AD Authentication using PAM_winbind.so succeeds, but FreeRadius 3.0.4 rejects with "Failed to Authenticate User"

Nathan Ward lists+freeradius at daork.net
Sun Jul 26 10:16:23 CEST 2015


> On 26/07/2015, at 19:11, Josh Miller <jmills5901 at gmail.com> wrote:
> 
> Hey Nathan,
> 
> Thanks for the reply.
> 
> I did follow the directions beginning under the section "Installing SRPM"
> and I kept running into issues.  I
> 
> Before investing any more time trying to upgrade to a "non-stable" release,
> it would be nice to get a clear answer from the development team if
> upgrading from 3.0.4 to 3.0.9 will fix the PAM_Winbind issue that I
> described in my first post.   I checked the release notes, and didn't find
> anything that stood out.

https://github.com/FreeRADIUS/freeradius-server/commit/658f459d892af4f43d615720951bf75a96c2411d seems like something that might be related, given it touches almost every line in that file.

It’s not your problem in this case, but my point is that the release notes don’t tell the whole story.

It’s not really the job of the developer of free OSS software to tell you if upgrading to the current release is going to fix your problem. It takes time, and time isn’t free - as you know, you say you don’t want to invest the time yourself.

> I understand that PAM is hated, but a lot of 3rd party commercial products
> like WikiD and Yubikey appear to have success using it.   Because there is
> such disdain in the FreeRadius dev community towards it, I have a hunch
> that it may receive little to no QA attention.

I guess the above commit disproved that hunch.

The problem in your case is revealed by the “res=failed” in your SELinux log, and the specific PAM function that is referenced in the FreeRADIUS log. Look at the source for rlm_pam; it shows that pam_acct_mgmt is called after pam_authenticate, which is normal.

Your PAM 'account' section is returning failed after the ‘auth’ section passes. Is the account locked out, or restricted to some specific time of day? Is your PAM config complete?

--
Nathan Ward
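
The pattern diagnosed above, the PAM 'auth' stage passing and the 'account' stage then failing, can be read directly from the audit log. This is an added example, not part of the original message or of FreeRADIUS; it assumes Linux audit records in which USER_AUTH is written by pam_authenticate and USER_ACCT by pam_acct_mgmt, and the sample records, account names and radiusd path are constructed.

```python
import re

# Audit record type -> the PAM call that emits it (Linux-PAM built with audit support).
PAM_CALL = {"USER_AUTH": "pam_authenticate", "USER_ACCT": "pam_acct_mgmt"}

RECORD = re.compile(
    r'type=(?P<type>USER_AUTH|USER_ACCT) msg=audit\([\d.]+:\d+\):'
    r'.*?acct="(?P<acct>[^"]*)".*?exe="(?P<exe>[^"]*)".*?res=(?P<res>\w+)'
)

def _rec(rtype, op, serial, acct, res):
    """Build one constructed audit line (sample data, not from the thread)."""
    return (f"type={rtype} msg=audit(1437898583.{serial}:{serial}): pid=2211 uid=0 "
            f"auid=4294967295 ses=4294967295 msg='op=PAM:{op} acct=\"{acct}\" "
            f"exe=\"/usr/sbin/radiusd\" hostname=? addr=? terminal=? res={res}'")

# Constructed sample: jdoe passes auth but fails account, asmith fails auth,
# bwong passes both stages.
SAMPLE_AUDIT = "\n".join([
    _rec("USER_AUTH", "authentication", 801, "jdoe", "success"),
    _rec("USER_ACCT", "accounting", 802, "jdoe", "failed"),
    _rec("USER_AUTH", "authentication", 803, "asmith", "failed"),
    _rec("USER_AUTH", "authentication", 804, "bwong", "success"),
    _rec("USER_ACCT", "accounting", 805, "bwong", "success"),
])

def diagnose(audit_text, exe="/usr/sbin/radiusd"):
    """Return {account: verdict} for PAM records written by `exe` (assumed path)."""
    state = {}
    for line in audit_text.splitlines():
        m = RECORD.search(line)
        if not m or m["exe"] != exe:
            continue  # unrelated record, or acct logged in a form we do not parse
        acct, ok = m["acct"], m["res"] == "success"
        if m["type"] == "USER_AUTH":
            state[acct] = ("auth ok, no account record yet" if ok
                           else f"{PAM_CALL['USER_AUTH']} failed")
        elif state.get(acct, "").startswith("auth ok"):
            # Account stage only matters once the auth stage has passed.
            state[acct] = ("ok" if ok else
                           f"{PAM_CALL['USER_ACCT']} failed after "
                           f"{PAM_CALL['USER_AUTH']} succeeded")
    return state

if __name__ == "__main__":
    for account, verdict in diagnose(SAMPLE_AUDIT).items():
        print(f"{account}: {verdict}")
```

A verdict of "pam_acct_mgmt failed after pam_authenticate succeeded" points at the 'account' lines of the PAM service file rather than at the password check.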



