Netatalk Frequently Asked Questions
($Id: FAQ,v 1.14 2010-04-25 13:59:53 hat001 Exp $)

-----------------------------------------------------------------------------

Q1: Where can I get more information on Netatalk?
Q2: What is this I keep seeing about asun?
Q3: How do I get the most recent version of Netatalk?
Q4: Can I get an almost current version of Netatalk without having to learn Git?
Q4a: Is there an RPM, package, or tarball for my platform?
Q5: I'm having massive file deletion problems!
Q6: I am having lots of file locking problems!
Q7: I'm getting this message in my logs:
    WARNING: DID conflict for ... Are these the same file?
Q8: I can't seem to use passwords longer than 8 characters for my netatalk
    accounts. How can I fix that?
Q9: I would like to use encrypted passwords to authenticate to the Netatalk
    server. How do I do that?
Q10: How can I set who has access to certain directories?
Q11: What are the .AppleDouble and .Parent directories which are created in
    the netatalk locations?
Q12: Hidden files - what's up with that?
Q13: I get a "socket: Invalid argument" error when trying to start netatalk
    under Linux. What is causing this?
Q14: Netatalk works over AppleTalk, but my IP connections are refused, even
    though I have enabled them in the configuration files.
Q15: I'm having Quark Express file locking problems, is there information on that?
Q16: I'm getting this error in Quark Express when trying to save a file to
    the server: 'Error Type -50'
Q17: Does netatalk work with Mac OSX?
Q18: I'm getting an 'Application for this document not found' error on OS X.
Q19: I'm getting an 'Error Type -43' error on OS X.
Q20: How do I get the directories that are created by Netatalk to have the
    correct permissions by default?
Q21: What does this error mean:
    'afpd[#####]: setdirmode: chmod .AppleDouble Operation not permitted'
Q22: I'm having problems with the Trash folder: either when someone drags
    files into it, the system wants them to delete them immediately, or files
    get stuck in there and won't delete.
Q23: The daemons aren't starting, things aren't showing up in the Chooser,
    and I get a message like this in the logs: afpd[####]: Can't register
Q24: I want to be able to allow users to change their passwords. How do
    I enable this feature? Every time I try I get an error that it was
    unable to save the password.
Q25: Can I mount a Mac volume on my unix machine?
Q26: Can I run Samba and Netatalk together to access the same files?
Q27: Files I create on my Samba shares are invisible on the mac side.
Q27a: How can I set netatalk to hide some files from the Samba (or
Q28: Files I create on my netatalk shares are invisible on the PC side.
Q28a: How can I set Samba to hide the netatalk specific files (e.g.
Q29: I compiled Samba with the --with-netatalk flag. What did that do?
Q30: What about the differences in naming schemes, and legal/illegal
    characters between Windows, Macs (and unix?)
Q31: Where can I get the cnid-db (Berkeley DB) software? (needed for
Q32: What about security in Netatalk?

-----------------------------------------------------------------------------

Q1: Where can I get more information on Netatalk?

A: Netatalk's home page can be found at:

http://netatalk.sourceforge.net/

Netatalk is maintained at SourceForge. The Netatalk project page on
SourceForge is located at:

http://sourceforge.net/projects/netatalk/

There are (at least) three very active e-mail lists to which you can
subscribe. The first, netatalk-admins, is for usage and setup/compile
questions. Subscription information as well as an archive are available at:

http://lists.sourceforge.net/lists/listinfo/netatalk-admins

This list can be very high volume, but usually sees a few messages a day.

The netatalk-devel list is more specific to coding and testing. The archive
and more information can be found at:

http://lists.sourceforge.net/lists/listinfo/netatalk-devel

This list varies in volume, but is usually moderately active.

Netatalk-docs is specific to documentation. For more information see:

http://lists.sourceforge.net/mailman/listinfo/netatalk-docs

There are other netatalk information sites. Some of these are no
longer actively updated, some are site-specific, but still have

http://www.anders.com/projects/netatalk/
http://www.faredge.com.au/netatalk/index.html

Q2: What is this I keep seeing about asun?

A: Before Netatalk moved to SourceForge, Adrian Sun (asun) had written
some patches to Netatalk which helped significantly with its usability,
especially using AppleShare IP. These patches are still provided by many
Unix vendors. All of these patches are included in the current SourceForge

Q3: How do I get the most recent version of Netatalk?

A: Via Git from SourceForge.net. This is the actively maintained version
of Netatalk; changes are being made constantly, and therefore it is not
suitable for production environments. The netatalk at SourceForge is in
Beta, so keep that in mind.

Downloading the Git repository can be done quickly and easily.

Make sure you have Git installed. "which git" should produce a path to git.

If you don't have one, make a source directory. cd to this directory.

$> mkdir /path/to/new/source/dir
$> cd /path/to/new/source/dir

$> git clone git://netatalk.git.sourceforge.net/gitroot/netatalk/netatalk
Initialized empty Git repository in /path/to/new/source/dir/netatalk/.git/
remote: Counting objects: 2503, done.

This will create a local directory called "netatalk" containing a complete
and fresh copy of the whole Netatalk source from the Git repository.

In order to keep your repository copy updated, occasionally run:

Now cd to the netatalk directory and run ./bootstrap. This will create the
configure script required in the next step.

Q4: Can I get an almost current version of Netatalk without having to learn Git?

A: Yes. Snapshots of the Git tree should be posted for the benefit of
those that don't want to / can't use Git. They are available at:

http://netatalk.git.sourceforge.net/git/gitweb-index.cgi

You should be able to treat these images as you would a release. Just
configure as you normally would, then run make (or gmake as the case may
be). There is no need to run ./bootstrap on these images.

Q4a: Is there an RPM, package, or tarball for my platform?

A: Perhaps. These vary in how often they're updated:

port: /usr/ports/net/netatalk - maintained by Joe Clark

included in the distribution

port: /usr/ports/net/netatalk/ - not actively maintained

included in all current distributions

included in the distribution

Q5: I'm having massive file deletion problems!

Q6: I am having lots of file locking problems!

Q7: I'm getting this message in my logs:
    WARNING: DID conflict for ... Are these the same file?

A: Compile with the --with-did=last flag set. This activates a different
method of calculating inodes in the software, and will hopefully fix some
of these problems. This code, along with the CNID code, was still being
worked out in Pre7. The cnid/bdb flags also go along with this:

--with-bdb=PATH         specify path to Berkeley DB installation
--with-did=[scheme]     set DID scheme (cnid,last)

(For more information on CNID, see the README.cnid file.)

--with-did=last reverted things back to the old 1.4b2 directory ID
calculation algorithm. This also solved the problem of the syslog
messages and the users complaining of file deletions. It's also been
found that by disabling *BSD's SOFTUPDATES feature on Netatalk volumes (on
FreeBSD), multi-user interaction seemed to work better. This was back in
a late 4.2-BETA, so it's not clear if this still holds true in 4.4-RELEASE

Q8: I can't seem to use passwords longer than 8 characters for my Netatalk
    accounts. How can I fix that?

Q9: I would like to use encrypted passwords to authenticate to the Netatalk
    server. How do I do that?

A: Update to a newer version of AppleShare Client (I think the most
recent is 3.8.8). This allows longer passwords, and will allow you to
use encrypted passwords. Set which way you would like to authenticate
in either afpd.conf or netatalk.conf, depending on your setup.

For more information on the AppleShare Client from Apple, and which clients
are needed for which MacOS, see

http://til.info.apple.com/techinfo.nsf/artnum/n60792?OpenDocument&software

(this site requires cookies, and a registration and sign-in).

Q10: How can I set who has access to certain directories?

A: You can certainly do this with your Unix permissions, but also explore the
allow/deny/rwlist/rolist options in the AppleVolumes.default file:

# allow/deny/rwlist/rolist format [syntax: allow:user1,@group]:
# user1,@group,user2 -> allows/denies access from listed users/groups
# rwlist/rolist control whether or not the
# volume is ro for those users.

Also, some unices, especially FreeBSD, have other options:

"What about file and directory permissions? Since I didn't use the FORCE
UID/GID code, I decided to use a feature of FreeBSD called SUIDDIR. From
the LINT kernel config file:

# If you are running a machine just as a fileserver for PC and MAC
# users, using SAMBA or Netatalk, you may consider setting this option
# and keeping all those users' directories on a filesystem that is
# mounted with the suiddir option. This gives new files the same
# ownership as the directory (similar to group). It's a security hole
# if you let these users run programs, so confine it to file-servers
# (but it'll save you lots of headaches in those cases). Root owned
# directories are exempt and X bits are cleared. The suid bit must be
# set on the directory as well; see chmod(1) PC owners can't see/set
# ownerships so they keep getting their toes trodden on. This saves
# you all the support calls as the filesystem it's used on will act as
# they expect: "It's my dir so it must be my file".

And the associated mount command:

mount -o suiddir /dev/da2s1e /macvol/artfiles

This was used on my dedicated Netatalk/Samba filesystems. On
filesystems that were also used for interactive shell access, I chmod'd
my Netatalk shares 2770. The reason for this is that I set up a UNIX
group for each department in the ad agency. I had an art group, a media
group, an accounting group, and then, of course, a general staff group.
Each share was only allowed access by the group that needed to access
the share. So, the Artfiles share allowed access only to the art group:

/macvol/artfiles "Art Files" allow:@art

And the others followed in kind. Therefore, the 2770 mask allowed only
owners and people in the associated group access to read and write
files. The leading 2 set the setgid bit so that all child files and
directories would retain the same group permissions. I found this to

Q11: What are the .AppleDouble and .Parent directories which are created in
    the Netatalk locations?

A: See the README.veto file in this directory.

The .AppleDouble folders hold the resource fork information for the Mac
files, plus other attributes which are not normally stored by Unix. For
this reason, when you want to move files around in your Mac volumes, it's
a good idea to do it from the Mac side (as opposed to from the Unix side,
or Samba), unless you make absolutely sure you get the .AppleDouble
directories. These directories are often hidden from the Samba side, via
the veto files configuration.

You can also set Netatalk to not create an .AppleDouble directory unless
it absolutely needs it, by setting the noadouble setting in
AppleVolumes.default.

Q12: Hidden files - what's up with that?

A: If you set the noadouble flag in AppleVolumes.default, you won't see
the .Apple* or .Parent directories on the Mac side. If you use the veto
files option in Samba, they may be hidden from the Windows side as well.
(More information in the Samba section, and in the README.veto file in

Q13: I get a "socket: Invalid argument" error when trying to start Netatalk
    under Linux. What is causing this?

A: The "appletalk" and "ipddp" kernel modules have to be installed under
Linux for Netatalk to function. The appletalk module can be automatically
loaded by adding the line "alias net-pf-5 appletalk" to the
/etc/modules.conf file. Issuing the command "modprobe (module)" will
load the module for the current session.

Q14: Netatalk works over AppleTalk, but my IP connections are refused, even
    though I have enabled them in the configuration files.

A: If tcp_wrappers support is compiled into Netatalk, access has to be
granted in /etc/hosts.allow for Netatalk to successfully accept IP
connections. This can be done by the addition of the line:

afpd: 127. xxx.xxx.xxx. (whatever other subnets)

Q15: I'm having Quark Express file locking problems, is there information on

A: Yes, see the question regarding DID conflicts and the --enable-did= flag.
Also, try using the --flock-locks flag. Enabling this code disabled the
new byte locking feature. With FLOCK locks, the whole file would be locked.
With byte locks, a byte range could be locked without locking the whole

Q16: I'm getting this error in Quark Express when trying to save a file to
    the server: 'Error Type -50'

A: Turn off the document preview feature in Quark.

Q17: Does netatalk work with MacOS X?

A: Yes, but only the most recent versions, and it's still being finalized.
Versions prior to 1.5Pre7 did NOT work with OS X, although some really
early versions did (netatalk 1.4+asun?).

Q18: I'm getting an 'Application for this document not found' error on MacOS X.

Q19: I'm getting an 'Error Type -43' error on MacOS X.

A: Configure with --with-did=last. More info on this flag is given in the
DID conflicts question.

Q20: How do I get the directories that are created by Netatalk to have the
    correct permissions by default?

A: Investigate the setgid bit on your Unix platform. It's a good idea to
set this on your shared directories, and your .AppleDouble directories.
From the mail archives: "Usually directories designated for use with
AppleShare have the setgid (g+s) bit set. It forces inheritance of
permissions. Without it, the .AppleDouble subdirectory can't be created
since the new folder doesn't necessarily have the same write privileges."

Information about the setgid bit can be found in Evi Nemeth's
"Unix System Administration Handbook" (3rd. ed, chap 5.5, pg. 69):

"The bits with octal values 4000 and 2000 are the setuid and setgid bits.
These bits allow programs to access files and processes that would
otherwise be off-limits to the users that run them. [...] When set on a
directory, the setgid bit causes newly created files within the directory
to take on the group membership of the directory rather than the default
group of the user that created the file. This convention makes it easier
to share a directory of files among several users, as long as they all
belong to a common group. Check your system before relying on this
feature, since not all versions of UNIX provide it. [...] This interpretation
of the setgid bit is unrelated to its meaning when set on an executable
file, but there is never any ambiguity as to which meaning is

NOTE: The setuid is usually discussed along with the setgid bit. The
setuid bit is VERY dangerous. If you set it on an executable, and the
executable is owned by root, anyone who runs that executable is root for
the duration of that executable's run, so a clever person can leverage
that into a full-scale compromise. The setgid bit also has other security
implications, so be careful where you set it.

You set it by doing a chmod 2xxx, where xxx are the normal file permissions
(i.e. owner/group/other permissions).

Q21: What does this error mean:
    'afpd[#####]: setdirmode: chmod .AppleDouble Operation not permitted'

A: This can be due to a few things.

1) The setgid bit might not be set on either your directory, or on the
.AppleDouble directory. It has to be set recursively on the .AppleDouble

2) You may not be a member of the group set on the directory you're trying

3) This was a persistent bug in 1.5pre6 for a while; upgrading might help.

Q22: I'm having problems with the Trash folder: either when someone drags
    files into it, the system wants them to delete them immediately, or files
    get stuck in there and won't delete.

A: chmod the Network Trash folder to 2775 (/home/public/Network Trash
Folder for instance).

As of 10/16/01, MacOS X trash didn't work properly with afps volumes.
Apple is working on it.

Q23: The daemons aren't starting, things aren't showing up in the Chooser,
    and I get a message like this in the logs: afpd[####]: Can't register

This is sometimes a result of missing NIC information in the atalkd.conf
file. Put your network interface (something like le0, eth0, fxp0, lo0)
alone on a line in atalkd.conf, and reboot. When atalkd starts, it will
populate the file with a line such as:

le1 -seed -phase 2 -addr 66.6 -net 66-67 -zone "No Parking"

To find your network interface, run

and see which interface has your IP address. Use that one.

Q24: I want to be able to allow users to change their passwords. How do
    I enable this feature? Every time I try I get an error that it was
    unable to save the password.

A: Use -[no]setpassword in afpd.conf. This enables or disables the ability of
clients to change their passwords.

Q25: Can I mount a Mac volume on my Unix machine?

A: Well, maybe. MacOS X obviously might be able to do this with NFS.
Also, there is a program called afpfs which was designed to do this,
but is not actively maintained and has reportedly been highly unstable.
It should be available from:

http://www.panix.com/~dfoster/afpfs/

Q26: Can I run Samba and Netatalk together to access the same files?

A: Sure. Lots of us do. But there are some concerns. Quite often it's
useful, for instance, to hide files of one OS from the other. See
the AppleVolumes.default file in Netatalk, and investigate the veto
files option in Samba. (See the README.veto file.)

Also, when copying and moving files created on the Mac, it's better
to do that from the Mac, rather than from the Unix server or from
Samba. This is because the .AppleDouble folders hold the resource fork
information for the Mac files, plus other attributes which are not
normally stored by Unix.

You can also set Netatalk to not create an .AppleDouble directory unless
it absolutely needs it, by setting the noadouble setting in
AppleVolumes.default.

Q27: Files I create on my Samba shares are invisible on the Mac side.

A: Have you checked the AppleVolumes(.default? .system? I don't remember
which one hides files!) file?

How long are the file names? Names longer than 31 BYTES (not characters)
are not visible on the Mac side. This is because some old MacOS's don't
accept long names, and some Finders crash when they encounter them.
Therefore Netatalk hides long filenames to prevent crashes. If you
prefer Netatalk to truncate the names, use the --with-mangling ./configure
option when compiling Netatalk.

The BYTES distinction is made because there exist doublebyte fonts too,
which limit names to 15 chars.

Q27a: How can I set Netatalk to hide some files created on the Samba

A: AppleVolumes(.system or .default?) allows you to hide certain files.
This might be a good thing to set on, say, .cshrc, ssh keys, and

Q28: Files I create on my Netatalk shares are invisible on the PC side.

Q28a: How can I set Samba to hide the Netatalk specific files (e.g.

A: Check your Samba veto files option in smb.conf. It's often useful
to hide files like .AppleDouble or the network trash folder here.

Does the Mac file have a \ or / in it? Would this cause Samba to

Q29: I compiled Samba with the --with-netatalk flag. What did that do?

A: Nothing. Some code was written (by a Samba developer?), but as of
Fall 2001, Samba doesn't utilize it.

Q30: What about the differences in naming schemes, and legal/illegal
    characters between Windows, Macs, and Unix?

A: Check out the documentation about the 'mswindows' flag in
AppleVolumes.default. For instance, having / or \ or : in a name is
especially bad (as they are path separators on Unix, Windows, and MacOS,
respectively). Educating the end user is important for this problem.

Q31: Where can I get the cnid-db (Berkeley DB) software? (needed for

A: First check to see if your Unix has a port or package. If not,
Berkeley DB is available at:

http://www.sleepycat.com/download.html

Q32: What about security in Netatalk?

A: Most of the security for Netatalk must be derived from the
security of the Unix server on which it runs. Directory permissions,
valid users, firewalls, IP filters, file integrity checkers, etc.
are all part of the equation. That said, it is possible to configure
Netatalk to minimize access, and close potential security holes.

These two flags are especially important:

--with-tcp-wrappers: enable TCP wrappers support.

    Enables Wietse Venema's network logger, also known as tcpd or
    LOG_TCP. These programs log the client host name of incoming
    telnet, ftp, rsh, rlogin, finger etc. requests. Security
    options are: access control per host, domain and/or service;
    detection of host name spoofing or host address spoofing;
    booby traps to implement an early-warning system. TCP
    Wrappers can be gotten at:

    ftp://ftp.porcupine.org/pub/security/

    Note, if you use TCP Wrappers, it would be a good idea to set your
    afpd.conf file to disable DDP, or accept connections only on TCP.
    You can also configure afpd to only run on a certain port, which
    you can then let through your IPFilter.

--with-ssl-dirs=[PATH]: specify path to OpenSSL installation.

    NOTE: This is dependent on the same directory layout as the
    source distribution of OpenSSL. That is: include/ and
    lib/ to be on the same level. Many .rpm formats do not
    have their files laid out in this format.

    The OpenSSL Project is a collaborative effort to develop a
    robust, commercial-grade, full-featured, and Open Source
    toolkit implementing the Secure Sockets Layer (SSL v2/v3)
    and Transport Layer Security (TLS v1) protocols as well as a
    full-strength general purpose cryptography library.
    This is required to enable DHX login support, which
    will encrypt all of the passwords being sent across the
    connection. (Some old Mac clients don't support this, check
    this FAQ for the section on AppleShare clients.)
    Check to see if your Unix has OpenSSL already, or

    http://www.openssl.org/

--with-libgcrypt-dir=[PATH]: specify path to Libgcrypt installation.

    NOTE: This is dependent on the same directory layout as the
    source distribution of Libgcrypt. That is: include/ and
    lib/ to be on the same level.

    This is required to enable DHX2 login support, which
    will encrypt all of the passwords being sent across the
    connection. (Some old Mac clients don't support this, check
    this FAQ for the section on AppleShare clients.)
    Check to see if your Unix has Libgcrypt already, or

    http://directory.fsf.org/project/libgcrypt/

Be aware that on the volumes that are shared, some of the
special folders (.AppleDesktop, "Network Trash Folder") get
assigned. A lot of these get created as world-writable (because that's
what the Mac clients are expecting them to be) which is often quite
undesirable from the Unix system administrator's point of view.
Documenting this behavior could be a somewhat daunting task, but

Shares can be set to be read/write only by certain people and groups.
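
The permission points made in Q10, Q20 and the paragraphs above (setgid on shared directories, world-writable special folders, the danger of setuid files) can be checked with a small audit script. This is an added example, not part of the original FAQ or of Netatalk; the function names, the finding labels and the constructed "artfiles" sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Netatalk code): audit the Unix permissions of a shared
# volume. audit_share and its finding labels are hypothetical names.
#
# Findings are printed one per line as "<LABEL> <path>":
#   WORLD_WRITABLE  directory writable by "other"
#   NO_SETGID       directory without the setgid bit, so new files and the
#                   .AppleDouble subdirectory do not inherit the group
#   SETUID_FILE     regular file carrying the setuid bit
audit_share() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "audit_share: $root is not a directory" >&2
        return 2
    fi
    {
        find "$root" -type d -perm -0002   | sed 's/^/WORLD_WRITABLE /'
        find "$root" -type d ! -perm -2000 | sed 's/^/NO_SETGID /'
        find "$root" -type f -perm -4000   | sed 's/^/SETUID_FILE /'
    } | sort
}

# Build a constructed sample volume laid out like the "Art Files" share
# from Q10. Prints the temporary base directory that holds it.
make_sample_volume() {
    base=$(mktemp -d) || return 1
    vol=$base/artfiles
    mkdir -p "$vol/.AppleDouble" "$vol/Network Trash Folder" "$vol/jobs"
    : > "$vol/jobs/helper"
    chmod 2770 "$vol" "$vol/.AppleDouble"     # recommended: setgid, no "other"
    chmod 0777 "$vol/Network Trash Folder"    # world-writable special folder
    chmod 0770 "$vol/jobs"                    # setgid forgotten
    # Clear setgid explicitly in case the temp directory passed it down.
    chmod g-s "$vol/Network Trash Folder" "$vol/jobs"
    chmod 4755 "$vol/jobs/helper"             # setuid file that does not belong
    echo "$base"
}

# Demo run on the constructed tree.
sample=$(make_sample_volume)
audit_share "$sample/artfiles"
rm -rf "$sample"
```

Run it as the account that owns the volume, or as root, so that find can descend into mode 2770 directories.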

The Netatalk code has not been through a major code audit. However,
it's Open Source, so if you want to do said audit, contact the
Netatalk maintainers (which can be done through the SourceForge site).

Has anyone tried to run Netatalk in a chroot jail? If so, please
share your experiences with the mailing lists.