-
Notifications
You must be signed in to change notification settings - Fork 85
/
configuration.xml
1941 lines (1543 loc) · 80.7 KB
/
configuration.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="UTF-8"?>
<chapter id="configuration">
<title>Setting up Netatalk</title>
<sect1>
<title>File Services<indexterm>
<primary>File Services</primary>
<secondary>Netatalk's File Services</secondary>
</indexterm></title>
<para>Netatalk supplies two different transport protocols for
AFP<indexterm>
<primary>AFP</primary>
<secondary>Apple Filing Protocol</secondary>
</indexterm> services and both can run at the same time. Classic AFP
over AppleTalk requires the <command>afpd</command> and
<command>atalkd</command> daemons. AFP over IP only requires
<command>afpd</command>.</para>
<sect2>
<title>Setting up the AFP file server</title>
<para>AFP (the Apple Filing Protocol) is the protocol Apple Macintoshes
use for file services up until OS X Mountain Lion (10.8). The protocol
has evolved over the years. The
latest change to the protocol, AFP 3.4, was introduced with
the release of OS X Mountain Lion<indexterm>
<primary>Mountain Lion</primary>
<secondary>Mac OS X 10.8</secondary>
</indexterm>. Netatalk 2 supports up to AFP 3.3.</para>
<para>AFP3 brought some big changes. For the first time, AFP3 supports
pathnames up to 65535 characters. It is virtually unlimited. Netatalk
2 supports filenames up to 255 characters because Mac OS X 10.4 and
earlier can use it up to 255 characters (actually 255 bytes leading to
85-255 chars depending on the glyphs used), Decomposed UTF-8 (UTF8-MAC)
is used on the wire and large files (>4GB) are supported.</para>
<para>The afpd daemon offers the fileservices to Apple Clients. It's
configured using the <filename>afpd.conf</filename> and the
<filename>AppleVolumes.*</filename> files.</para>
<para>Mac OS X 10.5 (Leopard) added support for Time Machine backups
over AFP. Two new functions ensure that backups are written to spinning
disk, not just in the server's cache. Different host operating systems
honour this cache flushing differently. To make a volume a Time Machine
target use the <citerefentry>
<refentrytitle>AppleVolumes.default</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> volume option <option>tm</option>.</para>
<para>Starting with Netatalk 2.1 UNIX symlinks<indexterm>
<primary>symlink</primary>
<secondary>UNIX symlink</secondary>
</indexterm> can be used on the server. Semantics are the same as for
eg NFS, i.e. they are not resolved on the server side but instead it's
completely up to the client to resolve them, resulting in links that
point somewhere inside the clients filesystem view.</para>
<sect3>
<title>afpd.conf</title>
<para>afpd.conf is the configuration file used by afpd to determine
the behaviour and configuration of the different virtual file servers
that it provides. Any line not prefixed with <keycode>'#</keycode>' is
interpreted.</para>
<para>If afpd switches set on the command line are in conflict with
afpd.conf settings, the latter will have higher priority.</para>
<para>Format: - [options] to specify options for the default server
and/or "Server name" [options] to specify an additional server.</para>
<para>Leaving the afpd.conf file empty equals to the following
configuration:</para>
<para><programlisting>- -transall -uamlist uams_dhx2.so</programlisting></para>
<para>For a more detailed explanation of the available options, please
refer to the <citerefentry>
<refentrytitle>afpd.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> man page.</para>
</sect3>
<sect3>
<title>AppleVolumes.default</title>
<para>The AppleVolumes.default file is used to define volumes that
will by default be shown to all users, including users logged in as
guest. A volume will not be presented in the chooser, if the user has
no read access to the specified volume path.</para>
<para>You can limit access to a specific volume by using the
<option>allow</option> and <option>deny</option> options.</para>
<para>For a more detailed explanation of the available options, please
refer to the <citerefentry>
