--- /dev/null
+Installation and Configuration of Netatalk 1.5
+Lance Levsen, l.levsen@printwest.com
+V0.2, 02 March 2001
+
+
+Prerequisites
+=============
+
+1. Libtool (only needed by developers)
+Libtool encapsulates the platform specific dependencies for the
+creation of libraries. It determines if the local platform can support
+shared libraries or if it only supports static libraries.
+
+Documentation: http://www.gnu.org/software/libtool/
+Program: (see the GNU mirrors) /gnu/libtool/libtool-1.3.5.tar.gz
+
+2. GNU m4 (only needed by developers)
+GNU m4 is an implementation of the Unix macro processor. It reads
+stdin and copies to stdout expanding defined macros as it processes
+the text.
+
+Documentation: http://www.gnu.org/software/m4/
+Program: (see the GNU mirrors) /gnu/m4/m4-1.4.tar.gz
+
+3. Autoconf
+Autoconf is a package of m4 macros that produce shell scripts to
+configure source code packages.
+
+Documentation: http://www.gnu.org/software/autoconf/
+Program: (see the GNU mirrors) /gnu/autoconf/autoconf-2-13.tar.gz
+
+4. Automake
+Automake is a tool that generates 'Makefile.in' files.
+
+Documentation: http://www.gnu.org/software/automake/
+Program: (see the GNU mirrors) /gnu/automake/auto-1.4.tar.gz
+
+Optional
+========
+5. OpenSSL
+The OpenSSL Project is a collaborative effort to develop a robust,
+commercial-grade, full-featured, and Open Source toolkit implementing
+the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
+v1) protocols as well as a full-strength general purpose cryptography
+library.
+This is required to enable DHX login support.
+
+Get everything at http://www.openssl.org/
+
+
+You can get the Linux PAM documentation and sources from
+http://www.kernel.org/pub/linux/libs/pam/
+
+6. TCP Wrappers
+Wietse Venema's network logger, also known as TCPD or LOG_TCP. These
+programs log the client host name of incoming telnet, ftp, rsh,
+rlogin, finger etc. requests. Security options are: access control per
+host, domain and/or service; detection of host name spoofing or host
+address spoofing; booby traps to implement an early-warning system.
+
+TCP Wrappers can be gotten at ftp://ftp.porcupine.org/pub/security/
+
+7. PAM (Pluggable Authentication Modules for Linux)
+Linux-PAM is a suite of shared libraries that enable the local system
+administrator to choose how applications authenticate users.
+
+Information on Linux-PAM can be retrieved from
+http://kernel.stuph.org/pub/linux/libs/pam/
+
+Installing Netatalk
+===================
+
+1. Read the configure options.
+$> ./configure --help
+
+This prints a listing of the command line options for configure to
+use. Notables are:
+
+--disable-admin-group: disable admin group (default on),
+
+--disable-ddp: disable DDP support,
+
+--enable-dropkludge: enable the experimental dropbox fix (INSECURE!)
+
+ --with-pam: enable password authentication modules support,
+
+--with-shadow: enable shadow password support,
+
+--with-tcp-wrappers: enable TCP wrappers support
+
+--with-ssl-dirs=[PATH]: specify path to OpenSSL installation.
+NOTE: This is dependent on the same directory layout as the source
+distribution of Openssl. That is: ./include/ and ./lib/ to be on the
+same level. Many .rpm formats do not have their files laid out in this
+format.
+
+--enable-lastdid: Recreate version 37b behaviour where directory id's
+are incrementally calculated versus the new hash method. Unfortunately
+for machines that have a lot of devices, and/or a lot of inodes the
+hash can fail with multiple directories resolving to the same DID.
+
+Enable/Disable the desired options like this:
+$>./configure --option1 --option2 ....
+
+2. Assuming ./configure worked well,
+$> make (as root or sudo)
+
+3. Assuming the program compiled without errors,
+$> make install (as root or sudo)
+
+Assuming you haven't changed the install directories, this will
+install the configutation files in /etc/atalk. The uams in
+/etc/atalk/uams. The binaries will be in /usr/sbin/.
+
+4. Configure Netatalk (See below 'Configuring Netatalk')
+The default location for the configuration files is /etc/atalk/.
+
+5. Setup your rc script so that Netatalk is started on boot.
+You can find sample initscripts in ./distrib/initscripts/ from the
+source directory.
+
+6. If you enabled PAM, then copy the ./config/netatalk PAM file to
+/etc/pam.d/ or where ever your system puts the PAM configuration
+files.
