1 Installation and Configuration of Netatalk 1.5
2 Lance Levsen, l.levsen@printwest.com
6 1. Libtool (only needed by developers)
7 Libtool encapsulates the platform specific dependencies for the
8 creation of libraries. It determines if the local platform can support
9 shared libraries or if it only supports static libraries.
11 Documentation: http://www.gnu.org/software/libtool/
12 Program: (see the GNU mirrors) /gnu/libtool/libtool-1.3.5.tar.gz
14 2. GNU m4 (only needed by developers)
15 GNU m4 is an implementation of the Unix macro processor. It reads
16 stdin and copies to stdout expanding defined macros as it processes
19 Documentation: http://www.gnu.org/software/m4/
20 Program: (see the GNU mirrors) /gnu/m4/m4-1.4.tar.gz
23 Autoconf is a package of m4 macros that produce shell scripts to
24 configure source code packages.
26 Documentation: http://www.gnu.org/software/autoconf/
27 Program: (see the GNU mirrors) /gnu/autoconf/autoconf-2.13.tar.gz
30 Automake is a tool that generates 'Makefile.in' files.
32 Documentation: http://www.gnu.org/software/automake/
33 Program: (see the GNU mirrors) /gnu/automake/automake-1.4.tar.gz
38 The OpenSSL Project is a collaborative effort to develop a robust,
39 commercial-grade, full-featured, and Open Source toolkit implementing
40 the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
41 v1) protocols as well as a full-strength general purpose cryptography
43 This is required to enable DHX login support.
45 Get everything at http://www.openssl.org/
48 Wietse Venema's network logger, also known as TCPD or LOG_TCP. These
49 programs log the client host name of incoming telnet, ftp, rsh,
50 rlogin, finger etc. requests. Security options are: access control per
51 host, domain and/or service; detection of host name spoofing or host
52 address spoofing; booby traps to implement an early-warning system.
54 TCP Wrappers can be gotten at ftp://ftp.porcupine.org/pub/security/
56 7. PAM (Pluggable Authentication Modules for Linux)
57 Linux-PAM provides a flexible mechanism for authenticating
58 users. PAM was invented by SUN Microsystems.
60 Author: Andrew Morgan <morgan@linux.kernel.org>
62 Linux-PAM is a suite of shared libraries that enable the local system
63 administrator to choose how applications authenticate users.
65 You can get the Linux PAM documentation and sources from
66 http://www.kernel.org/pub/linux/libs/pam/
72 1. Read the configure options.
75 This prints a listing of the command line options for configure to
78 --prefix: top level src directory for ./bin, ./etc, ./include, ./lib,
79 ./man, ./sbin, ./share.
81 --disable-admin-group: disable admin group (default on),
83 --disable-ddp: disable DDP support,
85 --enable-dropkludge: enable the experimental dropbox fix (INSECURE!)
87 --with-pam: enable password authentication modules support,
89 --with-shadow: enable shadow password support,
91 --with-tcp-wrappers: enable TCP wrappers support
93 --with-ssl-dirs=[PATH]: specify path to OpenSSL installation.
94 NOTE: This is dependent on the same directory layout as the source
95 distribution of Openssl. That is: ./include/ and ./lib/ to be on the
96 same level. Many .rpm formats do not have their files laid out in this
99 --enable-lastdid: Recreate version 37b behaviour where directory id's
100 are incrementally calculated versus the new hash method. Unfortunately
101 for machines that have a lot of devices, and/or a lot of inodes the
102 hash can fail with multiple directories resolving to the same DID.
104 Enable/Disable the desired options, make, and make install.
106 $>./configure --option1 --option2 ....
107 $> make (as root or sudo)
108 $> make install (as root or sudo)
110 Assuming you haven't changed the install directories, this will
111 install the configutation files in /etc/atalk. The uams in
112 /etc/atalk/uams. The binaries will be in /usr/sbin/.
114 4. Configure Netatalk (See below 'Configuring Netatalk')
115 The default location for the configuration files is /etc/atalk/.
117 5. Setup your rc script so that Netatalk is started on boot.
118 You can find sample initscripts in ./distrib/initscripts/ from the
121 6. If you enabled PAM, then copy the ./config/netatalk PAM file to
122 /etc/pam.d/ or where ever your system puts the PAM configuration
129 Netatalk supplies two different types of Appletalk servers and both
130 can run at the same time. Classic Appletalk requires afpd and
131 atalkd. Appletalk over IP only requires afpd. Classic Appletalk on
132 GNU/LInux requires that CONFIG_ATALK is compiled into the kernel or as
133 a kernel module. To check to see if the kernel has Appletalk
136 $> dmesg | grep Apple
137 This just parses the boot messages for any line containing
140 To see all the loaded modules (as root):
143 If you don't find it, you may have to compile a kernel and turn on
144 Appletalk in Networking options -> Appletalk DDP. You have an option
145 to install as a module or directly into the kernel.
