Episode: 1127
Title: HPR1127: AFP file share on a Linux server
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr1127/hpr1127.mp3
Transcribed: 2025-10-17 19:28:03

---

You're listening to Hacker Public Radio, my name's Klaatu. Hello. This is another entry into my mini-series called Networking Basics. In the past, we've covered network protocols, how packets get identified on the network, what routers and switches do, and then we did some exercises on setting up networking devices, things like DHCP servers, caching DNS servers, and most recently, a Samba share. In this episode, we're going to talk about setting up an AFP share.

AFP is a file sharing protocol designed by Apple. Historically, it was the AppleTalk file protocol. Now it is simply the Apple file protocol. It is an ugly, ugly thing that I hope you never have to deal with. However, I'm doing an episode on it because, well, I use it in the place that I work, so I happen to know a little something about it, so I might as well. It is, after all, a networking protocol, so it does qualify for the mini-series on networking basics.

And there are lots and lots of catches to it. There are things that just don't work the way that they're supposed to work, at least from the Linux side of things. So it's really something that I guarantee you you don't want to go down this path if you don't have to. However, it does have a couple of advantages, such as: if all of your clients, all the client computers on your network, are Mac OS X computers, then AFP is the default and certainly very, very native file sharing protocol. So there's a graphical, very easy kind of... if people need to do an internet search on "how do I connect to my server", then, you know, all the screenshots will tell them exactly the right thing to do. So it is very sort of integrated into that operating system, so that's one advantage.

Samba comes as a close second, however, because it's just three letters away, but they do have to explicitly type those three letters. So it's not quite as user friendly as AFP. In the Mac OS X world there's also a couple of conventions that are probably pretty foreign to Linux and Windows users: a lot of Mac users will literally identify very, very important information by color coding file names, or by giving folders different icons to denote that, yes, this is a vitally important folder. If you do not, you know, don't misplace it; they'll bring attention to it just by icons. A Samba share will not respect those icons, whereas the AFP protocol certainly will. It can get those fancy little icons just fine. So there are some things that AFP does for Mac users that kind of makes it a logical choice, and I say logical begrudgingly, but it does work on a Mac-only network.

Fairly well, but I'm warning you right now that if you go down the AFP path, you will regret it at some point, maybe not all the time, but there will be times where you regret it. Some of those times will be when there is a Linux or a Windows computer on your network that wants to access those files. There is no way to do that natively on any other OS other than Mac OS X. There have been some third party applications that have attempted to make that something that you could do, but as far as I know none of those are actually maintained anymore, and certainly none of them are going to feel at all native on those other platforms. So even on Linux, where Netatalk exists, there's no, as far as I know, no GUI front end to the AFP file share. You would still have to go in on the command line. So it's not going to feel at all integrated on either Linux or Windows, the way that Samba can kind of feel mostly integrated on all three platforms.

AFP also, in proper Apple fashion, is ever changing. They change the protocol all the time. They forget to tell people that they changed it. So if there is anything happening, if there are frequent updates on your client machines, you might find that your AFP setup has ceased to work, strangely. So the AFP reimplementation on Linux is called Netatalk, N-E-T-A-T-A-L-K, and it is technically speaking fairly simple to set up, but again there are a lot of little catches that we're going to discover along the way. So I don't know if I'm getting it across to you clearly, but you probably want to avoid using this if at all possible. Sometimes it's not possible, so we'll talk about it.

Again, installing it is pretty simple: yum install netatalk or aptitude install netatalk. On my previous episode on Samba, I was doing everything on a Red Hat or a Fedora server. On this one I'm actually doing it on Debian. It just kind of worked out this way that a lot of my AFP file servers are PowerPC boxes, so Debian is kind of the only game in town. But that means that for this episode, if you're on something else, then you will need to adjust your paths accordingly for the config files. On Debian, however, you've got /etc/netatalk for most of the files, and there's an /etc/default/netatalk as well, so be aware of that extra little file there.

So if you go into the default folder, or wherever the Netatalk configuration file itself is located, then you will find a really simple little configuration file that simply defines what runs when you say to start Netatalk. So open that up in a text editor or something and look at it, and you'll see that you can limit how many clients are connected. I do that just because I find that the servers that I'm running the file share on aren't the fastest boxes around, they don't have all that much RAM, so I do try to set a max client number of 20, and that works for me, but you can certainly increase it or not define that, that's fine as well, just depends on what you need. The next important thing I guess would be whether you want to allow guests, AFPD_GUEST, what you want to call them when they log in; I think the default is nobody. And then you need to define what you want to run when you start the Netatalk service.

There are a couple of different aspects to Netatalk. One is the legacy support for AppleTalk, or as they call it atalk, or atalkd in Netatalk terms. I don't use AppleTalk, you probably won't be using AppleTalk either, so the answer, or the value, for ATALKD_RUN will probably be no for you. But you can't, because it's dependent on AppleTalk, so all of that stuff, the A2BOOT_RUN, you can just set all that stuff to no. The ones that you want to leave on are CNID_METAD_RUN, you want to set that to equals yes, and AFPD_RUN would be yes as well. In other words, that's AFP over TCP, and I guarantee you that's going to be your usage, unless you are using this in a legacy environment where you're running nothing but Mac OS 9.2.2. So yes, AFPD_RUN and CNID_METAD_RUN would equal yes.

In all seriousness, I could see you actually utilizing the AppleTalk support if you've got like a bank of old Apple printers that only spoke over AppleTalk, which does exist, and I could see someone using this solely for that purpose, and that actually might be something that I do end up trying it out for, because we might be getting an old laser printer donated, but I'm not even sure if they're going to be able to utilize it because of the ink issues. And anyway, Netatalk: usually you'll be turning off the AppleTalk stuff and just leaving on the afpd and the cnid_metad stuff, so that's what the Netatalk configuration gets.

After that, you really get to go down into the deeper levels of the configuration files, of which there are really two that you need to be concerned over somewhat. One is the afpd.conf, which again, this is at least on Debian, and I'm pretty sure if memory serves it's on Red Hat as well, /etc/netatalk is the folder, so it's pretty easy to find. So there's the afpd.conf file, and there's literally probably one line that you want to look at in that file. It's all the way down at the bottom, it's the default line; you don't even need to uncomment it actually, because it's just the default. It tells it to run over TCP and use the uamlist, or UAM list, I don't really even know what that is, I did at one point, I've forgotten since. It's really just completely sensible, normal defaults. I do not even bother uncommenting it, it's fine, but be aware that that file exists anyway, because it does, and at some point you may have to go in there and add something, or disable something, whatever. I did actually have to do that once way back, way back last year, because AppleTalk had changed, or not AppleTalk, AFP had changed, and there was some new library that you had to use, or something like that, and you had to add it to that line. So that was something historically that I've done, but not recently.

So the next file to change, and again this is all, it's surprisingly simple to be honest, it's not really that hard, which is nice. The next config file that you need to open up though, and you will probably need to change stuff in, is AppleVolumes.default, and that's capital A and capital V, AppleVolumes all one string, dot default. It's a very verbose file, you can read and read and read and read all the different possible attributes that you could change, that you could add to these files, but down at the bottom you have about three, well six I guess, lines that you might want to take a look at. So the first line sets the defaults sort of globally, and that is :DEFAULT: options:upriv,usedots. The usedots option is telling the server how to translate, or rather not translate, files that start with a dot in their file name, and the upriv option is telling the server to use Unix privileges by default. Now don't let that fool you, it's not quite as nice and tidy as all that, but it's a good starting point, upriv.

So that's the default line for sort of the global configuration. The next line you'll see will be the fact that by default all users have access to their own home directories. On the AFP servers that I run, I actually don't use that option. So last episode I was talking about how on Samba I did use that option and how great it was; well, that's because I use that for one thing and AFP for something else, so I don't give users access to their own home directories via AFP, so I have that commented out. But if you want to give them, you know, access to Samba that way, or to their home directory via AFP, then uncomment that line, and it will look at the Unix user name of the person logging into the server, and it will provide them a home directory so that they can stash stuff in their own little storage space, might be nice.

And then finally, this is actually the final thing that you have to set for this. I mean, like I said, it's not really that hard. You tell the config file the Unix path of where this shared folder exists, the human-readable (from the client side) name of this path, of this shared directory, and then who is allowed to log in, and then a couple of other things that we'll go over in a minute. For instance, on this particular box that I'm looking at right now, the first thing that I would give is the Unix path. So that's /home/instructor. So this is an instructor's folder that people want to have access to. So /home/instructor. Again, you could put it in /var, you could put it somewhere else. I have been doing it this way because it's just, like I say, it's kind of the way that I started out. But /home/instructor is the Unix path of the directory on the server that people will be logging into. And then we do a space. And then in this case, I put classroomshare, no spaces. So classroomshare is the name of the volume that, when people start logging into this, that's what it's going to show up as on their desktop, or if they drag it into their dock for quick access later, when they roll over it, that's what it will show up as. It's not going to show /home/instructor. It'll show classroomshare. So that's the client name of your volume, of the shared volume. And then we do space allow, A-L-L-O-W, colon. And then the name of the people that are allowed to log into this. Now, again, this is all very flexible. You could be using a different authentication method. But if you're just doing it straight, sort of pure Unix kind of stuff, then what you would do is have a user on this server called klaatu. And then you would add klaatu to this list of allowed users. So I have allow:klaatu,students, maybe, instructor, maybe, and so on. Unlike Samba, you do not have to set a specific password for these users. Their Unix password on your server will be the same as their AFP password. So there's no special Samba password or AFP password command. It's just, they exist on this server, klaatu. Whatever his password is on the server, that's what he will use when he's logging in via AFP from the Mac that he shouldn't be using. Space options:upriv,usedots.

That's actually just redundant. I was having problems with some of the privileges being retained, so I reiterated it here. I doubt it's doing any good, but I'm not going to change it now because it's working. Space fperm:0775, space dperm:0775, space umask:000. This is all very strange and it's all related to a hack that, just today, it needed to be this way; whether it's going to need to be that way in the next release of the next OS X, or it could even just be an update, it could be a random OS update, it could break everything at any moment. So this is something that has changed a lot over the course of a mere two years. It's been different a couple of times. But here's what's happening. So that's the default permission value for a directory that someone creates on this shared volume, in this share, in this file share. So I'm just setting it to a permission value. The fperm is the file permissions. And the umask, of course, is a mask, unlike what I was saying about Samba in the previous episode. umask is 000, meaning that it inherits 777. So that really shouldn't be something that I'm using, I think, but like I say, it's kind of a hack that was necessary for things to function the way that I need them to function. Either way, that's actually all you need to do to configure Netatalk. So it's literally at the most four lines of work, which you have to admit is kind of nice.

It's kind of that it could be a lot worse, right? So you just kind of look at afpd.conf in /etc/default/afpd.conf on Debian, and it might just be in /etc/netatalk on other systems. Look at that. Make sure that there's no default that you need to change. And there probably isn't. It's been pretty good about just being the way that it needs to be for me. And then have a look at /etc/netatalk/AppleVolumes.default. Make sure that your defaults there are saying you want options upriv, to inherit all your Unix, or utilize all your Unix privileges, and usedots because it works. And then whether or not you want their home directories to be visible. And then you define your shared entities, meaning what they will see when they log in from their client machine. They don't obviously see the Unix path, but you define the Unix path for the server and then you tell the server what they're going to see in their little menu option when they're logging in. And you set who's allowed to log in. You set any kind of other options that you want for that particular share. And you set any kind of permissions and creation masks that you want for that to work.

Okay, so what that does then is it shares /home/instructor, in this case, because that's what I have it set to. And it does that quite well. And when people, if they're in the allowed user list, when they log in, they can create files, they can create directories. And it pretty much does exactly what it's supposed to. And like I say, that's the, if there is beauty here, that would be the beauty of AFP. And that is that once you've got it set up, it works quite well on Mac OS X. And that's all it works on. So again, be aware of that. But it works exactly like people would expect it to work. They can color code things. If they have permission to do so, they can change icons. And those icons will be retained. They won't go away or anything. Well, in as much as they don't go away anyway on OS X. But, you know, it will act exactly like an OS X user expects their Finder and their file manager to function. So that's a good thing.

One of the weird things about, at least, the latest implementation of AFP from Apple is, and the difference between that and Netatalk is, that the permissions are not only looking at the Unix user permissions. So I can set Unix permissions in the server config file all I want, and they may or may not be respected over on the Mac side. So, for instance, in /home/instructor, I've got a couple of folders that are shared. There's a pickup folder where students pick up their work, which has the permissions of 755 and the owner of instructor and the group of staff, let's say. And then I've got a drop-off folder, which has the students being able to drop files into the folder, but not get them back out. So this is obviously for homework assignments, for tests and quizzes, where you want the classroom, the student, to be able to give you a file, but not go in and look at other people's work and cheat and stuff like that. So, you would normally, you would think you would set that to something like, I don't know, seven, so that the instructor can do whatever they want. And then the group and the others would only have write and maybe execute permissions. So it would be like the very uncommon, what would that be? Something like seven, three, three, something weird like that. And that would, in theory, be a drop-off folder, right? The students could write into a folder, but they couldn't actually read what was in the folder. Kind of weird, but that is what you would do. Now there used to be a drop box feature in Netatalk, but it was always marked a kludge, and it has always warned you that it might not work the way you think it's going to work and all these other caveats apply. So there's just some stuff that you literally can't configure in the server.

So what I did was I set the permissions and everything to 755, and then you go over to a Mac and log in as one of these allowed users, preferably someone with all the administrative capabilities possible. So in this case, it would be the instructor user. So you log in, again, you go to the Go menu, you Connect to Server, or you just hit Command-K if you're a keyboard kind of person, and you log in as the instructor. And now you've got your drop-off and your pickup folder, your pickup folder being 755, where you as the instructor can write into the directory and students can take files out of the directory, and then the drop-off folder where students can drop their work, which really you only want them to be able to drop off the work. But since you can't actually set ACL flags the way that Mac wants to see them from the Linux server, you need to do that on the Mac box. So you log in, you click on the drop-off folder, in this case, you would hit Command-I for Get Info, and then in the GUI, I mean you could do this with ACL settings in the terminal as well, but no one does it that way, including myself. So you just go into Get Info, and you, again, this is really kind of a weird kludge, but you need to set, if you're doing it this way, a drop box function: you would set the everyone value to Write Only, so that it is a drop box; the staff value, which is kind of the main user group on Mac OS X, to Write Only, so that's the drop box; and then there will probably be an unknown value there for Read and Write, because Mac OS X for some reason can't quite identify who exactly it is who has read and write, but it knows someone does. Turns out it's instructor, which is just kind of a weird thing about the way that you're interacting with this. It's not really that big of a deal, but that's how it's done. So whether or not you're doing a drop box or not, you may never have that problem, but be aware that there are some weird file permission issues between your setup and the way that Mac OS X actually sees them, and by the time you hear this, for all I know, it will all have changed. So just kind of be aware that unfortunately any tutorial online that you read about AFP is probably out of date, and this episode is probably included in that.

But now you know the theory, and you know sort of the idea behind it all, you can go in and set up the config files, and then just test it and see what works and what doesn't work. I will say that it seems to be, and this is almost timeless until it isn't, it seems like once you get the thing up and running, then do all the actual... like once you've defined, okay, this is the directory that people will be logging into, don't create sub-directories and stuff like that from within Linux, it just doesn't pay. Go over to the Mac computer that is going to be managing that volume, log in, and do all of your kind of infrastructure work, and if you're setting the file permissions and stuff like that from a Mac, it will work. I have found that it has a lot more success doing it from the Mac, from the Mac GUI, or if you know the ACL command lines, do it there on the Mac, because it sets flags differently than what you think you're doing by setting things in the Linux command line. So it's almost not a problem, you just have to not do what you think you should be doing. You know, you think you're doing it right, you're creating a folder, and you're setting the file permissions, and it seems like it should work, but just don't think that way because that's not the case. It's got a lot to do with the access control lists that Mac OS X imposes on top of the Unix file permissions, so just be aware of that. Everything should be configured now, so then you would again, however your distribution does the whole service-on thing, whether it's service netatalk start, or /etc/init.d/netatalk start, whatever, do that, make it go on, and then you can go into the Mac, sign on, and configure the file permissions, and that's really it.

Troubleshooting: there's not a whole lot of troubleshooting aside from like incompatibilities between Netatalk and the latest implementation of AFP that is included in some kind of update on the Mac that you didn't expect, but other than that, I have found that it pretty much works. Except, again, make sure that your iptables are allowing your Netatalk or your AFP traffic, make sure that SELinux is aware that AFP exists and that it's approved, issue whatever kind of rule you have to from SETroubleshoot, or SELinux Troubleshooter, whatever it's called, and other than that, I think you should find that it works pretty well. The things that I have found that sometimes cause me trouble will be I will try to add a user, forgetting that they need to be a Unix user on that server, or I'll forget to set a Unix password for that user, and then when they're trying to sign in via AFP, then their password doesn't exist, so it won't let them in. Little things like that, but mostly it's pretty straightforward, so that's how you can create an AFP file share that will be accessible from Mac OS X boxes on your network. Enjoy!

You have been listening to Hacker Public Radio at HackerPublicRadio.org. We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever consider recording a podcast, then visit our website to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club. HPR is funded by the Binary Revolution at binrev.com; all binrev projects are crowd-sponsored by Lunarpages. From shared hosting to custom private clouds, go to lunarpages.com for all your hosting needs. Unless otherwise stated, today's show is released under a Creative Commons Attribution-ShareAlike license.
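Added example, not part of the episode or of the Netatalk project: a small Python audit of the AppleVolumes.default share lines the host walks through (the :DEFAULT: options line, the ~ home-directory line, and the "path name allow: options: fperm: dperm: umask:" share line), flagging the settings a defender would want to notice, such as the umask:000 hack, a missing allow: list, or world-writable creation modes. The sample file is constructed, and the parsing rules (whitespace-separated fields, key:value options, :DEFAULT: options inherited by later volumes, name defaulting to the last path component) are my reading of the netatalk 2.x format, not verified against the project's own parser.

```python
"""Audit netatalk 2.x AppleVolumes.default share definitions for risky settings."""
import shlex

# Constructed sample modelled on the lines the episode describes; not a real server's file.
SAMPLE_APPLEVOLUMES = """\
# Global defaults, inherited by every volume defined below
:DEFAULT: options:upriv,usedots
# Each user's own home directory
~
# The classroom share from the episode, with the umask:000 hack the host mentions
/home/instructor classroomshare allow:klaatu,students,instructor options:upriv,usedots fperm:0775 dperm:0775 umask:000
# A volume with no allow: list and world-writable creation modes
/srv/public "Public Share" fperm:0666 dperm:0777
"""

OTHER_WRITE = 0o002  # the 'other' write bit of a Unix mode


def _options(fields):
    """Turn ['allow:a,b', 'fperm:0775'] into {'allow': 'a,b', 'fperm': '0775'}."""
    opts = {}
    for field in fields:
        key, _, value = field.partition(":")
        opts[key] = value
    return opts


def parse_volumes(text):
    """Return one dict per volume: path, client-visible name, merged options.

    Assumed format (netatalk 2.x): whitespace-separated fields, '#' comments,
    ':DEFAULT:' lines whose options later volumes inherit (later defaults
    override earlier ones), and volume lines 'path [name] [key:value ...]'
    where the name defaults to the last path component. A quoted name may
    contain spaces.
    """
    defaults = {}
    volumes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if fields[0] == ":DEFAULT:":
            defaults = {**defaults, **_options(fields[1:])}
            continue
        path = fields[0]
        if len(fields) > 1 and ":" not in fields[1]:
            name, option_fields = fields[1], fields[2:]
        else:
            name, option_fields = path.rstrip("/").rsplit("/", 1)[-1], fields[1:]
        volumes.append({"path": path, "name": name,
                        "options": {**defaults, **_options(option_fields)}})
    return volumes


def audit_volume(vol):
    """Return human-readable findings for one parsed volume (empty list if clean)."""
    opts = vol["options"]
    findings = []
    # '~' is only ever the connecting user's own home, so no allow: list is expected there
    if vol["path"] != "~" and "allow" not in opts and "deny" not in opts:
        findings.append("no allow:/deny: list, so any Unix account on the server can mount it")
    for key in ("fperm", "dperm"):
        if key in opts and int(opts[key], 8) & OTHER_WRITE:
            findings.append(f"{key}:{opts[key]} makes newly created items world-writable")
    if "umask" in opts and int(opts["umask"], 8) == 0:
        findings.append("umask:000 masks nothing, so new items keep every bit the client "
                        "and fperm/dperm grant")
    return findings


def audit(text):
    """Map each volume name to its list of findings."""
    return {vol["name"]: audit_volume(vol) for vol in parse_volumes(text)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_APPLEVOLUMES).items():
        print(name, "->", findings or ["ok"])
```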