TransWikia.com

Errors log in the auth.log but all working fine

Server Fault Asked on December 13, 2021

Hi I have a Linux server (18.04) that acts as a TimeMachine backup server using the netatalk service.
The users are authenticating using the LDAP (/etc/ldap.conf)

The client can connect to the AFP mount do the TimeMachine backup and log out just fine.
Please let me know if you need more conf file to be shared.

AFPD Version:

    afpd -V
afpd 2.2.6 - Apple Filing Protocol (AFP) daemon of Netatalk

This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version. Please see the file COPYING for further information and details.

afpd has been compiled with support for these features:

          AFP versions: 1.1 2.0 2.1 2.2 3.0 3.1 3.2 3.3 
DDP(AppleTalk) Support: Yes
         CNID backends: dbd last tdb 
           SLP support: No
      Zeroconf support: Avahi
  TCP wrappers support: Yes
         Quota support: Yes
   Admin group support: Yes
    Valid shell checks: Yes
      cracklib support: Yes
        Dropbox kludge: No
  Force volume uid/gid: No
            EA support: ad | sys
           ACL support: Yes
          LDAP support: Yes

             afpd.conf: /etc/netatalk/afpd.conf
   AppleVolumes.system: /etc/netatalk/AppleVolumes.system
  AppleVolumes.default: /etc/netatalk/AppleVolumes.default
    afp_signature.conf: /etc/netatalk/afp_signature.conf
      afp_voluuid.conf: /etc/netatalk/afp_voluuid.conf
         afp_ldap.conf: /etc/netatalk/afp_ldap.conf
       UAM search path: /usr/lib/netatalk/
  Server messages path: /etc/netatalk/msg/
              lockfile: /var/run/afpd.pid

/etc/pam.d/common-auth

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

#auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_cap.so
# end of pam-auth-update config

/etc/pam.d/common-account

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 default=ignore]      pam_ldap.so
# here's the fallback if no module succeeds
account requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

/etc/pam.d/common-session

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required        pam_unix.so
session optional                        pam_ldap.so
session optional        pam_systemd.so
session optional                        pam_mkhomedir.so skel=/etc/skel/ umask=0066
# end of pam-auth-update config

/etc/pam.d/common-password

#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords.  Without this option,
# the default is Unix crypt.  Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
password        requisite                       pam_cracklib.so retry=3 minlen=8 difok=3
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password        required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

Error Log in auth.log

Jul 20 11:05:17 server afpd[5131]: pam_unix(netatalk:auth): authentication failure; logname= uid=0 euid=0 tty=afpd ruser=demouser rhost=192.168.1.10  user=demouser
Jul 20 11:05:17 server afpd[5131]: pam_unix(netatalk:session): session opened for user demouser by (uid=0)
Jul 20 11:05:17 server systemd-logind[1166]: New session c23 of user demouser.
Jul 20 11:06:21 server afpd[5131]: pam_unix(netatalk:session): session closed for user demouser
Jul 20 11:06:21 server dbus-daemon[1278]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.69" (uid=10001 pid=5131 comm="/usr/sbin/afpd -U uams_dhx2.so,uams_clrtxt.so -g n" label="unconfined") interface="org.freedesktop.login1.Manager" member="ReleaseSession" error name="(unset)" requested_reply="0" destination="org.freedesktop.login1" (uid=0 pid=1166 comm="/lib/systemd/systemd-logind " label="unconfined")
Jul 20 11:06:21 server afpd[5131]: pam_systemd(netatalk:session): Failed to release session: Access denied
Jul 20 11:06:21 server afpd[5131]: PAM audit_log_acct_message() failed: Operation not permitted
Jul 20 11:06:21 server systemd-logind[1166]: Removed session c23.

One Answer

I managed to fix all the errors but one by replacing my /etc/pam.d/netatalk file from:

#%PAM-1.0

@include common-auth
@include common-account
@include common-password
@include common-session

To:

#%PAM-1.0
auth required pam_ldap.so try_first_pass
account required pam_ldap.so try_first_pass
session required pam_permit.so

The following error though still occurs once the session is terminated:

Jul 23 13:52:05 server afpd[2426]: PAM audit_log_acct_message() failed: Operation not permitted

Answered by OscarCy on December 13, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP