Netatalk 4.0 - Future-proofing Apple File Sharing

[rdmark]

Heads-up that netatalk 4.0.0 is available now as a Debian Sid package. If you add the unstable repo to your package manager you can install it. Although I haven’t tested if all dependencies can be resolved on stable Bookworm or not. At the very least it works great on the latest Testing snapshot (the future Debian Trixie).

Since the netatalk suite is massively sprawling, I created this atomic package structure:

- netatalk — the AFP file server
- netatalk-tools — the various sysadmin tools and scripts
- netatalk-doc — the html manual
- libatalk — the shared library (used by all binaries)
- libatalk-dev — development headers
- atalkd — the AppleTalk controller daemon + sundry AppleTalk network tools
- papd — printer daemon and LocalTalk printing tools
- timelord — time server daemon
- a2boot — Apple II netboot daemon
- macipgw —MacIP gateway daemon

The dependency and recommends should be set up properly so that apt will pull the packages that you need and want.

One neat thing about this structure is that you can install only the AFP server or only the AppleTalk networking suite if you only want, say, the papd print server and nothing else. They all depend on the libatalk shared library but that’s it.

If you run into a dependency bug please let me know!

 

[NJRoadfan]

If you have a NAS device from a major vendor (Synology, etc.), chances are you've used Netatalk without even realizing it.

 

[Mk.558]

I plan on testing Netatalk 4.0 in a VM instance in the near future. I hope I don't have to make my own NAT table for macipgw.

 

[rdmark]

If you have a NAS device from a major vendor (Synology, etc.), chances are you've used Netatalk without even realizing it.

In fact, up until about 2 years ago Synology was still contributing patches for security bugs. Many of the commercial solutions have dropped AFP / Netatalk from their firmwares in recent years, unfortunately. If you are a NAS user, please try to convince the vendor to add it back.

 

[rdmark]

I plan on testing Netatalk 4.0 in a VM instance in the near future. I hope I don't have to make my own NAT table for macipgw.

It is likely that you will have to configure your own NAT table.

I started drafting a wiki page with guidance here: https://github.com/Netatalk/netatalk/wiki/MacIP-Gateway

Still in early stages…

Step one is to make sure you are using a Linux kernel without known AppleTalk bugs. Particularly the pesky DDP packet filtering “feature”. Version 6.9 or later is recommended.

 

[KennyPowers]

In fact, up until about 2 years ago Synology was still contributing patches for security bugs. Many of the commercial solutions have dropped AFP / Netatalk from their firmwares in recent years, unfortunately. If you are a NAS user, please try to convince the vendor to add it back.

I have a Synology DS220+ NAS that was running Netatalk 3 out of the box, but it doesn't play nice with some of my older macs (system 9.2.2 can see it, but system 7 can't). I recently decided to try turning off the built in AFP support (Netatalk 3) and install Netatalk 4 using the docker image. However, I'm getting the socket: Address family not supported by protocol error when starting a container, suggesting that this Synology NAS doesn't have AppleTalk support in the kernel. Indeed:

user@NAS:~$ lsmod | grep appletalk
user@NAS:~$

I guess that means it's probably not going to be feasible to get DDP support on this Synology device?

 

[Mk.558]

It is likely that you will have to configure your own NAT table.

I started drafting a wiki page with guidance here: https://github.com/Netatalk/netatalk/wiki/MacIP-Gateway

Still in early stages…

Step one is to make sure you are using a Linux kernel without known AppleTalk bugs. Particularly the pesky DDP packet filtering “feature”. Version 6.9 or later is recommended.

Ahhh much thanks, I'll try to remember this when I try again soon this week. Those heroes who dumped all those Apple TIL/KB articles know how to keep me busy

Made a post about Netatalk 4.0 on 68kmla.

 

[rdmark]

I have a Synology DS220+ NAS that was running Netatalk 3 out of the box, but it doesn't play nice with some of my older macs (system 9.2.2 can see it, but system 7 can't). I recently decided to try turning off the built in AFP support (Netatalk 3) and install Netatalk 4 using the docker image. However, I'm getting the socket: Address family not supported by protocol error when starting a container, suggesting that this Synology NAS doesn't have AppleTalk support in the kernel. Indeed:

user@NAS:~$ lsmod | grep appletalk
user@NAS:~$

I guess that means it's probably not going to be feasible to get DDP support on this Synology device?

Is the device running a Linux based operating system? You could always attempt to compile your own kernel for it.

 

[KennyPowers]

Is the device running a Linux based operating system? You could always attempt to compile your own kernel for it.

