No subject

Yu Wang ywang10 at
Wed Jun 27 15:29:35 CEST 2018

Please see my other post. The pam module in question is


-----Original Message-----
From: Freeradius-Users [ at] On Behalf Of Hailun Tan
Sent: Monday, June 25, 2018 10:57 PM
To: FreeRadius users mailing list <freeradius-users at>
Subject: Re:

On Tue, Jun 26, 2018 at 11:24 AM, Alan DeKok <aland at>

> On Jun 25, 2018, at 9:09 PM, Hailun Tan <dearambermini at> wrote:
> > I do not think the answer in the previous link was clear.
>   It doesn't explain *why* PAM works the way it does.  But it explains 
> what's happening, and how to fix it.
>   PAM problems?  Ask the PAM people
> > The only viable solution in the link above is that having another 
> > local user  with the same name then it will fix the problem. Yes, it 
> > does fix
> the
> > problem. But what is the point to have radius server if  a local 
> > user is required  for radius to work?
>   The point is that you can specify a users password (or OTP) via RADIUS.
>   If you read the PAM documentation, it says that PAM doesn't supply 
> UID, GID, shell, home directory, etc.  PAM only does username / 
> password checking.  And some session logging.
> >  Considering that there are thousands of radius clients to hookup 
> > with one radius server, having a local user for each of these 
> > clients for such user to work does not make sense.
>   That's what LDAP is for.  Put the users into LDAP.  Configure NSS && 
> LDAP.  That gets you UID, GID, etc.  Then do username / password 
> checking via RADIUS.

I am new in the Radius  concept. So  the users in Radius server cannot be processed as those in LDAP because the users in Radius are not configured with UID/GID, etc? On the other hand, Radius cannot completely take the role of LDAP?

So i wonder if PAM is not used for username/ password checking, in that case,  Does the UID/GID missing in Radius user matter? In that way, can Radius server replace LDAP?

Thanks again for your advice.

> > My question is very clear. If is not the one to 
> > be fixed, which other pam module should be fixed?
>   As I said repeatedly, ask the PAM people how their software works.  
> This isn't the "PAM help list".  This is the FreeRADIUS list.
> > At least you can provide a
> > way for us to check which PAM module is failing so that we can check.
>   No.  It's ridiculous to ask that, because I didn't write PAM, and I 
> know nothing about it.
> > I
> > have even tried to disable ALL the pam module in /etc/pam.d/sshd 
> > except but I cannot even log in the ubuntu if i 
> > did that :(
> So
> > that is the most difficult part to troubleshoot with PAM.
>   That's terrible.
>   Why does that happen?  I don't know...
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See 
> _&d=DwIGaQ&c=HPMtquzZjKY31rtkyGRFnQ&r=g_pelez0FZ0RjWlxdnat4A&m=1-Ia_Z3
> yhNinuX_Gb7sC8yT-ftORLnv1-LvPoNHnY74&s=EiwmZAWothjt5zsUg-XV5CqEk14eGMQ
> HnYCqLC3_2e4&e=
> list/users.html
List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list