Checkval weird issue with LDAP backend and PAM authentication

John Dennis jdennis at redhat.com
Tue Nov 30 16:22:53 CET 2010


On 11/30/2010 09:45 AM, John Dennis wrote:
> On 11/25/2010 04:24 PM, Marco Carcano wrote:
>> Hi John
>>
>> thank you very much for the reply - I hadn't noticed that a
>> freeradius2 rpm package exists
>>
>> I tried, and after a lot of rearranging of the config files -
>> freeradius2 splits radiusd.conf up a lot - I got it working
>>
>> but I have to point out this thing - that I hope you - Red Hat -
>> will fix: /etc/pam.d/radiusd is wrong (maybe the issue is only in
>> CentOS package):
>>
>> this is the content of the original file
>>
>> #%PAM-1.0
>> auth       include      password-auth
>> account    required     pam_nologin.so
>> account    include      password-auth
>> password   include      password-auth
>> session    include      password-auth
>>
>> it is wrong: it causes PAM auth to fail with a really strange error
>>
>> pam_pass: using pamauth string <radiusd> for pam.conf lookup
>> pam_pass: function pam_authenticate FAILED for <testuser>. Reason: Module is unknown
>> ++[pam] returns reject
>> Failed to authenticate the user.
>> Using Post-Auth-Type Reject
>> +- entering group REJECT {...}
>>
>> this error caused me a little headache because initially I thought it
>> was my own misconfiguration of freeradius.
>>
>> the fix is to replace the contents of /etc/pam.d/radiusd with
>>
>> #%PAM-1.0
>> auth       include      system-auth
>> account    required     pam_nologin.so
>> account    include      system-auth
>> password   include      system-auth
>> session    include      system-auth
>>
>> PAM is useful in situations like my Easy Configuration Kit -
>> ECK: I built an AAA system that relies on Freeradius, which does
>> Accounting in MySQL, Authorization with OpenLDAP and Authentication
>> by Kerberos - the LDAP directory is Kerberized. I think that PAM and
>> SASL are a good way to accomplish this - In ECK it works.
>>
>> Maybe you already know about this issue - I hope this post can help
>> anybody who gets this strange error - until the package gets fixed
>
> /etc/pam.d/radiusd was deliberately changed from using system-auth to
> use password-auth about a year ago.
>
> The reason is that the services cannot use the local means of
> authentication with an out-of-band data channel for the credentials such
> as Fingerprint and Smart card devices and should use password-auth
> instead of the system-auth file. SMTP, FTP, and other services use it as
> well. So the problem is not in the change in the freeradius radiusd PAM
> config.
>
> There is likely an error in the password-auth file on your system. It
> should be possible to find out in /var/log/secure which module is the
> problem.
>

My apologies, I now realize there is a version mismatch. RHEL5 has not
been updated with the password-auth module, it exists only in Fedora
and RHEL6. The RHEL5 version of /etc/pam.d/radiusd should be using
system-auth as you correctly point out. The pam change was inadvertently
copied into the RHEL5 version of FreeRADIUS. I will open a bug against
the RHEL5 version.

-- 
John Dennis <jdennis at redhat.com>
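
A check for the failure discussed in this thread, as an added example that is not part of the original messages or of the FreeRADIUS package: it walks a PAM service file and reports `include`/`substack` targets that have no file in the PAM directory. The layout is constructed in a temporary directory to mimic the RHEL5 situation described above; the function names are illustrative and backslash line continuations are not handled.

```python
import os
import tempfile

# The /etc/pam.d/radiusd content quoted in the thread (shipped file).
ORIGINAL = """\
#%PAM-1.0
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth
"""
# The poster's fix: point every include at system-auth instead.
FIXED = ORIGINAL.replace("password-auth", "system-auth")


def missing_includes(service, pam_dir="/etc/pam.d", _seen=None):
    """Return include/substack targets reachable from `service` with no file in pam_dir."""
    seen = set() if _seen is None else _seen
    if service in seen:  # already visited; also guards against include loops
        return set()
    seen.add(service)
    try:
        with open(os.path.join(pam_dir, service)) as fh:
            lines = fh.read().splitlines()
    except FileNotFoundError:
        return {service}
    missing = set()
    for line in lines:
        fields = line.split("#", 1)[0].split()  # strip comments such as #%PAM-1.0
        # /etc/pam.d line layout: type control module-or-file [arguments]
        if len(fields) >= 3 and fields[1] in ("include", "substack"):
            missing |= missing_includes(fields[2], pam_dir, seen)
    return missing


def demo():
    """Constructed RHEL5-like layout: system-auth exists, password-auth does not."""
    results = []
    with tempfile.TemporaryDirectory() as pam_dir:
        with open(os.path.join(pam_dir, "system-auth"), "w") as fh:
            fh.write("auth required pam_unix.so\n")  # constructed stand-in content
        for content in (ORIGINAL, FIXED):
            with open(os.path.join(pam_dir, "radiusd"), "w") as fh:
                fh.write(content)
            results.append(sorted(missing_includes("radiusd", pam_dir)))
    return results


if __name__ == "__main__":
    print(demo())
```

On a real host, `missing_includes("radiusd")` reads `/etc/pam.d` directly and an empty result means every included file is present.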
