HOW-TO: AFP announced over Avahi *READY*



Currently I have unRAID 4.5b7 up and running, works like a charm! The cache disk function is finally fixed and now I can finally enjoy the full 32 MB/s of my Gigabit network... WHAT??? Well... I actually was used to that kind of speeds because I thought that's just the drawback of using unRAID instead of the full-blown fileserver I had running before. Until I started up Windows, something that really rarely happens. I needed something from my unRAID server and copied it over to my machine and noticed something very strange: I got a whopping 80 MB/s!!!

 

Now, I'm a big fan of Apple products and especially OSX, but there's something that I can't really wrap my head around: Apple refuses to update their Samba client for OSX, even with the recent release of Snow Leopard. Us Mac users are stuck with Samba 3.0.1 (I believe), the same version that was shipped with 10.4 Tiger... that's right... a 4-5 year release full of security AND performance issues.

 

Until now I was satisfied with Samba announced over Avahi so that my shares show up nicely in the Finder sidebar. After this discovery, not so much....

 

I've done some experimenting with getting Netatalk (AFP) to work with unRAID before, but got stuck at a login screen asking for my credentials and never got past this. Since I already had my shares in the Finder sidebar and assumed that the speeds I got were limited by unRAID, not Samba, I saw no real reason to continue this frustrating research...

I never removed the Netatalk installation from the GO script, so typing afp://[xxxx].local in the Connect To Server dialog of Finder leaves me where I left off: a dialog window asking for my credentials which will give an error about an invalid username/password, no matter what I try. If I choose to use Guest access I am shown the contents of disk4, the only disk that I shared in AppleVolumes.default, but I cannot access any subfolder because the Guest account does not have permissions for these folders.

 

I used the terminal of unRAID to chown one of the subfolders of disk4 and a large file to the user nobody (the username of Guest). I can now access that specific folder and copy over the file to my machine. And FINALLY, I get an amazing 70 MB/s, instead of the crappy 32 MB/s I had before.

 

But short of chowning every disk, folder and file to nobody I still cannot access my shares with regular users. According to this website this could be because Netatalk was not compiled with support for shadow passwords. I checked /etc/shadow and with the exception of the ssh user, this file is empty, so I assume unRAID does not use shadow passwords. But this knowledge does not really help, it doesn't solve my problem.

 

Help please?

 

P.S.: when I get it working I will post a complete HOW-TO, or if somebody wants to help and wants to know what packages are needed and what files to change.

Link to comment

I installed Slackware 13 in a Virtual Machine on OSX and even with the default configuration I am able to connect to this VM with AFP without problems. I added a user with useradd and created a home directory in /home. Added this folder to AppleVolumes.default and connected right away... no stuck at login screen, just works!

 

But WHY, OH WHY doesn't this work on unRAID? It MIGHT have something to do with shadow passwords. The default Slackware 13 installation uses shadow passwords so the /etc/shadow is populated with all users. But that's the only thing I can think of... the rest is absolutely the same...

Link to comment

Okay, got it working!!! Short version: the AFP daemon requires shadow passwords. That, and /bin/bash should be defined in /etc/passwd instead of /bin/false.

 

Then, if you have more than 1 user that will connect through AFP, they should be members of the group users(100) instead of their own group. This must also be defined in /etc/passwd. The disks and (sub)folders should be chown-ed to the group users(100) and permissions set to 2775.

 

I will post a complete HOW-TO and full explanation tonight.

Link to comment

I would be interested in this. Do you have it working with user shares?

Yes, although sometimes a bit flaky... you have to chown every folder/share/disk that you would like to share to the group users(100). I noticed that sometimes when I try to access the user share an error shows up in the log and I cannot access it. Disk shares do not have this problem. It probably has something to do with the user shares being dynamically created by unRAID and thus have different permissions. I'm not sure about this, but it could explain this behavior.

 

And even IF user shares will never work properly with AFP, it will still give you a great performance boost, both while copying or browsing folders/files. I have emailed Tom concerning the changes I made to permissions/ownership and asked about possible drawbacks/problems. I hope he can put the final touch on this.

Link to comment

The HOW-TO

 

[1] Packages

The current version of Netatalk is 2.0.4, but unfortunately this is only distributed as a package for Slackware 13, thus has a .txz extension and cannot be installed with installpkg. UNLESS of course we update this installer package too.

 

So, you will need the following packages:

 

1: xz-4.999.8beta-i486-1.tgz
2: pkgtools-13.0-noarch-2.tgz
3: netatalk-2.0.4-i486-2.txz

 

If you want to have the shares show up in the Finder sidebar you will also need Avahi. You can find instructions for installation in the HOW-TO mentioned in the topicstart. There, you will also find instructions on how to install these packages.

 

[2] Configuration

 

After you have installed the packages, we are now ready to configure the daemon. There are 3 important configuration files for the daemon you will need to edit and can be found in /etc/netatalk/.

 

[1] afpd.conf

 

Replace the last line with the following:

 

- -transall -uamlist uams_dhx.so -savepassword

 

This will disable Guest access, enable DHX authentication (I won't go into that) and allow users to save their passwords locally.

 

[2] netatalk.conf

 

Edit the lines so it looks like this:

 

ATALKD_RUN=no
PAPD_RUN=no
CNID_METAD_RUN=yes
AFPD_RUN=yes
TIMELORD_RUN=no
A2BOOT_RUN=no

 

This enables the AFP daemon and an apparently required CNID meta daemon.

 

[3] AppleVolumes.default

 

Update: DO NOT share your User Shares, this creates a lot of errors in the database the AFP daemon uses.

 

This file creates the AFP shares you wish to have for your users. Create a line for every disk or user share with the following parameters:

 

/mnt/disk1 "disk1" allow:[user] cnidscheme:cdb options:upriv,usedots perm:2770

 

Replace [user] with the user you wish to have access. You can add multiple users by separating them with a comma. You can also define a group of users, use a @ as prefix like this: allow:@users. You will need this if you want multiple users to have access to your shares, more on this later.

 

[3] Users, groups

 

So, now you have installed the packages and configured the daemon to your needs, let's setup your users.

 

If you add a user using the unRAID WebGUI it will create a new entry in the /etc/passwd file. But, unlike many other *nix systems, it will create a new user group for every single user, instead of adding it to the default user group users(100). Because ownership of files and folders is based on both owner and group, a file/folder created by one user will not be accessible by other users. To solve this problem, every user created by unRAID has to be added manually to the same group.

 

So, one entry in the /etc/passwd will normally look something like this:

 

david:{some.random.string}:1007:1007::/bin/false

 

But should actually look like this:

 

david:{some.random.string}:1007:100::/bin/false

 

And, because AFP requires a valid bash to be set, it should look like this:

 

david:{some.random.string}:1007:100::/bin/bash

 

Secondly, the AFP daemon requires you to have set up shadow passwords, so the {some.random.string} (that's your encrypted password, btw) should be replaced by x. BUT FIRST COPY THAT LINE OF TEXT TO A TEXTEDITOR, YOU WILL NEED IT LATER. If you have done that, or shadow passwords are already set up, the entry should look like this:

 

david:x:1007:100::/bin/bash

 

Then, for every user that you want to have access to AFP, add an entry to the /etc/shadow file, using the following format:

 

david:{some.random.string}:14542:0:99999::::

 

You can guess where you have to put the copied line of text...

 

[4] Ownership and permissions

 

Now you have installed the packages, configured the daemon and setup your users the way AFP likes it, but there's one last very important thing to do: set permissions of your shares to the right owner and group. The reason for this is that the AFP daemon uses Unix privileges to grant or deny access to certain shares, based on the ownership and permissions set to a folder or file. While Samba uses a mask to set every file and folder to root:root, this is not the case with AFP.

 

I really have no clue if the following will affect any process or functionality of unRAID, but since unRAID does everything by root I'm guessing not.

 

You have to set the ownership of every disk, share, file and folder that you wish to share to the user group users(100). If you leave it set to root:root you will be presented with some nice do not enter warning signs on top of your folders. That's not what we want....

 

Use the following command on the top folder, disk or share that you wish to share (replace the username and folder accordingly...):

 

chown -R david:users /mnt/disk1

 

This can take a while, depending on the number of files and folders to be chown-ed. After this has finished enter ls -la /mnt/ to confirm that the ownership indeed has been changed.

 

Finally, permissions have to be set for the disk/share/folder as well, otherwise other users of your group still aren't able to access the files. Use the following command:

 

chmod -R 2775 /mnt/disk1

 

This will grant you and other users both read and writing permissions, and guests only read. If, like me, you use XBMC to watch media stored on your unRAID server, the above command will result in empty folders being shown when browsing in XBMC. I don't know WHY this happens, only that it DOES. If you access your Samba share through Windows/Linux/OSX the files are still there... You can solve this however, by using the following command instead:

 

chmod -R 2770 /mnt/disk1

 

This will deny Guests all access to your files, but now XBMC shows the files again. I repeat: I don't know why this is the case.

 

[5] Start the daemon

 

Ultimately, start the AFP daemon with /usr/sbin/afpd.

 

[6] Adding the service to Avahi (not required)

 

Create a file called afpd.service in /etc/avahi/services. This should contain the following:

 

<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">

<service-group>
<name replace-wildcards="yes">%h</name>
<service>
	<type>_afpovertcp._tcp</type>
	<port>548</port>
</service>
<service>
	<type>_device-info._tcp</type>
	<port>0</port>
	<txt-record>model=Xserve</txt-record>
</service>
</service-group>

 

If you followed my last HOW-TO and have the Avahi daemon running, the Samba service and AFP service will now have the same name and thus show up accordingly in your Finder sidebar. This confuses the hell out of OSX, so add a suffix to %h to distinguish between them. I changed the service name of Samba to %h.SMB so I have the following in my Finder sidebar:

 

Prometheus
Prometheus.SMB

 

[7] Update your GO script

 

As I explained in my previous HOW-TO, all changes made are lost on reboot. You have to install the required packages and copy configuration files on startup. Copy all the configuration files mentioned above to a location on your USB stick, as well as the required packages. Below is a portion of my GO script that installs the packages and copies the configuration files to the proper location.

 

# Start Avahi
echo "Installing Avahi dependencies..."
installpkg /boot/packages/libcap-2.14-i486-1.tgz >/dev/null
installpkg /boot/packages/dbus-1.2.6-i486-1.tgz >/dev/null
installpkg /boot/packages/gcc-4.2.4-i486-1.tgz >/dev/null
installpkg /boot/packages/avahi-0.6.25-i486-1as.tgz >/dev/null

# Netatalk
echo "Installing netatalk..."
installpkg /boot/packages/xz-4.999.8beta-i486-1.tgz >/dev/null
installpkg /boot/packages/pkgtools-13.0-noarch-2.tgz >/dev/null
installpkg /boot/packages/netatalk-2.0.4-i486-2.txz >/dev/null
cp /boot/config/afp/netatalk/* /etc/netatalk/
cp /boot/config/afp/avahi/* /etc/avahi/services/
cp /boot/config/afp/etc/* /etc/
echo "Starting AFP daemon..."
/usr/sbin/afpd

echo "Starting Avahi daemon..."
# cp /boot/packages/samba.service /etc/avahi/services/
/usr/bin/dbus-daemon --system
/etc/rc.d/rc.avahidaemon restart >/dev/null

 

For completeness' sake, these configuration files are copied during startup:

 

1: /etc/passwd
2: /etc/shadow
3: /etc/netatalk/afpd.conf
4: /etc/netatalk/netatalk.conf
5: /etc/netatalk/AppleVolumes.default
6: /etc/avahi/services/samba.service
7: /etc/avahi/services/afpd.service

 

 

This SEEMS like a lot of work to do, but most of it is one time only and it takes a lot longer to explain than to perform these actions.

 

GOOD LUCK! :)

Link to comment
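The account requirements from the HOW-TO above (password field x in /etc/passwd, primary group 100, /bin/bash as shell, a matching /etc/shadow entry) can be checked once the GO script has copied the files. This is an added example, not part of the original posts: the function names check_afp_user and shadow_is_private, the temporary files and the placeholder hashes are constructed for illustration, and the check that the shadow file is not readable by other users is an extra the posts do not cover.

```shell
#!/bin/sh
# Added example: audit accounts against the requirements in the HOW-TO.
# All sample data is constructed; PLACEHOLDERHASH stands in for a real hash.

# check_afp_user PASSWD_FILE SHADOW_FILE USER
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_afp_user() {
    awk -F: -v u="$3" -v shadow="$2" '
        BEGIN {
            # Load user -> password field from the shadow file.
            while ((getline line < shadow) > 0) {
                n = split(line, f, ":")
                if (n >= 2) hash[f[1]] = f[2]
            }
            close(shadow)
        }
        $1 == u {
            found = 1
            # passwd is world-readable, so the hash must not stay in it.
            if ($2 != "x") { print u ": hash still in passwd, move it to shadow"; bad++ }
            if ($4 != "100") { print u ": primary gid " $4 ", expected 100 (users)"; bad++ }
            # Assumption: the shell is the last field, which holds for the
            # 6-field entries shown in the post and for 7-field entries.
            if ($NF != "/bin/bash") { print u ": shell " $NF ", expected /bin/bash"; bad++ }
            if (!(u in hash)) { print u ": no shadow entry"; bad++ }
            else if (hash[u] == "" || hash[u] ~ /^[!*]/) {
                print u ": shadow password empty or locked"; bad++
            }
        }
        END {
            if (!found) { print u ": not in passwd"; bad++ }
            exit (bad > 0)
        }
    ' "$1"
}

# shadow_is_private FILE
# Returns 0 when FILE exists and "other" has no read permission on it.
shadow_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Demo on constructed files; point the functions at /etc/passwd and
# /etc/shadow to audit a real system.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'david:x:1007:100::/bin/bash' \
                  'anna:PLACEHOLDERHASH:1008:1008::/bin/false' > "$d/passwd"
    printf '%s\n' 'david:PLACEHOLDERHASH:14542:0:99999::::' > "$d/shadow"
    chmod 600 "$d/shadow"
    for u in david anna; do
        if check_afp_user "$d/passwd" "$d/shadow" "$u"; then
            echo "$u: ok"
        fi
    done
    if ! shadow_is_private "$d/shadow"; then
        echo "shadow file is readable by other users"
    fi
    rm -rf "$d"
}
demo
```
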
  • 3 months later...

Thank you very much for this write up, dlmh!  I finally have AFP working on my unRAID box.

 

The only question I have is, do I need to chown and chmod all the files every time unRAID reboots?

 

Thanks in advance.

 

Only if you use a cache disk and run something like SabNZBd or uTorrent. I noticed that sometimes files created on the cache disk, and later moved to the parity protected array, have a different owner and/or permissions.

 

The real problem here is actually Samba and AFP messing up each others permissions. This is the reason I use the Samba shares for file management (moving, copying, etc.) and AFP shares if I have to copy from the unRAID box and need the "raw speed". I hardly ever write directly to unRAID box from my other machines, since everything that is stored on unRAID is downloaded on it as well.

 

If I can find or compile a package for Netatalk 2.0.5 with TimeMachine support I will use the cache drive as my personal TimeCapsule and share this folder through AFP, while disabling the export for Samba. Tom mentioned something with regard to unRAID 5.0 about a new way of setting and using permissions that'll allow for Samba and AFP to happily co-exist.

 

Until that time, you'll sometimes have to reset the ownership and permissions for files and folders, but only for the ones that are newly created.  Existing ones should be unaffected on reboot.

Link to comment

Great!  Thanks for the explanation.  Since I only have the 6 drive license of unRAID, I don't have a cache drive, so I should be fine.

 

Any idea on when Netatalk 2.0.5 will be available?  I look forward to it and unRAID 5.0.

 

As of 4.5 beta XX the cache drive is also supported on the Plus license. Using the cache drive for downloads/temp files is a great way to improve write speeds and having a "clean" array.

 

The availability of the Slackware package for Netatalk 2.0.5 is entirely up to the developers of this distribution. HOWEVER, you can build the package yourself if you have Slackware running in a VM (or otherwise) or have the developer package installed for unRAID. Although it may seem I'm not, I'm in fact quite the Linux n00b, so I'm afraid I can't help you there...

Link to comment

Unfortunately, I have practically zero experience with Linux.  lol  I guess I will just have to wait for someone else to make the package available...

Link to comment

I can now confirm that this enables TimeMachine support on shares with the -tm option! :D

 

Please excuse my ignorance...  I have Netatalk 2.0.5 installed and AFP is working as it did with 2.0.4 but I don't seem to have the Time Machine functionality.  How did you get it working?  Thanks.

 

You have to update your AppleVolumes.default and add tm to your options, so it should look something like this:

 

/mnt/cache/_TimeMachine "TimeMachine" allow:[user] cnidscheme:cdb options:upriv,usedots,tm perm:2770

 

Also, make sure the permissions are set correctly for the folder you are sharing.

Link to comment
Working now.  Thank you very much!!

Link to comment
  • 1 month later...

dlmh,

 

your How-To's are simply stunning!

I'm an unRAID newbie. So in the meantime while I'm waiting for the delivery of my hardware components I alienate my netbook to prepare some addons like Mediatomb, unMenu and Avahi.

However for the Time Machine backup I also need AFP. So I looked into your AFP How-To and tried to implement as much as I can. So allow me a couple of questions:

1.) Am I right, that we don't need xz-4.999.8beta-i486-1.tgz & pkgtools-13.0-noarch-2.tgz anymore because we have a Netatalk 2.05 package for slackware?

2.) I don't have the /boot/config/afp/ directory. That's why I'm getting error messages. Any ideas?

3.) Can you confirm that these are the only changes regards your description if my intention is to use Netatalk 2.05:

# Avahi (Bonjour)
echo "Installing Avahi dependencies..."
installpkg /boot/packages/libcap-2.14-i486-1.tgz >/dev/null
installpkg /boot/packages/dbus-1.2.6-i486-1.tgz >/dev/null
installpkg /boot/packages/gcc-4.2.4-i486-1.tgz >/dev/null
installpkg /boot/packages/avahi-0.6.25-i486-1as.tgz >/dev/null
#
# Netatalk
echo "Installing netatalk..."
# installpkg /boot/packages/xz-4.999.8beta-i486-1.tgz >/dev/null
# installpkg /boot/packages/pkgtools-13.0-noarch-2.tgz >/dev/null
installpkg /boot/packages/netatalk-2.0.5-i486-1pur.txz >/dev/null
# cp /boot/config/afp/netatalk/* /etc/netatalk/
# cp /boot/config/afp/avahi/* /etc/avahi/services/
# cp /boot/config/afp/etc/* /etc/
echo "Starting AFP daemon..."
/usr/sbin/afpd

echo "Starting Avahi daemon..."
cp /boot/configfiles/samba.service /etc/avahi/services/
/usr/bin/dbus-daemon --system
/etc/rc.d/rc.avahidaemon restart >/dev/null

 

Thank you very much.

Link to comment

I'm glad I could help you with my tutorial :)

 

1: Since unRAID 4.5 (beta/final) the installpkg package has been updated to support the newer .txz packages. This is the reason you do not require those packages.

 

2: the /boot/config/afp folder isn't there by default, I created it to have my config files for AFP in an easy to find location. You can store your config files anywhere on the USB stick, but you'll have to update the command lines in your GO script accordingly. This is important because unRAID loads from an image, so all custom configuration has to be done on every start up to replace the default config files.

 

3: Yes, but don't forget to copy the config files for Netatalk, Avahi and the password files to load your custom config!!!!

Link to comment

Alright - got it - nearly  ;) - still waiting for the hardware - so wasn't able to setup users, set permissions of shares to the right owner and group.

 

I see tower.afp and tower.smb in my Finder - great.

 

I was setting up the folders:

/boot/config/afp/avahi
/boot/config/afp/etc
/boot/config/afp/netatalk
/boot/configfiles (here is the samba.service....from the samba over avahi guide)

I do understand that these files need to be copied (via GO file) after each start:

1: /etc/passwd (copied from /boot/config/afp/etc)
2: /etc/shadow (copied from /boot/config/afp/etc)
3: /etc/netatalk/afpd.conf (copied from /boot/config/afp/netatalk)
4: /etc/netatalk/netatalk.conf (copied from /boot/config/afp/netatalk)
5: /etc/netatalk/AppleVolumes.default (copied from /boot/config/afp/netatalk)
6: /etc/avahi/services/samba.service (copied from /boot/configfiles)
7: /etc/avahi/services/afpd.service (copied from /boot/config/afp/avahi)

 

...and here is the GO file:

#!/bin/bash
# Start the Management Utility
/usr/local/sbin/emhttp &
cd /boot/mediatomb
echo "./mediatomb.sh" | at now + 1 minute
echo "/boot/unmenu/uu" | at now + 1 minute
echo "/sbin/powerdown" | at 23:00
cd /boot/packages && find . -name '*.auto_install' -type f -print | sort | xargs -n1 sh -c
#
# Avahi (Bonjour)
echo "Installing Avahi dependencies..."
installpkg /boot/packages/libcap-2.14-i486-1.tgz >/dev/null
installpkg /boot/packages/dbus-1.2.6-i486-1.tgz >/dev/null
installpkg /boot/packages/gcc-4.2.4-i486-1.tgz >/dev/null
installpkg /boot/packages/avahi-0.6.25-i486-1as.tgz >/dev/null
#
# Netatalk
echo "Installing netatalk..."
installpkg /boot/packages/netatalk-2.0.5-i486-1pur.txz >/dev/null
cp /boot/config/afp/netatalk/* /etc/netatalk/
cp /boot/config/afp/avahi/* /etc/avahi/services/
cp /boot/config/afp/etc/* /etc/
echo "Starting AFP daemon..."
/usr/sbin/afpd

echo "Starting Avahi daemon..."
cp /boot/configfiles/samba.service /etc/avahi/services/
/usr/bin/dbus-daemon --system
/etc/rc.d/rc.avahidaemon restart >/dev/null

 

Is that all correct - so far?

 

Best regards

Oliver

Link to comment

Yes, you're 100% correct.

 

David

Link to comment

Hello from a new UNraid user.

I have been trying to get this to work for over a week now.

Followed your steps to the letter. Both shares show up. AFP and SMB.

Can connect to SMB, but to AFP I get a login failed. Tried with a whole list of users. None of them are working.

What am I missing?

I am using UNraid 4.5.3 with netatalk 2.05

Link to comment

Please attach the syslog after trying to connect to the server.

Link to comment

You have got pm

 

The log only shows the login attempt with user jurgman (uid:1001) from group users (guid:100), but no error. Could you post the log 10 minutes after login (failed)? And try with different users (and guest) to gather as much info as possible.

Link to comment
