Monday, September 7, 2009

Accessing a Linux File Server from OS X using AFP

I keep most of my data on a low-power Ubuntu server that sits underneath my TV.  The data isn't much good to me if I can't access it, so I've mounted the server as a network drive on OS X.  This post will show you how to do the same.

I first discovered how to set up AFP from this article on kermalicious.com.  It's slightly outdated, but feel free to go there if you want info direct from the source, especially if you run into issues with these instructions.

Step 1: Set up Netatalk on the Server

I'm using a server running Ubuntu 9.04 for these instructions.

Netatalk is an open source implementation of Apple's AFP (AppleTalk Filing Protocol), which provides remote filesystem access similar to NFS, Samba etc.  I've found AFP to integrate a little better with OS X.  sshfs is faster and more secure, but I had trouble getting it to reliably automount.

First install Netatalk. It comes out-of-the-box with encrypted authentication these days, so no need to compile your own.
sudo apt-get install netatalk

Now configure AFP services by editing /etc/default/netatalk to contain only the necessary daemons (CNID_METAD and AFPD):
ATALKD_RUN=no
PAPD_RUN=no
CNID_METAD_RUN=yes
AFPD_RUN=yes
TIMELORD_RUN=no
A2BOOT_RUN=no
The rest of the defaults should be fine.

The last bit of Netatalk configuration is in /etc/netatalk/afpd.conf.  Set the last line of the file to the following:
- -transall -uamlist uams_dhx2.so -nosavepassword

This restricts logins to the DHX2 user authentication module, which protects the password with a Diffie-Hellman key exchange (DHX) rather than sending it in plaintext or something silly like that; -nosavepassword additionally stops clients from saving the password locally.

Step 2: Set up Shared Volumes

Did I say that was the last bit of configuration?  I lied, kinda.  We need to configure the volumes we wish to share via AFP - right now our server speaks AFP, but it doesn't have anything to share.  This is done by editing the file /etc/netatalk/AppleVolumes.default.

Each volume you wish to share goes on a line at the bottom of this file.  By default all users will be able to access their own home directories (~/  "Home Directory"), but you can change that to the following:
~/        "$u"        options:usedots,upriv

The "$u" will call Bob's home directory "Bob" rather than "Home Directory".  The usedots option is necessary if you want to use "invisible" dot files (such as .profile), and upriv adds support for unix privileges (but apparently has problems with OS X Tiger or older).

You can have other volumes shared - I have the following:
/home/cowling/TimeMachine TimeMachine allow:cowling options:usedots,upriv
/home/media Media allow:cowling,media options:usedots,upriv

Now restart netatalk and we should be set!
sudo /etc/init.d/netatalk restart
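Before restarting, it's worth checking the two files for the settings this post steers around.  The following Python script is an added example (not from the post, and not part of Netatalk itself): it parses the server line format of afpd.conf and the volume line format of AppleVolumes.default shown above, and reports any guest/cleartext/random-number UAMs, a missing -nosavepassword, or a volume with no allow: list.  The embedded file contents, including the extra "legacy" server line and the /srv/public volume, are constructed samples.

```python
"""Lint netatalk afpd.conf and AppleVolumes.default for weak settings (added example, not netatalk code)."""
import shlex

WEAK_UAMS = {"uams_guest.so", "uams_clrtxt.so", "uams_randnum.so"}  # no DH key exchange
ARG_FLAGS = {"uamlist", "uampath", "port", "ipaddr", "loginmesg", "guestname"}  # take a value

def parse_afpd_server_line(line):
    """One afpd.conf server line -> (server name, options); -uamlist becomes a list."""
    tokens, opts, i = shlex.split(line), {}, 1
    while i < len(tokens):
        flag = tokens[i].lstrip("-")
        takes_value = flag in ARG_FLAGS
        value = tokens[i + 1] if takes_value else True
        opts[flag] = value.split(",") if flag == "uamlist" else value
        i += 2 if takes_value else 1
    return tokens[0], opts

def parse_volume_line(line):
    """One AppleVolumes.default line -> path, optional name, allow: and options: lists."""
    tokens = shlex.split(line)
    vol = {"path": tokens[0], "name": None, "allow": None, "options": []}
    for tok in tokens[1:]:
        key, sep, value = tok.partition(":")
        if sep and key in ("allow", "options"):
            vol[key] = value.split(",")
        elif not sep and vol["name"] is None:
            vol["name"] = tok
    return vol

def lint(afpd_conf, apple_volumes):
    """Return one finding string per weak setting in the two file contents."""
    findings = []
    for line in (raw.strip() for raw in afpd_conf.splitlines()):
        if line and not line.startswith("#"):
            name, opts = parse_afpd_server_line(line)
            for weak in sorted(WEAK_UAMS & set(opts.get("uamlist", []))):
                findings.append(f"{name}: weak UAM {weak} enabled")
            if "nosavepassword" not in opts:
                findings.append(f"{name}: -nosavepassword not set, clients may store the password")
    for line in (raw.strip() for raw in apple_volumes.splitlines()):
        if line and line[0] not in "#~":  # skip comments and the per-user home share
            vol = parse_volume_line(line)
            if vol["allow"] is None:
                findings.append(f"{vol['path']}: no allow: list, any AFP login can mount it")
    return findings

# Constructed samples: the post's settings plus a weak second server line and a volume with no allow: list.
SAMPLE_AFPD_CONF = """- -transall -uamlist uams_dhx2.so -nosavepassword
legacy -transall -uamlist uams_clrtxt.so,uams_dhx.so"""
SAMPLE_VOLUMES = """/home/media Media allow:cowling,media options:usedots,upriv
/srv/public "Public Drop" options:usedots"""
```

Run it with `print(lint(SAMPLE_AFPD_CONF, SAMPLE_VOLUMES))`, or feed it the real files with `open("/etc/netatalk/afpd.conf").read()` and `open("/etc/netatalk/AppleVolumes.default").read()`; an empty list means nothing to fix.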

Step 3: Connect to the Remote Volume on OS X

This should be pretty straightforward.  In Finder go to Go -> Connect to Server..., enter afp://servername, your username and password, and hopefully it all works!

If you want to access a volume from behind a NAT/firewall, you'll need to forward/open TCP port 548.  Bear in mind that DHX only protects the login: AFP sends the file data itself unencrypted, so across an untrusted network sshfs is the safer choice.

If you don't want OS X putting .DS_Store files in every folder you access (you probably don't), you can turn these off for remote volumes by running the following in the OS X terminal:
defaults write com.apple.desktopservices DSDontWriteNetworkStores true

Optional: Automatic Discovery using Bonjour/Avahi

As in the last post on setting up a music server, you need to set up Avahi if you want OS X to automatically detect shared volumes on your local network and pop them up in the Finder side panel.

First install Zeroconf/Avahi if you haven't already:
sudo apt-get install avahi-daemon

Set up the AFP service by creating a file /etc/avahi/services/afpd.service containing:

<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">%h</name>
  <service>
    <type>_afpovertcp._tcp</type>
    <port>548</port>
  </service>
  <service>
    <type>_device-info._tcp</type>
    <port>0</port>
    <txt-record>model=Xserve</txt-record>
  </service>
</service-group>

and restart avahi:
sudo /etc/init.d/avahi-daemon restart

If you have a firewall that's blocking Avahi, you'll want to open UDP port 5353.  There's not much point forwarding this port on a NAT, since Avahi only works within a local network.

If all went well, your server will show up in the panel on the left of the Finder window. Yay, we're done!  As always, let me know if you encounter any errors with these instructions.

Have fun.

James