Monday, September 7, 2009

Accessing a Linux File Server from OS X using AFP

I keep most of my data on a low-power Ubuntu server that sits underneath my TV.  The data isn't much good to me if I can't access it, so I've mounted the server as a network drive on OS X.  This post will show you how to do the same.

I first discovered how to set up AFP from this article on kermalicious.com.  It's slightly out-dated but feel free to go there if you want info direct from the source, especially if you run into issues with these instructions.

Step 1: Set up Netatalk on the Server

I'm using a server running Ubuntu 9.04 for these instructions.

Netatalk is the open source version of Apple's AFP (AppleTalk Filing Protocol), which provides remote filesystem access similar to NFS, Samba etc.  I've found AFP to integrate a little better with OS X.  sshfs is faster, and more secure, but I had trouble getting it to reliably automount.

First install Netatalk. It comes out-of-the-box with encrypted authentication these days, so no need to compile your own.
sudo apt-get install netatalk

Now configure AFP services by editing /etc/default/netatalk to contain only the necessary daemons (CNID_METAD and AFPD):
ATALKD_RUN=no
PAPD_RUN=no
CNID_METAD_RUN=yes
AFPD_RUN=yes
TIMELORD_RUN=no
A2BOOT_RUN=no
the rest of the defaults should be fine.

The last bit of Netatalk configuration is in /etc/netatalk/afpd.conf.  Set the last line of the file to the following:
- -transall -uamlist uams_dhx2.so -nosavepassword

This ensures that we only use Diffie-Hellman key exchange (DHX) for authentication, rather than plaintext passwords or something silly like that.

Step 2: Set up Shared Volumes

Did I say that was the last bit of configuration?  I lied, kinda.  We need to configure the volumes we wish to share via AFP - right now our server speaks AFP, but it doesn't have anything to share.  This is done by editing the file /etc/netatalk/AppleVolumes.default.

Each volume you wish to share goes on a line at the bottom of this file.  By default all users will be able to access their own home directories (~/  "Home Directory"), but you can change that to the following:
~/        "$u"        options:usedots,upriv

The "$u" will call Bob's home directory "Bob" rather than "Home Directory".  The usedots option is necessary if you want to use "invisible" dot files (such as .profile), and upriv adds support for unix privileges (but apparently has problems with OS X Tiger or older).

You can have other volumes shared - I have the following:
/home/cowling/TimeMachine TimeMachine allow:cowling options:usedots,upriv
/home/media Media allow:cowling,media options:usedots,upriv

Now restart netatalk and we should be set!
sudo /etc/init.d/netatalk restart

Step 3: Connect to the Remote Volume on OS X

This should be pretty straight-forward.  In Finder go to Go -> Connect to Server..., enter afp://servername, your username and password, and hopefully it all works!

If you want to access a volume from behind a NAT/firewall, you'll need to forward/open port 548.

If you don't want OS X putting .DS_Store files in every folder you access (you probably don't), you can turn these off for remote volumes by running the following in the OS X terminal:
defaults write com.apple.desktopservices DSDontWriteNetworkStores true

Optional: Automatic Discovery using Bonjour/Avahi

As in the last post on setting up music server, you need to set up Avahi if you want OS X to automatically detect shared volumes on your local network, and pop them up in the Finder side panel.

First install Zeroconf/Avahi if you haven't already:
sudo apt-get install avahi-daemon

Set up the AFP service by creating a file /etc/avahi/services/afpd.service containing:

<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h</name>
<service>
<type>_afpovertcp._tcp</type>
<port>548</port>
</service>
<service>
<type>_device-info._tcp</type>
<port>0</port>
<txt-record>model=Xserve</txt-record>
</service>
</service-group>


and restart avahi:
sudo /etc/init.d/avahi-daemon restart

If you have a firewall that's blocking Avahi, you'll want to open port 5353.  There's not much point forwarding this port on a NAT, since Avahi only works within a local network.

If all went well, your server will show up in the panel on the left of the Finder window. Yay, we're done!  As always, let me know if you encounter any errors with these instructions.

Have fun.

James

9 comments:

  1. Leopard and later don't support AFP over SSH.
    -advertise_ssh option is not needed.

    ReplyDelete
  2. With a group shared volume, can you get netatalk setup, so that users can delete other users files when they belong to the same group?

    ReplyDelete
  3. @Anonymous:
    Thanks - I noticed this option was no longer available, just forgot to take out the option in afpd.conf. Updated accordingly now.

    @Mike Chan:
    I don't have any troubles deleting files from the 'media' group (for example), when connected to the AFP share from my own username. I added myself to the media group using:

    sudo adduser myusername media

    and then made sure that the files in /home/media are group writeable:

    sudo chmod -R g+w /home/media/

    Bear in mind that linux doesn't update group changes immediately, so you may have to log out and log back in before you have access to the group.

    (Also: you'll only be able to delete files if they belong to the particular group - ie. you can't delete files from /home/media if they're in the 'bob' group. You can use the chgrp command to change the files to the 'media' group etc.)

    ReplyDelete
  4. I have been going round in circles all day trying to get this to work :-( Ubuntu 9.04 and Leopard 10.5.8

    Installed and configured as detailed above. My Ubuntu PC appears under SHARED in the Finder sidebar. I Select it and click "Connect As..." after a few minutes it disappears, as if something either timed out or crashed.

    Restarting avahi-daemon on Ubuntu makes it show up again in Finder but the same thing happens when I try to connect.

    Any suggestions on a possible cause/fix or where to start looking i.e. which log for messages? (I don't see anything on the Leopard Console).

    Thanks,
    Mark

    ReplyDelete
  5. James, Thanks for your instructions.

    I’ve a problem with avahi. I can connect via cmd+K to my ubuntu machine and everythings works well. But after installing avahi it doesn’t turn up automatically in the finder, nor on my desktop. I rechecked the config files twice and restarted both boxes. On the ubuntu machine, ports 548 and 5353 are open. Any ideas?

    ReplyDelete
  6. Awesome blog post nice quality . Best VPN A good VPN provider will offer servers in a large range of different countries.

    ReplyDelete
  7. Thank you so much for taking the time for you personally to share such a nice info. I truly favor to reading your post

    _____________________
    coreldraw for Mac

    ReplyDelete