Hello everyone,
I'm having trouble setting up Apple Time Machine backups on my Linux server. The share is already visible in Time Machine, but when I enter the credentials I always get an error message telling me to contact the system administrator.
The setup:
netatalk version
atalkd -v
atalkd (version 2.2.2)
/etc/netatalk/afpd.conf
#
# CONFIGURATION FOR AFPD
#
# Each single line defines a virtual server that should be available.
# Though, using "\" character, newline escaping is supported.
# Empty lines and lines beginning with `#' are ignored.
# Options in this file will override both compiled-in defaults
# and command line options.
#
#
# Format:
# - [options]               to specify options for the default server
# "Server name" [options]   to specify an additional server
#
#
# The following options are available:
# Transport Protocols:
#   -[no]tcp          Make "AFP over TCP" [not] available
#   -[no]ddp          Make "AFP over AppleTalk" [not] available.
#                     If you have -proxy specified, specify -uamlist "" to
#                     prevent ddp connections from working.
#
#   -transall         Make both available
#
# Transport Options:
#   -ipaddr <ipaddress>
#                     Specifies the IP address that the server should
#                     advertise and listens to. The default is advertise
#                     the first IP address of the system, but to listen
#                     for any incoming request. The network address may
#                     be specified either in dotted-decimal format for
#                     IPv4 or in hexadecimal format for IPv6.
#                     This option also allows to use one machine to
#                     advertise the AFP-over-TCP/IP settings of another
#                     machine via NBP when used together with the -proxy
#                     option.
#   -server_quantum <number>
#                     Specifies the DSI server quantum. The minimum
#                     value is 1MB. The max value is 0xFFFFFFFF. If you
#                     specify a value that is out of range, you'll get
#                     the default value (currently the minimum).
#   -admingroup <groupname>
#                     Specifies the group of administrators who should
#                     all be seen as the superuser when they log in.
#                     Default is disabled.
#   -ddpaddr x.y      Specifies the DDP address of the server.
#                     the default is to auto-assign an address (0.0).
#                     this is only useful if you're running on
#                     a multihomed host.
#   -port <number>    Specifies the TCP port the server should respond
#                     to (default is 548)
#   -fqdn <name:port> specify a fully-qualified domain name (+optional
#                     port). this gets discarded if the server can't
#                     resolve it. this is not honored by appleshare
#                     clients <= 3.8.3 (default: none)
#   -hostname <name>  Use this instead of the result from calling
#                     hostname for determining which IP address to
#                     advertise, therefore the hostname is resolved to
#                     an IP which is the advertised. This is NOT used for
#                     listening and it is also overwritten by -ipaddr.
#   -proxy            Run an AppleTalk proxy server for specified
#                     AFP/TCP server (if address/port aren't given,
#                     then first IP address of the system/548 will
#                     be used).
#                     if you don't want the proxy server to act as
#                     a ddp server as well, set -uamlist to an empty
#                     string.
#   -dsireadbuf [number]
#                     Scale factor that determines the size of the
#                     DSI/TCP readahead buffer, default is 12. This is
#                     multiplied with the DSI server quantum (default
#                     ~300k) to give the size of the buffer. Increasing
#                     this value might increase throughput in fast local
#                     networks for volume to volume copies. Note: This
#                     buffer is allocated per afpd child process, so
#                     specifying large values will eat up large amount of
#                     memory (buffer size * number of clients).
#   -tcprcvbuf [number]
#                     Try to set TCP receive buffer using setsockopt().
#                     Often OSes impose restrictions on the applications
#                     ability to set this value.
#   -tcpsndbuf [number]
#                     Try to set TCP send buffer using setsockopt().
#                     Often OSes impose restrictions on the applications
#                     ability to set this value.
#   -slp              Register this server with the Service Location
#                     Protocol (if SLP support was compiled in).
#   -nozeroconf       Don't register this server with the Multicast
#                     DNS Protocol.
#   -advertise_ssh    Allows Mac OS X clients (10.3.3-10.4) to
#                     automagically establish a tunneled AFP connection
#                     through SSH. This option is not so significant
#                     for the recent Mac OS X. See the Netatalk Manual
#                     in detail.
#
#
# Authentication Methods:
#   -uampath <path>   Use this path to look for User Authentication Modules.
#                     (default: /usr/lib/netatalk)
#   -uamlist <a,b,c>  Comma-separated list of UAMs.
#                     (default: uams_dhx.so,uams_dhx2.so)
#
#                     some commonly available UAMs:
#                     uams_guest.so: Allow guest logins
#
#                     uams_clrtxt.so: (uams_pam.so or uams_passwd.so)
#                            Allow logins with passwords
#                            transmitted in the clear.
#
#                     uams_randnum.so: Allow Random Number and Two-Way
#                            Random Number exchange for
#                            authentication.
#
#                     uams_dhx.so: (uams_dhx_pam.so or uams_dhx_passwd.so)
#                            Allow Diffie-Hellman eXchange
#                            (DHX) for authentication.
#
#                     uams_dhx2.so: (uams_dhx2_pam.so or uams_dhx2_passwd.so)
#                            Allow Diffie-Hellman eXchange 2
#                            (DHX2) for authentication.
#
# Password Options:
#   -[no]savepassword [Don't] Allow clients to save password locally
#   -passwdfile <path>
#                     Use this path to store Randnum passwords.
#                     (Default: /etc/netatalk/afppasswd. The only other
#                     useful value is ~/.passwd. See 'man afppasswd'
#                     for details.)
#   -passwdminlen <#> minimum password length. may be ignored.
#   -[no]setpassword  [Don't] Allow clients to change their passwords.
#   -loginmaxfail <#> maximum number of failed logins. this may be
#                     ignored if the uam can't handle it.
#
# AppleVolumes files:
#   -defaultvol <path>
#                     Specifies path to AppleVolumes.default file
#                     (default /etc/netatalk/AppleVolumes.default,
#                     same as -f on command line)
#   -systemvol <path> Specifies path to AppleVolumes.system file
#                     (default /etc/netatalk/AppleVolumes.system,
#                     same as -s on command line)
#   -[no]uservolfirst [Don't] read the user's ~/AppleVolumes or
#                     ~/.AppleVolumes before reading
#                     /etc/netatalk/AppleVolumes.default
#                     (same as -u on command line)
#   -[no]uservol      [Don't] Read the user's volume file
#   -closevol         Immediately unmount volumes removed from
#                     AppleVolumes files on SIGHUP sent to the afp
#                     master process.
#
# Miscellaneous:
#   -authprintdir <path>
#                     Specifies the path to be used (per server) to
#                     store the files required to do CAP-style
#                     print authentication which papd will examine
#                     to determine if a print job should be allowed.
#                     These files are created at login and if they
#                     are to be properly removed, this directory
#                     probably needs to be umode 1777
#   -guestname "user" Specifies the user name for the guest login
#                     (default "nobody", same as -g on command line)
#   -loginmesg "Message"
#                     Client will display "Message" upon logging in
#                     (no default, same as -l "Message" on commandline)
#   -nodebug          Switch off debugging
#   -client_polling   With this switch enabled, afpd won't advertise
#                     that it is capable of server notifications, so that
#                     connected clients poll the server every 10 seconds
#                     to detect changes in opened server windows.
#                     Note: Depending on the number of simultaneously
#                     connected clients and the network's speed, this can
#                     lead to a significantly higher load on your network!
#   -sleep <number>   AFP 3.x wait number hours before disconnecting
#                     clients in sleep mode. Default 10 hours
#   -tickleval <number>
#                     Specify the tickle timeout interval (in seconds).
#                     Note, this defaults to 30 seconds, and really
#                     shouldn't be changed. If you want to control
#                     the server idle timeout, use the -timeout option.
#   -timeout <number> Specify the number of tickles to send before
#                     timing out a connection.
#                     The default is 4, therefore a connection will
#                     timeout in 2 minutes.
#   -[no]icon         [Don't] Use the platform-specific icon. Recent
#                     Mac OS don't display it any longer.
#   -volnamelen <number>
#                     Max length of UTF8-MAC volume name for Mac OS X.
#                     Note that Hangul is especially sensitive to this.
#                     255: limit of spec
#                     80: limit of generic Mac OS X (default)
#                     73: limit of Mac OS X 10.1, if >= 74
#                         Finder crashed and restart repeatedly.
#                     Mac OS 9 and earlier is not influenced by this,
#                     Maccharset volume names are always limited to 27.
#   -[un]setuplog "<logtype> <loglevel> [<filename>]"
#                     Specify that any message of a loglevel up to the
#                     given loglevel should be logged to the given file.
#                     If the filename is omitted the loglevel applies to
#                     messages passed to syslog.
#
#                     By default (no explicit -setuplog and no buildtime
#                     configure flag --with-logfile) afpd logs to syslog
#                     with a default logging setup equivalent to
#                     "-setuplog default log_info".
#
#                     If built with --with-logfile[=somefile]
#                     (default logfile /var/log/netatalk.log) afpd
#                     defaults to a setup that is equivalent to
#                     "-setuplog default log_info [netatalk.log|somefile]"
#
#                     logtypes: Default, AFPDaemon, Logger, UAMSDaemon
#                     loglevels: LOG_SEVERE, LOG_ERROR, LOG_WARN,
#                                LOG_NOTE, LOG_INFO, LOG_DEBUG,
#                                LOG_DEBUG6, LOG_DEBUG7, LOG_DEBUG8,
#                                LOG_DEBUG9, LOG_MAXDEBUG
#
#                     Example: Useful default config
#                       -setuplog "default log_info /var/log/afpd.log"
#
#                     Debugging config
#                       -setuplog "default log_maxdebug /var/log/afpd.log"
#
#   -signature { user:<text> | auto }
#                     Specify a server signature. This option is useful
#                     while running multiple independent instances of
#                     afpd on one machine (eg. in clustered environments,
#                     to provide fault isolation etc.).
#                     Default is "auto".
#                     "auto" signature type allows afpd generating
#                     signature and saving it to afp_signature.conf
#                     automatically (based on random number).
#                     "host" signature type switches back to "auto"
#                     because it is obsoleted.
#                     "user" signature type allows administrator to
#                     set up a signature string manually.
#                     Examples: three servers running on one machine:
#                       first  -signature user:USERS
#                       second -signature user:USERS
#                       third  -signature user:ADMINS
#                     First two servers will act as one logical AFP
#                     service. If user logs in to first one and then
#                     connects to second one, session will be
#                     automatically redirected to the first one. But if
#                     client connects to first and then to third,
#                     will be asked for password twice and will see
#                     resources of both servers.
#                     Traditional method of signature generation causes
#                     two independent afpd instances to have the same
#                     signature and thus cause clients to be redirected
#                     automatically to server (s)he logged in first.
#   -k5keytab <path>
#   -k5service <service>
#   -k5realm <realm>
#                     These are required if the server supports
#                     Kerberos 5 authentication
#   -ntdomain
#   -ntseparator
#                     Use for eg. winbind authentication, prepends
#                     both strings before the username from login and
#                     then tries to authenticate with the result
#                     through the available and active UAM authentication
#                     modules.
#   -dircachesize entries
#                     Maximum possible entries in the directory cache.
#                     The cache stores directories and files. It is used
#                     to cache the full path to directories and CNIDs
#                     which considerably speeds up directory enumeration.
#                     Default size is 8192, maximum size is 131072. Given
#                     value is rounded up to nearest power of 2. Each
#                     entry takes about 100 bytes, which is not much, but
#                     remember that every afpd child process for every
#                     connected user has its cache.
#   -fcelistener host[:port]
#                     Enables sending FCE events to the specified host,
#                     default port is 12250 if not specified. Specifying
#                     multiple listeners is done by having this option
#                     once for each of them.
#   -fceevents fmod,fdel,ddel,fcre,dcre,tmsz
#                     Specifies which FCE events are active, default is
#                     fmod,fdel,ddel,fcre,dcre.
#   -fcecoalesce all|delete|create
#                     Coalesce FCE events.
#   -fceholdfmod seconds
#                     This determines the time delay in seconds which is
#                     always waited if another file modification for the
#                     same file is done by a client before sending an FCE
#                     file modification event (fmod). For example saving
#                     a file in Photoshop would generate multiple events
#                     by itself because the application is opening,
#                     modifying and closing a file multiple times for
#                     every "save". Default: 60 seconds.
#   -keepsessions     Enable "Continuous AFP Service". This means the
#                     ability to stop the master afpd process with a
#                     SIGQUIT signal, possibly install an afpd update and
#                     start the afpd process. Existing AFP sessions afpd
#                     processes will remain unaffected. Technically they
#                     will be notified of the master afpd shutdown, sleep
#                     15-20 seconds and then try to reconnect their IPC
#                     channel to the master afpd process. If this
#                     reconnect fails, the sessions are in an undefined
#                     state. Therefore it's absolutely critical to restart
#                     the master process in time!
#   -noacl2maccess    Don't map filesystem ACLs to effective permissions.
#
# Codepage Options:
#   -unixcodepage <CODEPAGE>
#                     Specifies the servers unix codepage,
#                     e.g. "ISO-8859-15" or "UTF8".
#                     This is used to convert strings to/from
#                     the systems locale, e.g. for authentication.
#                     Defaults to LOCALE if your system supports it,
#                     otherwise ASCII will be used.
#
#   -maccodepage <CODEPAGE>
#                     Specifies the legacy clients (<= Mac OS 9)
#                     codepage, e.g. "MAC_ROMAN".
#                     This is used to convert strings to the
#                     systems locale, e.g. for authentication
#                     and SIGUSR2 messaging. This will also be
#                     the default for volumes maccharset.
#
# CNID related options:
#   -cnidserver <ipaddress:port>
#                     Specifies the IP address and port of a
#                     cnid_metad server, required for CNID dbd
#                     backend. Defaults to localhost:4700.
#                     The network address may be specified either
#                     in dotted-decimal format for IPv4 or in
#                     hexadecimal format for IPv6.
#
# Avahi (Bonjour) related options:
#   -mimicmodel <model>
#                     Specifies the icon model that appears on
#                     clients. Defaults to off. Examples: RackMac
#                     (same as Xserve), PowerBook, PowerMac, Macmini,
#                     iMac, MacBook, MacBookPro, MacBookAir, MacPro,
#                     AppleTV1,1, AirPort
#
#
# Some examples:
#
#   The simplest case is to not have an afpd.conf.
#
#   4 servers w/ names server1-3 and one w/ the hostname. servers
#   1-3 get routed to different ports with server 3 being bound
#   specifically to address 192.168.1.3
#
#   -
#   server1 -port 12000
#   server2 -port 12001
#   server3 -port 12002 -ipaddr 192.168.1.3
#
#   a dedicated guest server, a user server, and a special
#   AppleTalk-only server:
#
#   "Guest Server" -uamlist uams_guest.so \
#                  -loginmesg "Welcome guest! I'm a public server."
#   "User Server" -uamlist uams_dhx2.so -port 12000
#   "special" -ddp -notcp -defaultvol <path> -systemvol <path>
#
# default:
- -tcp -noddp -uamlist uams_dhx.so,uams_dhx2.so -nosavepassword
/etc/netatalk/AppleVolumes.default
# volume format:
# :DEFAULT: [all of the default options except volume name]
# path [name] [casefold:x] [options:z,l,j] \
#   [allow:a,@b,c,d] [deny:a,@b,c,d] [dbpath:path] [password:p] \
#   [rwlist:a,@b,c,d] [rolist:a,@b,c,d] [limitsize:value in bytes] \
#   [preexec:cmd] [root_preexec:cmd] [postexec:cmd] [root_postexec:cmd] \
#   [allowed_hosts:IPv4 address[/IPv4 netmask bits]] \
#   [denied_hosts:IPv4 address[/IPv4 netmask bits]] \
#   ... more, see below ...
#
# name: volume name. it can't include the ':' character
#
#
# variable substitutions:
# you can use variables for both <path> and <name> now. here are the
# rules:
#   1) if you specify an unknown variable, it will not get converted.
#   2) if you specify a known variable, but that variable doesn't have
#      a value, it will get ignored.
#
# the variables:
# $b   -> basename of path
# $c   -> client's ip or appletalk address
# $d   -> volume pathname on server
# $f   -> full name (whatever's in the gecos field)
# $g   -> group
# $h   -> hostname
# $i   -> client ip without tcp port or appletalk network
# $s   -> server name (can be the hostname)
# $u   -> username (if guest, it's whatever user guest is running as)
# $v   -> volume name (either ADEID_NAME or basename of path)
# $z   -> zone (may not exist)
# $$   -> $
#
#
# casefold options [syntax: casefold:option]:
# tolower    -> lowercases names in both directions
# toupper    -> uppercases names in both directions
# xlatelower -> client sees lowercase, server sees uppercase
# xlateupper -> client sees uppercase, server sees lowercase
#
# allow/deny/rwlist/rolist format [syntax: allow:user1,@group]:
# user1,@group,user2 -> allows/denies access from listed users/groups
#                       rwlist/rolist control whether or not the
#                       volume is ro for those users.
# allowed_hosts -> Only listed hosts and networks are allowed,
#                  all others are rejected. Example:
#                  allowed_hosts:10.1.0.0/16,10.2.1.100
# denied_hosts  -> Listed hosts and nets are rejected,
#                  all others are allowed. Example:
#                  denied_hosts: 192.168.100/24,10.1.1.1
# preexec       -> command to be run when the volume is mounted,
#                  ignored for user defined volumes
# root_preexec  -> command to be run as root when the volume is mounted,
#                  ignored for user defined volumes
# postexec      -> command to be run when the volume is closed,
#                  ignored for user defined volumes
# root_postexec -> command to be run as root when the volume is closed,
#                  ignored for user defined volumes
# veto          -> hide files and directories, where the path matches
#                  one of the "/" delimited vetoed names. Matches are
#                  partial, e.g. path is /abc/def/file and veto:/abc/
#                  will hide the file.
# adouble       -> specify the format of the metadata files.
#                  default is "v2". netatalk 1.x used "v1".
#                  "osx" cannot be treated normally any longer.
# volsizelimit  -> size in MiB. Useful for TimeMachine: limits the
#                  reported volume size, thus preventing TM from using
#                  the whole real disk space for backup.
#                  Example: "volsizelimit:1000" would limit the
#                  reported disk space to 1 GB.
#
# codepage options [syntax: options:charsetname]
# volcharset -> specifies the charset to be used
#               as the volume codepage
#               e.g. "UTF8", "UTF8-MAC", "ISO-8859-15"
# maccharset -> specifies the charset to be used
#               as the legacy client (<=Mac OS 9) codepage
#               e.g. "MAC_ROMAN", "MAC_CYRILLIC"
#
# perm  -> default permission value
#          OR with the client requested perm
#          Use with options:upriv
# dperm -> default permission value for directories
#          OR with the client requested perm
#          Use with options:upriv
# fperm -> default permission value for files
#          OR with the client requested perm
#          Use with options:upriv
# umask -> set perm mask
#          Use with options:upriv
# dbpath:path -> store the database stuff in the following path.
# cnidserver:server[:port]
#             -> Query this servername or IP address
#                (default:localhost) and port (default: 4700)
#                for CNIDs. Only used with CNID backend "dbd".
#                This option here overrides any setting from
#                afpd.conf:cnidserver.
# password:password -> set a volume password (8 characters max)
# cnidscheme:scheme -> set the cnid scheme for the volume,
#                      default is [dbd]
#                      available schemes: [dbd last tdb]
# ea -> none|auto|sys|ad
#       Specify how Extended Attributes are stored. default
#       is auto.
#       auto: try "sys" (by setting an EA on the shared
#             directory itself), fallback to "ad". Requires
#             writable volume for performing the test.
#             Note: options:ro overwrites "auto" with "none."
#       sys:  Use filesystem EAs
#       ad:   Use files in AppleDouble directories
#       none: No EA support
#
#
# miscellaneous options [syntax: options:option1,option2]:
# tm            -> enable TimeMachine support
# prodos        -> make compatible with appleII clients.
# crlf          -> enable crlf translation for TEXT files.
# noadouble     -> don't create .AppleDouble unless a resource
#                  fork needs to be created.
# ro            -> mount the volume as read-only.
# mswindows     -> enforce filename restrictions imposed by MS
#                  Windows. this will also invoke a default
#                  codepage (iso8859-1) if one isn't already
#                  specified.
# nohex         -> don't do :hex translations for anything
#                  except dot files. specify usedots as well if
#                  you want that turned off. note: this option
#                  makes the / character illegal.
# usedots       -> don't do :hex translation for dot files. note: when
#                  this option gets set, certain file names
#                  become illegal. these are .Parent and
#                  anything that starts with .Apple.
# invisibledots -> don't do :hex translation for dot files. note: when
#                  this option gets set, certain file names
#                  become illegal. these are .Parent and
#                  anything that starts with .Apple. also, dot
#                  files created on the unix side are marked invisible.
# limitsize     -> limit disk size reporting to 2GB. this is
#                  here for older macintoshes using newer
#                  appleshare clients. yucko.
# nofileid      -> don't advertise createfileid, resolveid, deleteid
#                  calls
# root_preexec_close -> a non-zero return code from root_preexec closes the
#                  volume being mounted.
# preexec_close -> a non-zero return code from preexec closes the
#                  volume being mounted.
# nostat        -> don't stat volume path when enumerating volumes list
# upriv         -> use unix privilege.
# illegalseq    -> encode illegal sequence in filename as is,
#                  ex "\217-", which is not a valid SHIFT-JIS char,
#                  is encoded as U\217 -
# nocnidcache   -> Don't store and read CNID to/from AppleDouble file.
#                  This should not be used as it also prevents a CNID
#                  database rebuild with `dbd`!
# caseinsensitive -> The underlying FS is case insensitive (only
#                  tested with JFS in OS2 mode)
# dropbox       -> Allows a volume to be declared as being a "dropbox."
#                  Note that netatalk must be compiled with dropkludge
#                  support for this to function. Warning: This option
#                  is deprecated and might not work as expected.
# dropkludge    -> same as "dropbox"
# nodev         -> always use 0 for device number, helps when the
#                  device number is not constant across a reboot,
#                  cluster, ...
#
# The line below sets some DEFAULT, starting with Netatalk 2.1.
:DEFAULT: options:upriv,usedots

# By default all users have access to their home directories.
#~/ "Home Directory"

/mnt/volume1/timemachine "TimeMachine" allow:timemachine options:tm,usedots,upriv

# End of File
Permissions of the folder /mnt/volume1/timemachine
ls -lh /mnt/volume1 | grep timemachine
drwxrwx--- 8 timemachine users 4,0K Jul 10 02:27 timemachine
I have already searched the internet and believe I have actually implemented the requirements described there. As mentioned, the volume is recognised on the Mac. I just can't get the user verified. One doesn't have to create a separate Samba share for this, does one?
I would really appreciate any help.
Best regards, AXEL
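A small set of checks for the configuration shown in the post, added here as an example and not part of Axel's post or of netatalk itself. It assumes the UAM directory /usr/lib/netatalk (the afpd.conf default quoted above), GNU coreutils `stat` on Linux, and the helper names (`vol_field`, `check_volume`, ...) are mine; the volume line is copied from the post's AppleVolumes.default.

```shell
#!/bin/sh
# Sanity checks for a netatalk 2.x Time Machine share (added example, not
# the poster's script). Assumptions: UAMs live in /usr/lib/netatalk (the
# afpd.conf default) and `stat -c` is GNU coreutils (Linux).

# The volume line from the post's AppleVolumes.default (constructed copy).
VOL_LINE='/mnt/volume1/timemachine "TimeMachine" allow:timemachine options:tm,usedots,upriv'

# Print the value of a key:value field ("allow", "options", ...) of a volume line.
vol_field() {
    key=$2
    for tok in $1; do
        case $tok in
            "$key":*) printf '%s\n' "${tok#"$key":}"; return 0 ;;
        esac
    done
    return 1
}

# True if the comma-separated list $1 contains the item $2 exactly.
has_item() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# The volume must enable Time Machine (options:tm) and list the backup
# user in allow:, otherwise afpd hides it or refuses the login for that user.
check_volume() {
    line=$1; user=$2
    opts=$(vol_field "$line" options) || { echo "no options: field"; return 1; }
    has_item "$opts" tm || { echo "options:tm missing"; return 1; }
    allow=$(vol_field "$line" allow) || { echo "no allow: list"; return 1; }
    has_item "$allow" "$user" || { echo "user $user not in allow:"; return 1; }
    return 0
}

# The share directory must exist and be owned and rwx for the backup user
# (the post's drwxrwx--- timemachine:users satisfies this).
check_share_dir() {
    dir=$1; user=$2
    [ -d "$dir" ] || { echo "$dir is not a directory"; return 1; }
    owner=$(stat -c %U "$dir") && [ "$owner" = "$user" ] \
        || { echo "$dir is owned by $owner, not $user"; return 1; }
    mode=$(stat -c %a "$dir")
    case $mode in
        *7??) return 0 ;;
        *) echo "$dir mode $mode: owner lacks rwx"; return 1 ;;
    esac
}

# DHX2 authenticates the Unix account through PAM or /etc/shadow, so the
# account must exist and a DHX2 UAM must be installed in the UAM directory.
check_account_and_uam() {
    user=$1; uamdir=${2:-/usr/lib/netatalk}
    getent passwd "$user" >/dev/null || { echo "no Unix account $user"; return 1; }
    for uam in uams_dhx2_pam.so uams_dhx2_passwd.so uams_dhx2.so; do
        [ -e "$uamdir/$uam" ] && return 0
    done
    echo "no DHX2 UAM found in $uamdir"; return 1
}

if [ "${1:-}" = "run" ]; then
    check_volume "$VOL_LINE" timemachine \
        && check_share_dir /mnt/volume1/timemachine timemachine \
        && check_account_and_uam timemachine && echo "all checks passed"
fi
```

Run it as `sh check_tm_share.sh run` on the server; the first failing check prints what is wrong, and the afpd log (syslog by default, or the file given to -setuplog) shows the matching login failure.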