Netatalk with winbind auth

Hi y'all!

Recently I had to set up an afpd (netatalk 2.2.1) server with PAM authentication (winbind-backed).

The problem was that the users couldn't log in to the AFPDaemon. I configured the log in verbose mode and I found this:

Jan 10 18:44:20.012522 afpd[7737] {afp_dsi.c:610} (D5:AFPDaemon): <== Start AFP command: AFP_LOGINCONT
Jan 10 18:44:20.017594 afpd[7737] {fault.c:122} (S:Default): ===============================================================
Jan 10 18:44:20.017646 afpd[7737] {fault.c:123} (S:Default): INTERNAL ERROR: Signal 11 in pid 7737 (2.2.1)
Jan 10 18:44:20.017678 afpd[7737] {fault.c:124} (S:Default): ===============================================================
Jan 10 18:44:20.017932 afpd[7737] {fault.c:96} (S:Default): BACKTRACE: 1 stack frames:
Jan 10 18:44:20.017970 afpd[7737] {fault.c:102} (S:Default): #0 /usr/lib/libatalk.so.0(netatalk_panic+0x29) [0xb7859745]
Jan 10 18:44:20.018544 afpd[7733] {main.c:219} (I:AFPDaemon): child[7737]: killed by signal 6

Google is your friend, and after some work I found an Ubuntu bug report that pointed me to the right answer:
https://bugs.launchpad.net/ubuntu/+source/netatalk/+bug/810732

Radoslaw Ejsmont's comment was the right solution for my problem: after some modifications of the netatalk PAM file I removed pam_smbpass.so and it all worked fine.

Now the netatalk PAM file looks like this:

auth required pam_tally2.so onerr=succeed
auth required pam_shells.so
auth required pam_nologin.so
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth optional pam_deny.so

account required pam_access.so
account required pam_nologin.so
account required pam_tally2.so onerr=succeed
account required pam_unix.so
account sufficient pam_winbind.so
account optional pam_deny.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password optional pam_deny.so

session required pam_env.so
session required pam_limits.so
session required pam_unix.so
session optional pam_loginuid.so
session optional pam_permit.so
session optional pam_lastlog.so
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so
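
A check on the auth stack above, as an added example that is not part of the original post or of netatalk: a simplified Python model of how Linux-PAM combines the `required`, `requisite`, `sufficient` and `optional` keywords. The per-module results passed to `evaluate` are assumptions supplied by the caller, and bracketed `[value=action]` controls and most return codes are not modelled.

```python
# Constructed copy of the auth lines from the netatalk PAM file above.
AUTH_STACK = """\
auth required pam_tally2.so onerr=succeed
auth required pam_shells.so
auth required pam_nologin.so
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth optional pam_deny.so
"""

def parse(text, mod_type):
    """Return [(control, module)] for one module type, skipping comments."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mod_type:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, results):
    """Combine module results the way the four control keywords are documented.

    results maps module name -> "ok" | "fail" | "ignore" (assumed inputs);
    modules not listed are assumed to return "ok".
    """
    positive = failed = False
    for control, module in stack:
        result = results.get(module, "ok")
        if result == "ignore":
            continue                      # contributes nothing either way
        if result == "ok":
            if control == "sufficient" and not failed:
                return True               # success ends the stack here
            positive = True
        elif control == "required":
            failed = True                 # remembered, stack keeps running
        elif control == "requisite":
            return False                  # fails the stack immediately
        # a failing sufficient or optional module is ignored
    # PAM needs at least one positive result and no required failure
    return positive and not failed

def inert_denies(stack):
    """List pam_deny.so entries whose control keyword cannot fail the stack."""
    return [m for c, m in stack
            if m == "pam_deny.so" and c in ("optional", "sufficient")
            and len(stack) > 1]
```

With `optional pam_deny.so`, the result when pam_unix.so fails is decided by the required modules before it; a `required pam_deny.so` after the sufficient line makes that fall-through fail instead.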

I hope this saves you time if you find yourself in the same situation as me.

Cheers.