Netatalk

Summary:

• Installation
• Setting Up File And Printer Sharing
• Restricting Access

'Netatalk' is an implementation of the ~AppleTalk Protocol Suite for Unix systems –– it allows a Linux system to act as a file & print server for a network of Macs. Netatalk provides support for routing ~AppleTalk, serving Unix and AFS file systems over AFP (~AppleShare), serving Linux printers, and accessing ~AppleTalk printers over PAP. A number of other printing and debugging utilities are also included.

This article discusses the basic setup of Netatalk on a Linux machine to make a file and print server for pre-X Mac OS clients.
The current version of Netatalk (1.5) does not support file sharing with Mac OS X clients, use NFS instead. Printer sharing works, though.

Installation

Neither the PPC nor the x86 releases of Mandrake Linux contain netatalk RPMs. PPC users should give the netatalk RPM from Stew Benedict's Mandrake Linux PPC page a try, reports have been positive. x86 users can get a Mandrake RPM from the netatalk project download page at Sourceforge. Notice that these RPMs are not supported by Mandrakesoft. Of course you can also get the sources from there and compile it yourself.
The same page lists a configuration module for the 'Webmin' system administration tool which comes with Mandrake Linux. According to reports it works quite well and might be a good choice for configuring Netatalk. PPC users might also use the old and unmaintained ~AppleTalk Configurator (RPMs) which still seems to do its job.

Install the RPM as 'root' with

urpmi {RPM}

I do not recommend using 'pure' RPM with the RPM package from Sourceforge, since it triggers some odd dependencies. 'urpmi' will handle them for you.

section index

Setting Up File And Printer Sharing

By default every user on a Mac client with a valid account name / password pair on a Linux machine can log into his 'home' directory on the Linux machine.
Additional 'Guest' shares (i.e. shares for users who don't have an account on the Linux machine) can be created by just adding the shares which should be available to the Mac clients to '/etc/atalk/~AppleVolumes.default' (just below the '~' which makes the home directories available):

/tmp tmp

The first entry specifies the directory to be shared on the Linux machine and the second the name under which this share will appear on the Mac clients.

Now start the service as 'root' with

service atalk start

It takes about twenty seconds for atalkd to start up. If you start the atalk service at boot time this delay might be annoying. Edit '/etc/atalk/netatalk.conf' as 'root' and change

ATALK_BGROUND=no

to

ATALK_BGROUND=yes

This puts the atalk startup process into the background.

If your Linux machine has more than one external network interface, it is a good idea to tell atalk which network interface it should cover. Add it to '/etc/atalk/atalkd.conf' (as 'root'), e.g.

eth0

for the first Ethernet interface.

Now let's test: On the Mac client open the 'Chooser' from the Mac system menu and click on '~AppleShare'. The hostname of your Linux machine should now appear in the 'file server' list. Double click on it. You should now get a dialog field from which you can log in either as a 'user' or as a 'guest'. To log in as a user, you have to provide your Linux user name / password pair. Do not forget to edit the 'user name' field, since your Mac OS user name is most likely to be different from that on the Linux machine.
Alternatively, choose the 'tmp' share, choose 'Guest', confirm and the 'tmp' share should now appear on your Mac desktop.

Pitfalls:

• Be very careful which directories you export. The Apple Filing Protocol Daemon will create some files in each directory you export. Use the 'noadouble' option to shares exported via '~AppleVolumes.default'.
• File names containing more than 32 characters on the Netatalk shares will not show up on the Mac clients.
• Netatalk uses tcpwrappers for access control. If you want access control and are using 'xinetd', you have to provide scripts to go into '/etc/xinetd.d' by yourself. Read the article on xinetd for an introduction.
• A comment in '/etc/rc.d/rc3.d/S91atalk' states:

I have experienced no difficulties with starting 'atalkd' in the background during boot, though, but your mileage may vary. (Thanks to John Haywood for making me aware of this comment)

To share a printer which is connected to the Linux machine with the Mac clients, you'll have to edit '/etc/atalk/papd.conf'. Assuming the printer's name is 'Printer' and runs under the standard CUPS system, you would have to add these lines as 'root':

Linuxprinter:\
:pr=|/usr/bin/lp -d Printer:\
:op=daemon:\
:pd=/etc/cups/ppd/Printer.ppd:

The first line defines the name of the printer on the Mac clients. 'pr' specifies the printer name, 'op' the spooling operator on the Linux machine and 'pd' the location of the PPD (~PostScript Printer Definition) file.

Restart the atalk service with:

service atalk restart

Now go back to the chooser and click on the '~LaserWriter 8' icon. In the right hand field should now appear the string 'Linuxprinter'. Double-click on it and choose the correct PPD file (the same you use in Mac OS). On your Mac desktop appears a new printer icon with the text 'Linuxprinter'. You can now print to that printer from every Mac OS application.

Pitfalls:

• Mac OS makes the new network printer the default printer. You can change this via the context menu of the respective printer icons.
• The above method works for ~QuickDraw and ~PostScript capable printers. I'm not sure if it works for printers which do not offer these capabilities.
  Mandrake Linux Tom Loscheider comments: > I have tons of experience with non postscript and non Mac printers using cups & netatalk with Mac clients. I can say from experience, that if you get the printer working correctly in Linux, you will be able to print to it from a Mac. :-)- Yes, even ~WinPrinters.
  
  

section index

Restricting Access

(This section added on Oct. 31)

Netatalk offers you several possibilities to restrict access to ~AppleTalk services.

• Via share options in '/etc/atalk/~AppleVolumes.default'
  Several per share options can restrict access:
• 'allow {user, group}' and 'deny {user, group}'. Note that 'allow'ing one group or user will deny access for all other user or groups. Group names have to be prefixed with '@'.
• 'options:ro' exports the share read-only (read-write is default).
• 'password' allows you to set an eight character maximum password for accessing the share.
• 'rolist:{user, group}', 'rwlist:{user, group}' Allows you to split read-only and read-write access by users or groups.
• Via a '.~AppleVolumes' file in the user's home directory
  If such a file exists, only the directories listed in this file are shared via ~AppleTalk. The format is the one used in '~AppleVolumes.default'.
• Via '/etc/atalk/papd.conf'
  By specifying the 'am=' option, you can restrict access to the printers connected to the Linux machines:
  

  am=uams_guest.so

  
  requires the printer user to supply a valid user name on the Linux machine.
  

  am=uams_pam.so

  
  requires the printer user to supply a valid user name / password pair on the Linux machine.
  Per printer authentication is not possible.

• Mac clients do not accept passwords longer than eight characters, even if it is a password to a valid account on the Linux machine.

Related Resources:

Richard Parry: Netatalk, Linux and the Macintosh
netatalk Project Site
Linux Netatalk HOWTO
CUPS SAM 8.4

man ~AppleVolumes.default

Revision / Modified: Oct. 25, 2001 / May 14, 2002
Author: Tom Berger

Legal: This page is covered by the GNU Free Documentation License. Standard disclaimers of warranty apply. Copyright LSTB and Mandrakesoft.