How to: Install Netatalk (AFP) on Ubuntu with Encrypted Authentication

Purpose: Install Netatalk (AFP) on Ubuntu with encrypted authentication (using OpenSSL), which is not enabled by default with the Ubuntu netatalk package. By default, the package installed from the Ubuntu universal repositories will transmit your password via clear text (you’ll know this because Mac OS X Tiger will throw a warning and Leopard won’t do anything useful at all).

This is because, apparently, OpenSSL has a license that is incompatible with Debian’s GPL. Regardless: clear text is bad; encryption is good. And since Ubuntu doesn’t package netatalk with the appropriate encryption support, one must do it oneself.

Updated 05.08.09: Just tested this with Jaunty (09.04) and the package in the repositories works with no extra steps. If you are using an older version of Ubuntu, however, you will want to follow these instructions. Tested with Intrepid Ibex (8.10) as well as: 6.06, 7.04, 7.10, and 8.06.

about this guide

When I first found that Ubuntu’s netatalk package didn’t support encrypted authentication, I tried to compile netatalk from the source. I didn’t get very far. Throwing up my hands in frustration, I spent some more time on google and found some ideas at the Ubuntu Forums. Pulling it all together, with ideas and fixes from comments (below), this is what I came up with (which I think is a lot easier than building from source).

steps to follow

NOTE: If you have already installed netatalk, remove it with sudo aptitude purge netatalk before you get going.

  • sudo aptitude update
  • mkdir -p ~/src/netatalk
  • cd ~/src/netatalk
  • sudo aptitude install cracklib2-dev libssl-dev
  • apt-get source netatalk
  • sudo apt-get build-dep netatalk
  • cd netatalk-2.0.3
  • sudo DEB_BUILD_OPTIONS=ssl dpkg-buildpackage -us -uc
  • sudo debi
  • echo "netatalk hold" | sudo dpkg --set-selections

The basic trend of this set of operations is to: create a directory where all the messy files can be stored, download necessary packages, get the netatalk source, compile the source with the ssl option, install the package, then tell Ubuntu never to update the package (because if it did, it would break).

Settings for the netatalk service can be found on your Ubuntu machine at /etc/netatalk/. There are a couple configuration files in there with instructions. Good luck.
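To confirm that the rebuilt server is actually offering encrypted logins, the check below reads an afpd.conf and reports which authentication modules (UAMs) its active lines list. It is an added example, not part of the original guide or of netatalk itself; it assumes netatalk 2.x's module names uams_clrtxt.so (cleartext) and uams_dhx.so (DHX, the module that needs the SSL build), and the sample config lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): report which authentication
# modules (UAMs) an afpd.conf offers to clients.
# Assumption: one server definition per line, no backslash continuations.

# Print the -uamlist value of every active (uncommented) line in file $1.
active_uamlists() {
    grep -v '^[[:space:]]*#' "$1" |
    awk '{ for (i = 1; i < NF; i++) if ($i == "-uamlist") print $(i + 1) }'
}

# Print one verdict for file $1:
#   cleartext  some active line offers uams_clrtxt.so
#   no-dhx     no cleartext, but some active line lacks uams_dhx.so
#   unset      no active line sets -uamlist (afpd's built-in default applies,
#              which this script does not evaluate)
#   ok         every active -uamlist offers DHX and none offers cleartext
audit_uams() {
    lists=$(active_uamlists "$1")
    if [ -z "$lists" ]; then
        echo unset
        return 0
    fi
    verdict=ok
    for l in $lists; do
        # Wrap in commas so module names only match as whole list items.
        case ",$l," in
            *,uams_clrtxt.so,*) echo cleartext; return 0 ;;
        esac
        case ",$l," in
            *,uams_dhx.so,*) ;;
            *) verdict=no-dhx ;;
        esac
    done
    echo "$verdict"
}

# Constructed sample input, written to a temp dir so the demo runs offline.
demo_dir=$(mktemp -d)
printf '%s\n' \
    '# constructed sample: cleartext still offered next to DHX' \
    '- -transall -uamlist uams_clrtxt.so,uams_dhx.so -nosavepassword' \
    > "$demo_dir/weak.conf"
printf '%s\n' \
    '# constructed sample: DHX only' \
    '- -transall -uamlist uams_dhx.so -nosavepassword -signature user:LAPTOP' \
    > "$demo_dir/hardened.conf"
printf '%s\n' \
    '# constructed sample: every server line is commented out' \
    '# - -transall -uamlist uams_clrtxt.so,uams_dhx.so -nosavepassword' \
    > "$demo_dir/default.conf"

for name in weak hardened default; do
    printf '%-14s %s\n' "$name.conf" "$(audit_uams "$demo_dir/$name.conf")"
done
rm -rf "$demo_dir"
```

On a real server, call audit_uams /etc/netatalk/afpd.conf; a result of unset means the list in effect is whatever afpd was built with, so check the afpd.conf documentation for your version.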

configuration files

One of the first changes I make after installing netatalk is to disable some of the services that I don’t need running (and start those that I do). To do this, I edit /etc/default/netatalk, changing the daemons that run so that it ends up looking like this (which allows netatalk to restart a lot quicker without the atalkd daemon — which is a holdover from pre-OS X times):

# Set which daemons to run (papd is dependent upon atalkd):

These are the settings I am using since I only need the afp file server — one thing to note, however, is that if you want to use the dbd database scheme rather than cdb, you need to set CNID_METAD_RUN to yes. cdb is supposed to be faster, while dbd is supposed to be “corruption-proof”. You can read about it in the docs.

After you’ve saved changes to this configuration file, run the following to restart netatalk:

  • sudo /etc/init.d/netatalk restart

other tips and tricks

Here are a couple other thoughts and pointers that I’ve picked up over the years …

multiple afp servers running on the same network

I never thought much of it, but I did notice: if you have two different servers on your network running netatalk, you are unable to login to both of them at the same time. JET posted a solution to this and it works flawlessly. It has changed my life.

multiple network interfaces causing errors

Update (9/24/07 & 10/22/07): I’ve noticed a few people mentioning they get an error when compiling and/or starting netatalk (from as well). Folks with more than one available network adapter (like eth1 and eth2, or virtual adapters created by vmware) seem to run into an error both when they compile and at runtime. During compile time you might have an error that ends in:

  • dpkg: error processing netatalk (--install):
  • subprocess post-installation script returned error exit status 1
  • Errors were encountered while processing:
  • netatalk
  • debi: debpkg -i failed

After this, you would probably get an error at runtime that looked like:

  • Starting Netatalk services (this will take a while): nbp_rgstr: Connection timed out

Tim Pope wrote a suggested fix in the comments below that should eliminate the conflict between the multiple adapters. I only have one adapter myself (and don’t use vmware) so I haven’t had a chance to try it yet myself. Let me know if this works for you as well.

153 Comments (newest first)

  1. Max Newbie says:

    Trying to set up my first Debian NAS.
    I get hung up here:
    apt-get source netatalk
    results in
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    E: Unable to find a source package for netatalk

    Is the source no longer available?

    • Damon says:

      Are you using Debian Squeeze or Lenny ? I don’t think you need this guide if you are using Squeeze – but it is in the repository, either way. Not sure why your machine isn’t finding it ..

  2. […] web, but neither was up-to-date or did everything that I wanted. But thanks for to Kremalicious and damontimm for getting me […]

  3. rj says:

    Hi, great how-to. I followed your instructions and the Macs at home are able to connect to my ubuntu and browse their respective folders. I would like to know how do I connect to a mac from my ubuntu and view/edit their files using their login credentials.

    My wife uses MS Excel workbooks and shares them across the local network. Other macs can access the workbooks and edit them without any problem. My ubuntu can access the file but does not have the permission to edit them simultaneously even though my username is included in the allowed list. I’m thinking it’s a permission issue. How do I use netatalk to get the right permissions?

    Thanks for this great info.

    • Damon says:

      Well – Netatalk is a piece of linux software for the machine serving the files over AFP on a network … so, it won’t help you when you are retrieving the files that are being served from a mac (which doesn’t use netatalk). You’ll need something else …

      How are you connecting to your mac from Ubuntu? My guess is, the mac probably has Windows File Sharing enabled and you are connecting via SAMBA from Ubuntu … there are some FUSE bindings which allow you to connect via AFP from Ubuntu (I use afpfs-ng with success) … it’s not as pretty and requires the command line but it works for me.

      Hope that helps.

  4. Great guide Damon!
    I’ve been looking for this for a long time.
    Big thanks to you!

  5. […] so that the Macs can access files, the best instructions I have found are on the blog, originally published a couple of […]

  6. […] is very well described here: How to: Install Netatalk (AFP) on Ubuntu with Encrypted Authentication. Thanks […]

  7. matt says:

    Dude. You rock. Thanks for the article, nice to have AFP working.

  8. David C. Menges says:

    Would like to hire someone (money, beer, Starbucks, iTunes) to remotely configure (or step me through configuring) my Ubuntu 9.04 box to be a Time Machine-like backup server for our family’s Macs. I’ve tried the above and other instructions, but always end up stuck on Ubuntu errors. Please send bids to

    • Damon says:

      Hey – I actually never had luck with Time Machine over netatalk myself … I only played with it a little, because I mainly use netatalk to serve all my files from a central file server … rather than as a backup for my Macs. Would be interested in seeing it implemented, though. But sorry: I don’t think I have what it takes, yet. Smile.

  9. darthpenguin says:

    WOW!!! AWESOME!!!

    I have tried other tutorials for Netatalk but this is the only one that let Netatalk start automatically when I log on to Ubuntu. I don’t need to start it from the command line any more!!! SWEET!!!

    With this tutorial and the one posted at (specifically the part on Avahi) I now have a near-perfect setup to share files from mac to Ubuntu and vice versa.

    Incidentally, if anyone reading this is running Leopard and wants to connect from Ubuntu to Leopard you can turn on “Remote Login” under the “Sharing” preferences which allows ssh and sftp. The nice thing is that Ubuntu’s network browser sees the mac servers (like Bonjour sees other macs) so there is no mucking about with “Connect to Server” or Samba.

    Thanks again man, you are a life saver.

  10. john says:

    Has anyone had any luck making this work with 9.04?

    • Damon says:

      I just tried this quick on my eee-pc and it worked directly from the repositories — no need to use the instructions (above). I will put a note in the body of this. I believe the package was finally updated for ubuntu.

      • jim says:

        2.04 beta 1 and 2 in the Jaunty repositories did not work for me, I had to use the above instructions, which worked fine in both cases.

  11. […] highly usefull, but has to basically be built from scratch to be usable with Leopard. I found this guide to be incredibly helpful and pretty straight forward. Only thing really not talked about is adding […]

  12. Tommy says:

    For the folks having trouble getting netatalk to start on boot, have a look at this bug:

    If disabling “roaming mode” doesn’t help on your system, feel free to add your experience to the bug report. (Note this is separate from the issue affecting multiple network adapters.)

  13. Nathaniel McInnes says:

    Hey, me again. Really need help on this one. I’ve decided to purchase a VPS and use it as an off site storage backup. I tried out a few VPSs with various other providers and got it to work fine. But I’ve come into an error now.

    When I run the command:

    sudo debi

    I get this error:
    root@chostwales:~/src/netatalk/netatalk-2.0.3# sudo debi
    (Reading database ... 15625 files and directories currently installed.)
    Preparing to replace netatalk 2.0.3-9 (using netatalk_2.0.3-9_i386.deb) ...
    Stopping Netatalk Daemons: afpd cnid_metad papd timelord atalkd.
    Unpacking replacement netatalk ...
    Setting up netatalk (2.0.3-9) ...
    Starting Netatalk services (this will take a while): socket: Address family not supported by protocol
    socket: Address family not supported by protocol
    atalkd: can't get interfaces, exiting.
    invoke-rc.d: initscript netatalk, action "start" failed.
    dpkg: error processing netatalk (--install):
     subprocess post-installation script returned error exit status 1
    Errors were encountered while processing:
    debi: debpkg -i failed

    Now, I’ve tried to follow the modifications that others have suggested and have so far had no luck. Here is my ifconfig -a data:

    lo        Link encap:Local Loopback  
              inet addr:  Mask:
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
              inet addr:  P-t-P:  Bcast:  Mask:
              RX packets:655 errors:0 dropped:0 overruns:0 frame:0
              TX packets:506 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:50571 (49.3 KB)  TX bytes:61775 (60.3 KB)
    venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
              inet addr:XX.XX.XXX.XXX  P-t-P:XX.XX.XXX.XXX  Bcast:  Mask:

    I have hidden my VPS IP with XX.XX.XXX.XXX.

    What do I do? I have tried everything I can think of. I’ve put just venet0 in my atalkd.conf file and it didn’t work. I then put venet0 -dontroute and venet0:0 – dontroute and it still didn’t work.

    What am I doing wrong here?


    • Damon says:

      Am away from home now but, I suspect, I may not be able to offer much help for you. I can say that I do have netatalk and vmware server running successfully on my machine … when I get back and I can look at my afpd.conf file and see what it says … let me know if you find the solution.

  14. Nathaniel says:

    Hey Damon, great script!!! Thank you so much. However, I do have one question, and I don’t know if this is affecting everybody or just me: what code in the afpd file (if that is the file I need to do this with) sets it so the Mac Finder will automatically see the server? I’m currently having to go to Finder > Connect to server then type in its IP address. How do I make it appear when my Mac searches for network locations and also appear on the left in Shared?


    • Damon says:

      You will need the avahi-daemon (sp?) running; I don’t use it, myself, but there are some other how to’s around that should get that happening. Good luck!

      • Nathaniel McInnes says:

        Yeah, got it figured. I work for a medium film editing company in Wales, UK and I’m their IT dude. Originally we were editing off XRaids which is proving to be EXTREMELY expensive and looking into afp over on linux and I will tell you now, we could have saved thousands if I knew about this earlier, but oh well, got it now. It’s working like a charm. No dropped frames, no lagging, perfectly running fine. On top of that, we are also looking at using AFP on linux as our time machine backup location rather than afp rather than hard drives.

        Thanks :)

  15. Austin says:

    I’m really frustrated, and I’m hoping you could help (and maybe add it to troubleshooting, for the others). I keep getting this error:

    /root/src/netatalk/netatalk-2.0.3/./configure: line 23286: _LT_CMD_GLOBAL_SYMBOLS: command not found
    checking for _ prefix in compiled symbols... no
    /root/src/netatalk/netatalk-2.0.3/./configure: line 23345: syntax error near unexpected token `newline'
    /root/src/netatalk/netatalk-2.0.3/./configure: line 23345: `	  _LT_TRY_DLOPEN_SELF('
    make: *** [config.status] Error 2
    dpkg-buildpackage: failure: debian/rules build gave error exit status 2

    anyone know how to fix this?

    • Damon says:

      Hi Austin – sorry it isn’t working. I’m not sure, exactly, what the error is … but I do notice that you are running everything as root (you are in your /root/ directory). Did you intend to do that? My only thought is you maybe deviated from “the plan” (above) and that’s why your src folder ended up in root somehow …

  16. Full Decent says:

    On your first code listing, you may want to add:

    sudo aptitude install build-essential

    • Damon says:

      Did it not work for you without it ? I thought build-essential was included in the call apt-get build-dep netatalk … at least, it has been on my systems. I left it out just to save typing. Was looking on google but am having a hard time finding a list of what is installed with build-dep for a given package … hmm. Am curious if it didn’t work.

  17. Jon says:

    Hi, I’m having the same issue as Fernando. The netatalk service doesn’t seem to be starting when the Ubuntu computer is booted. I have to go into the terminal and type the command: “sudo /etc/init.d/netatalk restart”. Then I, just like Fernando, can access the server. I’m also running Intrepid Ibex (8.10). Any help would be appreciated.

  18. Fernando says:

    Hi, thanks for the detailed guide. Everything seems to be working ok, but only until I restart Ubuntu 8.10. After restart, Leopard can’t connect to the server via afp (either CMD+K and the IP address, or by clicking on the share drive). What am I doing wrong?

    If i restart netatalk service (sudo /etc/init.d/netatalk restart) , I can instantly connect again. But sure I shouldn’t have to do that at all.

    • Damon says:

      Hi there – interesting. So, you are restarting the Ubuntu machine with Leopard still connected ? Or do you disconnect Leopard, then restart it, then try to connect again? What error do you get when it tries to connect ? Does Ubuntu have a static IP address ?

  19. darkblue_b says:

    thx very much for this post. I have my two AFP servers running now.. a few gotchas though… GUTSY on AMD64 on both machines
    * cracklib2-dev wanted the Master CD?? I re-ran that one line and it worked
    * sudo DEB_BUILD_OPTIONS=ssl dpkg-buildpackage -us -uc didn’t work for me.. I used
    env DEB_BUILD_OPTIONS=ssl sudo dpkg-buildpackage -us -uc
    * copyright hints.. I got that same behavior
    mv debian/copyright_newhints debian/copyright_hints
    * debi not found
    sudo apt-get install devscripts
    * afpd.conf, per the suggestion
    -noddp -signature user:USERS
    * AppleVolumes.default, added another volume..
    /home/shared/ “$s Shared”

    • Damon says:

      Hi – thanks for the tips. I haven’t tried this on a 64 bit system but hope to (shortly). Will be good to have your tips nearby. Appreciate it.

  20. KP says:

    Damon, thanks for the great post!

    I had the exact behavior described by CB above on 5/18/2008 (copyright issue) trying to install on ubuntu 8.10. I solved that by copying debian/copyright_newhints to debian/copyright_hints with these lines:

    • $ sudo mv copyright_hints copyright_hints~
    • $ sudo mv copyright_newhints copyright_hints

    as described here:

    That revealed my next problem which is a version conflict with Berkeley DB. I get these lines at the console when running dpkg-buildpackage:

    checking /usr/include//db.h version >= 4.1.0... 4.7.25, yes
    checking for Berkeley DB link (-ldb-4.6)... yes
    checking Berkeley DB library version >= 4.1.0... header/library version mismatch (4.7.25/4.6.21), no
    Make sure you have the required Berkeley DB libraries AND headers installed.
    You can download the latest version from
    If you have installed BDB in a non standard location use the
    --with-bdb=/path/to/bdb configure option and make sure
    your linker is configured to check for libraries there.
    configure: error: Berkeley DB library required but not found!
    make: *** [config.status] Error 1
    dpkg-buildpackage: failure: debian/rules build gave error exit status 2

    I believe this is because my system has both versions 4.7.25 and 4.6.21 on it. I’m not clear on how to provide the configure option described (--with-bdb). Can anyone help?

    • Damon says:

      Hmm … I wonder why that happened on your system? I didn’t have the same problem, with 8.10 … so, not sure how to go about troubleshooting it, to be honest.

      Are you able to find out which locations bdb is stored in? If so, maybe you could pass that before you ran the buildpackage? I am not sure of the details … but that would seem to be the way to go … Sorry!

    • Robert says:

      I had a similar problem which was remedied with a:

      $ sudo apt-get remove libdb4.6

  21. […] the idea of setting up “AFP Sharing” with Netatalk was born. After a short Google search I found some nice documentation on the blog at the address. I, too, just now, the Mac OS on the Mac Mini at home […]

  22. […] how-to-install-netatalk-afp-on-ubuntu-with-encrypted-authentication […]

  23. The command “DEB_BUILD_OPTIONS=ssl sudo dpkg-buildpackage -us -uc” is unfortunately wrong. This command passes the variable to the ‘user’ and not to the root. This means the variables are not passed to dpkg!!

    The correct is: sudo DEB_BUILD_OPTIONS=ssl dpkg-buildpackage -us -uc
    Here first sudo is invoked, and only then the variable is set.

    There is no need to edit the debian/rules file !

    • Damon says:

      @ Christophe Vandeplas: Holy Cow! You are right! I just removed my netatalk install and tried this out and it seems that having that sudo thrown in the middle of everything really got it all mixed up! Here is what I did (which doesn’t even require you to go it su either) and it worked for me:

      sudo apt-get build-dep netatalk
      cd netatalk-2.0.3/
      sudo DEB_BUILD_OPTIONS=ssl dpkg-buildpackage -us -uc
      sudo debi

      I will fix the instructions up top soon to reflect this — because you are right: sure don’t need a patch!

  24. BenL says:

    My Ubuntu Intrepid 8.10 (which I managed to get working a few weeks ago with this and other similar great posts) stopped working… who knows why.

    I removed netatalk and re-run per the install above and it was all go…!! So +1 for 8.10…


    • Damon says:

      @ BenL: did you run the final echo "netatalk hold" | sudo dpkg --set-selections? I find that’s what most often gets me in trouble because it will auto-update and then stop working and then I have to start over …

  25. Niko says:

    Hi, I finally got netatalk working with SSL thanks to your howto & patch. The only thing was that Ubuntu was complaining during compiling the code that the patch was not certified? I deleted the file because I already applied the patch, restarted compiling and it worked perfectly. Thank you!

    • Damon says:

      @ Niko: when you say you “deleted the file”, which file do you mean ? The patch isn’t signed, so am interested to see what had happened.

  26. […] Here is the best, working guide for getting Netatalk up and running on an Ubuntu box. Tagged with: afp, apple, Linux, netatalk « Die blaue Stunde Are you addicted to Apple? » […]

  27. Jay says:

    Hi Damon,

    Thank you very much!

    It works on my Ubuntu 8.10 very well.


  28. JET says:

    Ben’s modifications for the debian/rules worked for me on a fresh 8.10 install. Before those changes I was getting the “invalid username or password” error from Leopard (10.5.5).

    Even then, the build threw out lots of warnings about various UAM symbols found in “none of the libraries”.

    Now just need to get it to advertise.

    • Damon says:

      I just updated this guide today to include the debian/rules patch file that I created using Ben’s suggestions (mentioned in JET and KB1IBT comments).

      I was able to get it all working in 8.10 pretty easily — hopefully the patch file makes it a cinch to do it all from the command line.

      Let me know if that’s working with 8.10.

      • JET says:

        Damon, thanks! I installed on a new system today with your patch and new instructions. Worked perfectly!

        A thing I learned this afternoon that might help someone else: if you install two Linux systems on your network with these instructions and try to mount shares from both at the same time, you’ll likely see some confusion: the second one you log into will show the same shares as the first, not its own.

        I don’t fully understand the details but apparently it uses the first IP address from /etc/hosts to generate the AFP server ID. So if the loopback address is listed first in both, then both will have the same server ID.

        You could probably fix this by editing /etc/hosts to put the real IP first, but since mine are both DHCP clients I used the other approach of editing /etc/netatalk/afpd.conf to set the ID via the “-signature” parameter. I added it to the final line in the config file with the “user” keyword and the hostname. Then I uncommented that line. My afpd.conf looks like (without the quotes):

        - -transall -uamlist, -nosavepassword -signature user:LAPTOP

        Just use a different “user:” parameter on each system.

        • Damon says:

          @ JET: that is an awesome suggestion that has completely changed my life (well, almost, anyway) — I will add it to the tips and tricks section about soon. I love it!

        • anderbubble says:

          I found this line in /etc/defaults/netatalk:

          ATALK_NAME=`/bin/hostname --short`

          This seems to be the original configuration for this value, and also demonstrates that the problem isn’t that the ip address is, but that the canonical hostname is “localhost”.

          in /etc/hosts, I had the line

 localhost realhostname

          This is incorrect, according to hosts(5) (localhost should be an alias for realhostname, not the other way around), and causes `hostname --short` to yield “localhost”. Changing it to

 realhostname localhost

          fixes everything!

          • Damon says:

            Hey – do you mean that prior to those changes that if you ran the command:

            • $ hostname --short

            The output was localhost? Interesting. My installations come up with (in /etc/hosts):


            Interesting. Thanks for the insight!

            • Christophe says:


              Many thanks to JET: I had the same problem with my two servers, and adding the signature solved it. I can now log to both systems at same time.

              I had the /etc/hosts correctly configured, with hostname --short giving the server’s name. This was not the cause of the problem.

  29. Fisslefink says:

    Thanks Damon! Between this and I was able to get it working on Ubuntu Intrepid Ibex (8.10) with Leopard OS X.

    For me the stumbling block was running “debi” as you suggested. For whatever reason, that did not work to install the custom-built version of netatalk. Running the following command worked better:
    sudo dpkg -i ../netatalk*.deb

    (as suggested on the link above)

    NOTE: Making the .passwd files as suggested on the link above was not required. Also, no edits of /etc/netatalk/afpd.conf were needed.

    • Damon says:

      @ Fisslefink: I just gave this a run for the money on 8.10 this morning and ran into problems myself. The first, was that I was getting an error:

      nbp_rgstr: Connection timed out
      Can't register ibm-xubuntu:Workstation@*

      I tried your suggested method: sudo dpkg -i ../netatalk*.deb but got the same error.

      Turns out that was from having too many available network interfaces — I disabled wireless and then it worked. But I am still having trouble connecting from my mac.

      I plan to try and troubleshoot it a bit later. Thanks for the heads up.

  30. Mike Kolcun says:

    Beautiful. Thanks very much!

  31. herman says:

    As I have been tinkering with Netatalk and a Leopard environment I also had to adjust the afpd.conf in order to get things going. Take a look at

    .. as Leopard refuses to connect to a non-encrypted server