From debian at istvan.org Wed Aug 20 16:15:57 2025
From: debian at istvan.org (Stefan van Lieshout)
Date: Wed, 20 Aug 2025 17:15:57 +0200
Subject: [Pkg-netatalk-devel] Bug#1111652: netatalk: Unable to use PAM in centralized authentication scenario
Message-ID: <175570295765.42473.15299760284987000276.reportbug@netatalkdbg>

Package: netatalk
Version: 4.2.3~ds-1
Severity: important

Dear Maintainer,

* What led up to the situation?

It's not possible to connect to a share with a centrally managed user account on AD that is available via PAM. It's possible when connecting with a server's local account. The complete setup used to work with the netatalk package in Debian Bullseye.

* What exactly did you do (or not do) that was effective (or ineffective)?

- Set up sssd correctly so that central users are available:

root@netatalkdbg:/etc/sssd# getent passwd istvan
istvan:*:10000:10001:Stefan van Lieshout:/home/ldapusers/istvan:/bin/bash

- Make sure the correct uams are configured and loaded:

root@netatalkdbg:/etc/netatalk# l /usr/lib/x86_64-linux-gnu/netatalk/
total 184
lrwxrwxrwx 1 root root    11 May 13 16:40 uams_clrtxt.so -> uams_pam.so
-rw-r--r-- 1 root root 26720 May 13 16:40 uams_dhx2_pam.so
-rw-r--r-- 1 root root 18504 May 13 16:40 uams_dhx2_passwd.so
lrwxrwxrwx 1 root root    16 May 13 16:40 uams_dhx2.so -> uams_dhx2_pam.so
-rw-r--r-- 1 root root 22640 May 13 16:40 uams_dhx_pam.so
-rw-r--r-- 1 root root 18488 May 13 16:40 uams_dhx_passwd.so
lrwxrwxrwx 1 root root    15 May 13 16:40 uams_dhx.so -> uams_dhx_pam.so

root@netatalkdbg:/etc/netatalk# journalctl -fn500
Aug 20 16:47:48 netatalkdbg afpd[41690]: auth_load: /usr/lib/x86_64-linux-gnu/netatalk/, uams_dhx.so uams_dhx2.so
Aug 20 16:47:48 netatalkdbg afpd[41690]: uam: loading (/usr/lib/x86_64-linux-gnu/netatalk/uams_dhx.so)
Aug 20 16:47:48 netatalkdbg afpd[41690]: uam: uams_dhx.so loaded
Aug 20 16:47:48 netatalkdbg afpd[41690]: uam: loading (/usr/lib/x86_64-linux-gnu/netatalk/uams_dhx2.so)
Aug 20 16:47:48 netatalkdbg afpd[41690]: DHX2: generating mersenne primes
Aug 20 16:47:48 netatalkdbg afpd[41690]: uam: uams_dhx2.so loaded

- Connect from a Mac machine to the share with the centrally managed user account

- It results in the following error:

Aug 20 16:53:04 netatalkdbg afpd[41840]: <== Start AFP command: AFP_LOGIN_EXT
Aug 20 16:53:04 netatalkdbg afpd[41840]: DHX2: unknown username

A few extra notes:

- I installed the same setup on a fresh system to rule out anything that could block, but the result is the same.

- When adding the same username to /etc/passwd the following occurs in the log after trying again:

Aug 20 16:59:55 netatalkdbg afpd[42048]: <== Start AFP command: AFP_LOGIN_EXT
Aug 20 16:59:55 netatalkdbg afpd[42048]: DHX2 login: istvan
Aug 20 16:59:55 netatalkdbg afpd[42048]: ==> Finished AFP command: AFP_LOGIN_EXT -> AFPERR_AUTHCONT
...
Aug 20 16:59:55 netatalkdbg afpd[42048]: <== Start AFP command: AFP_LOGINCONT
Aug 20 16:59:55 netatalkdbg unix_chkpwd[42049]: check pass; user unknown
Aug 20 16:59:55 netatalkdbg afpd[42048]: PAM DHX2: PAM Success
Aug 20 16:59:55 netatalkdbg unix_chkpwd[42050]: check pass; user unknown
Aug 20 16:59:55 netatalkdbg unix_chkpwd[42050]: password check failed for user (istvan)
Aug 20 16:59:55 netatalkdbg afpd[42048]: pam_unix(netatalk:auth): authentication failure; logname=istvan uid=0 euid=0 tty=afpd ruser=istvan rhost=minimek user=istvan
Aug 20 16:59:55 netatalkdbg afpd[42048]: pam_sss(netatalk:auth): User info message: Warning: encryption type arcfour-hmac used for authentication is deprecated and will be disabled
Aug 20 16:59:55 netatalkdbg afpd[42048]: PAM DHX2: PAM Success
Aug 20 16:59:55 netatalkdbg afpd[42048]: pam_sss(netatalk:auth): authentication success; logname=istvan uid=0 euid=0 tty=afpd ruser=istvan rhost=minimek user=istvan
Aug 20 16:59:55 netatalkdbg unix_chkpwd[42052]: could not obtain user info (istvan)
Aug 20 16:59:55 netatalkdbg afpd[42048]: DHX2: PAM_Error: Authentication failure

- Contents of /etc/pam.d/netatalk:

#%PAM-1.0
auth      include  common-auth
account   include  common-account
password  include  common-password
session   include  common-session-noninteractive

* What was the outcome of this action?

No access to the share.

* What outcome did you expect instead?

Access to the share after successful authentication.

-- System Information:
Debian Release: 13.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-38-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages netatalk depends on:
ii  avahi-daemon                   0.8-16
ii  dbus                           1.16.2-2
ii  init-system-helpers            1.68
ii  libacl1                        2.3.2-2+b1
ii  libatalk                       4.2.3~ds-1
ii  libavahi-client3               0.8-16
ii  libavahi-common3               0.8-16
ii  libc6                          2.41-12
ii  libcrack2                      2.9.6-5.2+b1
ii  libcrypt1                      1:4.4.38-1
ii  libdb5.3t64                    5.3.28+dfsg2-9
ii  libevent-2.1-7t64              2.1.12-stable-10+b1
ii  libgcrypt20                    1.11.0-7
ii  libglib2.0-0t64                2.84.3-1
ii  libgssapi-krb5-2               1.21.3-5
ii  libiniparser4                  4.2.6-1
ii  libkrb5-3                      1.21.3-5
ii  libpam-modules                 1.7.0-5
ii  libpam0g                       1.7.0-5
ii  libtalloc2                     2:2.4.3+samba4.22.3+dfsg-4
ii  libtinysparql-3.0-0            3.8.2-7
ii  libtirpc3t64                   1.3.6+ds-1
ii  netbase                        6.5
ii  tracker-extract [localsearch]  3.8.2-4+b1

Versions of packages netatalk recommends:
ii  a2boot          4.2.3~ds-1
ii  atalkd          4.2.3~ds-1
ii  macipgw         4.2.3~ds-1
ii  netatalk-tools  4.2.3~ds-1
ii  papd            4.2.3~ds-1
ii  timelord        4.2.3~ds-1

Versions of packages netatalk suggests:
pn  netatalk-doc
pn  quota

-- Configuration Files:
/etc/netatalk/afp.conf changed:
;
; Netatalk 4.x configuration file
;

[Global]
; Global server settings
log level = default:maxdebug

[Homes]
basedir regex = /home

; [my volume]
; path = /path/to/volume
; volume name = My AFP Volume

; [my backup]
; path = /path/to/backup
; time machine = yes
; volume name = My Backup Volume

[My Time Machine Volume]
path = /srv/timemachine
time machine = yes
vol size limit = 1000000

-- no debconf information
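The two failures quoted in the report above differ in which stage of the DHX2 login gives up: the first attempt dies at "DHX2: unknown username" before any PAM module runs, the second reaches PAM, gets a failure from pam_unix and a success from pam_sss, and still ends in "DHX2: PAM_Error". The following triage script is an added example, not part of the bug report or of the netatalk project; it groups maxdebug-level afpd journal lines per afpd PID and reports, for each AFP_LOGIN_EXT, the resolved user, the last stage reached and the per-module PAM verdicts, so the two cases can be told apart at a glance on a larger log. The journal lines embedded in it are constructed to mirror the ones quoted in the report; the stage names and the `check_nss` helper (plain `getpwnam`, which goes through NSS the same way a daemon's user lookup does) are this example's own.

```python
"""Triage afpd DHX2/PAM login attempts from journal lines.

Added example (not netatalk code). Input is the line format afpd writes at
`log level = default:maxdebug`; per-module PAM lines follow the standard
Linux-PAM "pam_xxx(service:auth): authentication success|failure; ..." form.
"""
import pwd
import re
import sys
from collections import OrderedDict

# Constructed sample, modelled on the lines quoted in the bug report.
SAMPLE_JOURNAL = """\
Aug 20 16:53:04 netatalkdbg afpd[41840]: <== Start AFP command: AFP_LOGIN_EXT
Aug 20 16:53:04 netatalkdbg afpd[41840]: DHX2: unknown username
Aug 20 16:59:55 netatalkdbg afpd[42048]: <== Start AFP command: AFP_LOGIN_EXT
Aug 20 16:59:55 netatalkdbg afpd[42048]: DHX2 login: istvan
Aug 20 16:59:55 netatalkdbg afpd[42048]: ==> Finished AFP command: AFP_LOGIN_EXT -> AFPERR_AUTHCONT
Aug 20 16:59:55 netatalkdbg afpd[42048]: <== Start AFP command: AFP_LOGINCONT
Aug 20 16:59:55 netatalkdbg unix_chkpwd[42049]: check pass; user unknown
Aug 20 16:59:55 netatalkdbg afpd[42048]: pam_unix(netatalk:auth): authentication failure; logname=istvan uid=0 euid=0 tty=afpd ruser=istvan rhost=minimek user=istvan
Aug 20 16:59:55 netatalkdbg afpd[42048]: pam_sss(netatalk:auth): User info message: Warning: encryption type arcfour-hmac used for authentication is deprecated and will be disabled
Aug 20 16:59:55 netatalkdbg afpd[42048]: pam_sss(netatalk:auth): authentication success; logname=istvan uid=0 euid=0 tty=afpd ruser=istvan rhost=minimek user=istvan
Aug 20 16:59:55 netatalkdbg afpd[42048]: DHX2: PAM_Error: Authentication failure
"""

# "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>[\w_-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Standard Linux-PAM auth result line, restricted to the netatalk service.
PAM_RE = re.compile(
    r"^(?P<module>pam_\w+)\(netatalk:auth\): authentication (?P<result>success|failure)"
)


def triage(journal_text):
    """Return an OrderedDict pid -> {user, stage, pam, [detail]} per AFP_LOGIN_EXT."""
    attempts = OrderedDict()
    for raw in journal_text.splitlines():
        m = LINE_RE.match(raw)
        # unix_chkpwd helper lines carry their own PID, so key on afpd only.
        if not m or m.group("prog") != "afpd":
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.endswith("Start AFP command: AFP_LOGIN_EXT"):
            attempts[pid] = {"user": None, "stage": "login-started", "pam": {}}
            continue
        a = attempts.get(pid)
        if a is None:
            continue  # line belongs to no login we have seen start
        if msg == "DHX2: unknown username":
            a["stage"] = "nss-lookup-failed"  # afpd could not resolve the name at all
        elif msg.startswith("DHX2 login: "):
            a["user"] = msg[len("DHX2 login: "):]
            a["stage"] = "user-resolved"
        elif msg.startswith("DHX2: PAM_Error: "):
            a["stage"] = "pam-failed"
            a["detail"] = msg[len("DHX2: PAM_Error: "):]
        else:
            pm = PAM_RE.match(msg)
            if pm:
                a["pam"][pm.group("module")] = pm.group("result")
    return attempts


def summarize(attempts):
    """One human-readable line per login attempt."""
    out = []
    for pid, a in attempts.items():
        user = a["user"] or "<not resolved>"
        pam = ", ".join(f"{mod}={res}" for mod, res in a["pam"].items()) or "no PAM module result"
        out.append(f"afpd[{pid}] user={user} stage={a['stage']} ({pam})")
    return out


def check_nss(username):
    """Resolve a user through NSS (getpwnam), as a daemon would; uid or None."""
    try:
        return pwd.getpwnam(username).pw_uid
    except KeyError:
        return None


if __name__ == "__main__":
    # Usage: afpd_triage.py [journal.txt] [user ...]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JOURNAL
    for line in summarize(triage(text)):
        print(line)
    for user in sys.argv[2:]:
        print(f"nss lookup {user}: uid={check_nss(user)}")
```

On the constructed sample the summary shows `afpd[41840] ... stage=nss-lookup-failed (no PAM module result)` and `afpd[42048] user=istvan stage=pam-failed (pam_unix=failure, pam_sss=success)`. The script only classifies what afpd and the PAM modules logged; it does not say which PAM call afpd made when it reported PAM_Error. To probe the netatalk stack outside afpd, running the same service file with a tool such as pamtester (`pamtester netatalk istvan authenticate acct_mgmt`, assuming the Debian pamtester package is installed) exercises the auth and account groups separately and shows where they diverge.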