+++ /dev/null
-Configuring Netatalk
-====================
-
-These files should have been copied into the configuration directory
-(default: /usr/local/etc) by the `make install' in step 4 of
-the INSTALL file.
-
-
-Netatalk supplies two different types of AFP servers and both can run at
-the same time. Classic AFP over AppleTalk requires afpd and atalkd. AFP
-over IP only requires afpd.
-
-
-
-1. /usr/local/etc/afpd.conf
-===========================
-
-Edit /usr/local/etc/afpd.conf as required. Some options:
-
-Format:
-- [options] to specify options for the default server
-and/or
- "Server name" [options] to specify an additional server
-
-The following options are available:
-
-Transport Protocols:
- -[no]tcp Make AFP-over-TCP [not] available
- -[no]ddp Make AFP over AppleTalk [not] available. if you have
- -proxy specified, specify -uamlist "" to prevent ddp
- connections from working.
- -transall Make both available (default)
-
-Transport Options:
- -ipaddr <w.x.y.z>
- Specifies the IP address the server should
- respond to (default is the first IP address of the system).
- This option also allows one machine to advertise TCP/IP for
- another machine.
- -server_quantum <number>
- Specifies the DSI server quantum. The minimum
- value is 1MB. The max value is 0xFFFFFFFF. If you specify a
- value that is out of range, you'll get the default value
- (currently the minimum).
- -admingroup <groupname>
- Specifies the group of administrators who should all
- be seen as the superuser when they log in. Default
- is disabled.
- -ddpaddr x.y Specifies the DDP address of the server. the default
- is to auto-assign an address (0.0). this is only
- useful if you're running on a multihomed host.
- -port <number> Specifies the TCP port the server should
- respond to (default is 548)
- -fqdn <name:port> Specify a fully-qualified domain name
- (+optional port). this gets discarded if the
- server can't resolve it. this is not honored
- by appleshare clients <= 3.8.3 (default: none)
- -proxy Run an AppleTalk proxy server for specified AFP/TCP
- server (if address/port aren't given, then first IP
- address of the system/548 will be used). if you don't
- want the proxy server to act as a ddp server as well,
- set -uamlist to an empty string.
-
-Authentication Methods:
- -uampath <path> Use this path to look for User Authentication
- Modules. (default: /etc/atalk/uams)
- -uamlist <a,b,c> Comma-separated list of UAMs. (default:
- uams_guest.so,uams_clrtxt.so,uams_dhx.so)
-
- Some Common UAMs
- uams_guest.so: Allow guest logins
-
- uams_clrtxt.so: (uams_pam.so or uams_passwd.so)
- Allow logins with passwords transmitted in the clear.
-
- uams_randnum.so: Allow Random Number and Two-Way Random Number
- exchange for authentication.
-
- uams_dhx.so: (uams_dhx_pam.so or uams_dhx_passwd.so)
- Allow Diffie-Hellman eXchange (DHX) for authentication.
-
-Password Options:
- -[no]savepassword [Don't] Allow clients to save password locally
- -passwdfile <path> Use this path to store Randnum
- passwords. (default: ~/.passwd. the only other
- useful value is /etc/atalk/afppasswd.)
- -passwdminlen <#> Minimum password length. may be ignored.
- -[no]setpassword [Don't] Allow clients to change their passwords.
- -loginmaxfail <#> Maximum number of failed logins. this may be
- ignored if the uam can't handle it.
-
-AppleVolumes files:
- -defaultvol <path> Specifies path to AppleVolumes.default file
- (default /etc/atalk/AppleVolumes.default, same
- as -f on command line)
- -systemvol <path> Specifies path to AppleVolumes.system file
- (default /etc/atalk/AppleVolumes.system, same
- as -s on command line)
- -[no]uservolfirst [Don't] read the user's ~/AppleVolumes or
- ~/.AppleVolumes before reading
- /etc/atalk/AppleVolumes.default (same as -u on
- command line)
- -[no]uservol [Don't] Read the user's volume file
-
- -nlspath <path> Prepend this path to each code page filename in volume
- options (default: /etc/atalk/nls).
-
-Miscellaneous:
- -guestname "user" Specifies the user name for the guest login
- (default "nobody", same as -g on command line)
- -loginmesg "Message" Client will display "Message" upon logging in
- (no default, same as -l "Message" on
- command-line)
- -nodebug Switch off debugging
- -client_polling Disable server notifications. This forces the
- clients to poll every 10 seconds for directory updates. Note,
- currently this is the only way to get asynchronous updates.
- -ticklevel <number> Specify the tickle timeout interval (in seconds)
- -timeout <number> Specify the number of tickles to miss before tearing
- down a client connection
- -icon Use the platform-specific icon.
-
-An example:
-"Lance" -transall -uamlist uams_dhx.so -nosavepassword -setpassword
-"Lance" is the server name, I enable both TCP and DDP, all logins via DHX
-(requires AppleShare Client 3.8.6), the users cannot save the password
-with keychains and it allows the users to set their passwords.
-
-With no afpd.conf the default is:
-
-- -transall -uamlist uams_guest.so,uams_clrtxt.so,uams_dhx.so
--nosavepassword
-
-No server name, allow afp over tcp and afp over AppleTalk , allow
-guest access, logins in clear text and DHX, don't allow the user to
-save the password.
-
-Try man afpd and man afpd.conf for further details.
-
-
-2. /usr/local/etc/atalkd.conf
-=============================
-
-The AppleTalk protocol is configured in atalkd.conf. For detailed
-information please reference
-
-http://www.neon.com/atalk_routing.html and
-http://www-commeng.cso.uiuc.edu/docs/appletalk/
-
-The whole point of setting up atalkd is to allow AppleTalk routing to
-the localhost as a file and print server. The atalkd.conf file sets up
-the AppleTalk routing by assigning AppleTalk zone (or zones)
-information to the networks it is attached to.
-
-Within AppleTalk there are three different types of routers: seed,
-nonseed and soft seed.
-
-Seed publishes the network and zone information to the network. In the
-case of a conflict, this router takes precedence. Nonseed acts as a
-forwarder in that all network and zone information for its network
-segment is pulled from an upstream router. A soft seed router is
-configured like a seed router, but will defer and use upstream seeded
-zone information if there is a conflict.
-
-Netatalk has the option to behave like a nonseed router or a soft seed
-router. Netatalk will defer to an upstream seed if there is a
-conflict. Any missing configurations will be filled from the network.
-
-Appletalk phases are of two types. The unused, unsupported, obsolete
-phase 1, or the new useful phase 2.
-
-Phase 1 was Apple's original protocol for Appletalk over LocalTalk. It
-treated an entire network segment as one AppleTalk network capable of
-holding 254 nodes. Don't use this unless you are directly connected to a
-LocalTalk network (unlikely these days).
-
-Phase 2 is the new version. It allows a configurable network range
-between the numbers 1 and 65279, each network capable of hosting 253
-nodes for a total of 16,515,587 AppleTalk interfaces. That's a lot
-of iMacs. :-)
-
-Within an AppleTalk network addressing is a Network:Node:Socket
-triplet. The socket number is generally dropped because nothing uses the
-information.
-
-Using ethernet and phase 2 the network number can be singular, '1' or
-a range, '1-20'. Node assignment is the responsibility of the clients so
-you don't have to worry about it. The range of 65280-65534 is called
-the startup range and is used by the Mac when it is on a network
-without any routers, you probably shouldn't publish a network within
-this range. If you're publishing to a LocalTalk network segment
-(Hello? Welcome to Y2K. :) your maximum network range is _one_
-network.
-
-Zones must be less then 32 characters long.
-
-Format of lines in this file:
- interface [ -seed ] [ -router | -dontroute ]
- [ -phase { 1 | 2 } ] [ -addr net.node ]
- [ -net first[-last] ] [ -zone ZoneName ] ...
-
- interface: the interface that is publishing the appletalk server. eth0
-
- -seed - requires two interfaces. The router is acting as a
- bridge between the two networks. A soft seed router.
-
- -router - only requires one interface.
-
- -dontroute - don't publish routing information
-
- -addr this machines network.node address.
-
-Examples:
-
-eth0
- - Appletalk network is off eth0, no routing information
-published, get it all off the network.
-
-eth0 -router -phase 2 -addr 100.10 -net 100-110 -zone "Upstairs"
-- Appletalk network is off eth0, this server is not a bridge, it
-publishes zone information for Networks 100-110. The servers appletalk
-node address is node 10 of network 100. This zone is called Upstairs.
-
-eth0 -phase 2
-eth1 -seed -phase 2 -addr 100.10 -net 100-110 -zone "Upstairs"
-- This allows routing between the appletalk networks on eth0 and eth1,
-for eth1 this server acts as a soft seed router of a phase 2 network
-segment of 100-110 where this machine is 100.10
-
-Try man atalkd and man atalkd.conf for further details.
-
-
-3. /usr/local/etc/netatalk.conf
-===============================
-
-Set the options as appropriate:
-
-AFPD_MAX_CLIENTS - Maximum number of concurrent clients.
-
-ATALK_ZONE - Name of the zone. Should match the zone in afpd.conf, or use @zone.
-
-ATALK_NAME - Name of the netatalk server.
-
-AFPD_UAMLIST - List of uams available to the clients. Should match
-list in afpd.conf "-U uam1, uam2"
-
-AFPD_GUEST - If guest access is enabled, the id of the afpd process
-for the guest client.
-
-ATALKD_RUN, PAPD_RUN, AFPD_RUN - Run these daemons, 'yes/no'.
-
-
-4. /usr/local/etc/papd.conf for the Printer Access Protocol (PAP) daemon.
-===========================
-
-See the config/papd.conf file for some examples.
-A configuration file that works under Solaris 8 is:
-MacLaserJet:\
- :pr=|/usr/bin/lp -d fred:\
- :op=nobody:\
- :pd=/usr/local/etc/HPLJ46_1.PPD:
-
-where
- MacLaserJet is some name you have chosen by which Macintoshes will
- refer to the printer. This is the name that appears in the Chooser.
- pr gives the printer name on the Unix system ('fred' in this example).
- On some operating systems you can just specify something like :pr=fred:
- while on others (including Solaris) it is necessary to pipe the print
- command into lp or lpr as shown above.
- op gives the operator name for LPD spooling
- pd gives the pathname to the PostScript Printer Description (PPD) file.
- PPD files are available from Adobe Inc, via anonymous ftp
- (ftp://ftp.adobe.com//pub/adobe/printerdrivers/mac/all/ppdfiles
- or //pub/adobe/printerdrivers/win/all/ppdfiles)
- or http://download.sourceforge.net/lpr/hp-ppd-0.2.tar.gz
- or from the printer's manufacturer.
-
-Try man papd and man papd.conf for further options.
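Review bot: this hunk deletes the only place that spells out the default `-uamlist` (`uams_guest.so,uams_clrtxt.so,uams_dhx.so`, i.e. guest and clear-text logins enabled out of the box) together with the hardening knobs around it (`-nosavepassword`, `-loginmaxfail`, `-admingroup`, and the `-proxy` note that `-uamlist ""` is needed to stop DDP connections); the commit should say where that guidance moves (man afpd.conf or a new doc) rather than drop it. If the text is relocated, also reconcile the paths while moving it: the header says the files live under `/usr/local/etc`, but the option defaults in the same section cite `/etc/atalk/uams`, `/etc/atalk/AppleVolumes.default` and `/etc/atalk/afppasswd`, and the `papd.conf` heading underline is shorter than its title.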
+++ /dev/null
-Basic Installation
-==================
-
-Netatalk is known to run on these operating systems:
-
- OS Versions Hardware Notes
- -- -------- -------- -----
- Solaris 2.5-8 Sparc
- Linux 1.3.x,2.x PC
- FreeBSD 2.2-current PC after 12 Sept 96
- NetBSD 1.3 PC
- OpenBSD 2.2 PC
- SunOS 4.1+ Sparc kernel must have VDDRV
- option installed
- Ultrix 4.[1-4] 3100,5000
- Tru64 4.0 Alpha afpd only
-
-See README.platforms for more information.
-
-Quickly:
-$> ./configure [options]
-$> make
-$> make install
-
-
-----------------------------------------------------------------
-0. Get the source
-
-A. Download a binary. Several Linux distributions support netatalk
-with a package. There are also Deb's and RPM packages available on the
-the Netatalk Sourceforge
-site. (http://sourceforge.net/projects/netatalk/)
-
-B. Download the tarball. There are tar.gz and tar.bz2 files available
-for download and compiling.
-(http://sourceforge.net/projects/netatalk/)
-
-C. Anonymous CVS. Downloading of the CVS source can be done quickly
-and easily.
-
-1. make sure you have cvs installed.
-$> which cvs
-should produce a path to cvs.
-
-2. if you don't have one make a source directory. Mine is
-~lance/src/working/ cd to this directory.
-
-3. Authenticate yourself with your local cvs and the remote cvs: (all
-one line)
-
-cvs \
--d:pserver:anonymous@cvs.netatalk.sourceforge.net:/cvsroot/netatalk \
-login
-
-Just hit enter for the password for the anonymous user.
-
-4. Now that both machines know who you are, get the source: (all one
-line)
-
-cvs -z3 \
--d:pserver:anonymous@cvs.netatalk.sourceforge.net:/cvsroot/netatalk \
-co netatalk
-
-This tells cvs what compression, (-z3) what protocol, repository and
-where the source is (-d:protocol:host:path) what to do (co is an alias
-for checkout) and what (netatalk) module.
-
-This will create a netatalk directory and download a complete and
-fresh copy of the netatalk source
-
-
-----------------------------------------------------------------
-
-1. ./autogen.sh (Not necessary for a release tarball.)
-This shell script runs libtoolize, aclocal, autoheader, automake and
-autoconf. This sets up all the conditions for the next step. You may
-or may not have to do this. If you downloaded a release tarball, or if
-your download contains a ./configure file then this has already been
-run for you.
-
-----------------------------------------------------------------
-
-2. ./configure
-This step reads the options to the ./configure program and checks your
-system against the requirements of those options. It generally fails
-if your system doesn't meet the requirements. You should read the
-DEVELOPER file because some of these options require external sources
-to function correctly. (PAM, OpenSSL, Berkeley DB, TCP Wrappers, etc).
-
-Netatalk options to the ./configure script: Use ./configure --help for
-a complete list.
-
---disable-admin-group: disable admin group (default on),
-
---disable-ddp: disable DDP support (AppleTalk),
-
---enable-debug: enable debugging messages in syslog,
-
---enable-dropkludge: enable the experimental dropbox fix
- (INSECURE!),
-
---with-bdb=PATH: specify path to Berkeley DB installation,
-
---with-did=[scheme]: set DID scheme (cnid,last),
- CNID is a new scheme using Berkeley DB files to store a
- per-volume cnid database persistently.
-
- The last DID scheme recreates version 37b behaviour where
- directory id's are incrementally calculated versus the new
- hash method. Unfortunately for machines that have a lot of
- devices, and/or a lot of inodes the hash can fail with
- multiple directories resolving to the same DID.
-
---with-message-dir=path: path to message files [default is DISABLED],
-
---enable-srvloc: Turn on Server Location Protocol support,
-
---with-pam: enable pluggable authentication modules support,
- PAM provides a flexible mechanism for authenticating
- users. PAM was invented by SUN Microsystems.
-
- Linux-PAM is a suite of shared libraries that enable the local
- system administrator to choose how applications authenticate users.
- You can get the Linux PAM documentation and sources from
- http://www.kernel.org/pub/linux/libs/pam/
-
---with-shadow: enable shadow password support,
-
---disable-shell-check: disable checking for a valid shell,
-
---with-flock-locks: enable flock locks support,
-
---with-tcp-wrappers: enable TCP wrappers support.
- Wietse Venema's network logger, also known as TCPD or
- LOG_TCP. These programs log the client host name of incoming
- telnet, ftp, rsh, rlogin, finger etc. requests. Security
- options are: access control per host, domain and/or service;
- detection of host name spoofing or host address spoofing;
- booby traps to implement an early-warning system. TCP
- Wrappers can be gotten at
- ftp://ftp.porcupine.org/pub/security/
-
---with-ssl-dirs=[PATH]: specify path to OpenSSL installation.
- NOTE: This is dependent on the same directory layout as the
- source distribution of Openssl. That is: ./include/ and
- ./lib/ to be on the same level. Many .rpm formats do not
- have their files laid out in this format.
- The OpenSSL Project is a collaborative effort to develop a
- robust, commercial-grade, full-featured, and Open Source
- toolkit implementing the Secure Sockets Layer (SSL v2/v3)
- and Transport Layer Security (TLS v1) protocols as well as a
- full-strength general purpose cryptography library.
- This is required to enable DHX login support, which
- will encrypt all of the passwords being sent across the
- connection. (Some old mac clients don't support this, check
- the FAQ for the section on AppleShare clients.)
- Check to see if your unix has OpenSSL already, or
- get everything at http://www.openssl.org/
-
---with-uams-path=path: path to UAMs [default=PKGCONF/uams]
-
---enable-fhs: use Filesystem Hierarchy Standard (FHS) compatibility
-
---with-ssl-dir=PATH: specify path to openssl installation (must contain
- lib and include dirs)
-
---enable-pgp-uam: enable build of PGP UAM module
-
---enable-krb4-uam: enable build of Kerberos v4 UAM module
-
---enable-overwrite: Overwrite configuration files in PKGCONFDIR
-
-----------------------------------------------------------------
-
-3. make
-
-Compile all of the programs.
-Note: GNU make is required to build netatalk.
-
-----------------------------------------------------------------
-
-4. make install Install the programs, scripts and man pages in the
-places specified by the ./configure process.
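Review bot: the removed INSTALL text is the only record that `--enable-dropkludge` is marked `(INSECURE!)` and that `--with-ssl-dirs` is what enables DHX so passwords are not sent in the clear; whatever replaces this file should carry both caveats. The same block lists the OpenSSL option twice under different names, `--with-ssl-dirs=[PATH]` and `--with-ssl-dir=PATH`, with different directory-layout requirements, so the replacement should settle on the flag `configure --help` actually accepts and state the layout once. Please also name the destination of the supported-platform table and the CVS checkout steps in the commit message, since the diff gives no pointer.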
+++ /dev/null
-Netatalk and AFP 3.x
-
-It's alpha work, don't use it on a production box or on an existing volume,
-it will trash filenames.
-Filenames convention is subject to change.
-
-AFP 3.0 and AFP 3.1 are OSX extensions to AFP Apple protocol.
-
-New features:
-------------
-- UTF8 name
-- support for files > 2 GBytes
-
-Requirements
-------------
-- I think glibc2.2 or >
-- a kernel with large files support.
-
-Compilation
------------
-configure --enable-afp3
-
-if you have an error about AC_SYS_LARGEFILE you need to upgrade yours
-autoconf/automake tools.
-
-UAMS
-----
-uams_guest.so
-uams_pam.so uams_passwd.so (clear text login)
-uams_dhx_pam.so uams_dhx_passwd.so
-
-Configuration
--------------
-afpd.conf
-use only uams above with -uamlist
-
-For volumes
-add options:utf8, don't use it with codepage: but you can use mswindows
-
-UTF8 strings
-------------
--Only Mac roman to UTF8 for pre OSX
--255 bytes max.
-
--Decompose/precompose issue
-OS X uses the decomposed form:
- latin small letter a with grave is 0x65 0x301
-
-iconv from Mac to UTF8 and by default NT and Linux keyboards use precomposed form:
- latin small letter a with grave is 0xe0
-
-Filenames are saved in precomposed form and are decomposed for OSX
-
-- It doesn't convert existing volumes to UTF8
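Review bot: if the AFP 3.x notes are being retired rather than moved, make sure the "don't use it on a production box or on an existing volume, it will trash filenames" warning and the "use only uams above with -uamlist" restriction (guest, pam/passwd clear text, dhx_pam/dhx_passwd) survive in the replacement, since nothing else in this diff states them. If the text is being moved, the UTF-8 example is wrong as written: `0x65 0x301` is an `e` followed by a combining acute accent, whereas latin small letter a with grave (precomposed `0xe0`) decomposes to `0x61 0x300`; correct it in the new location instead of carrying the typo over.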
+++ /dev/null
-Veto Options Patch for Netatalk
-===============================
-
- The patch at the below address adds a function similar to Samba's
-"veto files" option to Netatalk. It is not derived from Samba is anyway
-so GPL'ing Netatalk wasn't a factor. :-)
-
-http://ariel.ucs.unimelb.edu.au/~epl/netatalk/veto/netatalk-veto.diff
-
- For those people who do not use Samba, it allows the server to hide
-files which the user could otherwise access. Hopefully, if this patch
-works, clients will not be able to see any veto'ed files/directories.
-Nor will they be able to create, rename or move files/directories
-matching the veto'ed filespecs (on the Unix side).
-
- For example, if you use Samba and Netatalk, you would commonly have
-the following line in Samba's configuration files. That line hides the
-files on the filesystem which Netatalk/Mac client creates, but the
-Mac-user never sees. By hiding it, users cannot fiddle with these
-directories and nor will they confuse themselves by files appear in
-Windows which doesn't appear under Macs.
-
-veto files = /.AppleDouble/.AppleDesktop/Network Trash Folder/TheVolumeSettingsFolder/
-
- Likewise, Windows often create some "special" files which you may
-wish to hide from mac users. Hence, the following line might be useful.
-
-veto:recycled/desktop.ini/Folder.htt/Folder Settings/
-
- The option as implemented is case sensitive, so YMMV.
-
-Limitations and other notes
-===========================
-- This patch may have a memory leak as a result of strdup()'ing v_veto,
- but not freeing it anywhere. I'm not sure if this is a practical
- problem, as presumably v_veto should be free()'ed when the user
- disconnects. Upon which the fork()'ed ``afpd'' will die and its
- memory resources reclaimed by the operating system.
-- This patch does not deal with wildcards at all. Once I've worked out
- a good design and algorithm, I might add it. It currently fulfills
- all my requirements. But if there is a demand for wildcard support,
- I'd be happy to spend additional time on this problem. Until then, I
- want to make sure that the rest of the code is correct.
-- In theory, (with the veto option of veto:foobar/) it would be able to
- create a filename named ":66oobar" on the unix side which will then
- appear to the mac client as "foobar". Due to other code in Netatalk
- (not related to this patch), this won't actually work. However, there
- is no fundamental reason why the mac client would not be able to
- read files which seemingly matched the veto filespec (from the mac).
-
-How was the patch made
-======================
-I did things in the following steps.
-1) I added per-volume support for the "veto:string" option to
- ``volume.{c,h}''.
-2) I determined that the veto option was functionally most similar to
- the "validupath()" function. Therefore, after every "validupath()"
- call, I added a "veto_file()".
-3) I placed the "veto_file()" function in the ``etc/afpd/filedir.c''
- source file. It could also be in any of the other files, but I
- figured that filedir.c was the best spot. The "veto_file()" function
- takes the "veto_str" parameter directly from value "string" in point
- 1) above.
-4) Inside "veto_file()", uncomment the DEBUG code if you want.
-
- If you want more information, contact me at <epl@unimelb.edu.au>.
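Review bot: the commit should state whether the veto feature itself (`veto:string` in volume.{c,h} and `veto_file()` in etc/afpd/filedir.c) is removed along with this document. If the code stays, the "Limitations and other notes" section needs a new home: it is what tells administrators that matching is case sensitive, that no wildcards are supported, that `v_veto` is `strdup()`'d and never freed, and that a name like `":66oobar"` on the Unix side can in principle surface as a vetoed name to the client, i.e. veto hides files from the listing but is not an access control. Users of the documented `veto:recycled/desktop.ini/Folder.htt/Folder Settings/` pattern would otherwise have no way to learn those caveats.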