Re: AD Authentication using PAM_winbind.so succeeds, but FreeRadius 3.0.4 rejects with "Failed to Authenticate User"
Hi Alan, Really appreciate the reply.
The environment is as follows:
-Fedora 22 -Freeradius 3.0.4 -Samba 4.2.2
I'd suggest using 3.0.9.
I tried upgrading this morning to the version you suggested, and unfortunately there does not appear to be a RedHat/Fedora RPM from with 3.0.9, I did find one for 3.0.8 http://koji.fedoraproject.org/koji/packageinfo?packageID=298 Going step-by-step through the fabulous documentation found on freeradius.org: http://wiki.freeradius.org/guide/Red-Hat-FAQ#A-prebuilt-version-of-FreeRADIUS-in-the-version-I-need-is-not-available-for-the-distribution-I'm-using,-how-do-I-build-one ? I attempted to begin the upgrade process to the latest freeradius-3.0.8-3.fc23.x86_64.rpm. and received a package dependency error: [root]# yum install freeradius-3.0.8-3.fc23.x86_64.rpm Error: nothing provides libcrypto.so.10(OPENSSL_1.0.2)(64bit) needed by freeradius-3.0.8-3.fc23.x86_64 However, the "libcrypto.so.10" is already installed. [root]# yum install libcrypto.so.10 Package openssl-libs-1:1.0.1k-11.fc22.i686 is already installed, skipping. Dependencies resolved. langpacks: enabled languages are [] Nothing to do. Complete! Am I missing something?
---------------------- #/etc/pam.d/radius
auth required /usr/lib64/security/pam_winbind.so debug ----------------------
Don't use PAM. It's not just horrible, it's designed to be used once by an application, and then never again. It will likely leak memory, cause performance issues, etc. I would suggest using the ntlm_auth program. It's documented, and it works.
Fair enough. My understanding from the Google Authenticator documentation is that it requires the PAM libraries. The 2factor authentication piece is performed via /etc/pam.d/radius file by "forward_pass" attribute to the pam_google_authenticator.so. https://github.com/google/google-authenticator/blob/master/libpam/README
Standard NTLM via AD works very well, but utilizing the PAM module is creating a whole new can of worms.
Don't use PAM. It's almost impossible to understand. And almost impossible to debug.
My use case for PAM is 2 factor authentication with Google Authenticator, but if there is a better way to do this while still utilizing FreeRadius, then I am very interested.
You can run Perl scripts directly from FreeRADIUS. That should help.
Thanks for the suggestion, I've been researching this for the last hour. If Google TOTP requires PAM, is there anyway to reference a PAM function via pearl script. Or at least have it reference the /etc/pam.d/radiusd file for the Google auth portion of the authentication? The rlm_pearl documentation references chaning the Default Auth Type from PAM (in this case) to Pearl.
However, at this point I have not been unable to find another authentication methodology for Google OTP without the PAM component.
I don't see why PAM is necessary.
Unless I am mistaken, I believe it is a requirement, reference the aforementioned Google Authenticator Githhub URL
Also attaching the, radius -XXX startup output separately.
<sigh> Please use "radiusd -X". Not "-XXXXXXXXXXX". It doesn't help.
Following directions is good. And the directions say "-X".
My bad on that, the radiusd -X output is attached (was thinking more data is better). Lastly, would you mind sharing your opinion on what the most flexible flavor of Linux as far as FreeRadius is concerned (i.e.Ubuntu, Redhat, Centos etc)? Each one appears to have various anamolies. Thank you again.
On Jul 25, 2015, at 5:05 PM, Josh Miller <jmills5901@gmail.com> wrote:
Going step-by-step through the fabulous documentation found on freeradius.org:
I attempted to begin the upgrade process to the latest freeradius-3.0.8-3.fc23.x86_64.rpm. and received a package dependency error:
Well... ask RedHat about their packages. I don't know much about that. Alan DeKok.
On 26/07/2015, at 09:05, Josh Miller <jmills5901@gmail.com> wrote:
Am I missing something?
