Installation and Configuration of Netatalk 1.5
Lance Levsen, l.levsen@printwest.com

1. Libtool (only needed by developers)
Libtool encapsulates the platform specific dependencies for the
creation of libraries. It determines if the local platform can support
shared libraries or if it only supports static libraries.

Documentation: http://www.gnu.org/software/libtool/
Program: (see the GNU mirrors) /gnu/libtool/libtool-1.3.5.tar.gz

2. GNU m4 (only needed by developers)
GNU m4 is an implementation of the Unix macro processor. It reads
stdin and copies to stdout expanding defined macros as it processes

Documentation: http://www.gnu.org/software/m4/
Program: (see the GNU mirrors) /gnu/m4/m4-1.4.tar.gz

Autoconf is a package of m4 macros that produce shell scripts to
configure source code packages.

Documentation: http://www.gnu.org/software/autoconf/
Program: (see the GNU mirrors) /gnu/autoconf/autoconf-2-13.tar.gz

Automake is a tool that generates 'Makefile.in' files.

Documentation: http://www.gnu.org/software/automake/
Program: (see the GNU mirrors) /gnu/automake/auto-1.4.tar.gz

The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and Open Source toolkit implementing
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
v1) protocols as well as a full-strength general purpose cryptography

This is required to enable DHX login support.

Get everything at http://www.openssl.org/

You can get the Linux PAM documentation and sources from
http://www.kernel.org/pub/linux/libs/pam/

Wietse Venema's network logger, also known as TCPD or LOG_TCP. These
programs log the client host name of incoming telnet, ftp, rsh,
rlogin, finger etc. requests. Security options are: access control per
host, domain and/or service; detection of host name spoofing or host
address spoofing; booby traps to implement an early-warning system.

TCP Wrappers can be gotten at ftp://ftp.porcupine.org/pub/security/

7. PAM (Pluggable Authentication Modules for Linux)
Linux-PAM is a suite of shared libraries that enable the local system
administrator to choose how applications authenticate users.

Information on Linux-PAM can be retrieved from
http://kernel.stuph.org/pub/linux/libs/pam/
1. Read the configure options.

This prints a listing of the command line options for configure to

--disable-admin-group: disable admin group (default on),
--disable-ddp: disable DDP support,
--enable-dropkludge: enable the experimental dropbox fix (INSECURE!)
--with-pam: enable password authentication modules support,
--with-shadow: enable shadow password support,
--with-tcp-wrappers: enable TCP wrappers support
--with-ssl-dirs=[PATH]: specify path to OpenSSL installation.
NOTE: This is dependent on the same directory layout as the source
distribution of OpenSSL. That is: ./include/ and ./lib/ have to be on the
same level. Many .rpm formats do not have their files laid out in this
--enable-lastdid: Recreate version 37b behaviour where directory IDs
are incrementally calculated versus the new hash method. Unfortunately
for machines that have a lot of devices, and/or a lot of inodes, the
hash can fail with multiple directories resolving to the same DID.

Enable/Disable the desired options like this:
$> ./configure --option1 --option2 ....

2. Assuming ./configure worked well,
$> make (as root or sudo)

3. Assuming the program compiled without errors,
$> make install (as root or sudo)

Assuming you haven't changed the install directories, this will
install the configuration files in /etc/atalk, the UAMs in
/etc/atalk/uams and the binaries in /usr/sbin/.

4. Configure Netatalk (see 'Configuring Netatalk' below).
The default location for the configuration files is /etc/atalk/.

5. Set up your rc script so that Netatalk is started on boot.
You can find sample initscripts in ./distrib/initscripts/ from the

6. If you enabled PAM, then copy the ./config/netatalk PAM file to
/etc/pam.d/ or wherever your system puts the PAM configuration
Netatalk supplies two different types of AppleTalk servers and both
can run at the same time. Classic AppleTalk requires afpd and
atalkd. AppleTalk over IP only requires afpd. Classic AppleTalk on
GNU/Linux requires that CONFIG_ATALK is compiled into the kernel or as
a kernel module. To check to see if the kernel has AppleTalk

$> dmesg | grep Apple
This just parses the boot messages for any line containing

To load it as a module:

If you don't find it, you may have to compile a kernel and turn on
AppleTalk in Networking options -> AppleTalk DDP. You have the option
to install it as a module or directly into the kernel.

Some default distribution kernels have already compiled AppleTalk DDP
as a module; in that case you may have to edit your /etc/modules.conf to include:
"alias net-pf-5 appletalk ".

Note: check your distribution documentation about editing

For more complete information about the Linux kernel see the
http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html
1. /etc/atalk/afpd.conf
Edit /etc/atalk/afpd.conf as required. Some options:

  -             [options]   to specify options for the default server
  "Server name" [options]   to specify an additional server

The following options are available:

  -[no]tcp        Make AFP-over-TCP [not] available
  -[no]ddp        Make AFP over AppleTalk [not] available. If you have
                  -proxy specified, specify -uamlist "" to prevent DDP
                  connections from working.
  -transall       Make both available (default)

                  Specifies the IP address the server should
                  respond to (default is the first IP address of the
                  system). This option also allows one machine to
                  advertise TCP/IP for another machine.
  -server_quantum <number>
                  Specifies the DSI server quantum. The minimum
                  value is 1MB. The max value is 0xFFFFFFFF. If you
                  specify a value that is out of range, you'll get the
                  default value (currently the
  -admingroup <groupname>
                  Specifies the group of administrators who should all
                  be seen as the superuser when they log in. Default
  -ddpaddr x.y    Specifies the DDP address of the server. The default
                  is to auto-assign an address (0.0). This is only
                  useful if you're running on a multihomed host.
  -port <number>  Specifies the TCP port the server should
                  respond to (default is 548)
  -fqdn <name:port>
                  Specify a fully-qualified domain name
                  (+optional port). This gets discarded if the
                  server can't resolve it. This is not honored
                  by AppleShare clients <= 3.8.3 (default: none)
  -proxy          Run an AppleTalk proxy server for the specified
                  AFP/TCP server (if address/port aren't given, then
                  the first IP address of the system/548 will be used).
                  If you don't want the proxy server to act as a DDP
                  server as well, set -uamlist to an empty string.
Authentication Methods:
  -uampath <path> Use this path to look for User Authentication
                  Modules. (default: /etc/atalk/uams)
  -uamlist <a,b,c>
                  Comma-separated list of UAMs. (default:
                  uams_guest.so,uams_clrtxt.so,uams_dhx.so)

    uams_guest.so:   Allow guest logins
    uams_clrtxt.so:  (uams_pam.so or uams_passwd.so)
                     Allow logins with passwords transmitted in the clear.
    uams_randnum.so: Allow Random Number and Two-Way Random Number
                     exchange for authentication.
    uams_dhx.so:     (uams_dhx_pam.so or uams_dhx_passwd.so)
                     Allow Diffie-Hellman eXchange (DHX) for authentication.

  -[no]savepassword
                  [Don't] Allow clients to save their password locally
  -passwdfile <path>
                  Use this path to store Randnum
                  passwords. (default: ~/.passwd; the only other
                  useful value is /etc/atalk/afppasswd.)
  -passwdminlen <#>
                  Minimum password length. May be ignored.
  -[no]setpassword
                  [Don't] Allow clients to change their passwords.
  -loginmaxfail <#>
                  Maximum number of failed logins. This may be
                  ignored if the UAM can't handle it.
  -defaultvol <path>
                  Specifies path to AppleVolumes.default file
                  (default /etc/atalk/AppleVolumes.default, same
                  as -f on command line)
  -systemvol <path>
                  Specifies path to AppleVolumes.system file
                  (default /etc/atalk/AppleVolumes.system, same
                  as -s on command line)
  -[no]uservolfirst
                  [Don't] read the user's ~/AppleVolumes or
                  ~/.AppleVolumes before reading
                  /etc/atalk/AppleVolumes.default (same as -u on
  -[no]uservol    [Don't] read the user's volume file
  -nlspath <path> Prepend this path to each code page filename in
                  volume options (default: /etc/atalk/nls).

  -guestname "user"
                  Specifies the user name for the guest login
                  (default "nobody", same as -g on command line)
  -loginmesg "Message"
                  Client will display "Message" upon logging in
                  (no default, same as -l "Message" on
  -nodebug        Switch off debugging
  -tickleval <number>
                  Specify the tickle timeout interval (in seconds)
  -icon           Use the platform-specific icon.

"Lance" -transall -uamlist uams_dhx.so -nosavepassword -setpassword

"Lance" is the server name, I enable both TCP and DDP,
all logins via DHX (requires AppleShare 3.8.6), the users cannot save
the password with keychains and it allows the users to set their

With no afpd.conf the default is:

- -transall -uamlist uams_guest.so,uams_clrtxt.so,uams_dhx.so

No server name, allow AFP over TCP and AFP over AppleTalk, allow
guest access, logins in clear text and DHX, don't allow the user to
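The following script is an added example for this document and is not part of Netatalk. It parses afpd.conf server lines in the format given above ('-' for the default server or a quoted "Server name", followed by afpd options, '#' starting a comment) and flags the settings a reviewer would want to look at before exposing the server: guest logins, UAMs that carry the password in the clear (uams_clrtxt.so and its uams_pam.so / uams_passwd.so backends, per the UAM list above), -savepassword, and a missing -loginmaxfail. The sample configuration embedded in the script is constructed; the behaviour when no afpd.conf exists follows the default line quoted above.

```python
"""Audit afpd.conf server lines for weak authentication settings.

Added example, not part of Netatalk. Assumes the afpd.conf format this
document describes: one server per line, '-' for the default server or a
quoted "Server name", followed by afpd options. '#' starts a comment.
"""
import shlex

# Default line the document gives for the case where no afpd.conf exists.
DEFAULT_LINE = '- -transall -uamlist uams_guest.so,uams_clrtxt.so,uams_dhx.so'

# UAMs that transmit the password in the clear (uams_clrtxt.so and the
# PAM / passwd backends the document lists under it).
CLEARTEXT_UAMS = {'uams_clrtxt.so', 'uams_pam.so', 'uams_passwd.so'}

# Constructed sample afpd.conf (not a real deployment).
SAMPLE_CONF = '''
# constructed sample afpd.conf
"Lance" -transall -uamlist uams_dhx.so -nosavepassword -setpassword -loginmaxfail 5
"Legacy" -tcp -uamlist uams_guest.so,uams_clrtxt.so -savepassword
'''


def parse_afpd_conf(text):
    """Return a list of (server_name, options).

    server_name is None for the '-' default server; options maps the option
    name (without the leading '-') to its argument string, or True for flags.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)          # honours "Server name" and -uamlist ""
        name = None if tokens[0] == '-' else tokens[0]
        opts = {}
        i = 1
        while i < len(tokens):
            tok = tokens[i]
            if not tok.startswith('-'):
                raise ValueError('unexpected token %r in %r' % (tok, raw))
            key = tok[1:]
            # An option takes an argument if the next token is not another option.
            if i + 1 < len(tokens) and not tokens[i + 1].startswith('-'):
                opts[key] = tokens[i + 1]
                i += 2
            else:
                opts[key] = True
                i += 1
        servers.append((name, opts))
    return servers


def audit(servers):
    """Return {server_name: [findings]} for the parsed servers."""
    findings = {}
    for name, opts in servers:
        issues = []
        uamlist = opts.get('uamlist')
        if uamlist is None:
            # No -uamlist: afpd falls back to the document's default list.
            uams = ['uams_guest.so', 'uams_clrtxt.so', 'uams_dhx.so']
        else:
            uams = [u for u in uamlist.split(',') if u]
        if 'uams_guest.so' in uams:
            issues.append('guest logins enabled')
        weak = sorted(set(uams) & CLEARTEXT_UAMS)
        if weak:
            issues.append('cleartext password UAM enabled: ' + ','.join(weak))
        if 'savepassword' in opts:
            issues.append('clients may save passwords locally (-savepassword)')
        if 'loginmaxfail' not in opts:
            issues.append('no -loginmaxfail limit on failed logins')
        findings[name or '(default)'] = issues
    return findings


if __name__ == '__main__':
    for server, issues in audit(parse_afpd_conf(SAMPLE_CONF)).items():
        print('%s: %s' % (server, '; '.join(issues) or 'no findings'))
    print('no afpd.conf:', audit(parse_afpd_conf(DEFAULT_LINE)))
```

Run against a real file with `audit(parse_afpd_conf(open('/etc/atalk/afpd.conf').read()))`. Note that the "Lance" line from the document produces no findings, while the default configuration used when the file is absent is reported for guest access and cleartext logins.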
2. /etc/atalk/atalkd.conf

Classic AppleTalk is configured in atalkd.conf. For detailed
information please reference

http://www.neon.com/atalk_routing.html and
http://www-commeng.cso.uiuc.edu/docs/appletalk/

The whole point of setting up atalkd is to allow AppleTalk routing to
the localhost as a file and print server. The atalkd.conf file sets up
the AppleTalk routing by assigning AppleTalk zone (or zones)
information to the networks it is attached to.

Within AppleTalk there are three different types of routers: seed,
nonseed and soft seed.

Seed publishes the network and zone information to the network. In the
case of a conflict, this router takes precedence. Nonseed acts as a
forwarder in that all network and zone information for its network
segment is pulled from an upstream router. A soft seed router is
configured like a seed router, but will defer and use upstream seeded
zone information if there is a conflict.

Netatalk has the option to behave like a nonseed router or a soft seed
router. Netatalk will defer to an upstream seed if there is a
conflict. Any missing configuration will be filled in from the network.

AppleTalk phases are of two types: the unused, unsupported, obsolete
phase 1, and the new, useful phase 2.

Phase 1 was Apple's original protocol for AppleTalk over Ethernet. It
treated an entire network segment as one AppleTalk network capable of
holding 254 nodes. Don't use this.

Phase 2 is the new version. It allows a configurable network range
between the numbers 1 and 65279, each network capable of hosting 253
nodes for a total of 16,515,587 AppleTalk interfaces. That's a lot

Within an AppleTalk network, addressing is a Network:Node:Socket
triplet. The socket number is generally dropped because nothing uses the

Using Ethernet and phase 2 the network number can be singular, '1', or
a range, 1-20. Node assignment is the responsibility of the clients so
you don't have to worry about it. The range 65280-65534 is called
the startup range and is used by the Mac when it is on a network
without any routers, so you probably shouldn't publish a network within
this range. If you're publishing to a LocalTalk network segment
(Hello? Welcome to Y2K. :) your maximum network range is _one_

Zone names must be less than 32 characters long.

Format of lines in this file:
  interface [ -seed ] [ -router | -dontroute ]
            [ -phase { 1 | 2 } ] [ -addr net.node ]
            [ -net first[-last] ] [ -zone ZoneName ] ...

interface: the interface that is publishing the AppleTalk server (e.g. eth0)

-seed       requires two interfaces. The router is acting as a
            bridge between the two networks. A soft seed router.

-router     only requires one interface.

-dontroute  don't publish routing information

-addr       this machine's network.node address.

- AppleTalk network is off eth0, no routing information
  published, get it all off the network.

eth0 -router -phase 2 -addr 100.10 -net 100-110 -zone "Upstairs"
- AppleTalk network is off eth0, this server is not a bridge, it
  publishes zone information for networks 100-110. The server's AppleTalk
  node address is node 10 of network 100. This zone is called Upstairs.

eth1 -seed -phase 2 -addr 100.10 -net 100-110 -zone "Upstairs"
- This allows routing between the AppleTalk networks on eth0 and eth1;
  for eth1 this server acts as a soft seed router of a phase 2 network
  segment of 100-110 where this machine is 100.10
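The rules above (usable network numbers 1-65279, the 65280-65534 startup range that should not be published, at most 253 nodes per phase 2 network, zone names shorter than 32 characters, phase 1 being obsolete, -seed needing two interfaces) are easy to get wrong by hand, so here is an added example, not part of Netatalk, that checks an atalkd.conf before it is deployed. It assumes the line format documented above; the sample file inside it is constructed, and its second line is deliberately wrong in several ways to show the checks firing.

```python
"""Validate atalkd.conf lines against the addressing rules in this document.

Added example, not part of Netatalk. Line format assumed as documented:
  interface [-seed] [-router|-dontroute] [-phase {1|2}] [-addr net.node]
            [-net first[-last]] [-zone ZoneName] ...
"""
import shlex

NET_MIN, NET_MAX = 1, 65279              # usable phase 2 network numbers
STARTUP_MIN, STARTUP_MAX = 65280, 65534  # startup range, not to be published
NODE_MAX = 253                           # nodes per phase 2 network
ZONE_MAX_LEN = 32                        # zone names must be shorter than this

# Constructed sample; eth1 is intentionally misconfigured.
SAMPLE_CONF = '''
# constructed sample atalkd.conf
eth0 -router -phase 2 -addr 100.10 -net 100-110 -zone "Upstairs"
eth1 -seed -phase 2 -addr 200.10 -net 65270-65290 -zone "A zone name that is far too long to be valid"
'''


def parse_line(line):
    """Parse one atalkd.conf line into a dict, or None for blank/comment lines."""
    tokens = shlex.split(line.split('#', 1)[0])
    if not tokens:
        return None
    entry = {'interface': tokens[0], 'flags': set(), 'zones': []}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ('-seed', '-router', '-dontroute'):
            entry['flags'].add(tok[1:])
            i += 1
        elif tok in ('-phase', '-addr', '-net', '-zone'):
            if i + 1 >= len(tokens):
                raise ValueError('%s needs an argument' % tok)
            val = tokens[i + 1]
            if tok == '-zone':
                entry['zones'].append(val)
            elif tok == '-phase':
                entry['phase'] = int(val)
            elif tok == '-addr':
                net, node = val.split('.')          # net.node
                entry['addr'] = (int(net), int(node))
            else:
                first, _, last = val.partition('-')  # first or first-last
                entry['net'] = (int(first), int(last) if last else int(first))
            i += 2
        else:
            raise ValueError('unknown option %r' % tok)
    return entry


def check_entry(e):
    """Return a list of problems for one parsed interface line."""
    problems = []
    if 'router' in e['flags'] and 'dontroute' in e['flags']:
        problems.append('-router and -dontroute are mutually exclusive')
    if e.get('phase') == 1:
        problems.append('phase 1 is obsolete; use -phase 2')
    if 'net' in e:
        first, last = e['net']
        if first > last:
            problems.append('-net range is reversed')
        if first < NET_MIN or last > NET_MAX:
            problems.append('-net outside usable range %d-%d' % (NET_MIN, NET_MAX))
        if last >= STARTUP_MIN and first <= STARTUP_MAX:
            problems.append('-net overlaps the startup range %d-%d'
                            % (STARTUP_MIN, STARTUP_MAX))
    if 'addr' in e:
        net, node = e['addr']
        if node > NODE_MAX:
            problems.append('node number %d exceeds %d' % (node, NODE_MAX))
        if 'net' in e and not (e['net'][0] <= net <= e['net'][1]):
            problems.append('-addr network %d lies outside the -net range' % net)
    for zone in e['zones']:
        if len(zone) >= ZONE_MAX_LEN:
            problems.append('zone %r is not shorter than %d characters'
                            % (zone, ZONE_MAX_LEN))
    return problems


def check_conf(text):
    """Return [(interface, [problems])] for every interface line in the file."""
    entries = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    report = []
    for e in entries:
        problems = check_entry(e)
        if 'seed' in e['flags'] and len(entries) < 2:
            problems.append('-seed requires two interfaces')
        report.append((e['interface'], problems))
    return report


if __name__ == '__main__':
    for iface, problems in check_conf(SAMPLE_CONF):
        print('%s: %s' % (iface, '; '.join(problems) or 'ok'))
```

For a live file, `check_conf(open('/etc/atalk/atalkd.conf').read())` gives the same report. The eth0 line, which is the document's own example, passes cleanly; the constructed eth1 line is reported for a network range that runs past 65279 into the startup range, an -addr that is not inside its own -net range, and an over-long zone name.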
3. /etc/atalk/papd.conf

To be written by someone who actually uses the print server. :)

4. /etc/atalk/netatalk.conf