<br><br><div class="gmail_quote">On Wed, Jun 23, 2010 at 4:13 AM, Alan DeKok <span dir="ltr"><<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<br><div>
> I do not think pam_radius_auth is behaving wrongly - looking at the<br>
> code is simple enough, I do get "All RADIUS servers failed to respond"<br>
> in the SYSLOG, so it should clearly be returning PAM_IGNORE as documented.<br>
<br>
</div> Double-check that it's returning PAM_IGNORE. Maybe source code mods<br>
to syslog "RETURNING PAM_IGNORE".<br>
<br>
If it is returning PAM_IGNORE, then it's a PAM problem. Ask the<br>
question again on the PAM list.<br>
<font color="#888888"></font><br></blockquote></div><br> I've added logging at the end of talk_radius() to confirm that it was returning PAM_IGNORE, and it was indeed the case. I posted to the pam list, where someone suggested I use pam_debug to see how the stack reacted to PAM_IGNORE:<br>
<br>------8<-------<br>auth required pam_debug.so auth=ignore<br><div class="im">auth required /lib/security/$ISA/pam_env.so<br></div>auth sufficient /lib/security/$ISA/pam_unix.so debug audit likeauth nullok<br>
auth required /lib/security/$ISA/pam_deny.so<br>
auth required pam_nologin.so<br>------8<-------<br><br> I can indeed log in with the local auth via pam_unix in this case, so I'm back at looking at the module's code. I know talk_radius() is returning PAM_IGNORE, here's the very last part of the function with my mod:<br>
<br>------8<-------<br> if (!server) {<br> _pam_log(LOG_ERR, "All RADIUS servers failed to respond.");<br> if (conf->localifdown) {<br> _pam_log(LOG_ERR, "Retval = PAM_IGNORE");<br> retval = PAM_IGNORE;<br>
 } else<br> retval = PAM_AUTHINFO_UNAVAIL;<br> } else {<br> retval = PAM_SUCCESS;<br> }<br><br> return retval;<br>}<br>------8<-------<br><br> I'll have a look at the rest of the flow, see if it could have been overridden elsewhere after that call. I've never coded a pam module, am I correct to guess that since I'm calling the module with an auth call from the stack I should be looking at pam_sm_authenticate()?<br>
<br> Martin<br>
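<br>
Added example, not part of the original message and not Linux-PAM's own code: a simplified Python model of how Linux-PAM combines module results for the auth stack posted above, showing what PAM_IGNORE versus PAM_AUTHINFO_UNAVAIL from the first `required` module means for the final result. The helper names (`run_stack`, `posted_stack`) and the return values given to the other modules are assumptions for illustration.

```python
# Simplified model of how Linux-PAM walks an auth stack (added example).
# Control-flag actions follow the bracket equivalents documented in pam.conf(5):
#   required   = [success=ok   new_authtok_reqd=ok   ignore=ignore default=bad]
#   sufficient = [success=done new_authtok_reqd=done default=ignore]
CONTROLS = {
    "required": {"PAM_SUCCESS": "ok", "PAM_NEW_AUTHTOK_REQD": "ok",
                 "PAM_IGNORE": "ignore", "default": "bad"},
    "sufficient": {"PAM_SUCCESS": "done", "PAM_NEW_AUTHTOK_REQD": "done",
                   "default": "ignore"},
}

def run_stack(stack):
    """stack: list of (control, module, retval) in file order; returns the final code."""
    impression, status = None, "PAM_PERM_DENIED"  # a stack with no verdict must fail
    for control, _module, retval in stack:
        table = CONTROLS[control]
        action = table.get(retval, table["default"])
        if action == "ignore":
            continue  # this module's result is not counted at all
        if action in ("ok", "done"):
            if impression is None or (impression == "positive"
                                      and status == "PAM_SUCCESS"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break  # sufficient module succeeded and nothing failed before it
        elif action == "bad" and impression != "negative":
            impression, status = "negative", retval  # first failure sticks
    return status

def posted_stack(first_retval, unix_retval):
    """Stack from the message. Only the first and pam_unix results vary; the
    other return values are constructed inputs, not observed behaviour."""
    return [
        ("required", "pam_debug or pam_radius_auth", first_retval),
        ("required", "pam_env", "PAM_SUCCESS"),
        ("sufficient", "pam_unix", unix_retval),
        ("required", "pam_deny", "PAM_AUTH_ERR"),
        ("required", "pam_nologin", "PAM_SUCCESS"),
    ]

if __name__ == "__main__":
    for first in ("PAM_IGNORE", "PAM_AUTHINFO_UNAVAIL", "PAM_AUTH_ERR"):
        for unix in ("PAM_SUCCESS", "PAM_AUTH_ERR"):
            result = run_stack(posted_stack(first, unix))
            print(f"{first:22} {unix:13} -> {result}")
```

In this model a `required` module that returns anything other than success or PAM_IGNORE fixes the final result as a failure even when pam_unix later succeeds, which is why the value that actually leaves pam_sm_authenticate() matters and not only the one computed in talk_radius().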