Netatalk 2.2.2 updates UAM naming convention

Posted: July 3rd, 2012 | Filed under: Debian, Linux Mint, netatalk, Time Machine, Ubuntu

After upgrading to Netatalk 2.2.3 from a previous version, people who were using the DHX method of authentication will see uam: uam not found (status=-1) on the Netatalk server. On the MacOSX side, an attempt to log in displays a “The version of the server you are trying to connect to is not supported…” error message.

Before you mess with the settings, check your uams directory! The Netatalk team has renamed the DHX UAM modules. The DHX2 and DHX modules now have _pam.so (which logs authentication information to auth.log) or _passwd.so suffixes. Check the files in your uams directory first, before you pull your hair out or try to reinstall. (The default directory is /usr/local/etc/netatalk/uams.) Most of the instructions on the web have not been updated to reflect the name change. I have -uamlist uams_dhx2_pam.so,uams_dhx_pam.so in my afpd.conf (as a reminder, no spaces around the commas!).

DHX2 is probably the best password authentication scheme to use for modern MacOSX right now. So if you are concerned about security, it is a good idea to use it.


More Netatalk Debugging and Solutions

Posted: August 24th, 2011 | Filed under: Mac, netatalk, Time Machine, Ubuntu

I had to reinstall my Ubuntu system because my Seagate drive died a horrible and quick death. I replaced the drives with WD Greens. The Seagate had a SMART error and bad sectors were growing every second; basically the data on the OS drive was spinning to pieces.

When I reinstalled netatalk, I installed the self-compiled netatalk package (mentioned previously). However, I encountered the following error:

afpd {cnid_dbd.c:314} (E:CNID): dbd_rpc: Error reading header from fd (db_dir /var/dbd/AppleDB/tm): Connection reset by peer
afpd {cnid_dbd.c:400} (E:CNID): transmit: Request to dbd daemon (db_dir /var/dbd/AppleDB/tm) timed out.

That is relatively simple. I just had to make sure the dbpath in AppleVolumes.default exists.

Another error message I got:

afpd {volume.c:1907} (W:AFPDaemon): volume "usr" does not support Extended Attributes, using ea:ad instead

Solution:
I made sure cnidscheme is set to dbd and ea is set to sys in AppleVolumes.default.

:DEFAULT: cnidscheme:dbd ea:sys

Reference:
The Netatalk manual’s coverage of AppleVolumes.default.


Netatalk debugging and logging tips and tricks

Posted: November 26th, 2010 | Filed under: netatalk, Ubuntu

Lately I have been having problems logging into my TimeMachine disc. My iMac works, but my MacBook doesn’t, even though they run the exact same OS (10.6.5). I looked it up, and here are the instructions to separate the netatalk messages from the general message logs.

In /etc/netatalk/afpd.conf
add -setuplog "default log_info /var/log/afpd.log" to the long line of setup parameters.

If you run the CNID server:
In /etc/default/netatalk
add CNID_CONFIG="-l log_info -f /var/log/cnid.log"

You then run /etc/init.d/netatalk restart in your terminal.

Add the log files in Log File Viewer (under System -> Administration). Use File -> Open and select the log files in the appropriate place. Now whenever the logs are updated the log files will be in bold.

Now I get error messages when my macbook tries to log onto the Time Machine disc:
afpd[2081] {uams_dhx2_pam.c:350} (I:UAMSDaemon): DHX2 login: useruser
afpd[2081] {uams_dhx2_pam.c:228} (I:UAMSDaemon): PAM DHX2: PAM Success
afpd[2081] {uams_dhx2_pam.c:647} (I:UAMSDaemon): DHX2: PAM_Error: Authentication failure

However my iMac works fine:
afpd[2280] {uams_dhx2_pam.c:350} (I:UAMSDaemon): DHX2 login: useruser
afpd[2280] {uams_dhx2_pam.c:228} (I:UAMSDaemon): PAM DHX2: PAM Success
afpd[2280] {uams_dhx2_pam.c:684} (I:UAMSDaemon): DHX2: PAM Auth OK!
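
Once afpd logs to its own file, the two sequences above can be told apart per session. This is an added example, not part of the original post: it keys on the final DHX2 line for each afpd PID rather than on the intermediate PAM Success line. The sample lines are constructed in the format shown above; the timestamps and user names are made up, and the function name is hypothetical.

```shell
#!/usr/bin/env bash
# Added example: one line per afpd session with its final DHX2 outcome.

# Reads afpd log lines (files as arguments, or stdin) and prints
# "<pid> <user> <result>" in order of first appearance, followed by a
# failure count per user. Everything before "afpd[pid]" is ignored.
dhx2_summary() {
    awk '
    match($0, /afpd\[[0-9]+\]/) {
        pid = substr($0, RSTART + 5, RLENGTH - 6)
        if (match($0, /DHX2 login: /)) {
            if (!(pid in user)) order[++n] = pid
            user[pid] = substr($0, RSTART + RLENGTH)
            result[pid] = "INCOMPLETE"     # until a final line is seen
        } else if (!(pid in user)) {
            next                           # no DHX2 login seen for this PID
        } else if (match($0, /DHX2: PAM_Error: /)) {
            result[pid] = "FAIL (" substr($0, RSTART + RLENGTH) ")"
            fails[user[pid]]++
        } else if ($0 ~ /DHX2: PAM Auth OK/) {
            result[pid] = "OK"
        }
    }
    END {
        for (i = 1; i <= n; i++) print order[i], user[order[i]], result[order[i]]
        for (u in fails) print "failures", u, fails[u]
    }' "$@"
}

# Constructed sample input (assumed timestamp prefix, made-up users).
sample_log() {
    cat <<'EOF'
Nov 26 10:01:02 afpd[2081] {uams_dhx2_pam.c:350} (I:UAMSDaemon): DHX2 login: alice
Nov 26 10:01:02 afpd[2081] {uams_dhx2_pam.c:228} (I:UAMSDaemon): PAM DHX2: PAM Success
Nov 26 10:01:03 afpd[2081] {uams_dhx2_pam.c:647} (I:UAMSDaemon): DHX2: PAM_Error: Authentication failure
Nov 26 10:02:10 afpd[2280] {uams_dhx2_pam.c:350} (I:UAMSDaemon): DHX2 login: alice
Nov 26 10:02:10 afpd[2280] {uams_dhx2_pam.c:228} (I:UAMSDaemon): PAM DHX2: PAM Success
Nov 26 10:02:11 afpd[2280] {uams_dhx2_pam.c:684} (I:UAMSDaemon): DHX2: PAM Auth OK!
Nov 26 10:03:00 afpd[2301] {uams_dhx2_pam.c:350} (I:UAMSDaemon): DHX2 login: bob
EOF
}

sample_log | dhx2_summary
```

On a real server, pass the log file configured with -setuplog, for example dhx2_summary /var/log/afpd.log.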


Netatalk fixes after Ubuntu 10.10 upgrade from Ubuntu 10.04

Posted: October 11th, 2010 | Filed under: netatalk, Ubuntu

If you followed the previous instructions and have just upgraded from 10.04 to 10.10 (aka Maverick Meerkat), you might have noticed that Netatalk has ceased to function. Basically it won’t let you log in, and in the System Log Viewer you see error messages like the ones below.

I got the following error messages in daemon.log.

afpd[3523]: Setting uid/gid to 1000/1000
afpd[3523]: CNID DB initialized using Berkeley DB 4.8.30: (April  9, 2010)
afpd[3523]: cnid_open: dbenv->open (rw) of /storage/dirname/.AppleDB failed: DB_VERSION_MISMATCH: Database environment version mismatch
afpd[3523]: Fatal error: cannot open CNID or invalid CNID backend for /storage/dirname: cdb

What I came to realize is that Netatalk 2.1.2 (now the default in the Meerkat software repository) doesn’t support the cdb option for cnidscheme. It only supports last, dbd and tdb.

Steps to uninstall Netatalk (if you followed the previous instructions)
Remember to back up copies of the conf files in your /etc/netatalk directory first.

echo "netatalk purge" | sudo dpkg --set-selections
sudo apt-get remove netatalk
sudo apt-get autoremove

You can then follow the same instructions in the previous post and compile the latest version (2.1.2) with the proper authentication modules built in from the Maverick Meerkat repository.

Once you have started the dpkg installation of the new netatalk, you will be asked if you want the new conf files to be installed. I selected No and changed the cnidscheme manually.

Remember to change the cnidscheme setting from cdb to either dbd or tdb in your AppleVolumes.default files. For more information on selecting or changing it, please refer to here.


Netatalk authentication gotchas and diagnostic steps for Ubuntu 10.04

Posted: September 11th, 2010 | Filed under: netatalk, Ubuntu

For some reason the netatalk package that is in the Ubuntu repository doesn’t come with any password authentication packages. So unless you want a fully non-password AppleTalk setup on your Ubuntu server, DO NOT apt-get install netatalk!

I followed Mr. Kretschmann’s handy HowTo for installing Netatalk on Ubuntu. It seems to work for Ubuntu 10.04 (actually it should work with all Linux distributions). However, when I tried to log in, I kept getting an unknown username / password problem.

Here are my installation steps:

sudo apt-get source netatalk
sudo apt-get build-dep netatalk
sudo apt-get install cracklib2-dev
sudo apt-get install libssl-dev
cd netatalk-2*
sudo DEB_BUILD_OPTIONS=ssl dpkg-buildpackage -rfakeroot
sudo dpkg -i ../netatalk-2*.deb
echo "netatalk hold" | sudo dpkg --set-selections

Here are my diagnostic steps:

  1. Check your afpd.conf and AppleVolumes.default files for any typos, especially when you are cutting and pasting!
  2. If you want to let each user access his/her own directory, you should put
    ~/ "$u" allow:$u cnidscheme:cdb

    in AppleVolumes.default instead of the username1/username2 combination listed in the HowTo; $u is the variable for the username. The list of variable names is in the comment section of the file or here.

  3. Open Log File Viewer under System -> Administration. Whenever there are any updates in any of the log files, the updated log file on the left will appear bold.
  4. What I encountered was that my installation steps above only created the uams_dhx2*.so authentication libraries. My syslog file has these entries:
    afpd[17919]: ASIP started on 192.168.168.121:548(5) (2.0.5)
    afpd[17919]: uam: loading (/usr/lib/netatalk/uams_randnum.so)
    afpd[17919]: uam: uam not found (status=-1)
    afpd[17919]: uam: loading (/usr/lib/netatalk/uams_dhx.so)
    afpd[17919]: uam: uam not found (status=-1)
    afpd[17919]: Finished parsing Config File
  5. Go to the /usr/lib/netatalk directory and verify which authentication modules you have. Update your afpd.conf appropriately. Mine is:
    - -transall -uamlist uams_dhx2.so -savepassword -advertise_ssh

    dhx2 authentication is only supported by MacOSX machines; if you have OS9 or earlier you will need the others to fall back to. I think it is much easier to use a normal MacOSX machine to do AppleTalk though.

  6. I also noticed that with Netatalk 2.0.5 (vs 2.0.3 in the HowTo), there is a Time Machine support option in the AppleVolumes.default file. So an entry like this:
    ~/TimeMachine "$u" allow:$u cnidscheme:cdb options:usedots,upriv,tm

    would allow each user login to have its own TimeMachine backup, or you can do it by IP via the $c variable. With that option enabled, I can run TimeMachine without having to create my own sparsebundle etc. You still have to issue the defaults write com.apple.systempreferences TMShowUnsupportedNetworkVolumes 1 command in a terminal on the Mac you want to start TimeMachine on, though.

  7. Oh, after each change, remember to run:
    /etc/init.d/netatalk stop
    /etc/init.d/netatalk start

    I find 2 commands work better than one command using the restart flag.
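
The module check from step 5 above is also the check that the Netatalk 2.2.3 post at the top of this page recommends after the rename. The following is an added shell example, not code from the original posts or from Netatalk. The function names, the temporary fixture and the sample afpd.conf line are constructed; point check_uamlist at your own afpd.conf and uams directory.

```shell
#!/usr/bin/env bash
# Added example: check that every module named in afpd.conf's -uamlist
# exists in the uams directory.

# Prints "ok <module>" or "missing <module> (candidates: ...)" per entry.
# Returns 0 if all modules exist, 1 if any is missing, 2 if no -uamlist found.
check_uamlist() {
    local conf="$1" uamdir="$2" list mod base suf cands rc=0
    # Value after -uamlist on the last non-comment line that carries one.
    list=$(grep -v '^[[:space:]]*#' "$conf" |
           sed -n 's/.*-uamlist[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' |
           tail -n 1)
    if [ -z "$list" ]; then
        echo "no -uamlist in $conf"
        return 2
    fi
    local IFS=,
    for mod in $list; do
        if [ -e "$uamdir/$mod" ]; then
            echo "ok $mod"
            continue
        fi
        rc=1
        base=${mod%.so}
        cands=
        # After the rename a module may exist as <base>_pam.so or <base>_passwd.so.
        for suf in _pam _passwd; do
            if [ -e "$uamdir/$base$suf.so" ]; then cands="$cands $base$suf.so"; fi
        done
        echo "missing $mod (candidates:${cands:- none})"
    done
    return $rc
}

# Constructed fixture: a uams directory as it looks after the rename, and an
# afpd.conf that still lists two old module names (paths are temporary).
demo() {
    local d rc=0
    d=$(mktemp -d)
    mkdir "$d/uams"
    touch "$d/uams/uams_dhx2_pam.so" "$d/uams/uams_dhx2_passwd.so" "$d/uams/uams_dhx_pam.so"
    printf '%s\n' '# constructed sample' \
        '- -transall -uamlist uams_dhx2.so,uams_dhx.so,uams_dhx2_pam.so' > "$d/afpd.conf"
    check_uamlist "$d/afpd.conf" "$d/uams" || rc=$?
    rm -rf "$d"
    return $rc
}

demo || echo "fix -uamlist before restarting netatalk"
```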