AFP Netatalk share configuration (aka Apple Time Machine).

Netatalk is an OpenSource software package, that can be used to turn a *NIX machine into an extremely high-performance and reliable file server for Macintosh computers. Using Netatalk's AFP 3.3 compliant file-server leads to significantly higher transmission speeds compared with Macs accessing a server via SaMBa/NFS while providing clients with the best possible user experience (full support for Macintosh metadata, flawlessly supporting mixed environments of classic Mac OS and OS X clients)

This guide will walk you though the steps of installing the required packages and settings up linux users on the LEDE device so your Mac(s) can securely connect over the network to your Time Machine server.

In order for this guide to work you will need to meet the following prerequisites:

Package Installation

opkg update && opkg install avahi-utils netatalk

Optional Package Installation

These packages are optional although recommend. nano will make editing text files super easy and the shadow packages make user and group managment a breeze, otherwise you'll have to manually edit user, group and password files by hand. The downside these packages will use precious space on your root partition. If your working with limited space consider using extroot.

opkg update && opkg install nano shadow-groupadd shadow-groupmod shadow-useradd shadow-usermod

Available Netatalk Features

Many of the Netatalk goodies such as Spotlight search, Zeroconfig, ACL and LDAP support have been disabled. That was probably a wise decision to save space and provide a broader range of hardware support. The good news Time Machine support is available. With a simple command afpd -V we can check what features have been compiled into Netatalk.

 afpd 3.1.10 - Apple Filing Protocol (AFP) daemon of Netatalk
  
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version. Please see the file COPYING for further information and details.
  
afpd has been compiled with support for these features:

        AFP versions:	2.2 3.0 3.1 3.2 3.3 3.4 
       CNID backends:	dbd last tdb 
    Zeroconf support:	No
TCP wrappers support:	No
       Quota support:	No
 Admin group support:	Yes
  Valid shell checks:	No
    cracklib support:	No
          EA support:	ad | sys
         ACL support:	No
        LDAP support:	No
       D-Bus support:	No
   Spotlight support:	No
       DTrace probes:	No

            afp.conf:	/etc/afp.conf
         extmap.conf:	/etc/extmap.conf
     state directory:	/var/netatalk/
  afp_signature.conf:	/var/netatalk/afp_signature.conf
    afp_voluuid.conf:	/var/netatalk/afp_voluuid.conf
     UAM search path:	/usr/lib/uams//
Server messages path:	/var/netatalk/msg/

Basic File Share Configuration (Time Machine Server)

The current Netatalk package (netatalk - 3.1.10-1) has minor posix permission issues.

Use the following chmod commands to fix this bug.

chmod 644 /etc/afp.conf
chmod 644 /etc/extmap.conf

The afp.conf file contains all AFP specific configurations and AFP volume definitions. Let's edit ours with nano /etc/afp.conf and setup our Time Machine Server; we'll be using the nano text editor in this tutorial. Netatalk has a lot of great features not covered in this guide. Make sure to checkout the documentation for more Time Machine options and other possible AFP uses. http://netatalk.sourceforge.net/3.0/htmldocs/afp.conf.5.html

;
; Netatalk 3.x configuration file
;

[Backups]
     path = /mnt/sdb1/Backups
     time machine = yes
     vol size limit = 250000
     valid users = @users

Avahi-daemon Configuration

The default avahi-daemon configuration /etc/avahi/avahi-daemon.conf works perfect with stable LEDE 17.01.0+ and no chages are required.

[server]
#host-name=LEDE
#domain-name=local
use-ipv4=yes
use-ipv6=yes
check-response-ttl=no
use-iff-running=no

[publish]
publish-addresses=yes
publish-hinfo=yes
publish-workstation=no
publish-domain=yes
#publish-dns-servers=192.168.1.1
#publish-resolv-conf-dns-servers=yes

[reflector]
enable-reflector=no
reflect-ipv=no

[rlimits]
#rlimit-as=
rlimit-core=0
rlimit-data=4194304
rlimit-fsize=0
rlimit-nofile=30
rlimit-stack=4194304
rlimit-nproc=3

:!: Learn about other configuration options here https://github.com/lathiat/avahi

Zeroconf Advertising

The LEDE implementation of Netatalk was not compiled with Zeroconf support; so we must advertise the required afpovertcp, device-info, and adisk text-record properties manually. We previously installed avahi-daemon (via avahi-utils) for exactly this purpose. Let's create a service file nano /etc/avahi/services/afp.service using the template below.

