Old school: FreeRADIUS and NIS

Phil Mayers p.mayers at imperial.ac.uk
Mon Mar 10 15:33:55 CET 2014


On 10/03/14 14:03, Mark Haney wrote:
>
> On 03/07/14 16:00, Alan DeKok wrote:
>
>>> The only thing I've changed in the config files is to add the
>>> DEFAULT Auth-Type = System at the top of the users file.
>>
>> Which I don't recommend you do.
>>
>> Anyways, debug mode shows:
>>
>> ++[unix] returns notfound
>>
>> Which is pretty definitive.
>
> Okay, what would you recommend then?  And the ++[unix] returns notfound is
> definitive of /what/?

rlm_unix has a flow like this:

  r = getpwnam(username)
  if not r:
    return NOTFOUND
  if not r.passwd or len(r.passwd) < 10:
    s = getspnam(username)
    if not s:
      return NOTFOUND
    passwd = s.passwd
  else:
    passwd = r.passwd

So, either FreeRADIUS is getting no reply to getpwnam() or it's getting 
an empty or "x" value for the password hash at that stage, *then* 
calling getspnam() and getting no value.

My NIS is rusty, but IIRC calling the getspnam() routines under NIS 
requires you being root? Most likely this is the problem.

PAM has a suid-root helper for this; FreeRADIUS doesn't. So one possible 
alternative would be to use rlm_pam, and let PAM do the work of getting 
at the shadow data.
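
The lookup order sketched in the post above, as an added C diagnostic that is not part of the original message or of FreeRADIUS: run it as the account radiusd runs as, and again as root, to see which step comes back empty. The names classify and explain are made up for this example, and it reports only where a hash was found, never the hash itself.

```c
/* Added example (not FreeRADIUS code): mirrors the getpwnam/getspnam order from the post. */
#include <errno.h>
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum lookup { PW_MISSING, SHADOW_MISSING, HASH_FROM_PASSWD, HASH_FROM_SHADOW };

/* Pure decision logic, same order as the flow in the post (hypothetical helper). */
enum lookup classify(const struct passwd *pw, const struct spwd *sp)
{
    if (!pw)
        return PW_MISSING;
    /* Empty field or a placeholder such as "x": too short to be a hash. */
    if (!pw->pw_passwd || strlen(pw->pw_passwd) < 10)
        return sp ? HASH_FROM_SHADOW : SHADOW_MISSING;
    return HASH_FROM_PASSWD;
}

const char *explain(enum lookup r)
{
    switch (r) {
    case PW_MISSING:       return "getpwnam() returned nothing -> notfound";
    case SHADOW_MISSING:   return "placeholder in passwd, getspnam() returned nothing -> notfound";
    case HASH_FROM_PASSWD: return "hash available from getpwnam()";
    case HASH_FROM_SHADOW: return "hash available from getspnam()";
    }
    return "unknown";
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s username\n", argv[0]); return 2; }
    struct passwd *pw = getpwnam(argv[1]);
    struct spwd *sp = NULL;
    if (pw && (!pw->pw_passwd || strlen(pw->pw_passwd) < 10)) {
        errno = 0;
        sp = getspnam(argv[1]);
        if (!sp && errno)
            perror("getspnam");   /* e.g. permission denied when unprivileged */
    }
    enum lookup r = classify(pw, sp);
    printf("euid=%d user=%s: %s\n", (int)geteuid(), argv[1], explain(r));
    return (r == PW_MISSING || r == SHADOW_MISSING) ? 1 : 0;
}
```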

