On Wed, Jun 23, 2010 at 4:13 AM, Alan DeKok <aland@deployingradius.com> wrote:
 Double-check that it's returning PAM_IGNORE.  Maybe source code mods
to syslog "RETURNING PAM_IGNORE".

 If it is returning PAM_IGNORE, then it's a PAM problem.  Ask the
question again on the PAM list.


  Found my problem.

  The pam_sm_authenticate() does return PAM_IGNORE with localifdown, as expected. Added a lot of logging including the final return value (PAM_IGNORE / 25). I had also tested that the stack was dealing with the ignore properly by using pam_debug.so. So my stack for 'auth' as originally posted works as expected, so I'm quite happy with the fallback setup.

  What was failing pseudo silently was the call to pam_sm_open_session() (or rather pam_private_session()). I only had this single module listed in the pam conf file, and since nothing was logged, I didn't catch on the fact that my login failures were coming from the 'session' part. Since no success was returned and it was my only line for PAM, it failed and I couldn't logon if the radius servers were unreachable.

  Time permitting I might submit a patch to add some logging to pam_private_session, if there would be interest from the dev team ?

  Thanks a lot for the infos and replies.

  Martin