Answering my own question, much later.

Comparing working netatalk running in the root of a pcBSD system with a non-working netatalk running in a jail I noticed that the working version of cnid_metad was listening on loopback (lo0, 127.0.0.1:4700) vs the jailed version listening on the external interface (lagg0, 10.128.x.y:4700).

Specifying "cnid listen" and/or "cnid server" in afp.conf did not work.

What did work was creating an extra IP address on lo0 and assigning it to the jail:

In the parent BSD system:
ifconfig lo0 alias 127.0.0.2
jail -m ip4.addr=127.0.0.2,10.128.x.y jid=nn

Then inside the jail restart netatalk (without "cnid listen" or "cnid server" in afp.conf) and netatalk works. Mavericks client connects no problem.

In the jail:
sockstat|grep cnid
root     cnid_metad 44502 3  tcp4   127.0.0.2:4700        *:*
root     cnid_metad 44502 4  dgram  -> /var/run/logpriv

Not sure if cnid_metad not working when bound to the external interface is a bug or a feature, but I'm happy to have jailed netatalk working.

Russ Poyner
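As an added example, not part of the post above and not Netatalk's own tooling: the workaround wrapped into a host-side function, plus a small check that parses sockstat output and confirms cnid_metad is bound to a loopback address rather than the jail's external one. Keeping the CNID metadata listener on loopback also means it is not reachable from the network-facing interface, which is the exposure a practitioner would want to verify after a restart. The jail id, the 127.0.0.2 alias and the 10.128.1.2 external address are placeholders/assumptions, and the sockstat samples are constructed, modelled on the lines in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Host side: add a loopback alias
# and hand it to the running jail; jail side: verify where cnid_metad listens.

# Run on the host. Arguments: jail id, the jail's existing external address,
# and (optionally) the loopback alias to add. All values are placeholders.
setup_jail_loopback_alias() {
    jid="$1"                   # e.g. the jid shown by `jls`
    ext_addr="$2"              # the jail's current external address
    lo_alias="${3:-127.0.0.2}" # assumed alias, as in the post
    ifconfig lo0 alias "$lo_alias" && \
    jail -m "ip4.addr=${lo_alias},${ext_addr}" "jid=${jid}"
}

# Reads sockstat output on stdin and prints the tcp4 bind address of
# cnid_metad. Exit status 1 if cnid_metad has no tcp4 listener at all.
cnid_bind_addr() {
    awk '$2 == "cnid_metad" && $5 == "tcp4" {
             split($6, a, ":"); print a[1]; found = 1
         }
         END { exit !found }'
}

# 0 when the address is in 127/8, 1 otherwise.
is_loopback() {
    case "$1" in
        127.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Classify the cnid_metad binding in sockstat output on stdin.
# Prints "loopback <addr>" (exit 0) or "external <addr>" (exit 1);
# exit 2 if no tcp4 listener was found.
check_cnid_binding() {
    addr=$(cnid_bind_addr) || { echo "cnid_metad: no tcp4 listener"; return 2; }
    if is_loopback "$addr"; then
        echo "loopback $addr"
        return 0
    fi
    echo "external $addr"
    return 1
}

# Constructed sample sockstat output (not captured from a real system),
# modelled on the working and non-working cases described in the post.
SAMPLE_GOOD='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     cnid_metad 44502 3  tcp4   127.0.0.2:4700        *:*
root     cnid_metad 44502 4  dgram  -> /var/run/logpriv'

SAMPLE_BAD='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     cnid_metad 44502 3  tcp4   10.128.1.2:4700       *:*'

# On a live jail, after restarting netatalk:
#   sockstat -4l | check_cnid_binding
```

The check only looks at the tcp4 socket, so the dgram line to /var/run/logpriv (syslog) is ignored; a non-zero exit status from check_cnid_binding is the signal that the jail is still in the non-working, externally bound state.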


-------- Forwarded Message --------
Subject: Netatalk trouble in FreeBSD Jail
Date: Fri, 27 Jun 2014 14:24:13 -0500
From: Russell R Poyner <rpoyner@engr.wisc.edu>
To: netatalk-admins@lists.sourceforge.net


I'm setting up a fileserver on FreeBSD. I'm hoping to run all of my 
services in Jails.

Unfortunately when I run netatalk in a jail my mac clients are unable to 
connect. If I use a similar configuration of netatalk running on the 
parent server the Macs can connect and run time machine with no trouble.

On the Mac
Connect to Server afp://<ip-address> gives:
Check the server name or IP address and then try again...

In the server log:

Jun 27 14:21:29 timemachine afpd[20652]: Login by me (AFP3.4)
Jun 27 14:21:40 timemachine afpd[20652]: AFP logout by me
Jun 27 14:21:40 timemachine afpd[20652]: dsi_stream_read: len:0, unexpected EOF
Jun 27 14:21:40 timemachine afpd[20652]: afp_over_dsi: client logged out, terminating DSI session
Jun 27 14:21:40 timemachine afpd[20652]: AFP statistics: 0.66 KB read, 0.52 KB written

From the Mac
telnet timemachine.server.edu 548

connects, which seems to show that the jail network is working and 
accepting connections.

I'm also able to ping to and from the jail network.

Furthermore I can run other services in the jail successfully.

So this seems to be a fairly subtle problem related to running netatalk 
in an otherwise functional jail environment.

OS: PC-BSD 10.0.2 trueos

Netatalk built from FreeBSD port with PAM support enabled.

afpd -V
afpd 3.1.2 - Apple Filing Protocol (AFP) daemon of Netatalk

This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version. Please see the file COPYING for further information and details.

afpd has been compiled with support for these features:

          AFP versions:    2.2 3.0 3.1 3.2 3.3 3.4
         CNID backends:    dbd last tdb
      Zeroconf support:    Avahi
  TCP wrappers support:    Yes
         Quota support:    No
   Admin group support:    Yes
    Valid shell checks:    Yes
      cracklib support:    No
            EA support:    ad | sys
           ACL support:    No
          LDAP support:    No
         D-Bus support:    Yes
     Spotlight support:    No
         DTrace probes:    No

              afp.conf:    /usr/local/etc/afp.conf
           extmap.conf:    /usr/local/etc/extmap.conf
       state directory:    /var/netatalk/
    afp_signature.conf:    /var/netatalk/afp_signature.conf
      afp_voluuid.conf:    /var/netatalk/afp_voluuid.conf
       UAM search path:    /usr/local/libexec/netatalk-uams//
  Server messages path:    /var/netatalk/msg/

asip-status.pl localhost
AFP reply from localhost:548
Flags: 1  Cmd: 3  ID: 57005
Reply: DSIGetStatus
Request ID: 57005
Machine type: Netatalk3.1.2
AFP versions: AFP2.2,AFPX03,AFP3.1,AFP3.2,AFP3.3,AFP3.4
UAMs: DHX2,DHCAST128
Volume Icon & Mask: Yes
Flags:
    SupportsCopyFile
    SupportsServerMessages
    SupportsServerSignature
    SupportsTCP/IP
    SupportsSrvrNotifications
    SupportsOpenDirectory
    SupportsUTF8Servername
    SupportsUUIDs
    SupportsExtSleep
    SupportsSuperClient
Server name: timemachine
Signature:
f2 75 ad e8 02 db bb e0 46 91 d9 0b b2 24 b1 68  .u......F....$.h

Network address: <gone.daddy.gone> (TCP/IP address)
UTF8 Servername: timemachine

Thoughts or debugging tips welcome
Thanks in advance

RP