Hello,<br><br> I've tried the doc, the wiki, and the ML archives but I can't find an answer to what must be a simple configuration thing. I've compiled freeradius server 2.1.9 and only added two simple lines to $confdir/user:<br>
<br>mrichard Cleartext-Password := "qwerty"<br>mrichard2 Cleartext-Password := "qwerty"<br><br> When starting radiusd -X (yes, I've looked at the output) and testing these 2 most simple accounts with radtest, the first one fails while the second one works. The difference being that there's a "mrichard" account on the box in /etc/passwd while "mrichard2" only exists in radiusd's config. Hence the output differences when calling "radtest thelogin qwerty localhost 666 testing123" (cut):<br>
<br>for mrichard:<br><br><pre>+- entering group PAP {...}
[pap] login attempt with password "qwerty"
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject</pre><br>for mrichard2:<br><br><pre>+- entering group PAP {...}
[pap] login attempt with password "qwerty"
[pap] Using clear text password "qwerty"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 79 to 127.0.0.1 port 60023</pre><br> Of course, the first account works if I use the OS level password associated with it.<br><br>
After a bit of searching I found a reference in the ML archives to $confdir/sites-enabled/default and saw "unix" in there with the description saying it caches the hashes from /etc/passwd and its accompanying shadow. I've commented those lines and restarted the daemon. Now I get this in the PAP output for both users:<br>
<pre>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject</pre>
<br><br> I must be missing something rather obvious. But how can I totally disable the lookup of OS accounts?<br><br> Thanks<br><br> Martin<br><br>