+
+
+Configuring Netatalk
+====================
+
+Netatalk supplies two different types of Appletalk servers and both
+can run at the same time. Classic Appletalk requires afpd and
+atalkd. Appletalk over IP only requires afpd. Classic Appletalk on
+GNU/LInux requires that CONFIG_ATALK is compiled into the kernel or as
+a kernel module. To check to see if the kernel has Appletalk
+installed:
+
+$> dmesg | grep Apple
+This just parses the boot messages for any line containing
+'Apple'.
+
+To loaded as a module:
+$> lsmod
+
+If you don't find it, you may have to compile a kernel and turn on
+Appletalk in Networking options -> Appletalk DDP. You have an option
+to install as a module or directly into the kernel.
+
+Some default distribution kernels have already compiled Appletalk DDP
+as a module, you may have to edit your /etc/modules.conf to include:
+"alias net-pf-5 appletalk ".
+
+Note: check your distribution documentation about editing
+/etc/modules.conf.
+
+For more complete information about the Linux kernel see the
+Kernel-HOWTO:
+http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html
+
+
+1. /etc/atalk/afpd.conf
+Edit /etc/atalk/afpd.conf as required. Some options:
+
+Format:
+- [options] to specify options for the default server
+and/or
+ "Server name" [options] to specify an additional server
+
+The following options are available:
+
+Transport Protocols:
+ -[no]tcp Make AFP-over-TCP [not] available
+ -[no]ddp Make AFP over AppleTalk [not] available. if you have
+ -proxy specified, specify -uamlist "" to prevent ddp
+ connections from working.
+ -transall Make both available (default)
+
+Transport Options:
+ -ipaddr <w.x.y.z>
+ Specifies the IP address the server should
+ respond to (default is the first IP address of the system). This
+ option also allows one machine to advertise TCP/IP for another machine.
+ -server_quantum <number>
+ Specifies the DSI server quantum. The minimum
+ value is 1MB. The max value is 0xFFFFFFFF. If you specify a value that
+ is out of range, you'll get the default value (currently the
+ minimum).
+ -admingroup <groupname>
+ Specifies the group of administrators who should all
+ be seen as the superuser when they log in. Default
+ is disabled.
+ -ddpaddr x.y Specifies the DDP address of the server. the default
+ is to auto-assign an address (0.0). this is only
+ useful if you're running on a multihomed host.
+ -port <number> Specifies the TCP port the server should
+ respond to (default is 548)
+ -fqdn <name:port> Specify a fully-qualified domain name
+ (+optional port). this gets discarded if the
+ server can't resolve it. this is not honored
+ by appleshare clients <= 3.8.3 (default: none)
+ -proxy Run an AppleTalk proxy server for specified AFP/TCP
+ server (if address/port aren't given, then first IP
+ address of the system/548 will be used). if you don't
+ want the proxy server to act as a ddp server as well,
+ set -uamlist to an empty string.
+
+Authentication Methods:
+ -uampath <path> Use this path to look for User Authentication
+ Modules. (default: /etc/atalk/uams)
+ -uamlist <a,b,c> Comma-separated list of UAMs. (default:
+ uams_guest.so,uams_clrtxt.so,uams_dhx.so)
+
+ Some Common UAMs
+ uams_guest.so: Allow guest logins
+
+ uams_clrtxt.so: (uams_pam.so or uams_passwd.so)
+ Allow logins with passwords transmitted in the clear.
+
+ uams_randnum.so: Allow Random Number and Two-Way Random Number
+ exchange for authentication.
+
+ uams_dhx.so: (uams_dhx_pam.so or uams_dhx_passwd.so)
+ Allow Diffie-Hellman eXchange (DHX) for authentication.
+
+Password Options:
+ -[no]savepassword [Don't] Allow clients to save password locally
+ -passwdfile <path> Use this path to store Randnum
+ passwords. (default: ~/.passwd. the only other
+ useful value is /etc/atalk/afppasswd.)
+ -passwdminlen <#> Minimum password length. may be ignored.
+ -[no]setpassword [Don't] Allow clients to change their passwords.
+ -loginmaxfail <#> Maximum number of failed logins. this may be
+ ignored if the uam can't handle it.
+
+AppleVolumes files:
+ -defaultvol <path> Specifies path to AppleVolumes.default file
+ (default /etc/atalk/AppleVolumes.default, same
+ as -f on command line)
+ -systemvol <path> Specifies path to AppleVolumes.system file
+ (default /etc/atalk/AppleVolumes.system, same
+ as -s on command line)
+ -[no]uservolfirst [Don't] read the user's ~/AppleVolumes or
+ ~/.AppleVolumes before reading
+ /etc/atalk/AppleVolumes.default (same as -u on
+ command line)
+ -[no]uservol [Don't] Read the user's volume file
+
+ -nlspath <path> Prepend this path to each code page filename in volume
+ options (default: /etc/atalk/nls).
