Passwords that users enter into the chooser to log into your netatalk share
need to be checked. On the Unix side of the fence, each netatalk user
requesting access to your system has to have a valid account (with a valid
shell). If your system uses shadow passwords, you will need to compile shadow
password support into netatalk so it can check passwords from your
/etc/shadow file. (You know you have shadow passwords if lines in your
/etc/passwd file have an "x" where the password should be and there is an
/etc/shadow file, readable only by root, listing the encrypted passwords. For
example, if a line in the /etc/passwd file looks like this:
and you have a line that looks like this in your /etc/shadow file:
then you have shadow passwords.) To use shadow passwords, you will need to
have netatalk compiled with -DSHADOWPW defined in the etc/afpd/Makefile in
the CFLAGS section.
If you want to get "2-way Encrypted Passwords" working with netatalk,
there are a few things you need to do. Because Apple's "2-way Encrypted
Password" scheme requires that the server know the password in cleartext,
existing /etc/passwd and /etc/shadow files will not do for authentication.
After successfully compiling with DES support, you will need to give the
server each netatalk user's password in cleartext by creating a file called
".passwd" in each netatalk user's home directory. This file should contain
the user's password in cleartext, be owned by the user with read/write
permission for that user, and have no read/write permissions for group or other.
-rw------- 1 anders users 9 Mar 31 12:18 .passwd
The user will be able to change their password through the chooser if you
leave this option enabled in afpd.conf. It is important to note, however,
that the only password afpd will change is the cleartext one in the .passwd
file and not the user's "real" Unix password.
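
Because each .passwd file holds a cleartext password, it is worth auditing them against the requirements above (regular file, owned by the user, read/write for the owner, no read/write for group or other). The following Python audit is an added example, not part of the original document or of netatalk; the function names are assumptions made for this illustration.

```python
import os
import stat


def audit_passwd_file(path, expected_uid):
    """Return a list of problems with one .passwd file (empty list = OK)."""
    try:
        # lstat, not stat: a symlink planted in the home directory must not
        # be followed to some other file.
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    problems = []
    if st.st_uid != expected_uid:
        problems.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o600 != 0o600:
        problems.append("owner lacks read/write (mode %04o)" % mode)
    if mode & 0o066:
        problems.append("group/other can read or write (mode %04o)" % mode)
    return problems


def audit_homes(homes):
    """homes: iterable of (username, uid, home_dir) -> {username: problems}.

    Accounts without a .passwd file are skipped: not every Unix account
    is set up for 2-way encrypted passwords.
    """
    report = {}
    for user, uid, home in homes:
        path = os.path.join(home, ".passwd")
        if not os.path.lexists(path):
            continue
        problems = audit_passwd_file(path, uid)
        if problems:
            report[user] = problems
    return report


if __name__ == "__main__":
    import pwd
    homes = [(p.pw_name, p.pw_uid, p.pw_dir) for p in pwd.getpwall()]
    for user, problems in sorted(audit_homes(homes).items()):
        print("%s: %s" % (user, "; ".join(problems)))
```

Run it as root so that every home directory can be inspected; it prints one line per user whose .passwd file does not meet the requirements.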
Original document: [http://www.anders.com/projects/netatalk/passwords.html]