On 11/25/2010 04:24 PM, Marco Carcano wrote:
Hi John
thank you very much for the reply - I haven't noticed that exists a freeradius2 rpm package
I tried, and after a lot of arrangement on the config files - freeradius2 splits a lot radiusd.conf - I got it working
but I have to point out this thing - that I hope you - Red Hat - will fix: /etc/pam.d/radiusd is wrong (maybe the issue is only in CentOS package):
this is the content of the original file
#%PAM-1.0 auth include password-auth account required pam_nologin.so account include password-auth password include password-auth session include password-auth
it is wrong: it causes PAM auth to fail with a really strange error
pam_pass: using pamauth string<radiusd> for pam.conf lookup pam_pass: function pam_authenticate FAILED for<testuser>. Reason: Module is unknown ++[pam] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...}
this error caused me a little headache because initially I tough it was a mine misconfiguration of freeradius.
the fix is to replace the contents of /etc/pam.d/radiusd with
#%PAM-1.0 auth include system-auth account required pam_nologin.so account include system-auth password include system-auth session include system-auth
PAM is usefull in situations like the my Easy Configuration Kit - ECK: I built an AAA system that relies on Freeradius that do Accounting in MySQL, Authorization with OpenLDAP and Authentication by Kerberos - the LDAP directory is Kerberized. I think that PAM and SASL are the good way to accomplish this - In ECK it works.
Maybe you already know about this issue - I hope this post can help anybody will get this strange error - until the package got fixed
/etc/pam.d/radiusd was deliberately changed from using system-auth to use password-auth about a year ago. The reason is that the services cannot use the local means of authentication with an out-of-band data channel for the credentials such as Fingerprint and Smart card devices and should use password-auth instead of system-auth file. SMTP, FTP, and other services use it as well. So the problem is not in the change in the freeradius radiusd PAM config. There is likely an error in the password-auth file on your system. It should be possible to find out in /var/log/secure which module is the problem. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/