On Mon, Dec 23, 2002 at 09:04:23PM -0300, Rodolfo Siviero Stein wrote:

>         To build these files I copied the login pam file, made changes 
> to system-auth and renamed it to smb-auth.
>         Only the radius users need to authenticate in the NT Domain; local 
> users are normal passwd/shadow users.

> This is the server that works:

> radiusd
> #%PAM-1.0
> auth       required     /lib/security/pam_securetty.so
> auth       required     /lib/security/pam_stack.so service=smb-auth
> auth       required     /lib/security/pam_nologin.so
> account    required     /lib/security/pam_stack.so service=smb-auth
> password   required     /lib/security/pam_stack.so service=smb-auth
> session    required     /lib/security/pam_stack.so service=smb-auth
> session    optional     /lib/security/pam_console.so
> 
> smb-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/pam_env.so
> auth        sufficient    /lib/security/pam_winbind.so
> auth        required      /lib/security/pam_deny.so
> 
> account         sufficient              /lib/security/pam_winbind.so
> account         required                /lib/security/pam_unix.so
> 
> password    required      /lib/security/pam_cracklib.so retry=3 type=
> password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password    required      /lib/security/pam_deny.so
> 
> session     required      /lib/security/pam_limits.so
> session     required      /lib/security/pam_unix.so

For starters, you seem to have a lot of unnecessary cruft in your PAM
config that could cause problems later.  I recommend trying this file
for /etc/pam.d/radiusd, since it seems to be closer to what you want:

#%PAM-1.0
# This line is only to keep root from logging in via radius (!)
auth    required        pam_securetty.so
auth    required        pam_winbind.so
account required        pam_winbind.so

Note that you don't need /etc/pam.d/smb-auth -- or pam_stack -- at all.
If you aren't using the same version of the PAM packages on each server,
it's possible that pam_stack may be causing problems.  I recommend
trying the above config first on the machine where you already have
RADIUS working, and if it does what you want, try it on the other
machine as well.

Do you have winbindd running on both machines?  If I'm not mistaken,
winbindd is needed for non-root users to access the NT domain
information, but might *not* be required for any tests that you ran as
root.

Regards,
-- 
Steve Langasek
postmodern programmer
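
Added example, not part of the original message: a short script that inlines the pam_stack references in the two quoted files and lists every module the radiusd service ends up running per management group, which shows what the three-line replacement drops. The function names are illustrative, and the script only lists modules; it does not evaluate control flags.

```python
import os
# The two files quoted in the message above (wrapped pam_unix line rejoined).
FILES = {"radiusd": """\
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=smb-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=smb-auth
password   required     /lib/security/pam_stack.so service=smb-auth
session    required     /lib/security/pam_stack.so service=smb-auth
session    optional     /lib/security/pam_console.so
""", "smb-auth": """\
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/security/pam_winbind.so
account     required      /lib/security/pam_unix.so
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
"""}

def parse(text):
    """Yield (type, control, module_name, args) for each rule line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if line:
            mtype, control, path, *args = line.split()
            yield mtype, control, os.path.basename(path), args

def flatten(service, files, seen=()):
    """Return (type, control, module, origin_file) with pam_stack inlined."""
    if service in seen:
        raise ValueError(f"pam_stack loop via {service}")
    out = []
    for mtype, control, module, args in parse(files[service]):
        target = next((a.split("=", 1)[1] for a in args
                       if a.startswith("service=")), None)
        if module == "pam_stack.so" and target:
            # pam_stack runs the same-type rules of the named service
            sub = flatten(target, files, seen + (service,))
            out += [r for r in sub if r[0] == mtype]
        else:
            out.append((mtype, control, module, service))
    return out

if __name__ == "__main__":
    for rule in flatten("radiusd", FILES):
        print("%-9s %-11s %-18s (from %s)" % rule)
```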
