Linked by Thom Holwerda on Sat 26th Mar 2011 02:00 UTC
Mac OS X When you run smbd -V on your Snow Leopard installation, you'll see it's running SAMBA version 3.0.28a-apple. While I'm not sure how much difference the "-apple" makes, version 3.0.28a is old. Very old. In other words, it's riddled with bugs. Apple hasn't updated SAMBA in 3 years, and for Lion, they're dumping it altogether for something homegrown. The reason? SAMBA is now GPLv3.
Thread beginning with comment 468072
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[3]: Netatalk
by theosib on Sun 27th Mar 2011 20:26 UTC in reply to "RE[2]: Netatalk"
theosib
Member since:
2006-03-02

I would love to know how you manage to use kerberos directly without using a PAM plugin. From your comment, I'm inferring that although basically every Linux app that uses authentication uses PAM to communicate with the underlying authentication system (system-auth, kerberos, LDAP, etc.), you're saying that Netatalk can use Kerberos directly. How do you make that work?

Thanks.

Reply Parent Score: 2

Netatalk and Kerberos
by s_groening on Mon 28th Mar 2011 05:53 in reply to "RE[3]: Netatalk"
s_groening Member since:
2005-12-13

Yes, indeed it does!

-Actually, Netatalk uses its own set of authentication plugins that work independently of the surrounding architecture.

Netatalk kan use Kerberos for authentication with just a singe requirement met: The Kerberos keytab (e.g. /etc/krb5.keytab) needs to contain a service principal key for use with Netatalk. This is usually called afpserver/yourserver.example.org@EXAMPLE.ORG .

Create this service principal key in the following manner:

$ kadmin.local: addprinc --randkey afpserver/yourserver.example.org

(you can omit the realm as it's implied by kadmin.local)

then:

$ kadmin.local: ktadd -k /etc/krb5.keytab afpserver/yourserver.example.org

to add the new key to the existing keytab.

Once you've created this from kadmin.local, you can go on to setup Netatalk to use the newly created key by creating a setup like this:

- -tcp -no ddp -uamlist uams_gss.so -k5service afpserver -k5keytab /etc/krb5.keytab -k5realm EXAMPLE.ORG -fqdn yourserver.example.org:548

Basically, this tells Netatalk to bind to all interfaces, use TCP protocol, use GSSAPI (Kerberos5) for authentication, using the newly created afpserver service principal key from the system's Kerberos keytab and present to others a service of the type afpserver, identifying itself as yourserver.example.org within the realm EXAMPLE.ORG running AFP on port 548 ;)

I hope this example helps!

Reply Parent Score: 4

RE: Netatalk and Kerberos
by theosib on Tue 29th Mar 2011 01:59 in reply to "Netatalk and Kerberos"
theosib Member since:
2006-03-02

Well, I followed your instructions, but no matter what I do, I get access denied when I try to mount. What might I be doing wrong?

I've tried a few other guides to this, and none of them worked either.

Any idea how I might diagnose it? Something's clearly not setup right. BTW, I did restart all the krb and atalk processes.

Reply Parent Score: 2