Hi, Hugh! We are running 2.14.1; the note in the revision history was
part of why we thought it should work. We had not explicitly specified
GroupFilename, so we added that option and tried again. It still seems
to be ignoring our primary groups; maybe we're missing something else?
Here's the relevant portion of our config file:
<AuthBy UNIX>
        Identifier System
        Filename /etc/shadow
        GroupFilename /etc/group
        DefaultSimultaneousUse 1
</AuthBy>
<Handler>
        <AuthBy FILE>
                # The filename defaults to %D/users
                Filename %D/users.trial
        </AuthBy>
        ## Trial userids will have a Class of "trial" and
        ## all others will have no Class attribute set.
        AcctLogFileName %L/%N/detail%{Class}
</Handler>
From the users.trial file:
DEFAULT Auth-Type = System, Group = trial, NAS-Port-Type = Async
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 255.255.255.254,
        Framed-Netmask = 255.255.255.255,
        Reply-Message="choice: ",
        Port-Limit = 1,
        Idle-Timeout = 1200,
        Session-Timeout = 28800,
        Class = trial
DEFAULT Auth-Type = System, NAS-Port-Type = Async
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 255.255.255.254,
        Framed-Netmask = 255.255.255.255,
        Reply-Message="choice: ",
        Port-Limit = 1,
        Idle-Timeout = 1200,
        Session-Timeout = 28800
This works great for userids that are explicitly listed in the groups
file, but doesn't seem to work if they are not. We are running nscd,
just in case that may be related to our problem. This is a Solaris 7
box. Passwd and group are both set to files in nsswitch.conf.
Here's an example user and the debug output for it.
In /etc/passwd:
testuser:x:12268:2000:Test User:/tmp:/bin/noshell
In /etc/group:
trial::2000:user1,user2
Debug output:
Fri Oct 29 08:09:59 1999: DEBUG: Check if Handler should be used to handle this request
Fri Oct 29 08:09:59 1999: DEBUG: Handling request with Handler ''
Fri Oct 29 08:09:59 1999: DEBUG: Deleting session for testuser, 209.142.178.4, 0
Fri Oct 29 08:09:59 1999: DEBUG: Handling with Radius::AuthFILE
Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthFILE looks for match with testuser
Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Fri Oct 29 08:09:59 1999: DEBUG: Handling with Radius::AuthUNIX
Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthUNIX looks for match with testuser
Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthUNIX REJECT: User testuser is not in Group trial
Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthFILE REJECT: User testuser is not in Group trial
Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT1
Fri Oct 29 08:09:59 1999: DEBUG: Handling with Radius::AuthUNIX
Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthUNIX looks for match with testuser
Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthUNIX ACCEPT:
Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthFILE ACCEPT:
Fri Oct 29 08:09:59 1999: DEBUG: Access accepted for testuser
Thanks again for your help!
Dawn
At 12:26 PM 10/29/99 +1000, Hugh Irvine wrote:
>This was fixed in Radiator 2.14. The following is from the revision history on
>the web page (http://www.open.com.au/radiator/history.html):
>
>
> AuthBy SYSTEM now checks the primary group as well as
> the secondary groups. It used only to do the secondaries.
>
>You will also need to use the GroupFilename parameter in your AuthBy.
>
>hth
>
>Hugh
>
>--
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
>NT, Rhapsody
>
>===
>Archive at http://www.thesite.com.au/~radiator/
>To unsubscribe, email '[EMAIL PROTECTED]' with
>'unsubscribe radiator' in the body of the message.
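
Added example, not part of the original message and not Radiator's own code: a small diagnostic that works out from passwd and group data whether a user belongs to a group through the primary GID, the member list, or both. The testuser and trial lines are the ones quoted in the message; the user1 passwd line and all function names are assumptions made for illustration.

```python
# Added illustration, not Radiator code; function names are hypothetical.
# testuser and trial lines are from the message; the user1 passwd line is constructed.
PASSWD = """\
testuser:x:12268:2000:Test User:/tmp:/bin/noshell
user1:x:12269:100:Constructed entry:/tmp:/bin/noshell
"""
GROUP = """\
trial::2000:user1,user2
"""


def parse_passwd(text):
    """Map username -> primary GID (4th colon-separated field)."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[3].isdigit():
            users[fields[0]] = int(fields[3])
    return users


def parse_group(text):
    """Map group name -> (GID, set of explicitly listed members)."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[2].isdigit():
            groups[fields[0]] = (int(fields[2]), {m for m in fields[3].split(",") if m})
    return groups


def membership(user, group, passwd_text=PASSWD, group_text=GROUP):
    """Return 'primary', 'secondary', 'both', or None if not a member."""
    groups = parse_group(group_text)
    if group not in groups:
        return None
    gid, members = groups[group]
    # Primary membership comes from the passwd GID, not from the group's member list.
    primary = parse_passwd(passwd_text).get(user) == gid
    secondary = user in members
    if primary and secondary:
        return "both"
    return "primary" if primary else "secondary" if secondary else None


if __name__ == "__main__":
    for name in ("testuser", "user1", "user2", "nobody"):
        print(name, membership(name, "trial"))
```

With this data testuser is a member of trial only through the primary GID 2000, so any check that reads just the member list of /etc/group will not find it.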