It is, but what little info I've been able to find on compiling your own kernel for it makes it sound like more trouble than it's worth. Maybe I'll just run Netatalk on a Pi and have the Pi mount the NAS storage via NFS

 

[reasonsandreasons]

If your Synology supports VMM you could also run a compatible Linux (or BSD) in a VM. Pi's probably easier if you have one already, but if you have the performance to spare the VM's cheaper.

 

[KennyPowers]

Maybe I'll just run Netatalk on a Pi and have the Pi mount the NAS storage via NFS

I went this route and it's working beautifully. All of my Macs back to System 7.1 can now access my Synology NAS using a Pi running Netatalk4 as a bridge

 

[V.Yakob]

I went this route and it's working beautifully. All of my Macs back to System 7.1 can now access my Synology NAS using a Pi running Netatalk4 as a bridge

What is written in your uam list and what version of the AppleShare extension is used?

I have never been able to connect to the AFP directory from older versions of AppleShare due to problems with authentication, even Mac OS 8.6, without updating the extension from 9.2.2 does not allow to connect.

I have it written like this:

uam list = uams_dhx.so uams_dhx2.so

 

[KennyPowers]

What is written in your uam list and what version of the AppleShare extension is used?

I have never been able to connect to the AFP directory from older versions of AppleShare due to problems with authentication, even Mac OS 8.6, without updating the extension from 9.2.2 does not allow to connect.

I have it written like this:

uam list = uams_dhx.so uams_dhx2.so

I used the Netatalk Docker image and didn't enable the "INSECURE_AUTH" environment variable. So, looking at the Docker image's entrypoint script:

it looks like my uam list is:

uams_dhx.so uams_dhx2.so uams_randnum.so

Where would I check the version of the AppleShare extension? Is this what you mean?

 

[V.Yakob]

@KennyPowers, Yes, that's what was meant.
I will try "uams_randnum.so" soon, thanx.

 

[rdmark]

@KennyPowers, Yes, that's what was meant.
I will try "uams_randnum.so" soon, thanx.

Yes, the Random Number UAM works great with any AppleShare client on System Software 7.1 (and 6.0.x too I think). The only caveat is that you have to use the "afppasswd" tool to create a special AFP password for your user. The Docker image takes care of that automatically, but if you're managing your own Netatalk installation you have to take care of it yourself. See the manual page for "afppasswd" for more info. It's a few simple commands and you should be golden.

 

[V.Yakob]

@rdmark, Should AppleTalk work on macOS?

The assembly was performed with the keys from the instructions,

meson setup build \
  -Dbuildtype=release \
  -Dwith-appletalk=true \
  -Dwith-tests=true \
  -Dwith-testsuite=true

But it seems that editing the /opt/homebrew/etc/atalkd.conf file does not affect in any way. Moreover, after adding to /opt/homebrew/etc/afp.conf, a message appears in the log:

Oct 26 22:19:50.083287 afpd[41234] {afp_config.c:215} (note:AFPDaemon): AppleTalk support disabled. Is atalkd running?

If you try to run it manually, it's also a failure

% sudo atalkd -f /opt/homebrew/etc/atalkd.conf  
socket: Address family not supported by protocol family
socket: Address family not supported by protocol family
atalkd: can't get interfaces, exiting.

 

[rdmark]

AppleTalk does not work on macOS currently, I'm afraid. Netatalk relies on the operating system's kernel to supply the transport protocol (DDP). Today, only Linux and NetBSD maintain AppleTalk kernel modules. Apple did away with theirs... many years ago.

This wiki page has some more context: https://github.com/Netatalk/netatalk/wiki/AppleTalk-Kernel-Module

 

[V.Yakob]

@rdmark It turns out that you can assemble the package on macOS without this key (-Dwith-appletalk=true), because it doesn't make sense?

 

[rdmark]

@rdmark It turns out that you can assemble the package on macOS without this key (-Dwith-appletalk=true), because it doesn't make sense?

It's a fair point, I can see how it's misleading. Those instructions double as our continuous integration scripts, and building the AppleTalk code on macOS has value as a smoke test even though we cannot actually run it there. I hold up hope that someone will launch a full-featured userspace AppleTalk driver for macOS one of these days.

 

[KennyPowers]

@rdmark I went to try out the printing support with CUPS. The documentation for the Docker image says that the CUPS web interface should be running on port 631, but I don't seem to have anything running on that port. I'm using the host networking driver, so I shouldn't have to forward any ports from the container. Also, shelling into the running container and running lpstat suggests that CUPS isn't running:

/ # lpstat -r
scheduler is not running

What am I missing?