
Let (Open)solaris (neta)talk to Lion about TimeMachine

After having (of course) upgraded to Mac OS 10.7 alias Lion on the first day available – and after having set up my machine the way I wanted it – I thought it would be a good idea to turn on TimeMachine to save my precious new installation to my ZFS / Opensolaris server.

Unfortunately Time Machine told me that I could not do so, because my Time Machine / AFP server didn't have all necessary capabilities. Humm it worked fine with Snow Leopard …

Then I tried to connect to the server via AFP, and that didn't work either:
After entering my password in the authentication dialog, Finder told me that "The version of the server you are trying to connect to is not supported. Please contact your system administrator to resolve the problem."

That would be me …

So I fired up Google and the problem seemed well known:

For security reasons Apple removed "DHCAST128", an asymmetrical encryption algorithm used for password authentication, from the methods allowed for the AFP protocol in Lion. The minimum requirement is now "DHX2", the successor of DHCAST128.

Unfortunately the provided solutions did not work for me:

They suggested adding the following line to afpd.conf

-uamlist uams_randnum.so,uams_dhx.so,uams_dhx2.so

But hey I already had this line there. hmmm. I searched around for other stuff but couldn't find the error.

Then I decided to try out the newest beta version of netatalk (2.2-beta4) but ended up the same. I thought it was "correctly" configured and indeed all the configuration options in the configuration file were correct.
The problem was that "uams_dhx2.so" did not exist in /usr/local/etc/netatalk/uams/ .
Weird – I looked through the build scripts and the build log and there it hit me :
libgcrypt was checked for CAST5 support which it did not find

If I had paid more attention at build time, I would obviously have noticed this:

* Solaris specific configuration
checking if we can build Solaris kernel module... no
checking for libgcrypt-config... /usr/bin/libgcrypt-config
checking for LIBGCRYPT - version >= 1.2.3... yes (1.4.4)
checking libgcrypt API version... okay
checking libgcrypt hast CAST5 API... no
*** Detected libgcryt without CAST5 ***

*** Please install/build another one and point to it with ***
*** --with-libgcrypt-dir=

uh ah,

The configure summary also showed that the DHX2 module was not built:

Configure summary:
...
UAMS:
DHX ( SHADOW)
RANDNUM ( SHADOW)
passwd ( SHADOW)
guest

The reason for this is as stated in the configure log, that the installed libgcrypt does not support the CAST5 algorithm. And why ? Because of patent issues … (Opensolaris "Bug" 15527)

I can't relate to that because, as far as I could research, CAST5 (also known as CAST-128), which is described in IETF RFC 2144, is (partly) patented but has been granted for use for any purpose by anyone, royalty and license free (1, 2).

So if you want Lion support and are sure that you are not affected by any patent issues (if in doubt, you should probably contact a lawyer), compile libgcrypt yourself with CAST5 support, and your AFP authentication should work …

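Instructions:

# Downloads are plain FTP/HTTP: verify each tarball against the signature or checksum its project publishes before building.
# 1. libgpg-error (installs to /usr/local by default)
wget ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.9.tar.gz
/usr/gnu/bin/tar xvfz libgpg-error-1.9.tar.gz
cd libgpg-error-1.9
./configure && make && make install
cd ..

# 2. libgcrypt built from source
wget ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.0.tar.gz
/usr/gnu/bin/tar xvfz libgcrypt-1.5.0.tar.gz
cd libgcrypt-1.5.0
./configure --with-gpg-error-prefix=/usr/local
make && make install
cd ..

# 3. netatalk, pointed at the new libgcrypt (-O names the file; the URL ends in /download)
wget -O netatalk-2.2.0.tar.bz2 http://sourceforge.net/projects/netatalk/files/netatalk/2.2/netatalk-2.2.0.tar.bz2/download
/usr/gnu/bin/tar xvfj netatalk-2.2.0.tar.bz2
cd netatalk-2.2.0
./configure --disable-ddp --disable-zeroconf --without-pam --with-libgcrypt-dir=/usr/local
make && make install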

Please note that I am disabling zeroconf (aka Bonjour) because I want to set it up manually, as described in my previous post (here).
Someday I may combine everything into a single instruction set for current OpenIndiana / Solaris 11 Express / NexentaStor.

* Solaris specific configuration
checking if we can build Solaris kernel module... no
checking for libgcrypt-config... /usr/local/bin/libgcrypt-config
checking for LIBGCRYPT - version >= 1.2.3... yes (1.5.0)
checking libgcrypt API version... okay
checking libgcrypt hast CAST5 API... yes
configure: Enabling DHX2 UAM

UAMS:
DHX ( SHADOW)
DHX2 ( SHADOW)
RANDNUM ( SHADOW)
passwd ( SHADOW)
guest
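
The failure described in this post, a UAM named in -uamlist whose module file was never built, can be checked for directly. The script below is an added example, not part of the original post or of netatalk; the function name check_uams and the sample afpd.conf line are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that every UAM named in afpd.conf's -uamlist
# exists as a module file in the netatalk UAM directory.

# check_uams CONF UAMDIR   (hypothetical helper name)
# Prints "ok" or "MISSING" per configured UAM.
# Returns 0 if all are present, 1 if any is missing, 2 if no -uamlist is set.
check_uams() {
    conf=$1
    uamdir=$2
    # Ignore comment lines; take the argument of the last -uamlist option.
    list=$(grep -v '^[[:space:]]*#' "$conf" |
        sed -n 's/.*-uamlist[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' |
        tail -n 1)
    if [ -z "$list" ]; then
        echo "no -uamlist found in $conf" >&2
        return 2
    fi
    rc=0
    old_ifs=$IFS
    IFS=,
    for uam in $list; do
        # -f follows symlinks, so a dangling link also counts as missing.
        if [ -f "$uamdir/$uam" ]; then
            echo "ok       $uam"
        else
            echo "MISSING  $uam"
            rc=1
        fi
    done
    IFS=$old_ifs
    return $rc
}

# Constructed sample reproducing the situation in the post: the config
# lists uams_dhx2.so, but the build never produced that module.
demo=$(mktemp -d)
mkdir "$demo/uams"
printf '%s\n' '# afpd.conf (constructed sample)' \
    '- -tcp -noddp -uamlist uams_randnum.so,uams_dhx.so,uams_dhx2.so' \
    > "$demo/afpd.conf"
touch "$demo/uams/uams_randnum.so" "$demo/uams/uams_dhx.so"
check_uams "$demo/afpd.conf" "$demo/uams" ||
    echo "=> a configured UAM is not installed; check the configure output"
rm -rf "$demo"
```

On the server from this post the second argument would be /usr/local/etc/netatalk/uams/; the first is the path of your afpd.conf.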

 

Everything is working again and I am happy 🙂

6 Responses to “Let (Open)solaris (neta)talk to Lion about TimeMachine”

  • Thanks for posting this. If anyone is trying to get netatalk working on OmniOS, this will do the trick. Obviously you’ll want to use newer versions.

  • Thanks for the feedback. It’s great to know it still works 🙂

  • Just thought I’d let you know, your instructions work fine still with os x 10.8 and OpenIndiana 151a4.

    Thanks for your efforts!

  • We resolved Dirk’s problem in private email conversation. He was using an old libgcrypt version. So make sure you use the latest 🙂

  • thx man, saved me from figuring out what was wrong, great guide

  • I followed your instructions to the letter.
    But on osx lion when I want to mount my volume from opensolaris.
    the pwd is not accepted in the connect dialog.
    just looked in secure.log on osx lion.
    pam-sm-setcred: kr5 user myname doesn’t have a principal

    any ideas on how to proceed.
    btw, thanks for the page,
    Dirk


