pfuentes69
Well-known member
Hi @slipperygrey
Do you keep embedding the latest builds of Netatalk in PISCSI?
Do you keep embedding the latest builds of Netatalk in PISCSI?
-
Updated 2023-07-12: Hello, Guest! Welcome back, and be sure to check out this follow-up post about our outage a week or so ago.
Netatalk 2.2.9 Released
- Thread starter slipperygrey
- Start date
slipperygrey
Well-known member
Yes netatalk 2.x works with any macOS version to date. Apple has thankfully kept the AFP client alive and backwards compatible so far.
One key difference is that netatalk 2.x is compliant with the AFP spec up through 3.3, while netatalk 3.x is compliant with AFP 3.4. The only difference between the two AFP revisions is a more granular handling of a single POSIX error code in the later one.
AFP Version Differences
Describes high-level concepts for Apple Filing Protocol commands.
developer.apple.com
Well, they won't do any harm per se, since EA metadata are all dot files that are ignored by netatalk 2.x anyways (unless you configure it to share dot files). Up to you if you want to remove them or not.
Last edited:
slipperygrey
Well-known member
Yes I do!
Or to be specific: I ship a script with piscsi that builds the latest version of my own netatalk fork. At some point I plan to switch over to upstream netatalk 2.2.x proper. Probably as soon as I figure out how to make a deb package and publish it somewhere.
akator70
Well-known member
Thank you for your help and answering questions @slipperygrey, you did a great job explaining everything clearly and it's much appreciated.
pfuentes69
Well-known member
Thanks!
slipperygrey
Well-known member
I wanted to leave this note that I'm not planning to announce dot releases of Netatalk in these forums anymore, unless there's a new killer feature that got added, or something. 
There is a new 2.2.10 release available over at GitHub, which I tagged a few days ago. It consists of a handful of incremental improvements and upgrading is recommended if you're running an earlier 2.2.x version.
However, this release is a stepping stone for one thing that I've been working on recently: Debian deb packaging for netatalk2. I spent the last week getting a Debian dev environment set up and familiarizing myself with debuild and dpkg. If someone would like to test a package shoot me a message -- I have my own home made debs for Bullseye and Bookworm locally that *should* work everywhere.
In the long run my goal, as I think I've mentioned elsewhere, is to get netatalk2 reintroduced at least into Debian unstable (Sid) repos.
There is a new 2.2.10 release available over at GitHub, which I tagged a few days ago. It consists of a handful of incremental improvements and upgrading is recommended if you're running an earlier 2.2.x version.
However, this release is a stepping stone for one thing that I've been working on recently: Debian deb packaging for netatalk2. I spent the last week getting a Debian dev environment set up and familiarizing myself with debuild and dpkg. If someone would like to test a package shoot me a message -- I have my own home made debs for Bullseye and Bookworm locally that *should* work everywhere.
In the long run my goal, as I think I've mentioned elsewhere, is to get netatalk2 reintroduced at least into Debian unstable (Sid) repos.
slipperygrey
Well-known member
Thanks, I just updated pkgsrc net/netatalk22.
An issue that I noticed recently: It looks like openssl 1.1 (on NetBSD 10, at least) has deprecated either algorithms or ciphers to the point where a System 9 client will not be able to set up an encrypted connection.
When I disable all UAMs for afpd, OTOH, MacOS X clients (10.13 here) will refuse to connect, because they will not work over an insecure link. Kind of a fix.
Have you seen this, and what would you suggest?
slipperygrey
Well-known member
@hauke Oh interesting, so the NetBSD folks must have backported the key length mandates from openssl3 to openssl1? In openssl3 at least the news is that 128 bit long keys in DHX / DHCAST128 are now considered insecure and not allowed. Too bad for OS9 and early OSX. See the discussion in https://github.com/Netatalk/netatalk/issues/358
The workaround is to use randnum and clrtxt UAMs, while disabling DHX. Would this work for you?
Other potentials options include linking with libressl or wolfssl which still support 128 bit keys, AFAIK.
The workaround is to use randnum and clrtxt UAMs, while disabling DHX. Would this work for you?
Other potentials options include linking with libressl or wolfssl which still support 128 bit keys, AFAIK.
Interesting - if there have been any local changes to the netbsd-10 openssl 1.1, they went past me.
What worked for me in the end is
Code:
-uamlist uams_clrtxt.so,uams_dhx2.sowhich allows Mac OS X 10.13 to create an encrypted connection, while System 7-9 Macs will use plain text authentication. Since this is a local LAN, that's fine with me.
slipperygrey
Well-known member
This is usually the UAM combination that I use as well.
