Hi Alan, Really appreciate the reply.
The environment is as follows:
-Fedora 22 -Freeradius 3.0.4 -Samba 4.2.2
I'd suggest using 3.0.9.
I tried upgrading this morning to the version you suggested, and unfortunately there does not appear to be a RedHat/Fedora RPM from with 3.0.9, I did find one for 3.0.8 http://koji.fedoraproject.org/koji/packageinfo?packageID=298 Going step-by-step through the fabulous documentation found on freeradius.org: http://wiki.freeradius.org/guide/Red-Hat-FAQ#A-prebuilt-version-of-FreeRADIUS-in-the-version-I-need-is-not-available-for-the-distribution-I'm-using,-how-do-I-build-one ? I attempted to begin the upgrade process to the latest freeradius-3.0.8-3.fc23.x86_64.rpm. and received a package dependency error: [root]# yum install freeradius-3.0.8-3.fc23.x86_64.rpm Error: nothing provides libcrypto.so.10(OPENSSL_1.0.2)(64bit) needed by freeradius-3.0.8-3.fc23.x86_64 However, the "libcrypto.so.10" is already installed. [root]# yum install libcrypto.so.10 Package openssl-libs-1:1.0.1k-11.fc22.i686 is already installed, skipping. Dependencies resolved. langpacks: enabled languages are [] Nothing to do. Complete! Am I missing something?
---------------------- #/etc/pam.d/radius
auth required /usr/lib64/security/pam_winbind.so debug ----------------------
Don't use PAM. It's not just horrible, it's designed to be used once by an application, and then never again. It will likely leak memory, cause performance issues, etc. I would suggest using the ntlm_auth program. It's documented, and it works.
Fair enough. My understanding from the Google Authenticator documentation is that it requires the PAM libraries. The 2factor authentication piece is performed via /etc/pam.d/radius file by "forward_pass" attribute to the pam_google_authenticator.so. https://github.com/google/google-authenticator/blob/master/libpam/README
Standard NTLM via AD works very well, but utilizing the PAM module is creating a whole new can of worms.
Don't use PAM. It's almost impossible to understand. And almost impossible to debug.
My use case for PAM is 2 factor authentication with Google Authenticator, but if there is a better way to do this while still utilizing FreeRadius, then I am very interested.
You can run Perl scripts directly from FreeRADIUS. That should help.
Thanks for the suggestion, I've been researching this for the last hour. If Google TOTP requires PAM, is there anyway to reference a PAM function via pearl script. Or at least have it reference the /etc/pam.d/radiusd file for the Google auth portion of the authentication? The rlm_pearl documentation references chaning the Default Auth Type from PAM (in this case) to Pearl.
However, at this point I have not been unable to find another authentication methodology for Google OTP without the PAM component.
I don't see why PAM is necessary.
Unless I am mistaken, I believe it is a requirement, reference the aforementioned Google Authenticator Githhub URL
Also attaching the, radius -XXX startup output separately.
<sigh> Please use "radiusd -X". Not "-XXXXXXXXXXX". It doesn't help.
Following directions is good. And the directions say "-X".
My bad on that, the radiusd -X output is attached (was thinking more data is better). Lastly, would you mind sharing your opinion on what the most flexible flavor of Linux as far as FreeRadius is concerned (i.e.Ubuntu, Redhat, Centos etc)? Each one appears to have various anamolies. Thank you again.