Debian : serveur de fichiers AFP avec gestion LDAP

Installation et configuration de netatalk

# apt-get build-dep netatalk
# apt-get install libcrack2-dev fakeroot libssl-dev
# apt-get source netatalk
# cd netatalk-2.1.2/
# DEB_BUILD_OPTIONS=ssl dpkg-buildpackage -rfakeroot
# dpkg -i netatalk_2.1.2-2_amd64.deb

# vim /etc/netatalk/afpd.conf

- -tcp -ipaddr 192.168.1.166 -noddp -uamlist uams_dhx2.so -nosavepassword

# vim /etc/netatalk/AppleVolumes.default

/home/share/work work allow:@users perm:770

# mkdir /home/work
# chown root:users /home/share/work
# chmod 770 /home/share/work

Intégration avec Avahi

# apt-get install avahi-daemon libnss-mdns

# touch /etc/avahi/services/afpd.service
# vim /etc/avahi/services/afpd.service

<?xml version= "1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards= "yes">%h</name>
<service>
<type>_afpovertcp._tcp</type>
<port>548</port>
</service>
<service>
<type>_device-info._tcp</type>
<port>0</port>
<txt-record>model=Xserve</txt-record>
</service>
</service-group>

Intégration LDAP

# apt-get install libnss-ldap libpam-ldap

# vim /etc/libnss-ldap.conf
# vim /etc/libpam-ldap.conf

uri ldap://192.168.1.254/
base dc=my,dc=domain
ldap_version 3
binddn cn=proxy,dc=my,dc=domain
bindpw 123456
ssl start_tls
tls_checkpeer no

# vim /etc/pam/common-session

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session    [default=1]            pam_permit.so
# here's the fallback if no module succeeds
session    requisite            pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session    required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
session    required    pam_unix.so
session    optional            pam_ldap.so
# end of pam-auth-update config

session required pam_mkhomedir.so skel=/etc/skel umask=0022

Note

Si le démon afpd refuse de se lancer automatiquement au démarrage de votre machine, il convient de vérifier la sortie de debug du démon en ajoutant l’option _-setuplog “default logmaxdebug”.

Dans le cas où la sortie syslog révèle cette erreur :

Nov  9 15:44:27 patty afpd[1505]:  "patty"'s signature is  978C0D71D26955DDF9149364E6377FB8
Nov  9 15:44:27 patty afpd[1505]: DSIConfigInit: hostslug: patty, ip/port: 192.168.2.200/548,
Nov  9 15:44:27 patty afpd[1505]: dsi_tcp_init: bind: Cannot assign requested address
Nov  9 15:44:27 patty afpd[1505]: dsi_tcp_init: no suitable network config for TCP socket
Nov  9 15:44:27 patty afpd[1505]: main: dsi_init: Cannot assign requested address

il convient d’appliquer ce patch au script de démarrage /etc/init.d/netatalk :

--- netatalk.old    2011-11-09 15:58:00.340749343 +0100
+++ netatalk    2011-11-09 15:48:01.460324452 +0100
@@ -63,6 +63,7 @@
fi

if [ x"$AFPD_RUN" = x"yes" ]; then
+    sleep 4
/usr/sbin/afpd $AFPD_UAMLIST -g $AFPD_GUEST -c $AFPD_MAX_CLIENTS \
-n "$ATALK_NAME$ATALK_ZONE"
echo -n " afpd"