<refentrytitle>AppleVolumes.default</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> man page.</para>
</sect3>
</sect2>
<sect2 id="CNID-backends">
<title>CNID<indexterm>
<primary>CNID</primary>
<secondary>Catalog Node ID</secondary>
</indexterm> backends<indexterm>
<primary>Backend</primary>
<secondary>CNID backend</secondary>
</indexterm></title>
<para>Unlike other protocols like SMB or NFS, the AFP protocol mostly
refers to files and directories by ID and not by a path (the IDs are
also called CNID, that means Catalog Node ID). A typical AFP request
uses a directory ID<indexterm>
<primary>DID</primary>
<secondary>Directory ID</secondary>
</indexterm> and a filename, something like <phrase>"server, please
open the file named 'Test' in the directory with id 167"</phrase>. For
example "Aliases" on the Mac basically work by ID (with a fallback to
the absolute path in more recent AFP clients. But this applies only to
Finder, not to applications).</para>
<para>Every file in an AFP volume has to have a unique file ID<indexterm>
<primary>FID</primary>
<secondary>File ID</secondary>
</indexterm>, IDs must, according to the specs, never be reused, and
IDs are 32 bit numbers (Directory IDs use the same ID pool). So, after
~4 billion files/folders have been written to an AFP volume, the ID pool
is depleted and no new file can be written to the volume. No whining
please :-)</para>
<para>Netatalk needs to map IDs to files and folders in the host
filesystem. To achieve this, several different CNID backends<indexterm>
<primary>CNID backend</primary>
</indexterm> are available and can be selected with the
<option>cnidscheme</option><indexterm>
<primary>cnidscheme</primary>
<secondary>specifying a CNID backend</secondary>
</indexterm> option in the <citerefentry>
<refentrytitle>AppleVolumes.default</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> configuration file. A CNID backend is basically a
database storing ID <-> name mappings.</para>
<para>The CNID Databases are by default located in the
.AppleDB<indexterm>
<primary>AppleDB</primary>
<secondary>CNID database folder</secondary>
</indexterm> folder in every afpd volume root. With the new
ADv2<indexterm>
<primary>ADv2</primary>
<secondary>AppleDouble v2</secondary>
</indexterm> format, afpd stores the files/directories ID in the
corresponding .AppleDouble file as well.</para>
<para>Starting with Netatalk 2.1 there is a command line utility called
<command>dbd</command> available which can be used to verify, repair and
rebuild the CNID database.</para>
<note>
<para>There are some CNID related things you should keep in mind when
working with netatalk:</para>
<itemizedlist>
<listitem>
<para>Don't nest volumes<indexterm>
<primary>Nested volumes</primary>
</indexterm>.</para>
</listitem>
<listitem>
<para>CNID backends are databases, so they turn afpd into a file
server/database mix. Keep this in mind, killing an afpd process
with <command>kill -9</command> will likely leave the database
unusable.</para>
</listitem>
<listitem>
<para>If there's no more space on the filesystem left, the
database will get corrupted. You can work around this by either
using the -dbpath option and put the database files into another
location or, if you use quotas, make sure the .AppleDB folder is
owned by a user/group without a quota<indexterm>
<primary>Quotas</primary>
<secondary>Disk usage quotas</secondary>
</indexterm>.</para>
</listitem>
<listitem>
<para>Be careful with CNID databases for volumes that are mounted
via NFS. That is a pretty audacious decision to make anyway, but
putting a database there as well is really asking for trouble,
i.e. database corruption. Use the dbpath: directive in the
<filename>AppleVolumes.*</filename> configuration files to put the
databases onto a local disk if you must use NFS<indexterm>
<primary>NFS</primary>
<secondary>Network File System</secondary>
</indexterm> mounted volumes.</para>
</listitem>
</itemizedlist>
</note>
<sect3>
<title>dbd<indexterm>
<primary>DBD</primary>
<secondary>"dbd" CNID backend</secondary>
</indexterm></title>
<para>The "Database Daemon" backend is built on Berkeley DB.
