On Tue, Jun 26, 2018 at 11:24 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Jun 25, 2018, at 9:09 PM, Hailun Tan <dearambermini@gmail.com> wrote:
I do not think the answer in the previous link was clear.
It doesn't explain *why* PAM works the way it does. But it explains what's happening, and how to fix it.
PAM problems? Ask the PAM people
The only viable solution in the link above is that having another local user with the same name then it will fix the problem. Yes, it does fix the problem. But what is the point to have radius server if a local user is required for radius to work?
The point is that you can specify a users password (or OTP) via RADIUS.
If you read the PAM documentation, it says that PAM doesn't supply UID, GID, shell, home directory, etc. PAM only does username / password checking. And some session logging.
Considering that there are thousands of radius clients to hookup with one radius server, having a local user for each of these clients for such user to work does not make sense.
That's what LDAP is for. Put the users into LDAP. Configure NSS && LDAP. That gets you UID, GID, etc. Then do username / password checking via RADIUS.
=============== I am new in the Radius concept. So the users in Radius server cannot be processed as those in LDAP because the users in Radius are not configured with UID/GID, etc? On the other hand, Radius cannot completely take the role of LDAP? So i wonder if PAM is not used for username/ password checking, in that case, Does the UID/GID missing in Radius user matter? In that way, can Radius server replace LDAP? Thanks again for your advice.
My question is very clear. If pam_radius_auth.so is not the one to be fixed, which other pam module should be fixed?
As I said repeatedly, ask the PAM people how their software works. This isn't the "PAM help list". This is the FreeRADIUS list.
At least you can provide a way for us to check which PAM module is failing so that we can check.
No. It's ridiculous to ask that, because I didn't write PAM, and I know nothing about it.
I have even tried to disable ALL the pam module in /etc/pam.d/sshd except pam_radius_auth.so but I cannot even log in the ubuntu if i did that :( So that is the most difficult part to troubleshoot with PAM.
That's terrible.
Why does that happen? I don't know...
ASK THE PAM PEOPLE HOW THEIR SOFTWARE WORKS.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html