[Pkg-netatalk-devel] Bug#1111652: netatalk: Unable to use PAM in centralized authentication scenario
Stefan van Lieshout
debian at istvan.org
Wed Aug 20 16:15:57 BST 2025
Package: netatalk
Version: 4.2.3~ds-1
Severity: important
Dear Maintainer,
* What led up to the situation?
It's not possible to connect to a share with a centrally managed user account
on AD that is available via PAM. It's possible when connecting with a server's
local account.
The complete setup used to work with the netatalk package in Debian Bullseye.
* What exactly did you do (or not do) that was effective (or ineffective)?
- Set up sssd correctly so that central users are available:
root@netatalkdbg:/etc/sssd# getent passwd istvan
istvan:*:10000:10001:Stefan van Lieshout:/home/ldapusers/istvan:/bin/bash
- Make sure the correct uams are configured and loaded:
root@netatalkdbg:/etc/netatalk# l /usr/lib/x86_64-linux-gnu/netatalk/
total 184
lrwxrwxrwx 1 root root 11 May 13 16:40 uams_clrtxt.so -> uams_pam.so
-rw-r--r-- 1 root root 26720 May 13 16:40 uams_dhx2_pam.so
-rw-r--r-- 1 root root 18504 May 13 16:40 uams_dhx2_passwd.so
lrwxrwxrwx 1 root root 16 May 13 16:40 uams_dhx2.so -> uams_dhx2_pam.so
-rw-r--r-- 1 root root 22640 May 13 16:40 uams_dhx_pam.so
-rw-r--r-- 1 root root 18488 May 13 16:40 uams_dhx_passwd.so
lrwxrwxrwx 1 root root 15 May 13 16:40 uams_dhx.so -> uams_dhx_pam.so
root@netatalkdbg:/etc/netatalk# journalctl -fn500
Aug 20 16:47:48 netatalkdbg afpd[41690]: auth_load: /usr/lib/x86_64-linux-gnu/netatalk/, uams_dhx.so uams_dhx2.so
Aug 20 16:47:48 netatalkdbg afpd[41690]: uam: loading (/usr/lib/x86_64-linux-gnu/netatalk/uams_dhx.so)
Aug 20 16:47:48 netatalkdbg afpd[41690]: uam: uams_dhx.so loaded
Aug 20 16:47:48 netatalkdbg afpd[41690]: uam: loading (/usr/lib/x86_64-linux-gnu/netatalk/uams_dhx2.so)
Aug 20 16:47:48 netatalkdbg afpd[41690]: DHX2: generating mersenne primes
Aug 20 16:47:48 netatalkdbg afpd[41690]: uam: uams_dhx2.so loaded
- Connect from a Mac machine to the share with the centrally managed
user account
- It results in the following error:
Aug 20 16:53:04 netatalkdbg afpd[41840]: <== Start AFP command: AFP_LOGIN_EXT
Aug 20 16:53:04 netatalkdbg afpd[41840]: DHX2: unknown username
A few extra notes:
- I installed the same setup on a fresh system to rule out anything
that could block, but the result is the same
- When adding the same username to /etc/passwd the following occurs in the
log after trying again:
Aug 20 16:59:55 netatalkdbg afpd[42048]: <== Start AFP command: AFP_LOGIN_EXT
Aug 20 16:59:55 netatalkdbg afpd[42048]: DHX2 login: istvan
Aug 20 16:59:55 netatalkdbg afpd[42048]: ==> Finished AFP command: AFP_LOGIN_EXT -> AFPERR_AUTHCONT
...
Aug 20 16:59:55 netatalkdbg afpd[42048]: <== Start AFP command: AFP_LOGINCONT
Aug 20 16:59:55 netatalkdbg unix_chkpwd[42049]: check pass; user unknown
Aug 20 16:59:55 netatalkdbg afpd[42048]: PAM DHX2: PAM Success
Aug 20 16:59:55 netatalkdbg unix_chkpwd[42050]: check pass; user unknown
Aug 20 16:59:55 netatalkdbg unix_chkpwd[42050]: password check failed for user (istvan)
Aug 20 16:59:55 netatalkdbg afpd[42048]: pam_unix(netatalk:auth): authentication failure; logname=istvan uid=0 euid=0 tty=afpd ruser=istvan rhost=minimek user=istvan
Aug 20 16:59:55 netatalkdbg afpd[42048]: pam_sss(netatalk:auth): User info message: Warning: encryption type arcfour-hmac used for authentication is deprecated and will be disabled
Aug 20 16:59:55 netatalkdbg afpd[42048]: PAM DHX2: PAM Success
Aug 20 16:59:55 netatalkdbg afpd[42048]: pam_sss(netatalk:auth): authentication success; logname=istvan uid=0 euid=0 tty=afpd ruser=istvan rhost=minimek user=istvan
Aug 20 16:59:55 netatalkdbg unix_chkpwd[42052]: could not obtain user info (istvan)
Aug 20 16:59:55 netatalkdbg afpd[42048]: DHX2: PAM_Error: Authentication failure
- Contents of /etc/pam.d/netatalk:
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session-noninteractive
* What was the outcome of this action?
No access to the share
* What outcome did you expect instead?
Access to the share after successful authentication.
-- System Information:
Debian Release: 13.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-38-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages netatalk depends on:
ii avahi-daemon 0.8-16
ii dbus 1.16.2-2
ii init-system-helpers 1.68
ii libacl1 2.3.2-2+b1
ii libatalk 4.2.3~ds-1
ii libavahi-client3 0.8-16
ii libavahi-common3 0.8-16
ii libc6 2.41-12
ii libcrack2 2.9.6-5.2+b1
ii libcrypt1 1:4.4.38-1
ii libdb5.3t64 5.3.28+dfsg2-9
ii libevent-2.1-7t64 2.1.12-stable-10+b1
ii libgcrypt20 1.11.0-7
ii libglib2.0-0t64 2.84.3-1
ii libgssapi-krb5-2 1.21.3-5
ii libiniparser4 4.2.6-1
ii libkrb5-3 1.21.3-5
ii libpam-modules 1.7.0-5
ii libpam0g 1.7.0-5
ii libtalloc2 2:2.4.3+samba4.22.3+dfsg-4
ii libtinysparql-3.0-0 3.8.2-7
ii libtirpc3t64 1.3.6+ds-1
ii netbase 6.5
ii tracker-extract [localsearch] 3.8.2-4+b1
Versions of packages netatalk recommends:
ii a2boot 4.2.3~ds-1
ii atalkd 4.2.3~ds-1
ii macipgw 4.2.3~ds-1
ii netatalk-tools 4.2.3~ds-1
ii papd 4.2.3~ds-1
ii timelord 4.2.3~ds-1
Versions of packages netatalk suggests:
pn netatalk-doc <none>
pn quota <none>
-- Configuration Files:
/etc/netatalk/afp.conf changed:
;
; Netatalk 4.x configuration file
;
[Global]
; Global server settings
log level = default:maxdebug
[Homes]
basedir regex = /home
; [my volume]
; path = /path/to/volume
; volume name = My AFP Volume
; [my backup]
; path = /path/to/backup
; time machine = yes
; volume name = My Backup Volume
[My Time Machine Volume]
path = /srv/timemachine
time machine = yes
vol size limit = 1000000
-- no debconf information