OpenLDAP, AFP, FreeNAS Authentication

guypp (Cadet, joined Jun 7, 2019, 4 messages)
After a lot of messing around I have SMB and OpenLDAP authentication working; I had to add a CA cert for Let's Encrypt.

Do you have to really set up Kerberos now for this to work? I really don't need or want Kerberos.

However, no matter what I do I'm not able to get AFP authentication working.

FreeNAS-11.2-U4.1

Jun 7 17:03:36 vla afpd: authentication failure; logname=root uid=0 euid=0 tty=afpd ruser=guy rhost=192.168.10.10 user=guy
Jun 7 17:03:36 vla afpd: received for user guy: 7 (permission denied)

Jun 07 17:03:36.145194 afpd[55006] {uams_dhx2_pam.c:330} (info:UAMS): DHX2 login: guy
Jun 07 17:03:36.168927 afpd[55006] {uams_dhx2_pam.c:215} (info:UAMS): PAM DHX2: PAM Success
Jun 07 17:03:36.171174 afpd[55006] {uams_dhx2_pam.c:215} (info:UAMS): PAM DHX2: PAM Success
Jun 07 17:03:36.171556 afpd[55006] {uams_dhx2_pam.c:667} (info:UAMS): DHX2: PAM_Error: authentication error
Jun 07 17:03:36.171638 afpd[55006] {afp_dsi.c:108} (note:AFPDaemon): AFP statistics: 0.51 KB read, 0.38 KB written
Jun 07 17:03:36.171651 afpd[55006] {dircache.c:615} (info:AFPDaemon): dircache statistics: entries: 0, lookups: 0, hits: 0, misses: 0, added: 0, removed: 0, expunged: 0, evicted: 0
Jun 07 17:03:36.173021 afpd[49875] {main.c:151} (info:AFPDaemon): child[55006]: done
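The two log formats above (the syslog-style "authentication failure" lines and netatalk's own DHX2/PAM debug lines) are easy to correlate by afpd child pid, which is what a defender reviewing these failures would want: the session shows PAM reporting "PAM Success" and then the DHX2 module ending in PAM_Error. The following is an added example for triaging such logs, not code from the post or from FreeNAS; the sample lines are constructed (the first five are copied from the post, the last two are made up) and the threshold is an arbitrary choice.

```python
import re
from collections import defaultdict

# Constructed sample: afpd syslog lines plus netatalk debug lines, as in the post.
SAMPLE_LOG = """\
Jun 7 17:03:36 vla afpd: authentication failure; logname=root uid=0 euid=0 tty=afpd ruser=guy rhost=192.168.10.10 user=guy
Jun 7 17:03:36 vla afpd: received for user guy: 7 (permission denied)
Jun 07 17:03:36.145194 afpd[55006] {uams_dhx2_pam.c:330} (info:UAMS): DHX2 login: guy
Jun 07 17:03:36.168927 afpd[55006] {uams_dhx2_pam.c:215} (info:UAMS): PAM DHX2: PAM Success
Jun 07 17:03:36.171556 afpd[55006] {uams_dhx2_pam.c:667} (info:UAMS): DHX2: PAM_Error: authentication error
Jun 07 17:04:02 vla afpd: authentication failure; logname=root uid=0 euid=0 tty=afpd ruser=guy rhost=192.168.10.10 user=guy
Jun 07 17:05:10.000001 afpd[55100] {uams_dhx2_pam.c:330} (info:UAMS): DHX2 login: alice
"""

# Syslog-style failure line: extract the remote host and the user being tried.
FAILURE_RE = re.compile(r"afpd: authentication failure;.*?\brhost=(?P<rhost>\S+).*?\buser=(?P<user>\S+)")
# netatalk debug: start of a DHX2 login for a given afpd child pid.
LOGIN_RE = re.compile(r"afpd\[(?P<pid>\d+)\] \{uams_dhx2_pam\.c:\d+\} \(info:UAMS\): DHX2 login: (?P<user>\S+)")
# netatalk debug: final PAM error reported by the DHX2 module for that pid.
PAM_ERROR_RE = re.compile(r"afpd\[(?P<pid>\d+)\] .*DHX2: PAM_Error: (?P<reason>.+)$")


def summarize_afpd_auth(log_text):
    """Return ((user, rhost) -> failure count, pid -> {'user', 'outcome'})."""
    failures = defaultdict(int)
    sessions = {}
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            failures[(m["user"], m["rhost"])] += 1
            continue
        m = LOGIN_RE.search(line)
        if m:
            sessions[m["pid"]] = {"user": m["user"], "outcome": "pending"}
            continue
        m = PAM_ERROR_RE.search(line)
        if m and m["pid"] in sessions:
            sessions[m["pid"]]["outcome"] = "pam_error: " + m["reason"].strip()
    return dict(failures), sessions


def failure_alerts(log_text, threshold=2):
    """List (user, rhost, count) pairs that reached the failure threshold."""
    failures, _ = summarize_afpd_auth(log_text)
    return [(u, h, n) for (u, h), n in failures.items() if n >= threshold]
```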

tigloo (Explorer, joined Aug 23, 2016, 53 messages)
Do you use Apple clients only, or are you in a mixed environment? Are you really authenticating against OpenLDAP and then using that authentication to access SMB shares, or are you only using user id lookups? I assume that if you use PAM, you use a per-share authentication dialog and then want the AFP server to check that password against LDAP, correct?

I tried to create the same setup about 5 years ago, running OpenLDAP on a Raspberry Pi. I got it to work but it was quite buggy and broke at least with every macOS upgrade. Apple really only supports Open Directory and for everything else you'll see odd errors that they seemingly do not care to fix.

Eventually I gave in, ran Open Directory and did a full Kerberos setup. If you are not in a mixed environment, maybe the following thread will help:
https://www.ixsystems.com/community...pen-directory-in-mac-os-x-environments.46493/

guypp (Cadet, joined Jun 7, 2019, 4 messages)
I have OpenLDAP working just fine everywhere else. We mostly have Macs here but a few Windows. I want to expose SMB and AFP shares using OpenLDAP to authenticate.

SMB authentication is working just fine. AFP continues to fail to authenticate with OpenLDAP. I really don't want to run AD or Mac Open Directory, or Kerberos. None of this should be necessary.

guypp (Cadet, joined Jun 7, 2019, 4 messages)
I'm still struggling with this... guest works, local auth works, it's just when I attempt to use LDAP for auth that I run into issues.

tigloo (Explorer, joined Aug 23, 2016, 53 messages)
> I'm still struggling with this... guest works, local auth works, it's just when I attempt to use LDAP for auth that I run into issues.

Are you referring to SMB or AFP? You stated earlier that you don't want to set up Kerberos, but Kerberos is a prerequisite for single sign-on on Apple. You are fine to try another way, but my experience with Apple is that if you don't follow their system design, you usually don't get it to work.

tigloo (Explorer, joined Aug 23, 2016, 53 messages)
> I have the same problem and no one is helping :(

Can you follow every step in the howto from top to bottom (in the exact same sequence) and tell me where it fails? Every step has a check that ensures that everything is set up correctly. You need to determine the first step where you don't get past the checkpoint.

arminarmin (Cadet, joined Mar 3, 2020, 3 messages)
> Can you follow every step in the howto from top to bottom (in the exact same sequence) and tell me where it fails? Every step has a check that ensures that everything is set up correctly. You need to determine the first step where you don't get past the checkpoint.

Hi, I did follow that from top to bottom. My OpenLDAP is currently working with Synology, but the story is totally different in FreeNAS: I can see the LDAP users when I'm trying to give permissions, but after I apply it will be changed to the "operator" user automatically. I tried all the different protocols, such as SMB, AFP and FTP; all failed at the auth level.