Access to the CNID database is restricted to the cnid_dbd daemon
process. afpd processes communicate with the daemon for database reads
and updates. The probability for database corruption is practically
zero.</para>
<para>This is the default backend since Netatalk 2.1.</para>
</sect3>
<sect3>
<title>last<indexterm>
<primary>Last</primary>
<secondary>"last" CNID backend</secondary>
</indexterm></title>
<para>The last backend is a semi-persistent backend. IDs will be
reused and, what is much worse, you can get duplicate IDs.
You should use it for sharing read-only volumes only.
<emphasis>Don't</emphasis> use it for sharing normal volumes.</para>
</sect3>
</sect2>
<sect2 id="charsets">
<title>Charsets<indexterm>
<primary>Charset</primary>
<secondary>character set</secondary>
</indexterm>/Unicode<indexterm>
<primary>Unicode</primary>
</indexterm></title>
<para></para>
<sect3>
<title>Why Unicode?</title>
<para>Internally, computers don't know anything about characters and
texts, they only know numbers. Therefore, each letter is assigned a
number. A character set, often referred to as
<emphasis>charset</emphasis> or
<emphasis>codepage</emphasis><indexterm>
<primary>Codepage</primary>
</indexterm>, defines the mappings between numbers and
letters.</para>
<para>If two or more computer systems need to communicate with each
other, the have to use the same character set. In the 1960s the
ASCII<indexterm>
<primary>ASCII</primary>
<secondary>American Standard Code for Information
Interchange</secondary>
</indexterm> (American Standard Code for Information Interchange)
character set was defined by the American Standards Association. The
original form of ASCII represented 128 characters, more than enough to
cover the English alphabet and numerals. Up to date, ASCII has been
the normative character scheme used by computers.</para>
<para>Later versions defined 256 characters to produce a more
international fluency and to include some slightly esoteric graphical
characters. Using this mode of encoding each character takes exactly
one byte. Obviously, 256 characters still wasn't enough to map all the
characters used in the various languages into one character
set.</para>
<para>As a result localized character sets were defined later, e.g the
ISO-8859 character sets. Most operating system vendors introduced
their own characters sets to satisfy their needs, e.g. IBM defined the
<emphasis>codepage 437 (DOSLatinUS)</emphasis>, Apple introduced the
<emphasis>MacRoman</emphasis><indexterm>
<primary>MacRoman</primary>
<secondary>MacRoman charset</secondary>
</indexterm> codepage and so on. The characters that were assigned
number larger than 127 were referred to as
<emphasis>extended</emphasis> characters. These character sets
conflict with another, as they use the same number for different
characters, or vice versa.</para>
<para>Almost all of those characters sets defined 256 characters,
where the first 128 (0-127) character mappings are identical to ASCII.
As a result, communication between systems using different codepages
was effectively limited to the ASCII charset.</para>
<para>To solve this problem new, larger character sets were defined.
To make room for more character mappings, these character sets use at
least 2 bytes to store a character. They are therefore referred to as
<emphasis>multibyte</emphasis> character sets.</para>
<para>One standardized multibyte charset encoding scheme is known as
<ulink url="https://www.unicode.org/">Unicode</ulink>. A big advantage
of using a multibyte charset is that you only need one. There is no
need to make sure two computers use the same charset when they are
communicating.</para>
</sect3>
<sect3>
<title>character sets used by Apple</title>
<para>In the past, Apple clients used single-byte charsets to
communicate over the network. Over the years Apple defined a number of
codepages, western users will most likely be using the
<emphasis>MacRoman</emphasis> codepage.</para>
<para>Codepages defined by Apple include:</para>
<itemizedlist>
<listitem>
<para>MacArabic, MacFarsi</para>
</listitem>
<listitem>
<para>MacCentralEurope</para>
</listitem>
<listitem>
<para>MacChineseSimple</para>
</listitem>
<listitem>
<para>MacChineseTraditional</para>
</listitem>
<listitem>
<para>MacCroatian</para>
</listitem>
<listitem>
