#955 closed defect (fixed)

LDAP authentication not working with AFP

Reported by: damiensatanus
Owned by:
Priority: major
Milestone:
Component: Backend
Version: 8.0.2-RELEASE
Keywords:
Cc:

Description

LDAP authentication not working with AFP shares. (AFP works fine with local users)

When I run getent group and getent passwd from the command line, the correct users and groups are returned, so LDAP appears to be working correctly; I can also ssh in as an LDAP user.

Additionally, there are the following related errors:

Oct 26 09:37:55 freenas0 afpd[47839]: bind(fd, (struct sockaddr *)&address, address_length) failed: Address already in use

Change History (5)

comment:1 Changed 19 months ago by gcooper

Yeah... a customer commented on LDAP support being incomplete as well. I forgot to file a ticket for that.

That being said, the afpd bind issue doesn't apply to the issue being discussed. It's something I believe I resolved on trunk via some of the changes to notifier where it was starting stuff up incorrectly.

comment:2 Changed 19 months ago by damiensatanus

Ya, it is not related to the authentication error; I just thought I would add it.

I have been doing some more debugging. I have maxed out debugging for afp and pam. According to the logs the user actually authenticates successfully; however, it fails to present an Apple share/volume due to permissions errors.

It may be a pam configuration problem. If I ssh in as a regular LDAP user and run 'getent group' and 'getent passwd', LDAP users and groups are not returned. I believe when a user connects via afp a new afp process is created which is owned by that user, and if it can't get the correct user id then it will fail (just a theory so far).

I have set up a FreeBSD 8.2-RELEASE system running the latest netatalk, pam_ldap and nss_ldap.

I copied over the relevant files from the FreeNAS system (netatalk, ldap and pam configs) and receive the exact same error.

I will keep you posted when/if I find something

comment:3 follow-up: Changed 19 months ago by gcooper

Did you set up LDAP at all on your box and turn on the "service"?

comment:4 in reply to: ↑ 3 Changed 19 months ago by damiensatanus

Replying to gcooper:

Did you set up LDAP at all on your box and turn on the "service"?

Yes, LDAP is on under services on the FreeNAS box. I can ssh into the box as root and run 'getent group' and it returns LDAP groups as expected. If I log on as an LDAP user (testuser1 for example) and run 'getent group' and 'getent passwd', the LDAP users and groups are returned as expected as well. However, I believe there is a pam problem because, as that same LDAP user (testuser1), if I run the groups command 'groups testuser1' or 'id testuser1', both return no user found.

I have the LDAP server in debug mode. I can see all the requests from the FreeNAS box. There have been no LDAP errors from client requests.
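The observations in the two comments above touch different NSS code paths: `getent passwd` with no key enumerates accounts through getpwent(), while `getent passwd NAME` and `id NAME` resolve one account through getpwnam(). An account that shows up in the enumeration but cannot be resolved by name points at the NSS lookup path rather than at PAM, which only runs at login time. The following script, added here as an example and not part of the ticket or of FreeNAS, probes both paths for a given user; the probe against `root` and the invented user name `no_such_user_zz` are constructed inputs, and the script assumes a system with `getent` and `id` available.

```shell
#!/bin/sh
# nss_check USER: probes NSS enumeration (getpwent) and name lookup (getpwnam)
# for USER and prints one summary line. Return codes:
#   0  user visible through both enumeration and name lookup
#   1  user enumerated but name lookup fails (NSS lookup path broken)
#   2  user not visible at all
nss_check() {
    user=$1
    enum=0
    lookup=0
    # Enumeration path: walk the whole passwd database via getpwent().
    if getent passwd | cut -d: -f1 | grep -qx "$user"; then
        enum=1
    fi
    # Lookup path: resolve a single name via getpwnam(), as id(1) does.
    if getent passwd "$user" >/dev/null 2>&1 && id "$user" >/dev/null 2>&1; then
        lookup=1
    fi
    echo "$user: enumerated=$enum name_lookup=$lookup"
    if [ "$enum" -eq 1 ] && [ "$lookup" -eq 1 ]; then
        return 0
    elif [ "$enum" -eq 1 ]; then
        return 1
    fi
    return 2
}

# Usage: run as root and again as an unprivileged (LDAP) user and compare.
# root exists on every system; no_such_user_zz is a constructed negative case.
nss_check root
nss_check no_such_user_zz || true
```

Running it once as root and once as the LDAP user makes the difference the thread is circling visible without involving afpd: a return of 1 means the directory is reachable but per-name resolution is broken, while consistent 0 results leave PAM as the remaining suspect.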

comment:5 Changed 18 months ago by gcooper

  • Resolution set to fixed
  • Status changed from new to closed

It should work now in 8.0.3 because the missing pam.d integration files have been added to FreeNAS. Please try that version and verify whether or not it fixes the issue.
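The ticket does not show the pam.d files that were added. For orientation only, the following is a typical per-service PAM stack for afpd on FreeBSD, written for this page as an example rather than taken from FreeNAS or netatalk: afpd's PAM-based UAMs open the PAM service named `netatalk`, so the file would live at `/usr/local/etc/pam.d/netatalk`; the module path `/usr/local/lib/pam_ldap.so` is the usual location of the pam_ldap port and is an assumption here.

```text
# /usr/local/etc/pam.d/netatalk  (assumed path; example only)
# auth: try LDAP first, fall back to local passwd
auth     sufficient  /usr/local/lib/pam_ldap.so  no_warn
auth     required    pam_unix.so                 no_warn try_first_pass
# account: an LDAP account that passes auth must also pass account checks
account  sufficient  /usr/local/lib/pam_ldap.so
account  required    pam_unix.so
# session: nothing LDAP-specific needed for a file share
session  required    pam_permit.so
```

The `account` stack is the part that matters for the symptom in this ticket: without a service file, afpd falls through to the default policy, and a user who authenticated against LDAP can still be denied a volume if the account phase or the subsequent NSS lookup of the uid fails.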
