This is because, apparently, OpenSSL has a license that is incompatible with Debian’s GPL. Regardless: clear text is bad; encryption is good. And since Ubuntu doesn’t package netatalk with the appropriate encryption support, one must do it oneself.

Updated 05.08.09: Just tested this with Jaunty (09.04) and the package in the repositories works with no extra steps. If you are using an older version of Ubuntu, however, you will want to follow these instructions. Tested with Intrepid Ibex (8.10) as well as: 6.06, 7.04, 7.10, and 8.06.

about this guide

When I first found that Ubuntu’s netatalk package didn’t support encrypted authentication, I tried to compile netatalk from the source. I didn’t get very far. Throwing up my hands in frustration, I spent some more time on google and found some ideas at the Ubuntu Forums. Pulling it all together, with ideas and fixes from comments (below), this is what I came up with (which I think is a lot easier than building from source).

steps to follow

NOTE: If you have already installed netatalk you should remove it before proceeding with a sudo aptitude purge netatalk before you get going.

• sudo aptitude update
• mkdir -p ~/src/netatalk
• cd ~/src/netatalk
• sudo aptitude install cracklib2-dev libssl-dev
• apt-get source netatalk
• sudo apt-get build-dep netatalk
• cd netatalk-2.0.3
• sudo DEB_BUILD_OPTIONS=ssl dpkg-buildpackage -us -uc
• sudo debi
• echo "netatalk hold" | sudo dpkg --set-selections

The basic trend of this set of operations is to: create a directory where all the messy files can be stored, download necessary packages, get the netatalk source, compile the source with the ssl option, install the package, then tell Ubuntu never to update the package (because if it did, it would break).

Settings for the netatalk service can be found on your Ubuntu machine at /etc/netatalk/. There are a couple configuration files in there with instructions. Good luck.

configuration files

One of the first changes I make after installing netatalk is to disable some of the services that I don’t need running (and start those that I do). To do this, I edit: /etc/default/netatalk, changing the daemons that run so that it ends up looking like this (which allows netatlk to restart a lot quicker without the atalkd daemon — which is a holdover from pre-OS X times):

# Set which daemons to run (papd is dependent upon atalkd):
ATALKD_RUN=no
PAPD_RUN=no
CNID_METAD_RUN=no
AFPD_RUN=yes
TIMELORD_RUN=no
A2BOOT_RUN=no

These are the settings I am using since I only need the afp file server — one thing to note, however, is that if you want to use the dbd databashe scheme rather than cdb, you need to set CNID_METAD_RUN to yes.  cdb is supposed to be faster, while dbd is supposed to be “corruption-proof”.  You can read it about in the docs.

After you’ve saved changes to this configuration file, run the following to restart netatalk:

• sudo /etc/init.d/netatalk restart

other tips and tricks

Here are a couple other thoughts and pointers that I’ve picked up over the years …

multiple afp servers running on the same network

I never thought much of it, but I did notice: if you have two different servers on your network running netatalk, you are unable to login to both of them at the same time. JET posted a solution to this and it works flawlessly. It has changed my life.

multiple network interfaces causing errors

Update (9/24/07 & 10/22/07): I’ve noticed a few people mentioning they get an error when compiling and/or starting netatalk (from ubuntuforums.org as well). Folks with more than one available network adapter (like eth1 and eth2, or virtual adapters created by vmware) seem to run an error when they compile and during runtime . During compile time you might have have an error that ends in:

• dpkg: error processing netatalk (--install):
• subprocess post-installation script returned error exit status 1
• Errors were encountered while processing:
• netatalk
• debi: debpkg -i failed

After this, you would probably get an error at runtime that looked like:

• Starting Netatalk services (this will take a while): nbp_rgstr: Connection timed out

Tim Pope wrote a suggested fix in the comments below that should eliminate the conflict between the multiple adapters. I only have one adapter myself (and don’t use vmware) so I haven’t had a chance to try it yet myself. Let me know if this works for you as well.