Building netatalk on OpenSolaris 2009.06

For a few months now, basically since the Drobo started supporting third party applications, I have been using my Drobo, via a DroboShare, as a Time Machine backup for my MacBook Pro. I used the BackMyFruitUp toolkit to set up the DroboShare as an AFP server, so the Mac saw it as an Apple-compatible network file share. One particularly fun step in that process was migrating my existing Time Machine volume over to the Drobo, but that’s another story. This story is about how I replaced the Drobo and DroboShare with a server running OpenSolaris.

Installing OpenSolaris

To start with, I took the old web/file server I had sitting around since last year and installed OpenSolaris 2009.06. Why OpenSolaris, you may ask, considering I had been a Linux user for over a decade? Well, I have one word for you: ZFS. If you don’t think ZFS is the most impressive file system on the planet, then you haven’t watched the three hour presentation. But I can’t give ZFS all of the credit for prompting the switch to OpenSolaris. There are plenty of very good reasons to use OpenSolaris and ZFS is just one of them.

Okay, so once OpenSolaris was on the system disk, what next? Well, you should update the installed packages and reboot into the new boot environment. Next we’ll need the C compiler and related packages: pfexec pkg install gcc-dev

The system is now capable of compiling software from source, in particular netatalk. Be sure to get the latest stable release (at least 2.0.4) in order to get around weird permissions issues introduced in Leopard. Before installing netatalk we must first install a compatible version of Berkeley DB.

Installing Berkeley DB

The one prerequisite of netatalk is Berkeley DB. I found that netatalk 2.1.1 would not detect Berkeley DB 5.0 or higher so I had to use the previous stable release, 4.8.30 (on the Berkeley DB web site look for the previous releases link). Compiling it is pretty straightforward. Start by adding /usr/local/lib to the library load path (pfexec crle -u -l /usr/local/lib). Then compile and install Berkeley DB like so (consult their build instructions for details, but it basically goes like this):

  1. cd build_unix
  2. ../dist/configure --prefix=/usr/local
  3. make
  4. pfexec make install

Installing netatalk

Once Berkeley DB is installed we’re ready to build netatalk. I’m skipping the PAM option here because it’s more work to set it up and I’m generally looking for the fastest setup time I can find.

  1. ./configure --without-pam
  2. make
  3. pfexec make install

Now comes the configuration stage. The setup described below suits my own needs, so if you want additional services then check out the netatalk documentation for more information. In general though, you will probably want to make similar changes to the default configuration, so I’ll detail what I’ve done for my environment.

  • Edit /usr/local/etc/netatalk/afpd.conf, adding the following line at the end of the file (this sets up the encrypted password authentication method and tells clients not to save the password, although that seems to be ignored on OS X):
- -transall -uamlist uams_dhx.so -nosavepassword
  • Edit /usr/local/etc/netatalk/AppleVolumes.default, adding the following (changing the default ~ line as well):
~ cnidscheme:dbd options:usedots,invisibledots,upriv perm:0770
/tank/shared "Shared" allow:@staff cnidscheme:dbd options:usedots,invisibledots,upriv perm:0770
/tank/nathan_backup "Nathan Backup" allow:nfiedler cnidscheme:dbd options:usedots,invisibledots,upriv perm:0770
/tank/antonia_backup "Antonia Backup" allow:akwok cnidscheme:dbd options:usedots,invisibledots,upriv perm:0770

Without the cnidscheme parameter, warnings will be issued by afpd, so just set it to something reasonable (with version 2.1.1 the cdb module could not be found so I used dbd instead). The usedots option tells netatalk to use dots instead of “:2e” for encoding dot files, while invisibledots says to make the dot files invisible by default. Now about the permissions issue alluded to above (see this discussion for details). With Tiger, newly created files would be writable by others, but in Leopard the permissions are wacky, so the latest netatalk has a workaround for that. Add the upriv option and perm:0770 to force the permissions for new files so that others in the group can read and write them. After all, this is a shared volume; it’s silly if no one else can access the files.
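As an added example (not code from the original post), here is a small Python audit of the two configuration files described above. It parses AppleVolumes.default lines into path, display name and key:value options, flags volumes that are explicitly world-writable or that carry no allow:/deny: restriction, and checks the -uamlist in afpd.conf for the cleartext and guest modules; the sample lines are constructed, and the /tank/public entry is a deliberately weak one for the audit to catch.

```python
import shlex

# Constructed sample of the two netatalk config files discussed in the post;
# /tank/public and uams_clrtxt.so are deliberately weak entries for the audit.
SAMPLE_VOLUMES = """\
~ cnidscheme:dbd options:usedots,invisibledots,upriv perm:0770
/tank/shared "Shared" allow:@staff cnidscheme:dbd options:usedots,invisibledots,upriv perm:0770
/tank/public "Public" cnidscheme:dbd perm:0777
"""
SAMPLE_AFPD = "- -transall -uamlist uams_dhx.so,uams_clrtxt.so -nosavepassword\n"


def parse_volume_line(line):
    """Return (path, display_name, {option: value}) for one AppleVolumes line."""
    tokens = shlex.split(line)            # shlex keeps "Nathan Backup" as one token
    path, name, opts = tokens[0], None, {}
    for tok in tokens[1:]:
        key, sep, val = tok.partition(":")
        if sep:
            opts[key] = val               # key:value option such as perm:0770
        elif name is None:
            name = tok                    # first bare token is the volume name
    return path, name, opts


def audit_volumes(text):
    """Flag volumes that are world-writable or not restricted with allow:/deny:."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, _name, opts = parse_volume_line(line)
        mode = int(opts.get("perm", "0"), 8)  # perm: is an octal mode string
        if mode & 0o002:
            findings.append(f"{path}: perm:{opts['perm']} is world-writable")
        if path != "~" and "allow" not in opts and "deny" not in opts:
            findings.append(f"{path}: no allow:/deny:, open to every authenticated user")
    return findings


def audit_afpd(text):
    """Flag weak user authentication modules (UAMs) listed in afpd.conf."""
    weak = {"uams_clrtxt.so": "cleartext passwords", "uams_guest.so": "guest access"}
    findings = []
    for line in text.splitlines():
        tokens = shlex.split(line)        # afpd.conf lines are "servername options"
        if "-uamlist" in tokens:
            uams = tokens[tokens.index("-uamlist") + 1].split(",")
            findings += [f"{u}: {weak[u]} enabled" for u in uams if u in weak]
    return findings
```

Run it against your real files by reading /usr/local/etc/netatalk/AppleVolumes.default and afpd.conf into the two audit functions; an empty list from each means the checks passed.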

With the configuration complete, you can start the netatalk services. I’m assuming that it’s not running already, in which case you can just run this command: pfexec /etc/init.d/netatalk start

Connecting and Permissions

Now at this point you should be able to connect to the server from your Mac, using the Connect to Server feature in Finder (you can use the Cmd+K shortcut). Type in something like “afp://myserver” in the dialog, replacing myserver with the name of your server, and you will be prompted for a name and password. Use whatever you have for your user accounts on the OpenSolaris server. You could configure netatalk to use PAM, allowing authentication against LDAP or some other service, but for simplicity I just use the system accounts. Once you’ve authenticated, you will be prompted to select an available shared volume. It doesn’t seem to matter which one you pick since the server will be added to the Finder sidebar, and from there you can browse to any of the shared volumes. As for accessing the files on the server, make sure the ownership and permissions are set up such that the user you connect as can read and write to those areas. For instance, the nfiedler user has read/write permission to /tank/nathan_backup, and that same user is a member of the staff group, and the /tank/shared area is owned by the staff group and is group writable. So far this seems to be working for us, but if you have better ideas then by all means please leave a comment.

I can’t take the credit for uncovering this information. In fact, this entry is just pulling together the different bits of information into a single, concise set of instructions. The original blog that I encountered was written by Marc Haisenko, and for step-by-step instructions on configuring netatalk on Linux, I found the kremalicious blog by Matthias Kretschmann.

[Updated June 16, 2010 with new software versions and instructions.]

This entry was posted in Computing, HowTo, Networking.

12 Responses to Building netatalk on OpenSolaris 2009.06

  1. Pingback: Making netatalk discoverable in OpenSolaris « Caffeinated

  2. James says:

    Note that BDB is now available from the contrib repository, which is a lot easier.

    Netatalk 2.0.4 appears to have resolved some issues, I only needed:

    ./configure --without-pam

    I tried it with PAM (default) and configure completed with a bunch of warnings about PAM not being there.

    Would someone with more SMF experience than I care to look at converting the init.d script to the required XML and shell so that SMF will restart the daemons in case of problem?

  3. andres says:

    You might want to suggest people set up a stand-alone setup of BDB, so if the shared BDB on the system is updated, your Netatalk installation isn’t affected. Another thing that I have found useful is to put the BDB databases on a different volume than the Netatalk share, that way if your share runs out of space, your BDB doesn’t become corrupted. The Netatalk manual is a bit tedious to read, but it contains a ton of very useful info.

  4. Pingback: Netatalk on OpenSolaris (incl. Service Discovery) | blog/shl@INTERDOSE

  5. Pingback: links for 2010-02-22 « About My Days

  6. Building and authenticating with PAM isn’t a problem now, it seems. This worked fine for me:

    $ cd work/netatalk/
    $ wget http://hivelocity.dl.sourceforge.net/project/netatalk/netatalk/2.0.5/netatalk-2.0.5.tar.bz2
    $ tar xjf netatalk-2.0.5.tar.bz2
    $ cd netatalk-2.0.5
    $ ./configure --with-pam=/usr/lib/security
    $ make -j4
    $ pfexec make install

    I verified that PAM was being used via:

    Verified PAM used this way:

    add “auth.debug	/var/adm/authlog” to /etc/syslog.conf

    # touch /etc/pam_debug
    # touch /var/adm/authlog
    # svcadm restart system-log

    Mount AFP volume

    Look at /var/adm/authlog

  7. Pingback: OpenSolaris + TimeMachine backup + network discovery « Matt Connolly’s Blog

  8. Pingback: Using OpenSolaris and ZFS with Time Machine « Caffeinated

  9. Pingback: Adding AFP support to Nexenta Core 3.0 | Technical Ramblings

  10. Pingback: Tutorial: How to install netatalk on OpenSolaris (2009.06) « klein2

  11. Pingback: Set up TimeMachine against your NAS with netatalk

  12. Rudy says:

    To make afp work with osx 10.7, you must support dhx2 as well for the password encryption in afpd.conf:

    - -transall -uamlist uams_dhx.so,uams_dhx2.so -nosavepassword
