Let’s Talk Netatalk and Storage
Picking up from where I left off in my last post, “Entertainment, Backups and a Whole Lot More,”
you should now have a great place to store all your media, but no way of getting it all there.
Well, that’s where Netatalk comes in. In the Mac world, AFP (the Apple Filing Protocol) is what Macs use to share files with each other, and Bonjour is what makes the available machines show up in the Finder sidebar with zero configuration; SMB (Windows) machines appear there the same way. Netatalk (named after the older AppleTalk network protocol, which it also speaks but which we won’t need) is an open source AFP server that turns your simple Linux box into something a Mac treats as just another Mac file server. With avahi-daemon installed (Ubuntu desktop has it by default; on a server, apt-get install it) the box announces itself over Bonjour as well.
Here’s How:
The first step is to install Netatalk.
From the command line type in the following command: sudo apt-get install netatalk
Wow, wasn’t that simple? Oh wait, there’s configuration, right? Well, yes, but not much. In our last episode, we created folders to store your media. You’ll need to have the full path of your new folders handy so we can make them available on the network.
Next, we’ll need to edit the AppleVolumes.default file.
Use the command below to launch nano and start editing: sudo nano /etc/netatalk/AppleVolumes.default
Here’s where everything comes together.
Now, navigate down to the end of the file.
By default there is a line containing just “~”, which gives every user access to their own home directory. Wait, what was that about users? Don’t worry, we’ll cover users soon.
Here is the syntax you’ll need when adding share locations, one share per line:
/full/path/to/folder "Name of Share" option:value option:value
Use straight double quotes only; the curly quotes a word processor or a web page slips in will stop afpd from parsing the line. Let’s break this down into something that makes a little more sense. If you created folders under the /opt/ folder, as I explained in the last post, here’s how the line for the multimedia folder would look:
/opt/multimedia "Multimedia" cnidscheme:dbd options:usedots,upriv
Please note that “cnidscheme:dbd options:usedots,upriv” are my personal choices (upriv is worth keeping: it makes Netatalk honour the Unix owner, group and mode of every file, which the user and group setup below relies on). Within the default AppleVolumes.default file, you’ll see a list of the available options. Take a look and decide what options you’ll want to use. Feel free to copy my options as they work well for this deployment.
Add all the folder locations you want to share.
At this point, it’s a good idea to decide if you’ll be using this server for multimedia only or if you have grander plans to use this server as a full-blown file server extraordinaire. If you plan on doing more than multimedia, you’ll want to create some public folders for all your users to access.
I know I haven’t covered this users thing yet, so let’s get right to the point. Just like every other operating system, Ubuntu is a multi-user operating system. What does this mean for you? It means that every individual using the shares either needs to log in with one shared username (the one you created to administer the Ubuntu box originally) or you’ll need to create some users so they can each use their own username and password.
Let’s talk scenario.
In the typical household or office you have multiple users. A typical nuclear family = 2 parents and 2.5 kids. (I still haven’t figured out how to get half a kid, but let’s just round up to 3 for argument’s sake.) That means 5 users, and now-a-days that could mean 15 devices! Are you surprised? Those devices add up quick! The good thing here is unless each person is using five aliases, we’re still only talking about five users. I had you scared didn’t I? So, each person in the household has a username that was created on their computer when it was set up. They may not remember it, but they’re pretty easy to find. Each of those usernames has a password too, but don’t collect them: a password someone types into their Mac should stay on their Mac. Give each person a temporary password for the server and have them change it with passwd once they can log in. Once you have the list of usernames, it’s time to create the users!
Here’s How to Create the Users:
Step #1: Create the timemachine account first, before all the others (and I don’t mean yours). Don’t reach for useradd’s -p switch: it expects an already-hashed password, and whatever you type after it ends up in your shell history and in the process list for everyone on the box to read. Create the user, then set the password separately:
sudo useradd -m timemachine
sudo passwd timemachine
For everyone else it’s the same pattern with one extra switch, for example “sudo useradd -m -G timemachine mark” followed by “sudo passwd mark” (the -m creates a home directory, which you want because Netatalk shares ~ by default).
We haven’t covered this part yet, but if you’re using Mac computers you probably want a way to back them up, and if so Time Machine is your best friend. Time Machine is an Apple technology that regularly runs a backup of your machine without you doing anything. Even better, it only backs up changes, so after the first long backup each new one goes very quickly. I interject this here because creating the timemachine user also created a timemachine group (Ubuntu makes a private group with the same name for every new user), and “-G timemachine” on each of the other users’ useradd commands puts them in that group as a supplementary group on top of their own private group. I know it doesn’t make much sense now, but adding the users to this group now will save a headache later.
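Here is an added example, not part of the original post, of how the account creation can be scripted so the password never appears on the command line: chpasswd reads “user:password” on standard input and hashes it itself, which is what useradd -p cannot do. The function names, the DRY_RUN switch, the generated temporary password and the default “timemachine” group are all assumptions of this example; it assumes a Linux box with useradd and chpasswd, and that the timemachine group already exists (creating the timemachine user above does that).

```shell
#!/bin/sh
# Added example, not from the original post.  Creates server accounts for
# Netatalk without putting a password on the command line.
# Assumptions: Linux userland with useradd and chpasswd, and the
# "timemachine" group already exists (creating the timemachine user makes it).
# Set DRY_RUN=1 to print the privileged commands instead of running them.

# Netatalk authenticates against the system's own users, so every AFP
# login needs a real Unix account with a valid (POSIX portable) name.
valid_username() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# create_share_user NAME [SUPPLEMENTARY_GROUPS]   (run with sudo)
# -m creates the home directory because Netatalk shares ~ by default.
# Prints "NAME:temporary-password" once; hand it over out of band and have
# the user change it with passwd on the server.
create_share_user() {
    name=$1
    groups=${2:-timemachine}
    if ! valid_username "$name"; then
        printf 'invalid user name: %s\n' "$name" >&2
        return 1
    fi
    # 12 random bytes -> 16 base64 characters, minus the awkward / + = ones
    temppw=$(head -c 12 /dev/urandom | base64 | tr -d '/+=\n')
    run useradd -m -G "$groups" "$name" || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'chpasswd  (stdin: %s:<temporary password>)\n' "$name"
    else
        # chpasswd hashes the password itself; nothing goes on the command line
        printf '%s:%s\n' "$name" "$temppw" | chpasswd || return 1
    fi
    printf '%s:%s\n' "$name" "$temppw"
}

# usage: sudo ./adduser.sh maryjane humanresources,timemachine
if [ $# -gt 0 ]; then
    create_share_user "$@"
fi
```

Run it once per person with the department groups from the office scenario later in the post, and keep the printed temporary password off any shared channel.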
Our users are created and it’s time to show you a couple of special tricks when sharing files.
First off, let’s cover this TimeMachine thing.
Here’s how to enable Time Machine backup services on your server:
Create a TimeMachine backup location: sudo mkdir /opt/timemachine
Set user permissions on this folder to the timemachine user and group: sudo chown timemachine:timemachine /opt/timemachine
Set user and group permission level on this folder to drwxrwxr-x
sudo chmod 775 /opt/timemachine
So, now we’ve created a folder that the timemachine user and anyone in the timemachine group can read, write and traverse, and that every other account on the box can list and read. If you’d rather the other accounts couldn’t browse the backups at all, use 770 instead of 775.
The next step is to add this share location to the AppleVolumes.default file:
Open the AppleVolumes.default file for editing: sudo nano /etc/netatalk/AppleVolumes.default
Add the following line at the end of the file (straight quotes, as before):
/opt/timemachine "timemachine" cnidscheme:dbd options:usedots,upriv,tm volsizelimit:256000
You’ll notice a couple of key changes to this line. First, the options have an added switch, “tm”. This switch tells Netatalk to advertise the share as a Time Machine volume; without it, the share would be just another file store location and the Mac would not offer it as a backup destination. Second is the “volsizelimit:256000” addition. This one is a bit more involved. Time Machine keeps old snapshots until the volume is full, so left alone it will use all available space on whatever volume you point it at. This is a huge concern in our scenario: we want this server to do everything, so we really need to limit the space the backups can use. The number is in MiB, so 256000 is roughly 250 GB; Netatalk reports that as the volume’s size, and the Mac prunes old backups to fit inside it. Use your discretion when setting the size limit. If you have 5 machines backing up to this you’ll want to make sure you have plenty of disk space available for Time Machine, because it will fill up fast.
Here’s another cool trick. Have files you want to keep private? There’s a switch for that too!
/opt/private "private" cnidscheme:dbd options:usedots,upriv allow:USERNAME
Above is an example of a private folder set to allow only the USERNAME specified. This is great in an office environment when you need to allow only specific users. Add as many users as you like, separated by commas, behind “allow:”.
The next step is to lock the private folder down on the file system as well, because “allow:” is only checked by afpd: anyone with a shell on the server, or another service sharing the same disk, never sees that list. Give the folder to USERNAME and take every other bit away:
sudo chown USERNAME:USERNAME /opt/private
sudo chmod 700 /opt/private
Now about shared shares. This sounds a bit redundant so let’s define it a bit more. A shared share is a file share that will need to be accessed by multiple users. This is one of the more difficult options, but is usually extremely important in an office environment.
The first step is to create a folder on the system.
Let’s call this folder “sharedstuff”: sudo mkdir /opt/sharedstuff
Next, we’re going to need to create a group.
This group will be added to every user you want to share this folder with. This is where it all gets tricky. Who do you want to give access to? Will you be giving this group of users access to other shares? How many shares do you need, and thus how many groups will you need? See how this can get complicated?
It may be easier if we build everything from a scenario.
We’re all part of a small business called, “Amazing Mac Artists.” Within our company we have different groups of people:
Designers: Art people who design beautiful websites and print material
Software Engineers: Engineers who build the back end of websites
Human Resources: Every company needs an HR department
Management: I believe this one is self explanatory
Accounting: Those wonderful math people who keep us all in line
Now that we’ve defined our departments, we can define our groups.
First of all, we need a group for the common share that encompasses the whole company (groupadd, like everything else that touches /etc, needs sudo):
sudo groupadd company
Next, let’s create groups for all the individual departments.
sudo groupadd designers
sudo groupadd softwareengineers
sudo groupadd humanresources
sudo groupadd management
sudo groupadd accounting
We will probably need some special groups, as well. There will probably need to be folders that encompass the sensitive information that HR and Management will need to share. Also, Management may need access to Accounting resources, but not necessarily the Accounting share. So, let’s make this simple. Management will want access to everything. Let’s just give it to them from the beginning and simplify the whole process.
So here’s how we do it. We have users who are in each group, so let’s define them:
Designers: Mark, Tom and Travis
Software Engineers: John, Paul, George and Ringo
Human Resources: Mary Jane
Management: Peter, Norman
Accounting: Gwen
Now, let’s add the users to these groups. The -a matters: it appends to the user’s existing supplementary groups, whereas -G on its own replaces them and would silently drop the user out of timemachine.
sudo usermod -a -G designers mark
sudo usermod -a -G designers tom
and so on …
Here’s the key: we want to make sure to add Peter and Norman to every group so they have oversight.
sudo usermod -a -G designers,softwareengineers,humanresources,management,accounting peter
and so on …
Now that the users are all part of the groups, let’s create some folders:
sudo mkdir /opt/designers
sudo mkdir /opt/softwareengineers
sudo mkdir /opt/humanresources
and so on …
Once all folders are created, it’s time to set the owner and group, and then the mode. mkdir gave you 755, which lets the group read but not write, so the chmod is not optional: 2770 gives the owner and the group full access, keeps everyone else out, and the leading 2 (setgid) makes every file and folder created inside inherit the department group instead of the creator’s private group.
sudo chown ADMINUSER:designers /opt/designers
sudo chmod 2770 /opt/designers
sudo chown ADMINUSER:softwareengineers /opt/softwareengineers
sudo chmod 2770 /opt/softwareengineers
sudo chown ADMINUSER:humanresources /opt/humanresources
sudo chmod 2770 /opt/humanresources
I know you’re thinking, “Why did he use the ADMINUSER instead of one of the other users?!”
The reason all goes back to oversight. In every organization, the most powerful person or group of people is IT. Sounds strange, but IT are the folks who have access to just about everything, and if they don’t they can get it. As an administrator over the system, you’ll need to be able to make whatever changes are necessary to the files within, and thus the ADMINUSER, whatever username that is represented by, will be the owner of each folder. (root can change anything on the box regardless of who owns a folder; owning it as ADMINUSER simply lets you manage the contents from a Mac over AFP without a shell and sudo, and keeps the folder from belonging to whichever employee happened to be created first.)
Once these tasks are created, you’ll need to edit the AppleVolumes.default file again with your new share locations:
sudo nano /etc/netatalk/AppleVolumes.default
Add the lines you’ll need for each share (straight quotes, one line per share):
/opt/designers "designers" cnidscheme:dbd options:usedots,upriv allow:mark,tom,travis,peter,norman
and so on …
You’ll only need the “allow:” option if you want only those users to see and mount the share; leave it off and every account on the server can mount it. Either way, afpd is the only thing that checks allow:, and it says nothing about the files inside: with upriv set, the Unix owner, group and mode decide who can read or write what. Someone who can mount a share without being in its group is denied the moment they click into it.
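The Time Machine, private and department share sections above all come down to the same three commands plus one AppleVolumes.default line, and the things that go wrong are the same each time: a curly quote, a forgotten chmod, a tm share with no size limit, a group-writable folder without setgid. Here is an added example, not from the original post, of a helper that creates such a directory with the right mode and an audit that reads an AppleVolumes.default and checks each share’s directory against those rules. The function names, the argument order and the findings are assumptions of this example; it also assumes GNU coreutils (stat -c) and the Netatalk 2.x one-line volume format used throughout this post.

```shell
#!/bin/sh
# Added example, not from the original post.  make_share creates a share
# directory with the mode its section above calls for; audit_volumes reads an
# AppleVolumes.default and checks every share line against those rules.
# Assumptions: GNU coreutils (stat -c) and the Netatalk 2.x volume format
#   /path "Name" option:value ...
# make_share needs root for chown; audit_volumes only reads.

# make_share DIR OWNER GROUP MODE
#   private:      make_share /opt/private     gwen        gwen        0700
#   Time Machine: make_share /opt/timemachine timemachine timemachine 2770
#   department:   make_share /opt/designers   adminuser   designers   2770
# 2770 = owner and group read/write/traverse, nobody else, plus setgid so
# files created over AFP inherit the folder's group instead of the
# creator's private group.
make_share() {
    mkdir -p "$1" && chown "$2:$3" "$1" && chmod "$4" "$1"
}

# audit_volumes FILE   prints one finding per line; exit status = finding count
audit_volumes() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*|'~'*|':'*) continue ;; esac   # comments, ~, :DEFAULT:
        case $line in *“*|*”*)
            echo "$line: curly quotes; afpd needs straight double quotes"
            n=$((n + 1)) ;;
        esac
        path=${line%% *}
        opts=$(printf '%s\n' "$line" | tr ' ' '\n' | sed -n 's/^options://p')
        if [ ! -d "$path" ]; then
            echo "$path: directory does not exist"; n=$((n + 1)); continue
        fi
        mode=$(stat -c %a "$path")
        case $mode in ???) mode=0$mode ;; ??) mode=00$mode ;; ?) mode=000$mode ;; esac
        special=${mode%???}          # setuid/setgid/sticky digit
        perm=${mode#?}               # the rwx digits
        g=${perm#?}; g=${g%?}        # group digit
        o=${perm#??}                 # other digit
        # allow: is enforced by afpd only; local logins and other services
        # still see the directory unless "other" has no bits at all
        case " $line" in *" allow:"*)
            [ "$o" = 0 ] || { echo "$path: allow: set but mode $mode lets others in"; n=$((n + 1)); } ;;
        esac
        case ",$opts," in *,tm,*)
            case $line in *volsizelimit:*) ;; *)
                echo "$path: tm share without volsizelimit; Time Machine will fill the disk"
                n=$((n + 1)) ;;
            esac ;;
        esac
        case $g in 2|3|6|7)          # group-writable folders want setgid
            case $special in 2|3|6|7) ;; *)
                echo "$path: group-writable without setgid; new files keep the creator's group"
                n=$((n + 1)) ;;
            esac ;;
        esac
    done < "$1"
    return $n
}
```

Run “audit_volumes /etc/netatalk/AppleVolumes.default” after every edit and before the restart below; a zero exit status means every share line points at an existing directory whose mode matches what the line promises.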
So, we’ve created all the share locations, created all our users, added shares for the folders to Netatalk and even seen how we can scale this into a larger environment. What’s next? Well, you have to turn it all on. Until now, we’ve made modifications but no one can see the shares because Netatalk doesn’t really know about them yet.
You’ll need to restart the Netatalk service for the changes to take effect.
[Please keep in mind that if you make changes in the future you’ll have to restart Netatalk every time the AppleVolumes.default file is modified.]
To restart Netatalk, run the command: sudo service netatalk restart
Here are a few final notes:
Always make sure you’re saving the changes you’ve made to files. In nano, ctrl-x closes the file but you’ll need to answer, “Yes,” when it asks you to save changes. If you’re making a lot of modifications, you may want to save your work intermittently before closing the file. In nano, ctrl-o will write changes while keeping the file open.
This was a lot of information to cover but I think after reading this you should have a pretty good handle on some high-level concepts and also how to get things setup and working.
Until Next Time,
Jason