<para>MacCyrillic</para>
</listitem>
<listitem>
<para>MacDevanagari</para>
</listitem>
<listitem>
<para>MacGreek</para>
</listitem>
<listitem>
<para>MacHebrew</para>
</listitem>
<listitem>
<para>MacIcelandic</para>
</listitem>
<listitem>
<para>MacJapanese</para>
</listitem>
<listitem>
<para>MacKorean</para>
</listitem>
<listitem>
<para>MacRoman</para>
</listitem>
<listitem>
<para>MacRomanian</para>
</listitem>
<listitem>
<para>MacThai</para>
</listitem>
<listitem>
<para>MacTurkish</para>
</listitem>
</itemizedlist>
<para>Starting with Mac OS X and AFP3, <ulink
url="https://www.utf-8.com/">UTF-8</ulink> is used. UTF-8 encodes
Unicode characters in an ASCII compatible way, each Unicode character
is encoded into 1-6 ASCII characters. UTF-8 is therefore not really a
charset itself, it's an encoding of the Unicode charset.</para>
<para>To complicate things, Unicode defines several <emphasis> <ulink
url="http://www.unicode.org/reports/tr15/index.html">normalization</ulink>
</emphasis> forms. While <ulink
url="https://www.samba.org">Samba</ulink><indexterm>
<primary>Samba</primary>
</indexterm> uses <emphasis>precomposed</emphasis><indexterm>
<primary>Precomposed</primary>
<secondary>Precomposed Unicode normalization</secondary>
</indexterm> Unicode, which most Unix tools prefer as well, Apple
decided to use the <emphasis>decomposed</emphasis><indexterm>
<primary>Decomposed</primary>
<secondary>Decomposed Unicode normalization</secondary>
</indexterm> normalization.</para>
<para>For example lets take the German character
'<keycode>ä</keycode>'. Using the precomposed normalization, Unicode
maps this character to 0xE4. In decomposed normalization, 'ä' is
actually mapped to two characters, 0x61 and 0x308. 0x61 is the mapping
for an 'a', 0x308 is the mapping for a <emphasis>COMBINING
DIAERESIS</emphasis>.</para>
<para>Netatalk refers to precomposed UTF-8 as
<emphasis>UTF8</emphasis><indexterm>
<primary>UTF8</primary>
<secondary>Netatalk's precomposed UTF-8 encoding</secondary>
</indexterm> and to decomposed UTF-8 as
<emphasis>UTF8-MAC</emphasis><indexterm>
<primary>UTF8-MAC</primary>
<secondary>Netatalk's decomposed UTF-8 encoding</secondary>
</indexterm>.</para>
</sect3>
<sect3>
<title>afpd and character sets</title>
<para>To support new AFP 3.x and older AFP 2.x clients at the same
time, afpd needs to be able to convert between the various charsets
used. AFP 3.x clients always use UTF8-MAC, AFP 2.x clients use one of
the Apple codepages.</para>
<para>At the time of this writing, netatalk supports the following
Apple codepages:</para>
<itemizedlist>
<listitem>
<para>MAC_CENTRALEUROPE</para>
</listitem>
<listitem>
<para>MAC_CHINESE_SIMP</para>
</listitem>
<listitem>
<para>MAC_CHINESE_TRAD</para>
</listitem>
<listitem>
<para>MAC_CYRILLIC</para>
</listitem>
<listitem>
<para>MAC_GREEK</para>
</listitem>
<listitem>
<para>MAC_HEBREW</para>
</listitem>
<listitem>
<para>MAC_JAPANESE</para>
</listitem>
<listitem>
<para>MAC_KOREAN</para>
</listitem>
<listitem>
<para>MAC_ROMAN</para>
</listitem>
<listitem>
<para>MAC_TURKISH</para>
</listitem>
</itemizedlist>
<para>afpd handles three different character set options:</para>
<variablelist>
<varlistentry>
<term>unixcodepage<indexterm>
<primary>unixcodepage</primary>
<secondary>afpd's unixcodepage setting</secondary>
</indexterm></term>
<listitem>
<para>This is the codepage used internally by your operating
system. If not specified and your system support Unix locales,
afpd tries to detect the codepage, otherwise it defaults to
ASCII<indexterm>
<primary>ASCII</primary>
<secondary>afpd's unixcodepage setting</secondary>
</indexterm>. afpd uses this codepage to read its
configuration files, so you can use extended characters for
volume names, login messages, etc. see <citerefentry>
<refentrytitle>afpd.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>maccodepage<indexterm>
<primary>maccodepage</primary>
<secondary>afpd's maccodepage setting</secondary>
</indexterm></term>
<listitem>
<para>As already mentioned, older MacOS clients (up to AFP 2.2)
use codepages to communicate with afpd. However, there is no
support for negotiating the codepage used by the client in the
AFP protocol. If not specified otherwise, afpd assumes the
<emphasis>MacRoman</emphasis> codepage is used. In case you're
clients use another codepage, e.g.