+
+Miscellaneous:
+ -guestname "user" Specifies the user name for the guest login
+ (default "nobody", same as -g on command line)
+ -loginmesg "Message" Client will display "Message" upon logging in
+ (no default, same as -l "Message" on
+ command-line)
+ -nodebug Switch off debugging
+ -tickleval <number> Specify the tickle timeout interval (in seconds)
+ -icon Use the platform-specific icon.
+
+An example:
+"Lance" -transall -uamlist uams_dhx.so -nosavepassword -setpassword
+"Lance" is the server name, I enable both TCP and DDP,
+all logins via DHX (requires AppleShare 3.8.6), the users cannot save
+the password with keychains and it allows the users to set their
+passwords.
+
+With no afpd.conf the default is:
+
+- -transall -uamlist uams_guest.so,uams_clrtxt.so,uams_dhx.so
+-nosavepassword
+
+No server name, allow afp over tcp and afp over AppleTalk , allow
+guest access, logins in clear text and DHX, don't allow the user to
+save the password.
+
+2. /etc/atalk/atalkd.conf
+
+Classic Appletalk is configured in atalkd.conf. For detailed
+information please reference
+
+http://www.neon.com/atalk_routing.html and
+http://www-commeng.cso.uiuc.edu/docs/appletalk/
+
+The whole point of seting up atalkd is to allow appletalk routing to
+the localhost as a file and print server. The atalkd.conf file sets up
+the appletalk routing by assigning Appletalk zone (or zones)
+information to the networks it is attached to.
+
+Within appletalk there are three different types of routers: seed,
+nonseed and soft seed.
+
+Seed publishes the network and zone information to the network. In the
+case of a conflict, this router takes precedence. Nonseed acts as a
+forwarder in that all network and zone information for it's network
+segment is pulled from an upstream router. A soft seed router is
+configured like a seed router, but will defer and use upstream seeded
+zone information if there is a conflict.
+
+Netatalk has the option to behave like a nonseed router or a soft seed
+router. Netatalk will defer to an upstream seed if there is a
+conflict. Any missing configurations will be filled from the network.
+
+Appletalk phases are of two types. The unused, unsupported, obsolete
+phase 1, or the new useful phase 2.
+
+Phase 1 was Apples original protocol for Appletalk over Ethernet. It
+treated an entire network segment as one appletalk network capable of
+holding 254 nodes. Don't use this.
+
+Phase 2 is the new version. It allows a configurable network range
+between the numbers 1 and 65279, each network capable of hosting 253
+nodes for a total of 16, 515, 587 Appletalk interfaces. That's a lot
+of iMacs. :-)
+
+Within an Appletalk network addressing is a Network:Node:Socket
+triplet. The socket number is general dropped because nothing uses the
+information.
+
+Using ethernet and phase 2 the network number can be singular, '1' or
+a range 1-20. Node assignment is the responsibility of the clients so
+you don't have to worry about it. The range of 65280-65534 is called
+the startup range and is used by the Mac when it is on a network
+without any routers, you probably shouldn't publish a network withing
+this range. If you're publishing to a LocalTalk network segment
+(Hello? Welcome to Y2K. :) your maximum network range is _one_
+network.
+
+Zone's must be less then 32 characters long.
+
+Format of lines in this file:
+ interface [ -seed ] [ -router | -dontroute ]
+ [ -phase { 1 | 2 } ] [ -addr net.node ]
+ [ -net first[-last] ] [ -zone ZoneName ] ...
+
+ interface: the interface that is publishing the appletalk server. eth0
+
+ -seed - requires two interfaces. The router is acting as a
+ bridge between the two networks. A soft seed router.
+
+ -router - only requires one interface.
+
+ -dontroute - don't publish routing information
+
+ -addr this machines network.node address.
+
+Examples:
+
+eth0
+ - Appletalk network is off eth0, no routing information
+published, get it all off the network.
+
+eth0 -router -phase 2 -addr 100.10 -net 100-110 -zone "Upstairs"
+- Appletalk network is off eth0, this server is not a bridge, it
+publishes zone information for Networks 100-110. The servers appletalk
+node address is node 10 of network 100. This zone is called Upstairs.
+
+eth0 -phase 2
+eth1 -seed -phase 2 -addr 100.10 -net 100-110 -zone "Upstairs"
+- This allows routing between the appletalk networks on eth0 and eth1,
+for eth1 this server acts as a soft seed router of a phase 2 network
+segment of 100-110 where this machine is 100.10
+
+3. /etc/atalk/papd.conf
+
+To be written by someone who actully uses the print server. :)
+
+4. /etc/atalk/netatalk.conf
+
+To be written.
+
projects / netatalk.git / commitdiff