemeth's
"Unix System Administration Handbook" (3rd. ed, chap 5.5, pg. 69):

"The bits with octal values 4000 and 2000 are the setuid and setgid bits.
These bits allow programs to access files and processes that would
otherwise be off-limits to the users that run them. [...] When set on a
directory, the setgid bit causes newly created files within the directory
to take on the group membership of the directory rather than the default
group of the user that created the file. This convention makes it easier
to share a directory of files among several users, as long as they all
belong to a common group. Check your system before relying on this
feature, since not all versions of UNIX provide it. [...] This interpretation
of the setgid bit is unrelated to its meaning when set on an executable
file, but there is never any ambiguity as to which meaning is

NOTE: The setuid bit is usually discussed along with the setgid bit. The
setuid bit is VERY dangerous. If you set it on an executable, and the
executable is owned by root, anyone who runs that executable is root for
the duration of that executable's run, so a clever person can leverage
that into a full-scale compromise. The setgid bit also has other security
implications, so be careful where you set it.

You set it by doing a chmod 2xxx, where xxx are the normal file permissions
(i.e. owner/group/other permissions).

Q21: What does this error mean:
'afpd[#####]: setdirmode: chmod .AppleDouble Operation not permitted'

A: This can be due to a few things.

1) The setgid bit might not be set on either your directory, or on the
.AppleDouble directory. It has to be set recursively on the .AppleDouble

2) You may not be a member of the group set on the directory you're trying

3) This was a persistent bug in 1.5pre6 for a while; upgrading might help.

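A way to check a share for the first two causes, as an added example that is not part of Netatalk: the function names are made up here, and the group lookup assumes group names without spaces in `ls -ld` output.

```shell
#!/bin/sh
# Added example (not part of netatalk): check a share for the first two
# causes listed above. Share paths and user names are supplied by the caller.

# missing_setgid SHARE
# Print every directory under SHARE, .AppleDouble directories included,
# that does not carry the setgid bit (mode 2xxx).
missing_setgid() {
    find "$1" -type d ! -perm -2000 -print
}

# user_in_dir_group USER DIR
# Succeed if USER (empty string = the current process) is a member of the
# group that owns DIR. Assumes the group name contains no spaces.
user_in_dir_group() {
    dir_group=$(ls -ld "$2" | awk '{print $4}')
    for g in $(id -Gn ${1:+"$1"} 2>/dev/null); do
        [ "$g" = "$dir_group" ] && return 0
    done
    return 1
}

# diagnose_share SHARE [USER]
# Report both conditions; exit status 0 means neither was found.
diagnose_share() {
    status=0
    missing=$(missing_setgid "$1")
    if [ -n "$missing" ]; then
        printf 'setgid bit missing on:\n%s\n' "$missing"
        status=1
    fi
    if ! user_in_dir_group "${2:-}" "$1"; then
        printf '%s is not in the group owning %s\n' "${2:-current user}" "$1"
        status=1
    fi
    return "$status"
}
```

Directories reported by missing_setgid can be corrected with chmod g+s, which leaves the other permission bits as they are.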
Q22: I'm having problems with the Trash folder: either when someone drags
files into it, the system wants them to delete them immediately, or files
get stuck in there and won't delete.

A: chmod the Network Trash folder to 2775 (/home/public/Network Trash
Folder for instance).

As of 10/16/01, MacOS X trash didn't work properly with afps volumes.
Apple is working on it.

Q23: The daemons aren't starting, things aren't showing up in the Chooser,
and I get a message like this in the logs: afpd[####]: Can't register

This is sometimes a result of missing NIC information in the atalkd.conf
file. Put your network interface (something like le0, eth0, fxp0, lo0)
alone on a line in atalkd.conf, and reboot. When atalkd starts, it will
populate the file with a line such as:

    le1 -seed -phase 2 -addr 66.6 -net 66-67 -zone "No Parking"

To find your network interface, run

and see which interface has your IP address. Use that one.

Q24: I want to be able to allow users to change their passwords. How do
I enable this feature? Every time I try I get an error that it was
unable to save the password.

A: Use -[no]setpassword in afpd.conf. This enables or disables the ability of
clients to change their passwords.

Q25: Can I mount a Mac volume on my Unix machine?

A: Well, maybe. MacOS X obviously might be able to do this with NFS.
Also, there is a program called afpfs which was designed to do this,
but is not actively maintained and has reportedly been highly unstable.
It should be available from:

    http://www.panix.com/~dfoster/afpfs/

Q26: Can I run Samba and Netatalk together to access the same files?

A: Sure. Lots of us do. But there are some concerns. Quite often it's
useful, for instance, to hide files of one OS from the other. See
the AppleVolumes.default file in Netatalk, and investigate the veto
files option in Samba. (See the README.veto file.)

Also, when copying and moving files created on the Mac, it's better
to do that from the Mac, rather than from the Unix server or from
Samba. This is because the .AppleDouble folders hold the resource fork
information for the Mac files, plus other attributes which are not
normally stored by Unix.

You can also set Netatalk to not create an .AppleDouble directory unless
it absolutely needs it, by setting the noadouble setting in
AppleVolumes.default.

Q27: Files I create on my Samba shares are invisible on the Mac side.

A: Have you checked the AppleVolumes(.default? .system? I don't remember
which one hides files!) file?

How long are the file names? Names longer than 31 BYTES (not characters)
are not visible on the Mac side. This is because some old MacOS's don't
accept long names, and some Finders crash when they encounter them.
Therefore Netatalk hides long filenames to prevent crashes. If you
prefer Netatalk to truncate the names, use the --with-mangling ./configure
option when compiling Netatalk.

The BYTES distinction is made because there exist double-byte fonts too,
which limit names to 15 chars.

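To find the names that exceed the 31-byte limit before users report missing files, the following added example (not part of Netatalk; the function names are illustrative) measures each name in bytes rather than characters. It assumes the limit applies to the name as stored on the Unix side.

```shell
#!/bin/sh
# Added example (not part of netatalk): list names in a share that exceed
# the 31-byte limit described above and so would be hidden from Mac clients.

AFP_NAME_MAX=31   # bytes, per the FAQ text above

# name_bytes NAME -> length of NAME in bytes, independent of the locale
name_bytes() {
    echo $(( $(printf '%s' "$1" | wc -c) ))
}

# long_afp_names SHARE
# Print "<bytes><TAB><path>" for every file or directory under SHARE whose
# final path component is longer than AFP_NAME_MAX bytes. .AppleDouble
# directories are skipped. Names containing newlines are not handled.
long_afp_names() {
    find "$1" -name .AppleDouble -prune -o -print |
    while IFS= read -r path; do
        # The share root itself is not a name a client sees inside the volume.
        [ "$path" = "$1" ] && continue
        n=$(name_bytes "${path##*/}")
        if [ "$n" -gt "$AFP_NAME_MAX" ]; then
            printf '%s\t%s\n' "$n" "$path"
        fi
    done
}
```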
Q27a: How can I set Netatalk to hide some files created on the Samba

A: AppleVolumes(.system or .default?) allows you to hide certain files.
This might be a good thing to set on, say, .cshrc, ssh keys, and

Q28: Files I create on my Netatalk shares are invisible on the PC side.

Q28a: How can I set Samba to hide the Netatalk specific files (e.g.

A: Check your Samba veto files option in smb.conf. It's often useful
to hide files like .AppleDouble or the network trash folder here.

Does the Mac file have a \ or / in it? Would this cause Samba to

Q29: I compiled Samba with the --with-netatalk flag. What did that do?

A: Nothing. Some code was written (by a Samba developer?), but as of
Fall 2001, Samba doesn't utilize it.

Q30: What about the differences in naming schemes, and legal/illegal
characters between Windows, Macs, and Unix?

A: Check out the documentation about the 'mswindows' flag in
AppleVolumes.default. For instance, having / or \ or : in a name is
especially bad, as they are path separators on Unix, Windows, and MacOS,
respectively. Educating the end user is important for this problem.

Q31: Where can I get the cnid-db (Berkeley DB) software? (needed for

A: First check to see if your Unix has a port or package. If not,
Berkeley DB is available at:

    http://www.sleepycat.com/download.html

Q32: What about security in Netatalk?

A: Most of the security for Netatalk must be derived from the
security of the Unix server on which it runs. Directory permissions,
valid users, firewalls, IP filters, file integrity checkers, etc.
are all part of the equation. That said, it is possible to configure
Netatalk to minimize access, and close potential security holes.

These two flags are especially important:

--with-tcp-wrappers: enable TCP wrappers support.

    Enables Wietse Venema's network logger, also known as tcpd or
    LOG_TCP. These programs log the client host name of incoming
    telnet, ftp, rsh, rlogin, finger etc. requests. Security
    options are: access control per host, domain and/or service;
    detection of host name spoofing or host address spoofing;
    booby traps to implement an early-warning system. TCP
    Wrappers can be obtained at:

    ftp://ftp.porcupine.org/pub/security/

    Note, if you use TCP Wrappers, it would be a good idea to set your
    afpd.conf file to disable DDP, or accept connections only on TCP.
    You can also configure afpd to only run on a certain port, which
    you can then let through your IPFilter.

--with-ssl-dirs=[PATH]: specify path to OpenSSL installation.

    NOTE: This is dependent on the same directory layout as the
    source distribution of OpenSSL. That is: include/ and
    lib/ to be on the same level. Many .rpm formats do not
    have their files laid out in this format.

    The OpenSSL Project is a collaborative effort to develop a
    robust, commercial-grade, full-featured, and Open Source
    toolkit implementing the Secure Sockets Layer (SSL v2/v3)
    and Transport Layer Security (TLS v1) protocols as well as a
    full-strength general purpose cryptography library.
    This is required to enable DHX login support, which
    will encrypt all of the passwords being sent across the
    connection. (Some old Mac clients don't support this, check
    this FAQ for the section on AppleShare clients.)
    Check to see if your Unix has OpenSSL already, or

    http://www.openssl.org/

Be aware that on the volumes that are shared, some of the
special folders (.AppleDesktop, "Network Trash Folder") get
assigned. A lot of these get created as world-writable (because that's
what the Mac clients are expecting them to be) which is often quite
undesirable from the Unix system administrator's point of view.
Documenting this behavior could be a somewhat daunting task, but

Shares can be set to be read/write only by certain people and groups.

The Netatalk code has not been through a major code audit. However,
it's Open Source, so if you want to do said audit, contact the
Netatalk maintainers (which can be done through the SourceForge site).

Has anyone tried to run Netatalk in a chroot jail? If so, please
share your experiences with the mailing lists.
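
For the world-writable special folders mentioned in this answer, the following added example (not part of Netatalk; function names are illustrative) lists every world-writable directory in a share and separates the two special folders named above from directories that deserve a closer look.

```shell
#!/bin/sh
# Added example (not part of netatalk): list world-writable directories in a
# share and separate the special folders named above from everything else.

# is_special_folder PATH
# Succeed if PATH is, or lies inside, one of the two special folders this
# FAQ names (.AppleDesktop and "Network Trash Folder").
is_special_folder() {
    case "$1" in
        */.AppleDesktop|*/.AppleDesktop/*) return 0 ;;
        */"Network Trash Folder"|*/"Network Trash Folder"/*) return 0 ;;
    esac
    return 1
}

# world_writable_dirs SHARE
# Print "<class><TAB><mode><TAB><path>" for each directory under SHARE that
# is writable by "other". class is "expected" for the special folders and
# "review" for anything else.
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print |
    while IFS= read -r dir; do
        if is_special_folder "$dir"; then
            class=expected
        else
            class=review
        fi
        mode=$(ls -ld "$dir" | cut -c1-10)
        printf '%s\t%s\t%s\n' "$class" "$mode" "$dir"
    done
}

# unexpected_world_writable SHARE
# Print only the paths classified as "review".
unexpected_world_writable() {
    world_writable_dirs "$1" | awk -F '\t' '$1 == "review" { print $3 }'
}
```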