147 Some default distribution kernels have already compiled Appletalk DDP
148 as a module, you may have to edit your /etc/modules.conf to include:
149 "alias net-pf-5 appletalk ".
151 Note: check your distribution documentation about editing
154 For more complete information about the Linux kernel see the
156 http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html
159 1. /etc/atalk/afpd.conf
160 ======================
162 Edit /etc/atalk/afpd.conf as required. Some options:
165 - [options] to specify options for the default server
167 "Server name" [options] to specify an additional server
169 The following options are available:
172 -[no]tcp Make AFP-over-TCP [not] available
173 -[no]ddp Make AFP over AppleTalk [not] available. if you have
174 -proxy specified, specify -uamlist "" to prevent ddp
175 connections from working.
176 -transall Make both available (default)
180 Specifies the IP address the server should
181 respond to (default is the first IP address of the system). This
182 option also allows one machine to advertise TCP/IP for another machine.
183 -server_quantum <number>
184 Specifies the DSI server quantum. The minimum
185 value is 1MB. The max value is 0xFFFFFFFF. If you specify a value that
186 is out of range, you'll get the default value (currently the
188 -admingroup <groupname>
189 Specifies the group of administrators who should all
190 be seen as the superuser when they log in. Default
192 -ddpaddr x.y Specifies the DDP address of the server. the default
193 is to auto-assign an address (0.0). this is only
194 useful if you're running on a multihomed host.
195 -port <number> Specifies the TCP port the server should
196 respond to (default is 548)
197 -fqdn <name:port> Specify a fully-qualified domain name
198 (+optional port). this gets discarded if the
199 server can't resolve it. this is not honored
200 by appleshare clients <= 3.8.3 (default: none)
201 -proxy Run an AppleTalk proxy server for specified AFP/TCP
202 server (if address/port aren't given, then first IP
203 address of the system/548 will be used). if you don't
204 want the proxy server to act as a ddp server as well,
205 set -uamlist to an empty string.
207 Authentication Methods:
208 -uampath <path> Use this path to look for User Authentication
209 Modules. (default: /etc/atalk/uams)
210 -uamlist <a,b,c> Comma-separated list of UAMs. (default:
211 uams_guest.so,uams_clrtxt.so,uams_dhx.so)
214 uams_guest.so: Allow guest logins
216 uams_clrtxt.so: (uams_pam.so or uams_passwd.so)
217 Allow logins with passwords transmitted in the clear.
219 uams_randnum.so: Allow Random Number and Two-Way Random Number
220 exchange for authentication.
222 uams_dhx.so: (uams_dhx_pam.so or uams_dhx_passwd.so)
223 Allow Diffie-Hellman eXchange (DHX) for authentication.
226 -[no]savepassword [Don't] Allow clients to save password locally
227 -passwdfile <path> Use this path to store Randnum
228 passwords. (default: ~/.passwd. the only other
229 useful value is /etc/atalk/afppasswd.)
230 -passwdminlen <#> Minimum password length. may be ignored.
231 -[no]setpassword [Don't] Allow clients to change their passwords.
232 -loginmaxfail <#> Maximum number of failed logins. this may be
233 ignored if the uam can't handle it.
236 -defaultvol <path> Specifies path to AppleVolumes.default file
237 (default /etc/atalk/AppleVolumes.default, same
238 as -f on command line)
239 -systemvol <path> Specifies path to AppleVolumes.system file
240 (default /etc/atalk/AppleVolumes.system, same
241 as -s on command line)
242 -[no]uservolfirst [Don't] read the user's ~/AppleVolumes or
243 ~/.AppleVolumes before reading
244 /etc/atalk/AppleVolumes.default (same as -u on
246 -[no]uservol [Don't] Read the user's volume file
248 -nlspath <path> Prepend this path to each code page filename in volume
249 options (default: /etc/atalk/nls).
252 -guestname "user" Specifies the user name for the guest login
253 (default "nobody", same as -g on command line)
254 -loginmesg "Message" Client will display "Message" upon logging in
255 (no default, same as -l "Message" on
257 -nodebug Switch off debugging
258 -tickleval <number> Specify the tickle timeout interval (in seconds)
259 -icon Use the platform-specific icon.