You do have the randnum UAM that still works fine with the latest openssl and has 56 bits encryption (very weak) but is at least a step up from clrtxt. The drawback is that you have to use afppasswd to manage users and passwords which is a bit of a pain.
You do have the randnum UAM that still works fine with the latest openssl and has 56 bits encryption (very weak) but is at least a step up from clrtxt. The drawback is that you have to use afppasswd to manage users and passwords which is a bit of a pain.
I just did a fresh install of Netatalk 2.2.10 on my Pi4. I can't find a thread on 2.2.10 so this seemed to be the next most active thread that is on topic. I have it successfully running apart from one issue that I probably an edge case. I can't get and Apple IIe to either boot or successfully log on to the server. I can log on from Macs via DDP or TCP and I can boot and log on from a IIgs. I get a wrong password error even though I have just used the same password with the Mac and logged in fine. The password I am using is the root passwords for the Pi.
Attachments
slipperygrey
Well-known member
I think A2SERVER adds a bunch of Apple II specific settings to AppleVolumes.default. Here's a snippet where casefolding is set in A2SERVER's setup script.
Not sure if this would resolve your error though. My IIe doesn't have a network card.
Code:
sudo sed -i 's/casefold:toupper //' /usr/local/etc/netatalk/AppleVolumes.default 2> /dev/null
sudo sed -i 's/^VOLCASEFOLD:.*/VOLCASEFOLD:/' /srv/A2SERVER/.a2files/.appledesktop/.volinfo 2> /dev/null
sudo sed -i 's|/media/A2SHARED/A2FILES|/srv/A2SERVER/A2FILES|' /srv/A2SERVER/.a2files/.appledesktop/.volinfo 2> /dev/nullNot sure if this would resolve your error though. My IIe doesn't have a network card.
slipperygrey
Well-known member
No you would be missing several earlier steps in the setup script. This is the one I am talking about https://github.com/RasppleII/a2server/blob/master/scripts/a2server-3-sharing.txt
If you don't want to mess around with the config files, I know for a fact that a refreshed a2boot release is in the works.
That is an OLD install. The old ones setup two shares. The A2FILES share was stuck with uppercase only files and existed to work with ProDOS 8 and net booting. There is a GSFILES share that had mixed case files.
Newer versions of A2SERVER uses ciopfs to convert the A2FILES shared directory to being case insensitive on the Linux side to avoid this problem. In theory you could do this with ext4 filesystems and newer kernels, but I haven't looked into it.
The "wrong password" error is likely because random number authentication UAM is setup, but the password file wasn't updated with the afppasswd utility.
Newer versions of A2SERVER uses ciopfs to convert the A2FILES shared directory to being case insensitive on the Linux side to avoid this problem. In theory you could do this with ext4 filesystems and newer kernels, but I haven't looked into it.
The "wrong password" error is likely because random number authentication UAM is setup, but the password file wasn't updated with the afppasswd utility.
OK, played with this more. Its likely the ATINIT file is missing from whatever user you are trying to login as. Check the USERS folder in the router directory of your AFP Share, there should be a folder named for your username with a folder called SETUP, this is where the ATINIT is.
Full path: AFPShareName/USERS/username/SETUP/ATINIT
Guest users have their ATINIT in the <ANY USER> folder.
Full path: AFPShareName/USERS/<ANY USER>/SETUP/ATINIT
Note that netatalk does NOT setup any of this and does not have the capability of building ATINIT files. All that is done by A2SERVER's netboot setup scripts. If using A2SERVER, by default, only the guest user can boot into BASIC.SYSTEM as the default "user1" login's ATINIT is set to load the Apple IIgs Finder.
Full path: AFPShareName/USERS/username/SETUP/ATINIT
Guest users have their ATINIT in the <ANY USER> folder.
Full path: AFPShareName/USERS/<ANY USER>/SETUP/ATINIT
Note that netatalk does NOT setup any of this and does not have the capability of building ATINIT files. All that is done by A2SERVER's netboot setup scripts. If using A2SERVER, by default, only the guest user can boot into BASIC.SYSTEM as the default "user1" login's ATINIT is set to load the Apple IIgs Finder.
Can you please elaborate on where this is "Full path: AFPShareName/USERS/username/SETUP/ATINIT". I can't find it. On my original A2SERVER setup I assume that AFPShareName is A2SERVER but I can't find it anywhere.
