On 11/30/2010 09:45 AM, John Dennis wrote:
On 11/25/2010 04:24 PM, Marco Carcano wrote:
Hi John

thank you very much for the reply - I hadn't noticed that a
freeradius2 rpm package exists

I tried, and after a lot of rearrangement of the config files -
freeradius2 splits radiusd.conf a lot - I got it working

but I have to point out this thing - that I hope you - Red Hat -
will fix: /etc/pam.d/radiusd is wrong (maybe the issue is only in
CentOS package):

this is the content of the original file

#%PAM-1.0
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth

it is wrong: it causes PAM auth to fail with a really strange error

pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: function pam_authenticate FAILED for <testuser>. Reason: Module is unknown
++[pam] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}

this error caused me a little headache because initially I thought it
was a misconfiguration of freeradius on my side.

the fix is to replace the contents of /etc/pam.d/radiusd with

#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth

PAM is useful in situations like my Easy Configuration Kit -
ECK: I built an AAA system that relies on Freeradius and does
Accounting in MySQL, Authorization with OpenLDAP and Authentication
by Kerberos - the LDAP directory is Kerberized. I think that PAM and
SASL are a good way to accomplish this - in ECK it works.

Maybe you already know about this issue - I hope this post can help
anybody who gets this strange error - until the package gets fixed

/etc/pam.d/radiusd was deliberately changed from using system-auth to
use password-auth about a year ago.

The reason is that services which cannot use the local means of
authentication with an out-of-band data channel for the credentials, such
as fingerprint and smart card devices, should use the password-auth
file instead of the system-auth file. SMTP, FTP, and other services use it as
well. So the problem is not in the change in the freeradius radiusd PAM
config.

There is likely an error in the password-auth file on your system. It
should be possible to find out in /var/log/secure which module is the
problem.


My apologies, I now realize there is a version mismatch. RHEL5 has not been updated with the password-auth module; it exists only in Fedora and RHEL6. The RHEL5 version of /etc/pam.d/radiusd should be using system-auth, as you correctly point out. The PAM change was inadvertently copied into the RHEL5 version of FreeRADIUS; I will open a bug against the RHEL5 version.

--
John Dennis <[email protected]>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
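A quick check for the failure discussed in this thread, added here as an example and not code from the thread or from FreeRADIUS: it parses a PAM service file and reports every "include"/"substack" target that has no corresponding file in /etc/pam.d, which is what produces "Module is unknown" when radiusd includes password-auth on a host that only ships system-auth. The /etc/pam.d contents are a constructed in-memory sample, not read from disk.

```python
# Added example: detect PAM include targets that do not exist.
# Constructed sample of /etc/pam.d on a RHEL5-style host: only
# system-auth is present; password-auth is absent.
from typing import Dict, List, Tuple

PAMD_RHEL5: Dict[str, str] = {
    "system-auth": "auth required pam_unix.so\naccount required pam_unix.so\n",
}

# The radiusd service file as shipped (includes password-auth) ...
RADIUSD_PASSWORD_AUTH = """#%PAM-1.0
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth
"""
# ... and the corrected RHEL5 version (includes system-auth).
RADIUSD_SYSTEM_AUTH = RADIUSD_PASSWORD_AUTH.replace("password-auth", "system-auth")


def parse_pam(text: str) -> List[Tuple[str, str, str]]:
    """Return (type, control, module_or_target) per rule line.

    Comments and the #%PAM-1.0 banner are skipped. Bracketed control
    values such as [success=1 default=ignore] are not handled here.
    """
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 3:
            rules.append((fields[0], fields[1], fields[2]))
    return rules


def missing_includes(service_text: str, pamd: Dict[str, str]) -> List[str]:
    """Names referenced via include/substack that have no file in pamd."""
    missing: List[str] = []
    for _mtype, control, target in parse_pam(service_text):
        if control in ("include", "substack") and target not in pamd:
            if target not in missing:
                missing.append(target)
    return missing


if __name__ == "__main__":
    print(missing_includes(RADIUSD_PASSWORD_AUTH, PAMD_RHEL5))  # ['password-auth']
    print(missing_includes(RADIUSD_SYSTEM_AUTH, PAMD_RHEL5))    # []
```

Against a live system, replace the dictionary with a listing of /etc/pam.d; a non-empty result points at the file the PAM stack cannot find.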