ywang10 at fsu.edu
Wed Jun 27 15:29:35 CEST 2018
Please see my other post. The pam module in question is pam_unix.so.
From: Freeradius-Users [mailto:freeradius-users-bounces+ywang10=fsu.edu at lists.freeradius.org] On Behalf Of Hailun Tan
Sent: Monday, June 25, 2018 10:57 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
On Tue, Jun 26, 2018 at 11:24 AM, Alan DeKok <aland at deployingradius.com>
> On Jun 25, 2018, at 9:09 PM, Hailun Tan <dearambermini at gmail.com> wrote:
> > I do not think the answer in the previous link was clear.
> It doesn't explain *why* PAM works the way it does. But it explains
> what's happening, and how to fix it.
> PAM problems? Ask the PAM people
> > The only viable solution in the link above is that having another
> > local user with the same name then it will fix the problem. Yes, it
> > does fix
> > problem. But what is the point to have radius server if a local
> > user is required for radius to work?
> The point is that you can specify a users password (or OTP) via RADIUS.
> If you read the PAM documentation, it says that PAM doesn't supply
> UID, GID, shell, home directory, etc. PAM only does username /
> password checking. And some session logging.
> > Considering that there are thousands of radius clients to hookup
> > with one radius server, having a local user for each of these
> > clients for such user to work does not make sense.
> That's what LDAP is for. Put the users into LDAP. Configure NSS &&
> LDAP. That gets you UID, GID, etc. Then do username / password
> checking via RADIUS.
I am new in the Radius concept. So the users in Radius server cannot be processed as those in LDAP because the users in Radius are not configured with UID/GID, etc? On the other hand, Radius cannot completely take the role of LDAP?
So i wonder if PAM is not used for username/ password checking, in that case, Does the UID/GID missing in Radius user matter? In that way, can Radius server replace LDAP?
Thanks again for your advice.
> > My question is very clear. If pam_radius_auth.so is not the one to
> > be fixed, which other pam module should be fixed?
> As I said repeatedly, ask the PAM people how their software works.
> This isn't the "PAM help list". This is the FreeRADIUS list.
> > At least you can provide a
> > way for us to check which PAM module is failing so that we can check.
> No. It's ridiculous to ask that, because I didn't write PAM, and I
> know nothing about it.
> > I
> > have even tried to disable ALL the pam module in /etc/pam.d/sshd
> > except pam_radius_auth.so but I cannot even log in the ubuntu if i
> > did that :(
> > that is the most difficult part to troubleshoot with PAM.
> That's terrible.
> Why does that happen? I don't know...
> ASK THE PAM PEOPLE HOW THEIR SOFTWARE WORKS.
> Alan DeKok.
> List info/subscribe/unsubscribe? See
List info/subscribe/unsubscribe? See https://urldefense.proofpoint.com/v2/url?u=http-3A__www.freeradius.org_list_users.html&d=DwIGaQ&c=HPMtquzZjKY31rtkyGRFnQ&r=g_pelez0FZ0RjWlxdnat4A&m=1-Ia_Z3yhNinuX_Gb7sC8yT-ftORLnv1-LvPoNHnY74&s=_YDJ3PsBeRsBO5R4SyVx7TTxIKxskMgSph8nc93uaZg&e=
More information about the Freeradius-Users