Linked by Thom Holwerda on Sat 26th Mar 2011 02:00 UTC
Mac OS X When you run smbd -V on your Snow Leopard installation, you'll see it's running SAMBA version 3.0.28a-apple. While I'm not sure how much difference the "-apple" makes, version 3.0.28a is old. Very old. In other words, it's riddled with bugs. Apple hasn't updated SAMBA in 3 years, and for Lion, they're dumping it altogether for something homegrown. The reason? SAMBA is now GPLv3.
Thread beginning with comment 468065
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[2]: Netatalk
by s_groening on Sun 27th Mar 2011 18:24 UTC in reply to "RE: Netatalk"
s_groening
Member since:
2005-12-13

I wasn't aware that these problems existed with TM backups. Let's hope that Netatalk 2.2 and its reconnect features cure this problem once and for all.

Concerning the problems with authentication, I've used Netatalk for several years with Kerberos only authentication and I have yet to experience the trouble you describe.

Reply Parent Score: 2

RE[3]: Netatalk
by theosib on Sun 27th Mar 2011 19:36 in reply to "RE[2]: Netatalk"
theosib Member since:
2006-03-02

I've heard from other sources that PAM is quite buggy, so that may be the source of the trouble.

Reply Parent Score: 2

RE[3]: Netatalk
by theosib on Sun 27th Mar 2011 20:26 in reply to "RE[2]: Netatalk"
theosib Member since:
2006-03-02

I would love to know how you manage to use kerberos directly without using a PAM plugin. From your comment, I'm inferring that although basically every Linux app that uses authentication uses PAM to communicate with the underlying authentication system (system-auth, kerberos, LDAP, etc.), you're saying that Netatalk can use Kerberos directly. How do you make that work?

Thanks.

Reply Parent Score: 2

Netatalk and Kerberos
by s_groening on Mon 28th Mar 2011 05:53 in reply to "RE[3]: Netatalk"
s_groening Member since:
2005-12-13

Yes, indeed it does!

-Actually, Netatalk uses its own set of authentication plugins that work independently of the surrounding architecture.

Netatalk kan use Kerberos for authentication with just a singe requirement met: The Kerberos keytab (e.g. /etc/krb5.keytab) needs to contain a service principal key for use with Netatalk. This is usually called afpserver/yourserver.example.org@EXAMPLE.ORG .

Create this service principal key in the following manner:

$ kadmin.local: addprinc --randkey afpserver/yourserver.example.org

(you can omit the realm as it's implied by kadmin.local)

then:

$ kadmin.local: ktadd -k /etc/krb5.keytab afpserver/yourserver.example.org

to add the new key to the existing keytab.

Once you've created this from kadmin.local, you can go on to setup Netatalk to use the newly created key by creating a setup like this:

- -tcp -no ddp -uamlist uams_gss.so -k5service afpserver -k5keytab /etc/krb5.keytab -k5realm EXAMPLE.ORG -fqdn yourserver.example.org:548

Basically, this tells Netatalk to bind to all interfaces, use TCP protocol, use GSSAPI (Kerberos5) for authentication, using the newly created afpserver service principal key from the system's Kerberos keytab and present to others a service of the type afpserver, identifying itself as yourserver.example.org within the realm EXAMPLE.ORG running AFP on port 548 ;)

I hope this example helps!

Reply Parent Score: 4