-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/10/14 14:31, Alan DeKok wrote:
The solution is simple, and is documented.
Alan DeKok.
I don't think I've ever flamed anyone in my life, but now I believe I have to. Sadly, it seems like this is a recurring theme with you. I've seen literally DOZENS of posts from you in the archives and through google and in every single one of them there IS NOT a shred of helpful advice except to RTFM. The vaunted documentation is just about the worst I've ever seen. It goes in circles: - From modules/passwd:
# An example configuration for using /etc/passwd. # # We do NOT recommend using the configuration below. See the "unix" # module, or the "pam" module for a cleaner way to get system passwords. # Using this configuration means that the server will find *only* those # passwords which are in /etc/passwd, and will *ignore* all of the # passwords in NIS, LDAP, etc. #
- From modules/unix
unix { # As of 1.1.0, the Unix module no longer reads, # or caches /etc/passwd, /etc/shadow, or /etc/group. # If you wish to cache those files, see the passwd # module.
- From radiusd.conf:
# On systems with shadow passwords, you might have to set 'group = shadow' # for the server to be able to read the shadow password file. If you can # authenticate users while in debug mode, but not in daemon mode, it may be # that the debugging mode server is running as a user that can read the # shadow info, and the user listed below can not.
(FWIW, this documentation is beyond incomprehensible. The 'group = shadow' is not about using the group 'shadow' to access /etc/shadow it's changing the group on /etc/shadow to 'radiusd'.) There are a good half dozen archived messages about /etc/shadow and how it is NOT recommended to make such a change. In fact, I found this:
From: "Alan DeKok" <aland at ox.org> To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org> Sent: Thursday, January 26, 2006 3:37 PM Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)
"Nataniel Klug" <nata at cnett.psi.br> wrote:
I just have installed the package from Fedora Core 3, nothing else.
Then look at the configuration file. See how it's different from what is shipped with FreeRADIUS.
And setting "a+rw" on /etc/passwd and /etc/shadow is probaby the single worst thing you can do to your system. EVER. Rather than doing that, read raddb/radiusd.conf, it talks about issues with reading /etc/shadow, and describes suggested fixes won't destroy your system.
Honestly, I don't understand why it's so hard to read the configuration files.
Alan DeKok. -
Radiusd.conf DOES NOT talk about issues with reading /etc/shadow. ANYWHERE. PERIOD. (And note, the 'why is it so hard to read the documentation' from you.) In the one post (which I cannot dig up now since I've pulled up so many the last two hours), it's RECOMMENDED not changing read permissions on /etc/shadow. Even though the OP actually got it working that way. And IIRC, it was a reply from you and someone else in the thread that made that recommendation. I have to be honest. I've been doing this a LONG time. 20 years or so. And I've NEVER dealt with a more unprofessional and unhelpful mailing list as I have with this list. What should be a relatively 'simple' solution is anything but with this list. I'm no noob working with linux/unix and text configuration files, and yet I feel FARTHER away from an answer that I did before I started. And due to that 'take two steps forward and half-dozen back', I've made it clear to my boss that FreeRADIUS, while it may work just fine, will be impossible to manage due to the horrible documentation and utter lack of help on the lists. I have removed the packages off my system and will be finding another method of communicating with these switches. I will also be unsubscribing from this list immediately. - -- Mark Haney Network/Systems Administrator Practichem W: (919) 714-8428 Fedora release 20 (Heisenbug) 3.13.4-200.fc20.x86_64 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJTHg35AAoJEM/YzwEAv6e7MxMIAIEo85oaw7gXyVbbfJa5dzWb 6AjbxxgWQNqmPb2N1LH1VTlrI12eEVoUgx1SwMvqb13h3QXOv8+dDXQxRNvX10Zt IyIw4yQZD3dbqj4yCnljRRvpWZONYts6tdo98LFH7gykBB8XigiaoQCu5oBcYFPf njgwUltA/xlMGdMfCE1+sdIdYe0OvXdGb24assOVtyMFfthWYa3qdFolCapBTmxG lOiCsqSeml68Fz8/uVtzDw5PbbtFpwhsKj81vBcZWm4l5HorvZMG4lRaSnhOHlcP 1uEVqfK69eVvcWVikK1eWeh+k5EHkaMUHjQq4DuAcxE9Xu4AZQKQt3CCTC+HWkQ= =oiap -----END PGP SIGNATURE-----