AD Authentication using PAM_winbind.so succeeds, but FreeRadius 3.0.4 rejects with "Failed to Authenticate User"

Alan DeKok aland at deployingradius.com
Sun Jul 26 12:44:59 CEST 2015


On Jul 26, 2015, at 5:38 AM, Josh Miller <jmills5901 at gmail.com> wrote:
> I didn't understand what the accounting grantor meant, and why it mattered
> since Authentication was successful.

  And instead of trying to figure it out, you blamed FreeRADIUS, and the FreeRADIUS developers.

  That's an asshole thing to do.

> Furthermore, I was under the
> impression that because I was only using a 1 line item "auth required
> pam_winbind.so" in /etc/pam.d/radiusd then account was being ignored.

  Yeah... and you apparently didn't read, or try to understand the debug logs you posted to the list.

  There's a sample "radiusd-pam" file distributed with the server.  Instead of taking that and adding "winbind", you created your own file... and broke the server.

  And then blamed us.

> Apparently, there is an implicit deny associated with the accounting
> feature, and you must explicitly tell it to permit in the code.  Simply
> omitting the account line does not mean that FreeRadius will ignore that
> data.

  This is all documented by the PAM people.  It helps to understand the systems you're using.

  Alan DeKok.
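
An added example, not part of the original message or of FreeRADIUS: a small check that reports which PAM phases a service file such as /etc/pam.d/radiusd leaves undefined. Linux-PAM takes the rules for an undefined phase from the "other" service, which is where the deny described in the thread comes from when "other" is configured to refuse. The sample strings and the function names are constructed for illustration.

```python
import sys

# Phases discussed in the thread; pass a different tuple to check others (assumption).
NEEDED = ("auth", "account")

# Constructed samples: the one-line file quoted in the thread, and a hypothetical
# variant that also defines the account phase.
ONE_LINE = "auth required pam_winbind.so\n"
WITH_ACCOUNT = ONE_LINE + "account required pam_winbind.so\n"

def rules(text):
    """Yield rule field lists, with comments dropped and backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        fields = line.split("#", 1)[0].split()
        if fields:
            yield fields

def missing_facilities(text, needed=NEEDED):
    """Return (needed facilities with no rule, @include targets that were not followed)."""
    seen, unresolved = set(), []
    for fields in rules(text):
        if fields[0] == "@include":            # Debian-style include of a whole file
            unresolved += fields[1:2]
        elif len(fields) >= 3:                 # facility, control, module [, args]
            seen.add(fields[0].lstrip("-").lower())   # a leading '-' only quiets logging
    return [f for f in needed if f not in seen], unresolved

if __name__ == "__main__":
    # With no argument, check the constructed one-line sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else ONE_LINE
    missing, unresolved = missing_facilities(text)
    for facility in missing:
        print(f"no '{facility}' rules: PAM uses the 'other' service for this phase")
    for target in unresolved:
        print(f"@include {target} not followed; check that file too")
    sys.exit(1 if missing else 0)
```

Run it with the path of the service file as its only argument; it exits non-zero when a needed phase has no rule of its own.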



