Hi, I have a Linux server (18.04) that acts as a TimeMachine backup server using the netatalk service. The users authenticate via LDAP (/etc/ldap.conf).
The client can connect to the AFP mount, do the TimeMachine backup and log out just fine. Please let me know if you need more conf files to be shared.
AFPD Version:
afpd -V
afpd 2.2.6 - Apple Filing Protocol (AFP) daemon of Netatalk
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version. Please see the file COPYING for further information and details.
afpd has been compiled with support for these features:
AFP versions: 1.1 2.0 2.1 2.2 3.0 3.1 3.2 3.3
DDP(AppleTalk) Support: Yes
CNID backends: dbd last tdb
SLP support: No
Zeroconf support: Avahi
TCP wrappers support: Yes
Quota support: Yes
Admin group support: Yes
Valid shell checks: Yes
cracklib support: Yes
Dropbox kludge: No
Force volume uid/gid: No
EA support: ad | sys
ACL support: Yes
LDAP support: Yes
afpd.conf: /etc/netatalk/afpd.conf
AppleVolumes.system: /etc/netatalk/AppleVolumes.system
AppleVolumes.default: /etc/netatalk/AppleVolumes.default
afp_signature.conf: /etc/netatalk/afp_signature.conf
afp_voluuid.conf: /etc/netatalk/afp_voluuid.conf
afp_ldap.conf: /etc/netatalk/afp_ldap.conf
UAM search path: /usr/lib/netatalk/
Server messages path: /etc/netatalk/msg/
lockfile: /var/run/afpd.pid
/etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
/etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
/etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_ldap.so
session optional pam_systemd.so
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0066
# end of pam-auth-update config
/etc/pam.d/common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix.
# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords. Without this option,
# the default is Unix crypt. Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
password requisite pam_cracklib.so retry=3 minlen=8 difok=3
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
Error Log in auth.log
Jul 20 11:05:17 server afpd[5131]: pam_unix(netatalk:auth): authentication failure; logname= uid=0 euid=0 tty=afpd ruser=demouser rhost=192.168.1.10 user=demouser
Jul 20 11:05:17 server afpd[5131]: pam_unix(netatalk:session): session opened for user demouser by (uid=0)
Jul 20 11:05:17 server systemd-logind[1166]: New session c23 of user demouser.
Jul 20 11:06:21 server afpd[5131]: pam_unix(netatalk:session): session closed for user demouser
Jul 20 11:06:21 server dbus-daemon[1278]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.69" (uid=10001 pid=5131 comm="/usr/sbin/afpd -U uams_dhx2.so,uams_clrtxt.so -g n" label="unconfined") interface="org.freedesktop.login1.Manager" member="ReleaseSession" error name="(unset)" requested_reply="0" destination="org.freedesktop.login1" (uid=0 pid=1166 comm="/lib/systemd/systemd-logind " label="unconfined")
Jul 20 11:06:21 server afpd[5131]: pam_systemd(netatalk:session): Failed to release session: Access denied
Jul 20 11:06:21 server afpd[5131]: PAM audit_log_acct_message() failed: Operation not permitted
Jul 20 11:06:21 server systemd-logind[1166]: Removed session c23.
I managed to fix all the errors but one by replacing my /etc/pam.d/netatalk file from:
To:
The following error though still occurs once the session is terminated:
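Added illustration, not part of the question or of netatalk: with the common-auth stack above, an LDAP user always produces one pam_unix "authentication failure" line before pam_ldap accepts the same password, so raw pam_unix failure counts over-report bad logins for this host. The script below correlates each failure with a "session opened" line from the same afpd PID; the WINDOW_SECONDS value and the PID 5140 sample lines are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample: the first two lines are pam_unix entries from the question's
# auth.log; the PID 5140 lines are made up to show a client whose failure is never
# followed by a session, i.e. a genuine bad password rather than LDAP fallthrough.
SAMPLE_LOG = """\
Jul 20 11:05:17 server afpd[5131]: pam_unix(netatalk:auth): authentication failure; logname= uid=0 euid=0 tty=afpd ruser=demouser rhost=192.168.1.10 user=demouser
Jul 20 11:05:17 server afpd[5131]: pam_unix(netatalk:session): session opened for user demouser by (uid=0)
Jul 20 11:09:02 server afpd[5140]: pam_unix(netatalk:auth): authentication failure; logname= uid=0 euid=0 tty=afpd ruser=demouser rhost=192.168.1.77 user=demouser
Jul 20 11:09:03 server afpd[5140]: pam_unix(netatalk:auth): authentication failure; logname= uid=0 euid=0 tty=afpd ruser=demouser rhost=192.168.1.77 user=demouser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ afpd\[(?P<pid>\d+)\]: "
    r"pam_unix\(netatalk:(?P<stage>auth|session)\): (?P<msg>.*)$"
)
OPEN_RE = re.compile(r"^session opened for user (?P<user>\S+)")
WINDOW_SECONDS = 5  # assumed: pam_ldap accepts the same password almost immediately

def parse(log_text):
    """Return (timestamp, pid, stage, message) for each afpd pam_unix line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # year-less syslog timestamp; only deltas matter here
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, int(m["pid"]), m["stage"], m["msg"]))
    return events

def session_opened_after(events, pid, user, ts, window):
    """True if the same afpd PID opened a session for `user` within `window` seconds."""
    for ts2, pid2, stage2, msg2 in events:
        m = OPEN_RE.match(msg2) if pid2 == pid and stage2 == "session" else None
        if m and m["user"] == user and 0 <= (ts2 - ts).total_seconds() <= window:
            return True
    return False

def classify_failures(log_text, window=WINDOW_SECONDS):
    """One record per pam_unix auth failure, tagged 'ldap_fallthrough' or 'real_failure'."""
    events = parse(log_text)
    records = []
    for ts, pid, stage, msg in events:
        if stage != "auth" or not msg.startswith("authentication failure"):
            continue
        fields = dict(re.findall(r"(\w+)=(\S*)", msg))  # logname= uid=0 ... user=demouser
        user, rhost = fields.get("user", ""), fields.get("rhost", "")
        benign = session_opened_after(events, pid, user, ts, window)
        records.append({"ts": ts.strftime("%b %d %H:%M:%S"), "pid": pid, "user": user,
                        "rhost": rhost, "verdict": "ldap_fallthrough" if benign else "real_failure"})
    return records
```

Only the "real_failure" records are worth feeding into a lockout or alerting rule; the fallthrough ones disappear entirely if pam_ldap is ordered before pam_unix in common-auth.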