<emphasis>MacCyrillic</emphasis>, you'll <emphasis
role="bold">have</emphasis> to explicitly configure this. see
<citerefentry>
<refentrytitle>afpd.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>volcharset<indexterm>
<primary>volcharset</primary>
<secondary>afpd's volcharset setting</secondary>
</indexterm></term>
<listitem>
<para>This defines the charset afpd should use for filenames on
disk. The default is UTF8. If you have <ulink
url="http://www.gnu.org/software/libiconv/">iconv</ulink><indexterm>
<primary>Iconv</primary>
<secondary>iconv encoding conversion engine</secondary>
</indexterm> installed, you can use any iconv provided charset
as well.</para>
<para>afpd needs a way to preserve extended macintosh
characters, or characters illegal in unix filenames, when saving
files on a unix filesystem. Earlier versions used the the so
called CAP encoding<indexterm>
<primary>CAP encoding</primary>
<secondary>CAP style character encoding</secondary>
</indexterm>. An extended character (>0x7F) would be
converted to a :xx hex sequence, e.g. the Apple Logo (MacRoman:
0XF0) was saved as :f0. Some special characters will be
converted as to :xx notation as well. '/' will be encoded to
:2f, if -usedots is not specified, a leading dot '.' will be
encoded as :2e. Even though this version now uses UTF-8 as the
default encoding for filenames, special characters, like '/' and
a leading '.' will still be CAP style encoded. For western users
another useful setting could be <emphasis>-volcharset
ISO-8859-15</emphasis>.</para>
<para>If a character cannot be converted from the mac codepage
to the selected volcharset, afpd will save it as a CAP encoded
character. For AFP3 clients, afpd will convert the UTF-8
character to <emphasis>maccodepage</emphasis> first. If this
conversion fails, you'll receive a -50 error on the mac.
<emphasis>Note</emphasis>: Whenever you can, please stick with
the default UTF-8 volume format. See <citerefentry>
<refentrytitle>AppleVolumes.default</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry>.</para>
</listitem>
</varlistentry>
</variablelist>
</sect3>
</sect2>
<sect2 id="authentication">
<title>Authentication<indexterm>
<primary>Authentication</primary>
<secondary>between AFP client and server</secondary>
</indexterm></title>
<sect3>
<title>AFP authentication basics</title>
<para>Apple chose a flexible model called "User Authentication
Modules"<indexterm>
<primary>UAM</primary>
<secondary>User Authentication Module</secondary>
</indexterm> (UAMs) for authentication purposes between AFP client
and server. An AFP client initially connecting to an AFP server will
ask for the list of UAMs which the server provides, and will choose
the one with strongest encryption that the client supports.</para>
<para>Several UAMs have been developed by Apple over the time, some by
3rd-party developers.</para>
</sect3>
<sect3>
<title>UAMs supported by Netatalk</title>
<para>Netatalk supports the following ones by default:</para>
<itemizedlist>
<listitem>
<para>"No User Authent"<indexterm>
<primary>No User Authent</primary>
<secondary>"No User Authent" UAM (guest access)</secondary>
</indexterm> UAM (guest access without authentication)</para>
</listitem>
<listitem>
<para>"Cleartxt Passwrd"<indexterm>
<primary>Cleartxt Passwrd</primary>
<secondary>"Cleartxt Passwrd" UAM</secondary>
</indexterm> UAM (no password encryption)</para>
</listitem>
<listitem>
<para>"Randnum exchange"<indexterm>
<primary>Randnum exchange</primary>
<secondary>"Randnum exchange" UAM</secondary>
</indexterm>/"2-Way Randnum exchange"<indexterm>
<primary>2-Way Randnum exchange</primary>
<secondary>"2-Way Randnum exchange" UAM</secondary>
</indexterm> UAMs (weak password encryption, separate password
