Winfield, Alister Alister.Winfield at sky.uk
Wed Jun 27 16:06:58 CEST 2018

I don't know PAM well but I'll make a suggestion stop trying to use it directly and look at sssd its FAR less likely to cause pain and it documentation and logging is far more sane. It might help you stop wasting peoples time asking about software that’s 'using' RADIUS and not actually RADIUS itself. In either case normal refrain, read the documentation provided by the people who wrote the thing you are using (hint that’s not freeradius) and ask them questions if required (again hint not here freeradius != pam).


On 27/06/2018, 14:29, "Freeradius-Users on behalf of Yu Wang" <freeradius-users-bounces+alister.winfield=sky.uk at lists.freeradius.org on behalf of ywang10 at fsu.edu> wrote:

    This email is from an external source. Please do not open attachments or click links from an unknown origin. Suspicious messages can be reported by sending them as an attachment to phishing at sky.uk


    Please see my other post. The pam module in question is pam_unix.so.


    -----Original Message-----
    From: Freeradius-Users [mailto:freeradius-users-bounces+ywang10=fsu.edu at lists.freeradius.org] On Behalf Of Hailun Tan
    Sent: Monday, June 25, 2018 10:57 PM
    To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
    Subject: Re:

    On Tue, Jun 26, 2018 at 11:24 AM, Alan DeKok <aland at deployingradius.com>

    > On Jun 25, 2018, at 9:09 PM, Hailun Tan <dearambermini at gmail.com> wrote:
    > > I do not think the answer in the previous link was clear.
    >   It doesn't explain *why* PAM works the way it does.  But it explains
    > what's happening, and how to fix it.
    >   PAM problems?  Ask the PAM people
    > > The only viable solution in the link above is that having another
    > > local user  with the same name then it will fix the problem. Yes, it
    > > does fix
    > the
    > > problem. But what is the point to have radius server if  a local
    > > user is required  for radius to work?
    >   The point is that you can specify a users password (or OTP) via RADIUS.
    >   If you read the PAM documentation, it says that PAM doesn't supply
    > UID, GID, shell, home directory, etc.  PAM only does username /
    > password checking.  And some session logging.
    > >  Considering that there are thousands of radius clients to hookup
    > > with one radius server, having a local user for each of these
    > > clients for such user to work does not make sense.
    >   That's what LDAP is for.  Put the users into LDAP.  Configure NSS &&
    > LDAP.  That gets you UID, GID, etc.  Then do username / password
    > checking via RADIUS.

    I am new in the Radius  concept. So  the users in Radius server cannot be processed as those in LDAP because the users in Radius are not configured with UID/GID, etc? On the other hand, Radius cannot completely take the role of LDAP?

    So i wonder if PAM is not used for username/ password checking, in that case,  Does the UID/GID missing in Radius user matter? In that way, can Radius server replace LDAP?

    Thanks again for your advice.

    > > My question is very clear. If  pam_radius_auth.so is not the one to
    > > be fixed, which other pam module should be fixed?
    >   As I said repeatedly, ask the PAM people how their software works.
    > This isn't the "PAM help list".  This is the FreeRADIUS list.
    > > At least you can provide a
    > > way for us to check which PAM module is failing so that we can check.
    >   No.  It's ridiculous to ask that, because I didn't write PAM, and I
    > know nothing about it.
    > > I
    > > have even tried to disable ALL the pam module in /etc/pam.d/sshd
    > > except pam_radius_auth.so but I cannot even log in the ubuntu if i
    > > did that :(
    > So
    > > that is the most difficult part to troubleshoot with PAM.
    >   That's terrible.
    >   Why does that happen?  I don't know...
    >   Alan DeKok.
    > -
    > List info/subscribe/unsubscribe? See
    > https://urldefense.proofpoint.com/v2/url?u=http-3A__www.freeradius.org
    > _&d=DwIGaQ&c=HPMtquzZjKY31rtkyGRFnQ&r=g_pelez0FZ0RjWlxdnat4A&m=1-Ia_Z3
    > yhNinuX_Gb7sC8yT-ftORLnv1-LvPoNHnY74&s=EiwmZAWothjt5zsUg-XV5CqEk14eGMQ
    > HnYCqLC3_2e4&e=
    > list/users.html
    List info/subscribe/unsubscribe? See https://urldefense.proofpoint.com/v2/url?u=http-3A__www.freeradius.org_list_users.html&d=DwIGaQ&c=HPMtquzZjKY31rtkyGRFnQ&r=g_pelez0FZ0RjWlxdnat4A&m=1-Ia_Z3yhNinuX_Gb7sC8yT-ftORLnv1-LvPoNHnY74&s=_YDJ3PsBeRsBO5R4SyVx7TTxIKxskMgSph8nc93uaZg&e=

    List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of Sky plc and Sky International AG and are used under licence.

Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075) and Sky Subscribers Services Limited (Registration No. 2340150) are direct or indirect subsidiaries of Sky plc (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD.

More information about the Freeradius-Users mailing list