Time Machine Backups to AFP volume over SSH tunnel
Since I read that Time Machine works better over wireless now, I wanted to give it another try.
I ran into quite a few problems...
Netatalk: AFP Daemon
Netatalk is easy to set up. I didn't bother setting up avahi etc. to get the fancy server icons on the Mac, as I didn't intend to open those ports anyway...
The only files to configure are:
/etc/netatalk/afpd.conf:
- -tcp -noddp -uamlist uams_dhx2.so -nosavepassword -nozeroconf
/etc/netatalk/netatalk.conf
AFPD_UAMLIST="-U uams_dhx2.so"
/etc/netatalk/AppleVolumes.default
/mnt/tmdisk/tmb tmb allow:tmuser cnidscheme:dbd options:tm,usedots,upriv
- I created a new user: tmuser
- I only wanted to support DHX2 (Lion does not use DHX) and found to my annoyance that whenever I started the netatalk server through systemd, it passed in
"-U uams_dhx.so, uams_dhx2.so"
despite my setting the UAMs in afpd.conf!
Inspecting the service file /lib/systemd/system/netatalk.service revealed the culprit: the script /usr/libexec/netatalk/netatalk.sh, a kludgy start/stop wrapper that reads the UAM list from netatalk.conf and passes it to afpd on the command line, overriding afpd.conf!
So, the change to netatalk.conf is listed above.
- Make sure to use the DBD CNID scheme (cnidscheme:dbd), which is supposed to be tolerant of network dropouts...
SSH Tunnel
AFP sends file data in the clear (the DHX2 UAM protects only the login exchange), as do SMB and NFS in their usual configurations, so I wanted to tunnel the connection over SSH. There are pages galore describing this one-command setup in great detail ;-)!
ssh -f -N -L 12345:localhost:548 karthik@netatalkserver
Without an explicit bind address, ssh binds the local end (port 12345) to the loopback interface only, so the forwarded AFP port is not exposed on the Mac's network interfaces; the remote end, localhost:548, is afpd on the Netatalk server.
I intend to create the tunnel, start the backup and tear it down when done...
Time Machine Setup
Thereafter, mounting in Finder worked like a charm:
open afp://tmuser@localhost:12345/tmb
Setting it up in time machine also worked:
sudo tmutil setdestination -p afp://tmuser@localhost:12345/tmb
You are prompted for the password (tmuser's password) and no errors are reported.
However, if you try to start a backup, it fails: Time Machine reports that the backup disk could not be made available! In the Console logs, you can see the error:
com.apple.backupd: NAConnectToServerSync failed with error: 80 for url: afp://tmuser@localhost:12345/tmb
I spent half the night trying to figure this out. Wireshark showed a similar sequence of 6 messages being exchanged in both cases, the Finder mount and the Time Machine mount... However, the logs on the Netatalk server indicate that the password was incorrect. Encryption of the password makes it hard to figure out what is going on...
The solution: modify the keychain record storing the password (open Keychain Access and filter by "time") which is tripping up Time Machine:
When Time Machine is set up, it creates a record without the port number appended to the URL. Apparently, when it is time to do the backup, it somehow does not parse this record properly and sends the wrong password!
It took me forever to find this!
After that, starting the backup is a cinch:
sudo tmutil startbackup
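Putting the steps above together (open the tunnel, run one backup, tear the tunnel down) as a wrapper script. This is an added example, not code from the original post: it reuses the post's names (tmuser, karthik@netatalkserver, local port 12345, share tmb) and assumes a macOS tmutil that supports the --block flag and a security(1) that accepts -P port and the four-character protocol code "afp " for find-internet-password; the keychain check is there so the script refuses to start a backup when the record Time Machine would use has no port attached, which is the failure described above.

```bash
#!/bin/bash
# Run one Time Machine backup to a Netatalk AFP share over an SSH tunnel.
# Added example; names below come from the post, everything else is assumed.
set -eu

SSH_HOST="karthik@netatalkserver"   # Netatalk server (from the post)
LOCAL_PORT=12345                    # local end of the tunnel (from the post)
REMOTE_AFP_PORT=548                 # afpd on the server
SHARE="tmb"                         # AppleVolumes.default volume name
TM_USER="tmuser"                    # AFP user allowed on the share
CTRL="/tmp/tm-tunnel.%r@%h:%p"      # ssh control socket, so teardown is exact

# Build the -L forwarding spec. Binding to 127.0.0.1 explicitly keeps the
# listener off the network interfaces (ssh's default, but be explicit).
forward_spec() {
  printf '127.0.0.1:%s:localhost:%s' "$1" "$2"
}

# The destination URL handed to tmutil setdestination.
afp_url() {
  printf 'afp://%s@localhost:%s/%s' "$TM_USER" "$1" "$SHARE"
}

# Return 0 if the URL carries an explicit port (a URL without one would make
# Time Machine look up a keychain record that has no port either).
url_has_port() {
  case "$1" in
    afp://*@*:[0-9]*/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Check that the login keychain holds an AFP password for localhost with the
# tunnel port attached. "afp " is the four-char kSecProtocolTypeAFP code
# (assumed; verify with `security help find-internet-password`).
keychain_record_has_port() {
  security find-internet-password -a "$TM_USER" -s localhost \
    -P "$1" -r "afp " >/dev/null 2>&1
}

open_tunnel() {
  # -f: background after auth, -N: no remote command, -M/-S: control master
  # so close_tunnel can stop exactly this ssh; ExitOnForwardFailure makes a
  # busy local port a hard error instead of a silently missing tunnel.
  ssh -f -N -M -S "$CTRL" -o ExitOnForwardFailure=yes \
      -L "$(forward_spec "$LOCAL_PORT" "$REMOTE_AFP_PORT")" "$SSH_HOST"
}

close_tunnel() {
  ssh -S "$CTRL" -O exit "$SSH_HOST" 2>/dev/null || true
}

run_backup() {
  local url
  url=$(afp_url "$LOCAL_PORT")
  url_has_port "$url" || { echo "refusing: no port in $url" >&2; return 1; }
  if ! keychain_record_has_port "$LOCAL_PORT"; then
    echo "no keychain record for afp://localhost:$LOCAL_PORT; Time Machine" \
         "will send the wrong password. Fix the record in Keychain Access." >&2
    return 1
  fi
  open_tunnel
  trap close_tunnel EXIT
  # --block returns when the backup finishes, so the trap tears the tunnel
  # down only after backupd is done with the volume.
  sudo tmutil startbackup --block
}

if [ "${1:-}" = "--run" ]; then
  run_backup
fi
```

Run it as `./tm-backup.sh --run` after the one-time `sudo tmutil setdestination -p` shown above; the control socket means a second invocation while a tunnel is still up fails on the socket rather than spawning a second ssh.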