
Netatalk 2.3.0 available

robin-fo

Well-known member
Why do you have to use the clrtext UAM? With macOS you really should be using DHX2 for security.
I tried connecting from Mac OS 9 and it selected cleartext, so I guess I don't have the dhx2 uam on Mac OS 9 or it is not properly enabled in my Netatalk build.

I still want to get it running with cleartext as reference for my userspace AppleTalk variation of Netatalk which currently fails at the same point..
 

slipperygrey

Well-known member
Right, OS9 does not support DHX2. The latest UAM you can use with Classic Mac OS is DHX (DHCAST128).

The netatalk manual has a UAM compatibility matrix: https://netatalk.io/oldstable/htmldocs/configuration#authentication

You can also see on that manual page that the Clear Text UAM has to be explicitly enabled in "later Mac OS X versions". Not sure what this entails though!

One tip: you can inspect which UAMs netatalk has loaded with the "asip-status" command.
 

robin-fo

Well-known member
Right, OS9 does not support DHX2. The latest UAM you can use with Classic Mac OS is DHX (DHCAST128).

The netatalk manual has a UAM compatibility matrix: https://netatalk.io/oldstable/htmldocs/configuration#authentication

You can also see on that manual page that the Clear Text UAM has to be explicitly enabled in "later Mac OS X versions". Not sure what this entails though!

One tip: you can inspect which UAMs netatalk has loaded with the "asip-status" command.
Thanks for the clarification.
I guess however that the reference to cleartext authentication is about Mac OS X clients and not servers.. assuming that the usage of Netatalk on the Mac is a recent phenomenon since the earliest days of Mac OS X.

What experience do people here have with running netatalk2 on recent versions of macOS? How do you authenticate? From which OS do you connect?

How is guest access configured?

How could we do authentication from an incapable device like a 512k, assuming we can finally make AppleTalk work on macOS?
 

slipperygrey

Well-known member
You can configure netatalk with multiple UAMs and leave it up to the client to decide which one to use. If the 512k can use any AppleShare Client version it should be able to authenticate with at least Clear Text if not Random Number.

And I use netatalk2 with macOS Sonoma regularly. Always with the DHX2 UAM. Guest access (read-only) works too if you enable the Guest UAM.

I’m happy to assist with getting you to a working setup. What’s in your afpd.conf right now?
 

robin-fo

Well-known member
I currently run Netatalk like sudo ./sbin/afpd -F ~/usr/etc/netatalk/afpd.conf -f /Users/robin/usr/etc/netatalk/AppleVolumes.default -s /Users/robin/usr/etc/netatalk/AppleVolumes.system -U uams_guest.so,uams_clrtxt.so,uams_dhx2.so

My afpd.conf basically looks like - -transall -uamlist uams_guest.so,uams_clrtxt.so,uams_dhx2.so -nosavepassword -icon

OS9 does not support DHX2
So are your clients Mac OS X systems only at the moment?

Many thanks for helping! 😃
 

slipperygrey

Well-known member
I currently run Netatalk like sudo ./sbin/afpd -F ~/usr/etc/netatalk/afpd.conf -f /Users/robin/usr/etc/netatalk/AppleVolumes.default -s /Users/robin/usr/etc/netatalk/AppleVolumes.system -U uams_guest.so,uams_clrtxt.so,uams_dhx2.so

My afpd.conf basically looks like - -transall -uamlist uams_guest.so,uams_clrtxt.so,uams_dhx2.so -nosavepassword -icon

What stands out here is that you're passing the UAM list twice -- once on the command line and once in afpd.conf. I suggest you remove the former (unless there's a good reason to do it like this that I'm overlooking.)

So are your clients Mac OS X systems only at the moment?

Many thanks for helping! 😃
No, I'm happily using macOS / OSX / OS9 / System 7 / System 6 clients with the same netatalk2 server.

I like to enable the whole shebang of UAMs, like so:

Code:
uams_dhx.so,uams_dhx.so,uams_dhx2.so,uams_guest.so,uams_randnum.so,uams_clrtxt.so

Note that to use randnum you have to initialize your afppasswd file and create passwords for each user.

Also note that the DHX UAM currently relies on OpenSSL 1.1, or WolfSSL, or LibreSSL. You can't use OpenSSL 3.x with DHX for cryptographic reasons.
 

slipperygrey

Well-known member
How can I configure a guest volume? If I login as guest, I just get a locked "empty" volume
Well this is basically it: Guest access means read-only access. So you would create a volume, and then populate it with files using a privileged user. Then the Guest user can access those files read-only.
 

NJRoadfan

Well-known member
There is a way to give a guest account read/write access to a share. A2SERVER does it for... reasons. You can do this in afpd.conf with the -guestname option followed by the user name in quotes whose permissions you want to inherit.
 

slipperygrey

Well-known member
There is a way to give a guest account read/write access to a share. A2SERVER does it for... reasons. You can do this in afpd.conf with the -guestname option followed by the user name in quotes whose permissions you want to inherit.
That’s a neat but kind of scary trick. :)

Perfect for testing though.
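
The points raised in the posts above (a UAM list passed both with -U and with -uamlist, a module listed twice, Clear Text and Guest enabled, and -guestname widening guest access) can be checked mechanically. The following is an added example and not part of the original thread or of netatalk; the `audit` function, the shortened command line and the `shareowner` guest name are assumptions made for illustration.

```python
import shlex

# Editor's notes per UAM module, based on what the thread says about each one.
# None means no finding is raised for that module.
UAM_NOTES = {
    "uams_dhx2.so": None,
    "uams_dhx.so": None,
    "uams_randnum.so": "needs an initialized afppasswd file with a password per user",
    "uams_clrtxt.so": "password is sent as clear text",
    "uams_guest.so": "no authentication at all",
}

def option_value(tokens, flag):
    """Return the token that follows `flag`, or None if the flag is absent."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == flag:
            return tokens[i + 1]
    return None

def split_uams(value):
    """Split a comma-separated UAM list; a missing option yields an empty list."""
    return [m for m in value.split(",") if m] if value else []

def audit(conf_line, cmdline=""):
    """Return findings for one afpd.conf line and an optional afpd command line."""
    conf_tokens = shlex.split(conf_line)
    conf = split_uams(option_value(conf_tokens, "-uamlist"))
    cli = split_uams(option_value(shlex.split(cmdline), "-U"))
    findings = []
    if conf and cli:
        findings.append("UAM list given twice (-U and -uamlist); keep one")
    for source, mods in (("afpd.conf", conf), ("command line", cli)):
        for mod in sorted({m for m in mods if mods.count(m) > 1}):
            findings.append(f"{source}: {mod} listed more than once")
    for mod in dict.fromkeys(conf + cli):  # each module once, in order seen
        if mod not in UAM_NOTES:
            findings.append(f"{mod}: not one of the UAM modules named in the thread")
        elif UAM_NOTES[mod]:
            findings.append(f"{mod}: {UAM_NOTES[mod]}")
    guest_user = option_value(conf_tokens, "-guestname")
    if guest_user and "uams_guest.so" in conf + cli:
        findings.append(f"-guestname: guests inherit the permissions of '{guest_user}'")
    return findings

# Constructed inputs: the first pair mirrors the setup posted in the thread
# (paths shortened); the second adds a made-up -guestname value.
THREAD_CONF = "- -transall -uamlist uams_guest.so,uams_clrtxt.so,uams_dhx2.so -nosavepassword -icon"
THREAD_CMD = "afpd -F afpd.conf -U uams_guest.so,uams_clrtxt.so,uams_dhx2.so"
GUEST_CONF = '- -uamlist uams_dhx.so,uams_dhx.so,uams_dhx2.so,uams_guest.so -guestname "shareowner"'

if __name__ == "__main__":
    print("\n".join(audit(THREAD_CONF, THREAD_CMD) + audit(GUEST_CONF)))
```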
 

robin-fo

Well-known member
Many thanks, guys! I‘ll try this.

Note that to use randnum you have to initialize your afppasswd file and create passwords for each user.
Good to know about this file, I was completely unaware of this !

System 6 clients
Now I'm really confused.. You have Netatalk, running on macOS Sonoma, acting as server for a System 6 machine? Is there a version of AppleShare Client which supports System 6 AND AppleShare over IP? (Or do you have some secret way to run AppleTalk on macOS? 😉)

There is a way to give a guest account read/write access to a share. A2SERVER does it for... reasons.
Cool! This will probably be my first step to try! Thanks for the indication!
 

slipperygrey

Well-known member
Whoops, I overlooked the fact that you were running netatalk itself on macOS! I think we need *your* help to achieve AppleTalk networking there. :)

I bet you've read this already, but we have a wiki page about netatalk2 on macOS, which describes how to get the DHX UAM working with OpenSSL 1.1 etc. https://netatalk.io/docs/Installing-Netatalk-2-on-macOS

Actually, afppasswd is both a utility and a configuration file. It's confusing that the original developers gave them the same name. The man page has more details: https://netatalk.io/oldstable/htmldocs/afppasswd.1
 

robin-fo

Well-known member
I tried your suggestions, but I‘m still stuck at the login phase. I‘ll keep you updated if I can find a solution. I tried with Mac OS 9 and Panther as clients.
Whoops, I overlooked the fact that you were running netatalk itself on macOS! I think we need *your* help to achieve AppleTalk networking there.
So has anyone ever been able to get a working Netatalk 2 setup (using DSI/TCP, not AppleTalk) on a modern version of macOS? There are no obvious issues with compiling and running, it‘s just something wrong with login, authentication or volume setup…
 

slipperygrey

Well-known member
I tried your suggestions, but I‘m still stuck at the login phase. I‘ll keep you updated if I can find a solution. I tried with Mac OS 9 and Panther as clients.

So has anyone ever been able to get a working Netatalk 2 setup (using DSI/TCP, not AppleTalk) on a modern version of macOS? There are no obvious issues with compiling and running, it‘s just something wrong with login, authentication or volume setup…
You know, I know for a fact that it worked on macOS in September 2023 because I tested it before releasing 2.2.10...

But now when I test it I see that the forked afpd process crashes the moment a client attempts to authenticate... Even if I go back and compile 2.2.10 code.

I wonder what changed? A homebrew package? macOS itself?
 

slipperygrey

Well-known member
We have a workaround now thanks to @dgsga – see https://github.com/Netatalk/netatalk/issues/755

And yes, it turns out this is Apple being obnoxious. TIL: they have been gradually tightening security around forking applications in macOS for years now. We were the latest victims.

TL;DR: you need to define an env variable to return to the old "insecure" OS behavior.

Code:
export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES

I have a tentative netatalkd init script in my work branch that you can try if you want. Hopefully it should "just work" for you, but please let me know how it goes.
 
Hi, I'm trying to get the netatalk2 docker image running locally on macOS 14 but am getting the following Address family not supported by protocol error. Reading through this thread I think this might be because of Apple's security tightening? Would I need to run this on a real heroku server or something? I'm using the docker compose yaml from the documentation verbatim.

Code:
*** Starting AppleTalk services (this will take a minute)
socket: Address family not supported by protocol
socket: Address family not supported by protocol
atalkd: can't get interfaces, exiting.

I am not that experienced with Docker yet but I was under the impression that it would emulate all that for me.
 