Cannot build Netatalk on FreeBSD 14 with PAM support #560

Closed
andylemin opened this issue Nov 23, 2023 · 14 comments

andylemin commented Nov 23, 2023

Hi,
It is no longer possible to compile Netatalk 3 on FreeBSD 14 with PAM support enabled.

Install FreeBSD 14 Release (test using netatalk3 in FreeBSD ports = 3.1.16)

cd /usr/ports/net/netatalk3
make clean
make config  # <- enable PAM Support
make
(...)
uams_pam.c:127:3: error: incompatible function pointer types initializing 'int (*)(int, const struct pam_message **, struct pam_response **, void *)' with an expression of type 'int (*)(int, struct pam_message **, struct pam_response **, void*)' [-Wincompatible-function-pointer-types]
  &PAM_conv
  ^~~~~~~~~

We need to enable PAM to provide YubiKey Authentication etc (via FreeRadius) to AFP clients.

PS; I notice that the Netatalk team seem to consider Netatalk as only for home/hobby users now, for legacy apple devices. However this is not true. The number of Apple-only businesses is increasing in my own experience, and nearly all these businesses use Netatalk in production/commercial environments as AFP is still much faster and more reliable than SMB..

SMB is only faster than AFP when using multiple RSS (receive side scaling) connections, on the latest code, on Linux, with Windows Clients. However MacOS does not support RSS at all yet. Until Apple support RSS, to allow multiple connections between Client and Server, Netatalk is the only realistic option.

I know Apple officially dropped support for AFP (Server, not Client), and one day they may also drop the AFP Client. However until the AFP Client stops working, Netatalk is often still the best option for many Apple-only businesses.

In other words, Please don't ignore the business users - we are still here :)

@andylemin andylemin changed the title Cannot build Netatalk 3.1.16 on FreeBSD 14 with PAM support Cannot build Netatalk on FreeBSD 14 with PAM support Nov 23, 2023

andylemin commented Nov 23, 2023

I have also just tested using the current 'main' branch source for Netatalk3 on FreeBSD 14;

git clone https://github.com/Netatalk/netatalk.git netatalk3
cd netatalk3
./bootstrap
./configure --with-pkgconfdir=/usr/local/etc --with-libgcrypt-dir=/usr/local --with-uams-path=/usr/local/libexec/netatalk-uams --with-bdb=/usr/local --localstatedir=/var --disable-bundled-libevent --with-libevent-header=/usr/local/include --with-libevent-lib=/usr/local/lib --with-ssl-dir=/usr/include/openssl --without-dtrace
make clean
make

Build fails with the above configure options, and shows the same PAM build error (PAM option is enabled by default)

./configure --with-pkgconfdir=/usr/local/etc --with-libgcrypt-dir=/usr/local --with-uams-path=/usr/local/libexec/netatalk-uams --with-bdb=/usr/local --localstatedir=/var --disable-bundled-libevent --with-libevent-header=/usr/local/include --with-libevent-lib=/usr/local/lib --with-ssl-dir=/usr/include/openssl --without-dtrace --without-pam
make clean
make

Builds perfectly when PAM is disabled with --without-pam


rdmark commented Nov 25, 2023

Thanks for reporting! I've been testing continuously on FreeBSD 13.1 without trouble, and I was able to build with PAM support just now too. So FreeBSD 14 must have introduced a major update to the PAM libraries that breaks compatibility...? Are you able to check what version of PAM is on your system?

BTW, you're using several deprecated configure options with the main branch there. The bundled libevent was removed a long time ago.

configure: WARNING: unrecognized options: --disable-bundled-libevent, --with-libevent-header, --with-libevent-lib


rdmark commented Nov 26, 2023

I tracked down the issue to the definition of the pam_conv method.

/* PAM conversation function
 * Here we assume (for now, at least) that echo on means login name, and
 * echo off means password.
 */
static int PAM_conv (int num_msg,
#ifdef LINUX
                     const struct pam_message **msg,
#else
                     struct pam_message **msg,
#endif
                     struct pam_response **resp,
                     void *appdata_ptr _U_) {

11 years ago this commit made the assumption that the pam_message data structure was of const struct type on Linux and non-const struct everywhere else. 6216289 ... which followed this seemingly misguided removal of const keywords in many places bd3b0cf

This assumption is incorrect on at least FreeBSD and NetBSD.

However Illumos seems to use the non-const struct type.

Hence, I think this should be an adequate fix: #563

Basically, flip the ifdef check to look for Solaris and descendants.

@andylemin Would you be able to test if this resolves your problem?
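
Added example (not from the thread or the Netatalk source): a conversation callback whose message-array constness is selected by one macro, following the "flip the ifdef" fix described above. The PAM types and constants are local stand-ins so it compiles without PAM headers, and `PAM_MSG_CONST`, `demo_conv`, `run_demo` and `struct creds` are hypothetical names.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-ins for <security/pam_appl.h> so this builds without PAM installed (constructed values). */
enum { PAM_SUCCESS = 0, PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2, PAM_CONV_ERR = 19 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
/* Per the thread: only Solaris descendants take a non-const message array. */
#ifdef __svr4__
#define PAM_MSG_CONST
#else
#define PAM_MSG_CONST const
#endif
struct pam_conv {
    int (*conv)(int, PAM_MSG_CONST struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};
struct creds { const char *user, *pass; };   /* hypothetical appdata payload */

static int demo_conv(int n, PAM_MSG_CONST struct pam_message **msg,
                     struct pam_response **resp, void *appdata)
{
    const struct creds *c = appdata;
    struct pam_response *r;
    if (n <= 0 || !msg || !resp || !c || !(r = calloc((size_t)n, sizeof *r)))
        return PAM_CONV_ERR;
    for (int i = 0; i < n; i++) {   /* echo on: login name; echo off: password */
        const char *ans = msg[i]->msg_style == PAM_PROMPT_ECHO_ON  ? c->user
                        : msg[i]->msg_style == PAM_PROMPT_ECHO_OFF ? c->pass : NULL;
        size_t len = ans ? strlen(ans) + 1 : 0;
        if (!len || !(r[i].resp = malloc(len))) {   /* unknown style or no memory */
            while (i-- > 0) free(r[i].resp);        /* leave no partial replies */
            free(r);
            return PAM_CONV_ERR;
        }
        memcpy(r[i].resp, ans, len);
    }
    *resp = r;
    return PAM_SUCCESS;
}

static char *run_demo(int style)   /* drives the callback through struct pam_conv */
{
    struct creds c = { "alice", "constructed-password" };
    struct pam_conv conv = { &demo_conv, &c };   /* same initialisation that failed in the thread */
    PAM_MSG_CONST struct pam_message *mv[1] = { &(struct pam_message){ style, "prompt" } };
    struct pam_response *r = NULL;
    char *reply = NULL;
    if (conv.conv(1, mv, &r, conv.appdata_ptr) == PAM_SUCCESS) { reply = r[0].resp; free(r); }
    return reply;   /* caller frees; NULL means the conversation failed */
}
```

Because the callback and the `conv` member are declared through the same macro, the pointer types agree on either family of platforms and the build does not depend on the compiler tolerating a mismatch.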


rdmark commented Nov 26, 2023

For the record, I went back and compiled on FreeBSD 13.1 again, observing the compiler log. The compiler does actually warn about incompatible function pointer types there, but does not error out. So the only change between 13 and 14 is that gcc got stricter in the latter.


rdmark commented Nov 26, 2023

Note: The inverse is true for the netatalk2 branches when built on OpenIndiana. We need to add the if !defined(__svr4__) block there.


rdmark commented Nov 27, 2023

@andylemin The fix is in the main branch now. Please try to build in your environment when you have the chance.

@andylemin

Hi @rdmark
Thank you for looking into this so quickly.
Haha, You beat me to it! 😀

I was going to compare with 13.x, and see if I could find the relevant header files for you on the weekend, but I did not have time.

Thank you for breathing new life and love into this project!
Take care, A


rdmark commented Nov 27, 2023

> In other words, Please don't ignore the business users - we are still here :)

We don't ignore you if you speak up. ;)

Earlier this year I had a hypothesis that enterprise users had all but moved off of netatalk at this point. Given the feedback that we've gotten over the last few months, that does not seem to be the case. In the absence of user analytics I can't say for sure what the active install base looks like. But hearing from folks like you is very valuable.

This year we celebrate (?) the 10 year anniversary of Apple making SMB the primary file sharing protocol (OS X Mavericks, October 22, 2013). The AFP client is living on borrowed time, surely!

@dgsga dgsga closed this as completed Nov 27, 2023
@andylemin

Hi @rdmark Thanks, I will test the fix hopefully this week and let you know.

Ha, that's great to hear :) I see mostly startups using Netatalk.
Yes AFP is on borrowed time, Apple has made many improvements in recent years. And SMB on MacOS is catching up to Windows performance slowly.


andylemin commented Dec 3, 2023

Hi @rdmark
Sorry for slow feedback, have been busy with the OpenZFS corruption bug issues.

I pulled the latest main branch code on a test FreeBSD 14 box today (confirmed your fix for PAM is there), and configured with;
./configure --with-pkgconfdir=/usr/local/etc --with-libgcrypt-dir=/usr/local --with-uams-path=/usr/local/libexec/netatalk-uams --with-bdb=/usr/local --localstatedir=/var --with-ssl-dir=/usr/include/openssl --without-dtrace --without-acls --with-pam --without-spotlight

giving;

Configure summary:
    INIT STYLE:
         none
    AFP:
         Extended Attributes: ad | sys
         ACL support: no
         Spotlight: no
    CNID:
         backends:  dbd last mysql
    UAMS:
         DHX     (PAM)
         DHX2    (PAM)
         RANDNUM (afppasswd)
         clrtxt  (PAM)
         guest
    Options:
         Zeroconf support:        yes
         tcp wrapper support:     yes
         valid shell check:       yes
         cracklib support:        no
         ACL support:             no
         Kerberos support:        yes
         LDAP support:            yes
         AFP stats via dbus:      yes
         dtrace probes:           no
    Paths:
         Netatalk lockfile:       /var/spool/lock/netatalk
         dbus system directory:   /usr/local/etc/dbus-1/system.d
         pam config directory:    /usr/local/etc/pam.d
    Documentation:
         Docbook:                 no

However I now get the build error;

make  all-am
  CC       afpd-afp_config.o
  CC       afpd-afp_dsi.o
In file included from ../../include/atalk/spotlight.h:25,
                 from afp_dsi.c:44:
../../include/atalk/dalloc.h:25:10: fatal error: talloc.h: No such file or directory
   25 | #include <talloc.h>
      |          ^~~~~~~~~~
compilation terminated.
*** Error code 1

This surprised me as according to https://github.com/Netatalk/netatalk/pull/572/commits, using --without-spotlight should have forced it to not try building talloc stuff!

So I think I am using bad options or something..


rdmark commented Dec 3, 2023

@andylemin If you haven't done so already, please try to:

  • Pull the latest main branch code
  • Clean up the repo with make clean, git reset --hard, git clean -dfx


andylemin commented Dec 7, 2023

Hi @rdmark
Thanks, I actually deleted my local repo, and cloned a brand new one - so it's not a local issue I believe.

and I have just tried again today (again deleted and fresh clone);

Install FreeBSD14
cd /var/tmp/
git clone http://github.com/Netatalk/netatalk.git netatalk
cd netatalk
pkg install gcc gawk cracklib
./bootstrap
./configure --with-pkgconfdir=/usr/local/etc --with-libgcrypt-dir=/usr/local --with-uams-path=/usr/local/libexec/netatalk-uams --with-bdb=/usr/local --localstatedir=/var --with-ssl-dir=/usr/include/openssl --without-dtrace --without-acls --with-pam --without-spotlight
make

Same talloc build error as before..

./configure output shows Spotlight is disabled, but it is still trying to build talloc etc.

If I install talloc with pkg install talloc then the build does work. However it should not be trying to build talloc anymore with --without-spotlight?

PAM testing;
After building (with talloc installed) and installing;
Check PAM config for Netatalk exists: cat /usr/local/etc/pam.d/netatalk

And check that your uams_dhx.so and uams_dhx2.so uams are either sym-linked to the _pam equivalents in /usr/local/libexec/netatalk-uams, or just set uam list = uams_dhx_pam.so uams_dhx2_pam.so in /usr/local/etc/afp.conf

After restarting with debug mode enabled I can see lines like; DHX2: PAM Auth OK! in afpd.log

So it looks like your const changes did the trick. I will test with radius and let you know if any issues, otherwise looking good.


rdmark commented Dec 7, 2023

Cheers, thanks for testing. Good to hear that the original issue was resolved at least.

The talloc configuration issue has been reported by another user (for macOS) in #577 so let’s follow up on this over there!


rdmark commented Dec 8, 2023

I have a tentative patch lined up in #578 ... however not fully tested yet
