netatalk 2.x Shenanigans (Debian 12 ‘bookworm’)

FlicTheBunny

New Tinkerer
Dec 18, 2022
16
12
3
UK
So, I have been working through building and using netatalk 2.3 on Debian 12 (bookworm) on my Mac mini server. I will share my progress so far and carry on discussions here:

So far I have:​

  • Successfully cloned out the 2.3 branch, built it and installed it.
    • N.B.: if you are a little confused about running ./configure after cloning or un-tarballing the netatalk source because it doesn’t exist, then you need to first run ./bootstrap in the root folder of the netatalk source to bootstrap your build environment.
    • If you are building for Debian 12 you are best advised to use the --enable-systemd flag. This should add the daemons to systemd and enable them for you.
    • For proper system user integration, it is highly advisable to install libpam0g-dev headers and configure your netatalk build with flag --with-pam
  • I have setup the config files needed for afpdand atalkd
    • N.B.: netatalk.conf is not used if you use systemd, so don’t worry about configuring that.
  • Setup both ‘default’ (via AppleVolumes.default) and user-based shares (via AppleVolumes in a user directory)

  • After working through a few wrinkles with rdmark, I have authentication working on OS9 and late macOS (v12) using uam_clrtxt, uam_randnum and uam_dhx2 which offers the best breadth of compatibility at the cost of some security (clrtxt and randnum are probably not suitable for production environments without additional precautions!).
    • N.B.: DHX (distinct from DHX2 which is unaffected) encryption is the preferred strong encryption for late versions of Mac OS Classic and also early OSX, but it is incompatible with OpenSSL 3.x as used in Debian 12, so will fail if enabled. It can be removed from the uamlist in afpd.conf
      "MyServer" -transall -uamlist uams_clrtxt.so,uams_dhx.so,uams_dhx2.so
      Remove uams_dhx.so part if it is present to leave:
      "MyServer" -transall -uamlist uams_clrtxt.so,so,uams_dhx2.so
    • If you are using randnum you will need to manually curate the user/password list using afppasswd (see man pages and afppasswd -h for details)
  • I have discovered that some OSX/macOS version (I am using Monterey / v12 to test) seem to auto-authenticate by some mechanism if the usernames match. I am unsure if the passwords need to match also, maybe @rdmark can shed some light on this

TO DO:​

  • I still need to get AFP over DDP (classic Appletalk sharing) to work but I have some ideas to try.
  • Work out why AppleTalk authentication isn't working right atm in OS 9.2.2 (via randnum)
  • When viewing the shares I am seeing ._Filename.ext files, It’d be neat if these could be hidden and copied seamlessly, but not critical
  • If work out the wrinkles and I’m feeling brave I might try to reproduce this on my TrueNAS SCALE NAS box (also Debian based)
 
Last edited:
  • Like
Reactions: alexADB