Centrify DirectControl version 5.0 with Mac 10.7 and Ubuntu 10.04

What is Netatalk?
 

Netatalk is a package that lets a Unix machine supply Appletalk print and file services on a LAN. The package supports AppleShare IP and classic Appletalk protocols. With netatalk, Macintosh computers can mount Unix volumes and print to Unix print spools as if they were standard Appletalk network devices.


Problem:
 

Some AD users cannot login and are not authenticating when trying to access the share through Mac and some users can access the share using their AD account.

The issue occurred after DirectAuthorize was configured. Before DirectAuthorize was setup all users were able to access the shares.

from /var/log/auth.log on server with hostname 'files' the following error occurred:

Oct 10 11:25:30 files adclient[2140]: INFO <fd:25 PAMVerifyPassword > audit User 'cg114796' authenticated based on Kerberos exchange to AD
Oct 10 11:25:30 files adclient[2140]: INFO <fd:25 PAMIsUserAllowedAccess2 > audit User 'cg114796' is not authorized: User 'cg114796' denied access to application 'netatalk' by DirectAuthorize

The above error indicate that the user is blocked by DirectAuthorize.


Solution:

On the CentrifyDC Console add 'netatalk' into the PAM access list, then run /usr/sbin/adflush (with no option) and restart /etc/init.d/netatalk restart

See the image as an example:








NOTE:  This KB does not explain on how to configure Netatalk.