<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
 <name replace-wildcards="yes">%h</name>
  <service>
   <type>_afpovertcp._tcp</type>
   <port>548</port>
  </service>
  <service>
   <type>_device-info._tcp</type>
   <port>0</port>
   <txt-record>model=TimeCapsule</txt-record>
  </service>
  <service>
   <type>_adisk._tcp</type>
   <port>9</port>
   <txt-record>sys=waMa=0,adVF=0x100,adVU=00000000-AAAA-BBBB-CCCC-111111111111</txt-record>
   <txt-record>dk0=adVN=Backups,adVF=0x81</txt-record>
  </service>
</service-group>

:!: model=TimeCapsule this determines the hardware icon that appear within macOS Finder. Some available options are Xserve, PowerBook, PowerMac, Macmini, iMac, MacBook, MacBookPro, MacBookAir, MacPro, MacPro6,1, TimeCapsule, AppleTV1,1 and AirPort.

:!: adVU=00000000-AAAA-BBBB-CCCC-111111111111 must be changed to a uniquely generated UUID. You can create a UUID in LEDE by writing cat /proc/sys/kernel/random/uuid (each time generating and displaying a new UUID).

:!: adVN=Backups should match the virtual volume name of your timemachine = YES share from /etc/afp.conf. If you used my example settings above; leave this set to Backups. Most online guides use “TimeMachine” however “Backups” is more traditional since it's the default when using macOS Server or Time Capsule; although it realy dosen't matter what you call it, as long as they both match.

Some helpful links

https://guidgenerator.com http://www.freeformatter.com/xml-formatter.html http://netatalk.sourceforge.net/wiki/index.php/Bonjour_record_adisk_adVF_values

User and Group Management

In this section we'll create two (2) new users on the LEDE system for file sharing purposes. Create as many or as little as you like, the principles are the same. We'll also accomplish the following:

  • create home folders for the new user(s)
  • create a group with the same name as the new user(s)
  • add new user(s) to a supplementary group named “users”

1. Create a place for the users home folder with mkdir /home/. The default location for most Linux distros.

2. Add the new user(s). In my example users anne & brian will be created. They will receive a home folder /home/username and become members of the group users and username.

useradd --create-home --groups users --user-group anne
useradd --create-home --groups users --user-group brian

3. Add passwords for the newly created user(s).

passwd anne
passwd brian

4. Change the permissions of the Backups directory. You will have to improvise and use your systems own mount and or backup location.

cd /mnt/sdb1/
mkdir Backups
chmod 775 Backups/
chgrp users Backups/

5. Verify the permission changes with ls -alF.

root@LEDE:/mnt/sdb1# ls -alF
drwxr-xr-x    5 root     root          4096 Apr 25 18:48 ./
drwxr-xr-x    1 root     root           224 Apr 25 21:49 ../
drwxrwxr-x    2 root     users         4096 Apr 25 21:01 Backups/
drwxr-xr-x    3 root     root          4096 Apr 25 18:48 Shared/
drwx------    2 root     root         16384 Apr 25 16:35 lost+found/

:!: The users group is very important because the valid users = @users option in the Netatalk configuration. All members in this group have access to Time Machine services. Lets check what members makeup the users group with grep users /etc/group. You should see somthing similar to my results.

root@LEDE:~# grep users /etc/group
users:x:100:mrengles,anne,brian

Preserving Configuration on Firmware Upgrade

FIXME I'm not sure if this section is required.

The default LEDE firmware upgrade procedure might not backup some of our configuration files. That would be a horrible waste of hard work.

Add them to the list of custom backup files at /etc/sysupgrade.conf with echo and the command line:

echo '/etc/afp.conf ' >> /etc/sysupgrade.conf
echo '/etc/avahi/ ' >> /etc/sysupgrade.conf
echo '/etc/extmap.conf ' >> /etc/sysupgrade.conf
echo '/home/ ' >> /etc/sysupgrade.conf
echo '/var/netatalk/ ' >> /etc/sysupgrade.conf

This can also be accomplished via LuCi > System > Backup / Flash Firmware > Configurations > Backup file list and simply append the following:

/etc/afp.conf
/etc/avahi/
/etc/extmap.conf
/home/
/var/netatalk/

For more information, please check the Upgrading LEDE from the Command Line

Setup Time Machine on macOS

Settting up Time Machine on the Mac is a very simple process:

  • Open System Preferences > Time Machine > Select Backup Disk.
  • Select “Backups on LEDE” (encrypted backups will also work).
  • Login with your username and password (from earlier in this guide).

Apple can explain how-to use Time Machine much better then myself, so I'll let them. If you completed this guide successfully, chances are you wont need help. https://support.apple.com/en-us/HT201250

:!: Depending on your storage requirements the initial backup could take several hours.

Final Thoughts

If you have questions, post them in the LEDE Project Forum so that myslef and others can respond. https://forum.lede-project.org

Please update this user guide if you have a better way of doing things or notice typos and errors. :-)