storage)</para>
</listitem>
<listitem>
<para>"DHCAST128"<indexterm>
<primary>DHCAST128</primary>
<secondary>"DHCAST128" UAM</secondary>
</indexterm> UAM (stronger password encryption)</para>
</listitem>
<listitem>
<para>"DHX2"<indexterm>
<primary>DHX2</primary>
<secondary>"DHX2" UAM</secondary>
</indexterm> UAM (successor of DHCAST128)</para>
</listitem>
</itemizedlist>
<para>There exist other optional UAMs as well:</para>
<itemizedlist>
<listitem>
<para>"PGPuam 1.0"<indexterm>
<primary>PGPuam 1.0</primary>
<secondary>"PGPuam 1.0" UAM</secondary>
</indexterm><indexterm>
<primary>uams_pgp.so</primary>
<secondary>"PGPuam 1.0" UAM</secondary>
</indexterm> UAM (PGP-based authentication for pre-Mac OS X
clients. You'll also need the <ulink
url="http://www.vmeng.com/vinnie/papers/pgpuam.html">PGPuam
client</ulink> to let this work)</para>
<para>You'll have to add <filename>"--enable-pgp-uam"</filename>
to your configure switches to have this UAM available.</para>
</listitem>
<listitem>
<para>"Client Krb v2"<indexterm>
<primary>Client Krb v2</primary>
<secondary>"Client Krb v2" UAM (Kerberos V)</secondary>
</indexterm> UAM (Kerberos V, suitable for "Single Sign On"
Scenarios with Mac OS X clients -- see below)</para>
<para><filename>"--enable-krbV-uam"</filename> will provide you
with the ability to use this UAM.</para>
</listitem>
</itemizedlist>
<para>You can configure which UAMs should be activated by defining
<filename>$AFPD_UAM_LIST</filename> in <citerefentry>
<refentrytitle>netatalk.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry>. <command>afpd</command> will log which UAMs it's
using and if problems occur while activating them in either
<filename>netatalk.log</filename> or syslog at startup time.
<citerefentry>
<refentrytitle>asip-status</refentrytitle>
<manvolnum>1</manvolnum>
</citerefentry> can be used to query the available UAMs of AFP
servers as well.</para>
<para>Having a specific UAM available at the server does not
automatically mean that a client can use it. Client-side support is
also necessary. Fortunately this isn't such a problem these days since
Mac OS X' AFP-client supports DHCAST128 from the beginning on. For
older Macintoshes running Mac OS < X DHCAST128 support exists since
AppleShare client 3.8.x.</para>
<para>On Mac OS X, there exist some client-side techniques to make the
AFP-client more verbose, so one can have a look what's happening while
negotiating the UAMs to use. Compare with this <ulink
url="https://web.archive.org/web/20080312054723/http://article.gmane.org/gmane.network.netatalk.devel/7383/">hint</ulink>.</para>
</sect3>
<sect3>
<title>Which UAMs to activate?</title>
<para>It depends primarily on your needs and on the kind of Mac OS
versions you have to support. Basically one should try to use
DHCAST128 and DHX2 where possible because of its strength of password
encryption.</para>
<itemizedlist>
<listitem>
<para>Unless you really have to supply guest access to your
server's volumes ensure that you disable "No User Authent" since
it might lead accidentally to unauthorized access. In case you
must enable guest access take care that you enforce this on a per
volume base using the access controls the <citerefentry>
<refentrytitle>AppleVolumes.default</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> config file supplies or think about setting up
an own server definition serving these public shares in
<citerefentry>
<refentrytitle>afpd.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry>.</para>
</listitem>
<listitem>
<para>The "ClearTxt Passwrd" UAM is as bad as it sounds since
passwords go unencrypted over the wire. Try to avoid it at both