262 "Lance" -transall -uamlist uams_dhx.so -nosavepassword -setpassword
263 "Lance" is the server name, I enable both TCP and DDP,
264 all logins via DHX (requires AppleShare 3.8.6), the users cannot save
265 the password with keychains and it allows the users to set their
268 With no afpd.conf the default is:
270 - -transall -uamlist uams_guest.so,uams_clrtxt.so,uams_dhx.so
273 No server name, allow afp over tcp and afp over AppleTalk , allow
274 guest access, logins in clear text and DHX, don't allow the user to
277 2. /etc/atalk/atalkd.conf
278 =========================
280 Classic Appletalk is configured in atalkd.conf. For detailed
281 information please reference
283 http://www.neon.com/atalk_routing.html and
284 http://www-commeng.cso.uiuc.edu/docs/appletalk/
286 The whole point of seting up atalkd is to allow appletalk routing to
287 the localhost as a file and print server. The atalkd.conf file sets up
288 the appletalk routing by assigning Appletalk zone (or zones)
289 information to the networks it is attached to.
291 Within appletalk there are three different types of routers: seed,
292 nonseed and soft seed.
294 Seed publishes the network and zone information to the network. In the
295 case of a conflict, this router takes precedence. Nonseed acts as a
296 forwarder in that all network and zone information for it's network
297 segment is pulled from an upstream router. A soft seed router is
298 configured like a seed router, but will defer and use upstream seeded
299 zone information if there is a conflict.
301 Netatalk has the option to behave like a nonseed router or a soft seed
302 router. Netatalk will defer to an upstream seed if there is a
303 conflict. Any missing configurations will be filled from the network.
305 Appletalk phases are of two types. The unused, unsupported, obsolete
306 phase 1, or the new useful phase 2.
308 Phase 1 was Apples original protocol for Appletalk over Ethernet. It
309 treated an entire network segment as one appletalk network capable of
310 holding 254 nodes. Don't use this.
312 Phase 2 is the new version. It allows a configurable network range
313 between the numbers 1 and 65279, each network capable of hosting 253
314 nodes for a total of 16,515,587 Appletalk interfaces. That's a lot
317 Within an Appletalk network addressing is a Network:Node:Socket
318 triplet. The socket number is general dropped because nothing uses the
321 Using ethernet and phase 2 the network number can be singular, '1' or
322 a range, '1-20'. Node assignment is the responsibility of the clients so
323 you don't have to worry about it. The range of 65280-65534 is called
324 the startup range and is used by the Mac when it is on a network
325 without any routers, you probably shouldn't publish a network withing
326 this range. If you're publishing to a LocalTalk network segment
327 (Hello? Welcome to Y2K. :) your maximum network range is _one_
330 Zone's must be less then 32 characters long.
332 Format of lines in this file:
333 interface [ -seed ] [ -router | -dontroute ]
334 [ -phase { 1 | 2 } ] [ -addr net.node ]
335 [ -net first[-last] ] [ -zone ZoneName ] ...
337 interface: the interface that is publishing the appletalk server. eth0
339 -seed - requires two interfaces. The router is acting as a
340 bridge between the two networks. A soft seed router.
342 -router - only requires one interface.
344 -dontroute - don't publish routing information
346 -addr this machines network.node address.
351 - Appletalk network is off eth0, no routing information
352 published, get it all off the network.
354 eth0 -router -phase 2 -addr 100.10 -net 100-110 -zone "Upstairs"
355 - Appletalk network is off eth0, this server is not a bridge, it
356 publishes zone information for Networks 100-110. The servers appletalk
357 node address is node 10 of network 100. This zone is called Upstairs.
360 eth1 -seed -phase 2 -addr 100.10 -net 100-110 -zone "Upstairs"
361 - This allows routing between the appletalk networks on eth0 and eth1,
362 for eth1 this server acts as a soft seed router of a phase 2 network
363 segment of 100-110 where this machine is 100.10
365 3. /etc/atalk/netatalk.conf
366 ===========================
368 Set the options as appropriate:
370 AFPD_MAX_CLIENTS - Maximum number of concurrent clients.
372 ATALK_ZONE - Name of the zone. Should match the zone in afpd.conf, or use @zone.
374 ATALK_NAME - Name of the netatalk server.
376 AFPD_UAMLIST - List of uams available to the clients. Should match
377 list in afpd.conf "-U uam1, uam2"
379 AFPD_GUEST - If guest access is enabled, the id of the afpd process
380 for the guest client.
382 ATALKD_RUN, PAPD_RUN, AFPD_RUN - Run these daemons, 'yes/no'.
385 4. /etc/atalk/papd.conf
386 =======================
388 To be written by someone who actully uses the print server. :)