AFP broken for Linux-based NAS in Mac OS X Lion 10.7

AFP network connections to many Linux-based NAS units do not work in the Mac OS X Lion 10.7 developer preview. After clicking the Connect button, a dialog reports:

The version of the server you are trying to connect to is not supported. Please contact your system administrator to resolve the problem.

The Time Machine backup feature that many NAS units offer obviously does not work either, because it is built on AFP as well.

You may say that this is a developer preview and things will change for the final release. That is obviously true. But my source also says that this connection problem most likely has to do with Apple discontinuing support for the DHCAST128 (or DHX) authentication method in Lion because it was considered insecure. Its successor, the more secure DHX2 user authentication module (UAM), should be used instead. DHX2 has been supported since Mac OS X 10.2 and allows passwords of up to 256 characters (hell yeah, that should be enough). It relies on CAST-128 in cipher block chaining mode for encryption.

I checked my QNAP NAS for the available afpd/netatalk UAMs, and DHX2 is not present, so it most likely wouldn't work with Lion. Well, if it weren't for Time Machine, I could always fall back to SMB.

[/usr/local/etc/netatalk/uams] # ls -la
drwxr-xr-x      1024 Jan 31 23:08 ./
drwxr-xr-x      1024 Feb 25 20:14 ../
lrwxrwxrwx        14 Feb 25  2011 uams_clrtxt.so -> uams_passwd.so*
lrwxrwxrwx        18 Feb 25  2011 uams_dhx.so -> uams_dhx_passwd.so*
-rwxr-xr-x     10959 Jan 31 23:08 uams_dhx_passwd.so*
-rwxr-xr-x      5304 Jan 31 23:08 uams_guest.so*
-rwxr-xr-x      6996 Jan 31 23:08 uams_passwd.so*

AFP authentication would likely work if the uams_dhx2_passwd.so authentication module were present and enabled in afpd's UAM list. It may not be a bad idea to raise this issue with your NAS vendor if you plan to use Lion in the near future.

Rumor has it that some NAS vendors intentionally disable DHX2 in netatalk because it is a lot more CPU intensive. This could lead to longer login times when accessing AFP shares on NAS units with slow CPUs.

Update 2-26-2011: It has been verified that Lion is able to connect to a Linux host running netatalk 2.1.2 supporting the DHX2 UAM in afpd.

Update 7-15-2011: Check out this post for a status update on Time Machine support in OS X Lion 10.7.

18 thoughts on “AFP broken for Linux-based NAS in Mac OS X Lion 10.7”

  1. Could you tell me how you verified if DHX2 was enabled on your QNAP NAS? I am running the 809U-RP so I would assume if any NAS has the CPU capabilities it would be this one. If we see DHX2 is not present then it’s a pretty good bet none of the others will have it. I already contacted support at QNAP to make them aware.

  2. David, it’s not enabled on my TS-439 nor is the required UAM present. SSH into your QNAP NAS and have a look at the end of the afpd.conf file in /usr/local/etc/netatalk.
    The last line reads:
    - -transall -uamlist uams_dhx.so,uams_guest.so,uams_clrtxt.so -nosavepassword

    -> no dhx2 UAM present.

    Btw. QNAP uses netatalk 2.1 on my TS-439 PRO II+.

    Cheers,
    Jan
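
As an added example (not part of the original post, and not QNAP's or netatalk's own tooling), here is a small POSIX shell check that does what the post and Jan's reply above describe by hand: it looks for a uams_dhx2*.so module in the netatalk UAM directory and then parses the -uamlist option in afpd.conf to see whether DHX2 is actually enabled. The default paths are the QNAP ones quoted above; the check_dhx2 function name and its exit codes are my own choice.

```shell
#!/bin/sh
# Added example, not from the original post or from QNAP/netatalk:
# report whether the netatalk DHX2 UAM is installed and enabled.
# Default paths are the QNAP locations quoted in the post.

# check_dhx2 UAMS_DIR AFPD_CONF
# Exit status: 0 = DHX2 installed and listed in -uamlist,
#              1 = installed but not listed, 2 = module file missing.
check_dhx2() {
    uams_dir="$1"
    afpd_conf="$2"

    # netatalk ships the module as uams_dhx2_passwd.so (or a PAM variant),
    # usually with a uams_dhx2.so symlink, like uams_dhx.so in the listing.
    set -- "$uams_dir"/uams_dhx2*.so
    if [ ! -e "$1" ]; then
        echo "DHX2: no uams_dhx2*.so module found in $uams_dir"
        return 2
    fi

    # afpd.conf: one server definition per non-comment line; the value
    # after -uamlist is the comma-separated list of enabled UAMs.
    uamlist=$(grep -v '^[[:space:]]*#' "$afpd_conf" 2>/dev/null \
        | sed -n 's/.*-uamlist[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        | tail -n 1)

    case ",$uamlist," in
        *,uams_dhx2*)
            echo "DHX2: installed and enabled (-uamlist $uamlist)"
            return 0 ;;
        *)
            echo "DHX2: installed but not enabled (-uamlist ${uamlist:-<none>})"
            return 1 ;;
    esac
}

# Stand-alone use: ./check_dhx2.sh [UAMS_DIR] [AFPD_CONF]
check_dhx2 "${1:-/usr/local/etc/netatalk/uams}" \
           "${2:-/usr/local/etc/netatalk/afpd.conf}"
```

Run it over SSH on the NAS; exit status 1 means the vendor shipped the module but left it out of -uamlist, which is the case a firmware update or a manual afpd.conf edit can fix.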

  3. Thanks.

    I see dhx2 as an option in the QNAP config so I assume it’s just up to them to enable it. Maybe they will get back to me quickly.

  4. It would seem that Time Machine is using new AFP features that aren’t in Netatalk currently... it won’t work.

  5. Yes the DHX2 module is required to get AFP working. As for Time Machine, apparently server reply cache is required. This is in Netatalk 2.2 (currently in beta), so hopefully Netatalk 2.2 works with Time Machine in Lion. Anyone able to try Netatalk 2.2 out?

  6. The new version for QNAP NAS 3.4.3 has the uams_dhx2_passwd.so.

    While now Time Machine login dialog passes through, I get an error saying “The network backup disk does not support the required AFP features”…

    So – logging in via AFP = fine, but Time Machine is still not supported :(

  7. Thanks for the heads up, Peconi. QNAP may have to upgrade the netatalk version as well in order to make it compatible with Lion’s Time Machine. The latest netatalk 2.2 is still in beta though.

    Cheers,
    Jan

  8. Everyone wants to complain about it to their server manufacturers. I’m sorry, but the blame belongs to Apple, as it is their snobbish elitist self that decided to remove the functionality in the first place.

  9. Patrick,

    If Apple implements security improvements they are snobs, but if Microsoft does it everyone says what took them so long. Why should Apple manage everyone else’s business when they are riding their coattails? Seems to me that everyone else simply needs to catch up and do the right thing.
