Wednesday, 27 June 2012

Time Machine Backups to AFP volume over SSH tunnel

Since I read that Time Machine works better over wireless now, I wanted to give it another try.

I ran into quite a few problems...

Netatalk: AFP Daemon

Netatalk is easy to set up...
I didn't bother setting up avahi etc. for getting funky server icons on the Mac, as I didn't intend to open these ports anyway...

The only files to configure are:

/etc/netatalk/afpd.conf:
   - -tcp -noddp -uamlist uams_dhx2.so -nosavepassword -nozeroconf

/etc/netatalk/netatalk.conf:
   AFPD_UAMLIST="-U uams_dhx2.so"

/etc/netatalk/AppleVolumes.default:
   /mnt/tmdisk/tmb tmb  allow:tmuser cnidscheme:dbd options:tm,usedots,upriv


  1. I created a new user: tmuser.
  2. I only wanted to support DHX2 (Lion does not use DHX) and found, to my annoyance, that whenever I started the netatalk server through systemd it passed in
       "-U uams_dhx.so, uams_dhx2.so"
     despite my setting the UAMs in afpd.conf!
     Inspecting the service file /lib/systemd/system/netatalk.service revealed the culprit to be the script /usr/libexec/netatalk/netatalk.sh, a kludgy start/stop script that reads netatalk.conf to set the UAMs. Hence the AFPD_UAMLIST setting in netatalk.conf listed above.
  3. Make sure to use the DBD CNID scheme (cnidscheme:dbd above), which is supposed to be tolerant of network dropouts...

SSH Tunnel

AFP is quite insecure (as are other file sharing protocols such as SMB/NFS (?)), so I wanted to tunnel the connection over SSH. There are pages galore describing this one-command setup in great detail ;-)!

ssh -f -N -L 12345:localhost:548 karthik@netatalkserver

I intend to create the tunnel, start the backup and tear it down when done...

Time Machine Setup

Thereafter, mounting in Finder worked like a charm:

    open afp://tmuser@localhost:12345/tmb

Setting it up in Time Machine also worked:

    sudo tmutil setdestination -p afp://tmuser@localhost:12345/tmb

You are prompted for the password (tmuser's password) and no errors are reported.

However, if you try to start a backup, it fails: Time Machine reports that the backup disk could not be made available! In the Console logs you can see the error:

com.apple.backupd: NAConnectToServerSync failed with error: 80 for url: afp://tmuser@localhost:12345/tmb

I spent half the night trying to figure this out. Wireshark showed a similar sequence of 6 messages being exchanged in both cases, the Finder mount and the Time Machine mount... However, the logs on the netatalk server indicated that the password was incorrect. Encryption of the password makes it hard to figure out what is going on...

The solution: modify the keychain record storing the password (open the Keychain Access app and filter by "time"), which is what trips up Time Machine:

When Time Machine is set up, it creates a record without the port number appended to the URL. Apparently, when it is time to do the backup, it somehow does not parse this record properly and sends the wrong password!

It took me forever to find this!

After that, starting the backup is a cinch:
   sudo tmutil startbackup
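
To tie the three steps together (open the tunnel, run the backup, tear the tunnel down), here is an added shell script that is not part of the original post. It uses the same hostnames, ports, user and volume names as the post; it assumes ssh, nc and tmutil are on the Mac's PATH, and that the tmutil startbackup --block option (which waits for the backup to finish) is available, which is an assumption about a newer macOS than the Lion of this post. The tunnel's ps line and the backup command are the only parts that touch the network.

```shell
#!/bin/sh
# Added example (not from the original post): open the SSH tunnel, wait for the
# forwarded port, run the Time Machine backup, then tear the tunnel down.
# Hostnames, ports and user names are those used in the post.

LOCAL_PORT=12345
AFP_PORT=548
SSH_USER=karthik
SSH_HOST=netatalkserver
AFP_USER=tmuser
VOLUME=tmb

# Port-forward spec. Built once and reused so that the teardown step kills
# exactly the ssh process carrying this tunnel and no other ssh session.
forward_spec() {
    printf '%s:localhost:%s' "$LOCAL_PORT" "$AFP_PORT"
}

# URL Time Machine was pointed at with 'tmutil setdestination'. The port must
# be present; the keychain problem in the post came from a record lacking it.
afp_url() {
    printf 'afp://%s@localhost:%s/%s' "$AFP_USER" "$LOCAL_PORT" "$VOLUME"
}

# Extract the PID of the ssh process carrying our forward from 'ps' text.
# The text is passed as $1 so the selection logic can be exercised offline.
tunnel_pid_from_ps() {
    printf '%s\n' "$1" | awk -v spec="-L $(forward_spec)" \
        'index($0, "ssh ") && index($0, spec) { print $1; exit }'
}

# Constructed sample of 'ps -axo pid=,command=' output, used for offline checks:
# only the first line is our tunnel; the second is a different forward.
SAMPLE_PS=' 4242 ssh -f -N -L 12345:localhost:548 karthik@netatalkserver
 4300 ssh -f -N -L 22222:localhost:548 karthik@otherhost
 4301 bash -c sleep 12345:localhost:548'

# Poll until the local end of the tunnel accepts connections (about 10 s max).
wait_for_tunnel() {
    i=0
    while ! nc -z localhost "$LOCAL_PORT" 2>/dev/null; do
        i=$((i + 1))
        [ "$i" -lt 20 ] || return 1
        sleep 0.5
    done
}

# -f: go to background once authenticated; -N: no remote command, forward only.
open_tunnel() {
    ssh -f -N -L "$(forward_spec)" "$SSH_USER@$SSH_HOST"
}

close_tunnel() {
    pid=$(tunnel_pid_from_ps "$(ps -axo pid=,command=)")
    if [ -n "$pid" ]; then
        kill "$pid"
    fi
}

run_backup_over_tunnel() {
    open_tunnel || return 1
    if wait_for_tunnel; then
        # --block (assumed available) makes tmutil wait for the backup to end,
        # so the tunnel stays up for the whole run and is closed afterwards.
        sudo tmutil startbackup --block
        status=$?
    else
        echo "tunnel on port $LOCAL_PORT never came up" >&2
        status=1
    fi
    close_tunnel
    return "$status"
}

# Only run the real cycle when invoked as: sh tm_tunnel.sh run
if [ "${1:-}" = "run" ]; then
    run_backup_over_tunnel
fi
```

Because -L is given without a bind address, ssh listens on the loopback interface only, so the forwarded AFP port is reachable from processes on this Mac and not from other hosts on the wireless network; that is what keeps the unencrypted AFP session inside the tunnel.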