the server's side as well as on the client's. Note: If you want to
provide Mac OS 8/9 clients with NetBoot-services then you need
uams_cleartext.so since the AFP-client integrated into the Mac's
firmware can only deal with this basic form of
authentication.</para>
</listitem>
<listitem>
<para>Since "Randnum exchange"/"2-Way Randnum exchange" uses only
56 bit DES for encryption it should be avoided as well. Another
disadvantage is the fact that the passwords have to be stored in
cleartext on the server and that it doesn't integrate into both
PAM scenarios or classic /etc/shadow (you have to administrate
passwords separately by using the <citerefentry>
<refentrytitle>afppasswd</refentrytitle>
<manvolnum>1</manvolnum>
</citerefentry> utility, if clients should use these
UAMs)</para>
</listitem>
<listitem>
<para>"DHCAST128" or "DHX2" should be a good compromise for most
people since it combines stronger encryption with PAM
integration.</para>
</listitem>
<listitem>
<para>Using the Kerberos V<indexterm>
<primary>Kerberos V</primary>
<secondary>"Client Krb v2" UAM</secondary>
</indexterm> ("Client Krb v2") UAM, it's possible to implement
real single sign on scenarios using Kerberos tickets. The password
is not sent over the network. Instead, the user password is used
to decrypt a service ticket for the appleshare server. The service
ticket contains an encryption key for the client and some
encrypted data (which only the appleshare server can decrypt). The
encrypted portion of the service ticket is sent to the server and
used to authenticate the user. Because of the way that the afpd
service principal detection is implemented, this authentication
method is vulnerable to man-in-the-middle attacks.</para>
</listitem>
</itemizedlist>
<para>For a more detailed overview over the technical implications of
the different UAMs, please have a look at Apple's <ulink
url="https://web.archive.org/web/20040916191641/http://developer.apple.com/documentation/Networking/Conceptual/AFP/Chapter_1/chapter_2_section_6.html">File
Server Security</ulink> pages.</para>
</sect3>
<sect3>
<title>Using different authentication sources with specific
UAMs</title>
<para>Some UAMs provide the ability to use different authentication
"backends", namely <filename>uams_cleartext.so</filename>,
<filename>uams_dhx.so</filename> and
<filename>uams_dhx2.so</filename>. They can use either classic Unix
passwords from <filename>/etc/passwd</filename>
(<filename>/etc/shadow</filename>) or PAM if the system supports that.
<filename>uams_cleartext.so</filename> can be symlinked to either
<filename>uams_passwd.so</filename> or
<filename>uams_pam.so</filename>, <filename>uams_dhx.so</filename> to
<filename>uams_dhx_passwd.so</filename> or
<filename>uams_dhx_pam.so</filename> and
<filename>uams_dhx2.so</filename> to
<filename>uams_dhx2_passwd.so</filename> or
<filename>uams_dhx2_pam.so</filename>.</para>
<para>So, if it looks like this in Netatalk's UAMs folder (per default
<filename>/etc/netatalk/uams/</filename>):<programlisting>uams_clrtxt.so -> uams_pam.so
uams_dhx.so -> uams_dhx_pam.so
uams_dhx2.so -> uams_dhx2_pam.so</programlisting> then you're using PAM,
otherwise classic Unix passwords. The main advantage of using PAM is
that one can integrate Netatalk in centralized authentication
scenarios, eg. via LDAP, NIS and the like. Please always keep in mind
that the protection of your user's login credentials in such scenarios
also depends on the strength of encryption that the UAM in question
supplies. So think about eliminating weak UAMs like "ClearTxt Passwrd"
and "Randnum exchange" completely from your network.</para>
</sect3>
<sect3>
<title>Netatalk UAM overview table</title>
<para>A small overview of the most common used UAMs.</para>
