Google authenticator : Access-Reject

servernemesis at tutanota.com
Tue Apr 24 16:23:09 CEST 2018


Thank you!

My FR server is domain joined, and its krb5 realm is mydomain.com
I don't know where I could specify the domain for PAM.

I'm not sure what you mean by "If it doesn't know about the domain, then add a realm for "mydomain.com".  Make it LOCAL (see proxy.conf)." 
Should I edit /etc/pam.d/radiusd? What's proxy.conf?

Best regards

On 24 Apr 2018 at 16:00, aland at deployingradius.com wrote:


>> On Apr 24, 2018, at 9:56 AM, servernemesis at tutanota.com wrote:
>>
>> (0) Received Access-Request Id 65 from 127.0.0.1:46785 to 127.0.0.1:1812 length 92
>> (0)   User-Name = "user at mydomain.com"
>
>   That's the full user name, *with* domain.
>
> ...
>> (0) suffix: Checking for suffix after "@"
>> (0) suffix: Looking up realm "mydomain.com" for User-Name = "user at mydomain.com"
>> (0) suffix: No such realm "mydomain.com"
>> (0)     [suffix] = noop
>
>   And there's no realm, so the User-Name isn't being stripped of the domain name.
>
>> (0) pam: Using pamauth string "radiusd" for pam.conf lookup
>> (0) pam: ERROR: pam_authenticate failed: Authentication failure
>
>   Does PAM (and everything past it) know about "user", or "user at mydomain.com"?
>
>   If it doesn't know about the domain, then add a realm for "mydomain.com".  Make it LOCAL (see proxy.conf).
>
>   Once that's done, FreeRADIUS will pass "user" to PAM, and it should work.
>
>   *Reading* the debug output helps.  See also http://wiki.freeradius.org/radiusd-X
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
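
Added example, not part of the original thread or of FreeRADIUS: a small triage script that reads `radiusd -X` output like the lines quoted above, finds requests where the realm lookup missed and a later module then failed, and prints the `proxy.conf` stanza for that realm. The function names are hypothetical, and it assumes FreeRADIUS 3.x, where a realm with no server pool is handled locally.

```python
import re
from collections import defaultdict

# Debug lines from the post above (radiusd -X), with the archive's
# "user at mydomain.com" obfuscation restored to "@".
SAMPLE = '''\
(0) Received Access-Request Id 65 from 127.0.0.1:46785 to 127.0.0.1:1812 length 92
(0)   User-Name = "user@mydomain.com"
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "mydomain.com" for User-Name = "user@mydomain.com"
(0) suffix: No such realm "mydomain.com"
(0)     [suffix] = noop
(0) pam: Using pamauth string "radiusd" for pam.conf lookup
(0) pam: ERROR: pam_authenticate failed: Authentication failure
'''

LINE = re.compile(r'^\((\d+)\)\s+(.*)$')          # "(N) message"
NO_REALM = re.compile(r'^suffix: No such realm "([^"]+)"')
USER = re.compile(r'^User-Name = "([^"]*)"')
MOD_ERROR = re.compile(r'^(\w+): ERROR: (.*)$')   # "module: ERROR: text"

def triage(debug_text):
    """Per request: realm lookup missed, then a module reported an error."""
    reqs = defaultdict(lambda: {"user": None, "realm": None, "error": None})
    for raw in debug_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        req, msg = reqs[int(m.group(1))], m.group(2)
        if (u := USER.match(msg)) and req["user"] is None:
            req["user"] = u.group(1)          # name as received, domain included
        elif (r := NO_REALM.match(msg)):
            req["realm"] = r.group(1)         # nothing was stripped for this realm
        elif (e := MOD_ERROR.match(msg)) and req["realm"] and req["error"] is None:
            req["error"] = (e.group(1), e.group(2))
    return [
        {"request": n, "sent_to_module": r["user"], "realm": r["realm"],
         "module": r["error"][0], "error": r["error"][1]}
        for n, r in sorted(reqs.items()) if r["realm"] and r["error"]
    ]

def local_realm_stanza(realm):
    # Assumption: FreeRADIUS 3.x proxy.conf, where a realm without a
    # server pool is LOCAL and the suffix module strips it from User-Name.
    return "realm %s {\n}\n" % realm

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print("request %(request)d: %(module)s saw %(sent_to_module)r\n" % f
              + local_realm_stanza(f["realm"]))
```

After adding the stanza and restarting, a fresh `radiusd -X` run should no longer show `No such realm` for that request.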

