OmniOS: Netatalk with PAM Authentication

Use of the same passwords for AFP and local users

This article is part of a series focused on the building and setup of a home-NAS based on ZFS and OmniOS. The index is located here: An OmniOS ZFS Fileserver.

Using netatalk is possible to share folders from a server to OS X clients. The advantage over CIFS (the kernel implementation provided by illumos) is greater speed and less CPU usage on the client, since the SMB implementation by Apple is not optimised for the NT1 protocol and illumos provides only the NT1 protocol at the time being. Newer Macs may still have enough CPU power to saturate a gigabit connection, but my old Core 2 Duo couldn't and was limited to about 70 MiB/s per transfer.
I decided not to use Samba because I would have needed AFP anyway for Time Machine backups.

The installation of netatalk was straightforward, thanks to the very good repository uulm.mawi that offered the latest version and that gets updated frequently.

Often netatalk is used with a different set of passwords and usernames, but I wanted to reduce the risk of problems, so I decided to use PAM also for netatalk.

In /etc/pam.conf I added at the end:

# netatalk settings
netatalk auth requisite
netatalk auth required 
netatalk auth required 
netatalk auth required

and I updated the /etc/afp.conf with:

; Global server settings
; hostname = OmniOS-Xeon
; zeroconf = yes
;uam list =,
uam list =
; save password = no

that instructs netatalk to accept only the most secure authentication mechanism (uams_dhx2).

I also added some other settings to netatalk. The first two would generate automatically shares for each user. The first one would show all of them in the list of shares, the second one would show each user only his/her home:

;basedir regex = /export/home
;home name = $u

;path = /tank/home/$u

In my case I set my share manually and I hid from netatalk the fodler containing my mail (see OmniOS: Postfix And Stunnel), to avoid deletion and other potential problems.

path = /tank/home/olaf
veto files = Maildir/.zfs/
delete veto files = no
veto message = yes

I also set netatalk for Time Machine backups and I added some other shares:

path = /tank/Backups
time machine = yes
vol size limit = 700000

path = /tank/Temporary

Author: Olaf Marzocchi

First revision: 2015-02-02.
Last revision: 2015-04-20.