Changes in 2.2.2
================
+* NEW: afpd: New option "adminauthuser". Specifying eg "-adminauthuser root"
+ whenever a normal user login fails, afpd tries to authenticate as
+ the specified adminauthuser. If this succeeds, a normal session is created
+ for the original connecting user. Said differently: if you know the
+ password of adminauthuser, you can authenticate as any other user.
* UPD: afpd: Enhanced POSIX ACL mapping semantics, from Laura Mueller
* FIX: afpd: ACL access checking
* FIX: afpd: Fix an error when duplicating files that lacked an AppleDouble file
free(opt->logconfig);
if (opt->mimicmodel && (opt->mimicmodel != save->mimicmodel))
free(opt->mimicmodel);
+ if (opt->adminauthuser && (opt->adminauthuser != save->adminauthuser))
+ free(opt->adminauthuser);
}
/* initialize options */
options->dsireadbuf = 12;
options->mimicmodel = NULL;
options->fce_fmodwait = 60; /* put fmod events 60 seconds on hold */
+ options->adminauthuser = NULL;
}
/* parse an afpd.conf line. i'm doing it this way because it's
if ((c = getoption(buf, "-mimicmodel")) && (opt = strdup(c)))
options->mimicmodel = opt;
+ if ((c = getoption(buf, "-adminauthuser")) && (opt = strdup(c)))
+ options->adminauthuser = opt;
+
return 1;
}
return ret;
}
-static int logincont2(void *obj, struct passwd **uam_pwd,
+/**
+ * Try to authenticate via PAM as root
+ **/
+static int loginasroot(const char *adminauthuser, int status)
+{
+ int PAM_error;
+ char *hostname = NULL;
+
+ if ((PAM_error = pam_end(pamh, status)) != PAM_SUCCESS)
+ goto exit;
+ pamh = NULL;
+
+ if ((PAM_error = pam_start("netatalk", adminauthuser, &PAM_conversation, &pamh)) != PAM_SUCCESS) {
+ LOG(log_info, logtype_uams, "DHX2: PAM_Error: %s", pam_strerror(pamh,PAM_error));
+ goto exit;
+ }
+
+ /* solaris craps out if PAM_TTY and PAM_RHOST aren't set. */
+ pam_set_item(pamh, PAM_TTY, "afpd");
+ pam_set_item(pamh, PAM_RHOST, hostname);
+ if ((PAM_error = pam_authenticate(pamh, 0)) != PAM_SUCCESS)
+ goto exit;
+
+ LOG(log_warning, logtype_uams, "DHX2: Authenticated as \"%s\2", adminauthuser);
+
+ if ((PAM_error = pam_end(pamh, status)) != PAM_SUCCESS)
+ goto exit;
+ pamh = NULL;
+
+ if ((PAM_error = pam_start("netatalk", PAM_username, &PAM_conversation, &pamh)) != PAM_SUCCESS) {
+ LOG(log_info, logtype_uams, "DHX2: PAM_Error: %s", pam_strerror(pamh,PAM_error));
+ goto exit;
+ }
+
+exit:
+ return PAM_error;
+}
+
+static int logincont2(void *obj_in, struct passwd **uam_pwd,
char *ibuf, size_t ibuflen,
char *rbuf _U_, size_t *rbuflen)
{
+ AFPObj *obj = obj_in;
int ret;
int PAM_error;
const char *hostname = NULL;
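Review bot: The format string in `LOG(log_warning, logtype_uams, "DHX2: Authenticated as \"%s\2", adminauthuser);` ends in the octal escape `\2`, so the log line emits a 0x02 control byte instead of the closing quote; it should read `"DHX2: Authenticated as \"%s\""`. Since this is the only record that an admin credential was used to open another user's session, it is also worth naming the target principal, e.g. `LOG(log_warning, logtype_uams, "DHX2: Authenticated as \"%s\" on behalf of \"%s\"", adminauthuser, PAM_username);`. Separately, PAM_TTY and PAM_RHOST are set only on the adminauthuser handle after the first pam_start; the second pam_start for PAM_username returns a handle without them, and that is the handle the caller continues with, so the two `pam_set_item` calls should be repeated after that pam_start (per the existing comment Solaris misbehaves without them, and RHOST-aware PAM modules would record nothing for the session actually created). logincont2's body continues past the end of this hunk.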
ret = AFPERR_PWDEXPR;
LOG(log_info, logtype_uams, "DHX2: PAM_Error: %s",
pam_strerror(pamh, PAM_error));
- goto error_ctx;
+ if (obj->options.adminauthuser
+ && loginasroot(obj->options.adminauthuser, PAM_error) != PAM_SUCCESS)
+ goto error_ctx;
}
PAM_error = pam_acct_mgmt(pamh, 0);
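Review bot: The fallback at `if (obj->options.adminauthuser && loginasroot(obj->options.adminauthuser, PAM_error) != PAM_SUCCESS)` is taken on every non-success from pam_authenticate, so each failed login for any user now also produces an authentication attempt against the adminauthuser account with the client-supplied password; if that account is subject to a PAM lockout or tally policy, ordinary mistyped passwords by other users will exercise it. A failed fallback is not logged anywhere in the new code (only success is, inside loginasroot), so repeated bad passwords against the admin account leave no trace in the afpd log; consider `LOG(log_warning, logtype_uams, "DHX2: adminauthuser \"%s\" authentication failed: %s", adminauthuser, pam_strerror(pamh, PAM_error));` on the pam_authenticate failure path in loginasroot. Whether error_ctx logs anything is outside the hunk. logincont2 starts and ends outside this hunk.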
char *logconfig;
char *mimicmodel;
+ char *adminauthuser;
};
#define AFPOBJ_TMPSIZ (MAXPATHLEN)
.\" Title: macusers
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 02 Sep 2011
+.\" Date: 13 Oct 2011
.\" Manual: Netatalk 2.2
.\" Source: Netatalk 2.2
.\" Language: English
.\"
-.TH "MACUSERS" "1" "02 Sep 2011" "Netatalk 2.2" "Netatalk 2.2"
+.TH "MACUSERS" "1" "13 Oct 2011" "Netatalk 2.2" "Netatalk 2.2"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.SH "NAME"
macusers \- List the users connecting via AFP
.SH "SYNOPSIS"
-.HP \w'\fBmacusers\fR\fB\fR\fBmacusers\fR\fB\fR\ 'u
-\fBmacusers\fR\fB\fR\fBmacusers\fR\fB\fR \-v | \-version | \-\-version | \-h | \-help | \-\-help
+.HP \w'\fBmacusers\fR\fB\fR\ 'u
+\fBmacusers\fR\fB\fR
+.HP \w'\fBmacusers\fR\fB\fR\ 'u
+\fBmacusers\fR\fB\fR \-v | \-version | \-\-version | \-h | \-help | \-\-help
.SH "DESCRIPTION"
.PP
\fBmacusers\fR
.\" Title: AppleVolumes.default
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 30 Mar 2011
+.\" Date: 13 Oct 2011
.\" Manual: Netatalk 2.2
.\" Source: Netatalk 2.2
.\" Language: English
.\"
-.TH "APPLEVOLUMES\&.DEFAU" "5" "30 Mar 2011" "Netatalk 2.2" "Netatalk 2.2"
+.TH "APPLEVOLUMES\&.DEFAU" "5" "13 Oct 2011" "Netatalk 2.2" "Netatalk 2.2"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
needs a way to preserve extended macintosh characters, or characters illegal in unix filenames, when saving files on a unix filesystem\&. Earlier versions used the the so called CAP encoding\&. An extended character (>0x7F) would be converted to a :xx sequence, e\&.g\&. the Apple Logo (MacRoman: 0XF0) was saved as
:f0\&. Some special characters will be converted as to :xx notation as well\&. \'/\' will be encoded to
:2f, if
-\fB\-usedots\fR
+\fBusedots\fR
is not specified, a leading dot \'\&.\' will be encoded as
:2e\&.
.PP
.RS 4
Use for eg\&. winbind authentication, prepends both strings before the username from login and then tries to authenticate with the result through the availabel and active UAM authentication modules\&.
.RE
+.PP
+\-adminauthuser
+.RS 4
+Specifying eg
+\fB\-adminauthuser root\fR
+whenever a normal user login fails, afpd will try to authenticate as the specified
+\fBadminauthuser\fR\&. If this succeeds, a normal session is created for the original connecting user\&. Said differently: if you know the password of
+\fBadminauthuser\fR, you can authenticate as any other user\&.
+.RE
.SH "CODEPAGE OPTIONS"
.PP
With OS X Apple introduced the AFP3 protocol\&. One of the big changes was, that AFP3 uses Unicode names encoded as Decomposed UTF\-8 (UTF8\-MAC)\&. Previous AFP/OS versions used codepages like MacRoman, MacCentralEurope, etc\&.