<table orient="land">
<title>Netatalk UAM overview</title>
<tgroup align="center" cols="7">
<colspec colname="col1" colnum="1" colwidth="0.5*" />
<colspec colname="uam_guest" colnum="2" colwidth="1*" />
<colspec colname="uam_clrtxt" colnum="3" colwidth="1*" />
<colspec colname="uam_randnum" colnum="4" colwidth="1*" />
<colspec colname="uam_dhx" colnum="5" colwidth="1*" />
<colspec colname="uam_dhx2" colnum="6" colwidth="1*" />
<colspec colname="uam_gss" colnum="7" colwidth="1*" />
<tbody>
<row>
<entry align="center" rotate="0" valign="middle">UAM</entry>
<entry>No User Authent<indexterm>
<primary>uams_guest.so</primary>
<secondary>"No User Authent" UAM (guest
access)</secondary>
</indexterm></entry>
<entry>Cleartxt Passwrd<indexterm>
<primary>uams_cleartxt.so</primary>
<secondary>"Cleartxt Passwrd" UAM</secondary>
</indexterm></entry>
<entry>(2-Way) Randnum exchange<indexterm>
<primary>uams_randnum.so</primary>
<secondary>"(2-Way) Randnum exchange" UAM</secondary>
</indexterm></entry>
<entry>DHCAST128<indexterm>
<primary>uams_dhx.so</primary>
<secondary>"DHCAST128" UAM</secondary>
</indexterm></entry>
<entry>DHX2<indexterm>
<primary>uams_dhx2.so</primary>
<secondary>"DHX2" UAM</secondary>
</indexterm></entry>
<entry>Client Krb v2<indexterm>
<primary>uams_gss.so</primary>
<secondary>"Client Krb v2" UAM (Kerberos V)</secondary>
</indexterm></entry>
</row>
<row>
<entry align="center" rotate="0" valign="middle">Password
length</entry>
<entry>guest access</entry>
<entry>max. 8 characters</entry>
<entry>max. 8 characters</entry>
<entry>max. 64 characters</entry>
<entry>max. 256 characters</entry>
<entry>Kerberos tickets</entry>
</row>
<row>
<entry align="center" rotate="0" valign="middle">Client
support</entry>
<entry>built-in into all Mac OS versions</entry>
<entry>built-in in all Mac OS versions except 10.0. Has to be
activated explicitly in recent Mac OS X versions</entry>
<entry>built-in into almost all Mac OS versions</entry>
<entry>built-in since AppleShare client 3.8.4, available as a
plug-in for 3.8.3, integrated in Mac OS X' AFP client</entry>
<entry>built-in since MacOS X 10.2</entry>
<entry>built-in since MacOS X 10.2</entry>
</row>
<row>
<entry align="center" rotate="0"
valign="middle">Encryption</entry>
<entry>Enables guest access without authentication between
client and server.</entry>
<entry>Password will be sent in cleartext over the wire. Just
as bad as it sounds, therefore avoid at all if possible (note:
providing NetBoot services requires the ClearTxt UAM)</entry>
<entry>8-byte random numbers are sent over the wire,
comparable with DES, 56 bits. Vulnerable to offline dictionary
attack. Requires passwords in clear on the server.</entry>
<entry>Password will be encrypted with 128 bit SSL, user will
be authenticated against the server but not vice versa.
Therefore weak against man-in-the-middle attacks.</entry>
<entry>Password will be encrypted using libgcrypt with CAST
128 in CBC mode. User will be authenticated against the server
but not vice versa. Therefore weak against man-in-the-middle
attacks.</entry>
<entry>Password is not sent over the network. Due to the
service principal detection method, this authentication method
is vulnerable to man-in-the-middle attacks.</entry>
</row>
<row>
<entry align="center" rotate="0" valign="middle">Server
support</entry>
<entry align="center" valign="middle">uams_guest.so</entry>
<entry align="center" valign="middle">uams_cleartxt.so</entry>
<entry align="center" valign="middle">uams_randnum.so</entry>
<entry align="center" valign="middle">uams_dhx.so</entry>
<entry align="center" valign="middle">uams_dhx2.so</entry>
<entry align="center" valign="middle">uams_gss.so</entry>
</row>
<row>