Yes, you are running FC22 but are installing a package targeting FC23. Try the FC22 package on the page you linked to, or build your own 3.0.9 package. Also, the FreeRADIUS wiki page that you reference talked about building the RPMs on that page from source, not downloading and installing binary ones - you can’t skim read instructions for links and ignore the rest of the text. Anyway, the FC22 3.0.8 RPM on that page will probably work for you, to get you 3.0.8, though I can’t vouch for it. It’s not in FC22 yet, it’s only a candidate, so YMMV etc. If I were in your shoes I’d take the FC22 SRPM and modify it so you get 3.0.9, assuming you’re comfortable with building packages. This is (roughly) how I run 3.0.9 on RHEL, and it works well so can vouch for this approach. You’ll want to audit the patches that are included to make sure they’re still required etc. -- Nathan Ward
Hey Nathan, Thanks for the reply. I did follow the directions beginning under the section "Installing SRPM" and I kept running into issues. I Before investing any more time trying to upgrade to a "non-stable" release, it would be nice to get a clear answer from the development team if upgrading from 3.0.4 to 3.0.9 will fix the PAM_Winbind issue that I described in my first post. I checked the release notes, and didn't find anything that stood out. I understand that PAM is hated, but a lot of 3rd party commercial products like WikiD and Yubikey appear to have success using it. Because there is such disdain in the FreeRadius dev community towards it, I have a hunch that it may receive little to no QA attention. On Sat, Jul 25, 2015 at 6:36 PM, Nathan Ward [via FreeRADIUS] < ml-node+s1045715n5735576h66@n5.nabble.com> wrote:
On 26/07/2015, at 09:05, Josh Miller <[hidden email] <http:///user/SendEmail.jtp?type=node&node=5735576&i=0>> wrote:
Am I missing something?
Yes, you are running FC22 but are installing a package targeting FC23. Try the FC22 package on the page you linked to, or build your own 3.0.9 package.
Also, the FreeRADIUS wiki page that you reference talked about building the RPMs on that page from source, not downloading and installing binary ones - you can’t skim read instructions for links and ignore the rest of the text.
Anyway, the FC22 3.0.8 RPM on that page will probably work for you, to get you 3.0.8, though I can’t vouch for it. It’s not in FC22 yet, it’s only a candidate, so YMMV etc.
If I were in your shoes I’d take the FC22 SRPM and modify it so you get 3.0.9, assuming you’re comfortable with building packages. This is (roughly) how I run 3.0.9 on RHEL, and it works well so can vouch for this approach. You’ll want to audit the patches that are included to make sure they’re still required etc.
-- Nathan Ward
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------ If you reply to this email, your message will be added to the discussion below:
http://freeradius.1045715.n5.nabble.com/Re-AD-Authentication-using-PAM-winbi... To unsubscribe from Re: AD Authentication using PAM_winbind.so succeeds, but FreeRadius 3.0.4 rejects with "Failed to Authenticate User", click here <http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=5735553&code=am1pbGxzNTkwMUBnbWFpbC5jb218NTczNTU1M3wtMTQwNTk1MjU1MQ==> . NAML <http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
On 26/07/2015, at 19:11, Josh Miller <jmills5901@gmail.com> wrote:
Hey Nathan,
Thanks for the reply.
I did follow the directions beginning under the section "Installing SRPM" and I kept running into issues. I
Before investing any more time trying to upgrade to a "non-stable" release, it would be nice to get a clear answer from the development team if upgrading from 3.0.4 to 3.0.9 will fix the PAM_Winbind issue that I described in my first post. I checked the release notes, and didn't find anything that stood out.
https://github.com/FreeRADIUS/freeradius-server/commit/658f459d892af4f43d615... seems like something that might be related, given it touches almost every line in that file. It’s not your problem in this case, but my point is that the release notes don’t tell the whole story. It’s not really the job of the developer of free OSS software to tell you if upgrading to the current release is going to fix your problem, it takes time, and time isn’t free - as you know, you say you don’t want to invest the time yourself.
I understand that PAM is hated, but a lot of 3rd party commercial products like WikiD and Yubikey appear to have success using it. Because there is such disdain in the FreeRadius dev community towards it, I have a hunch that it may receive little to no QA attention.
I guess the above commit disproved that hunch. The problem in your case is revealed by the “res=failed” in your selinux log, and the specific PAM function that is referenced in the FreeRADIUS log. Look at the source for rlm_pam, it shows that pam_acct_mgmt is called after pam_authenticate, which is normal. Your PAM 'account' section is returning failed after the ‘auth’ section passes. Is the account locked out, or restricted to some specific time of day? Is your PAM config complete? -- Nathan Ward
Nathan, So I've been researching this heavily since you it pointed it out. For anyone the following the thread, these are the lines in question. Jul 24 16:37:25 freeradius01 audit[2995]: <audit-1100> pid=2995 uid=0 auid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_winbind acct="test-user-123" exe="/usr/sbin/radiusd" hostname=? addr=? terminal=pts/1 res=success' Jul 24 16:37:25 freeradius01 audit[2995]: <audit-1101> pid=2995 uid=0 auid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=? acct="test-user-123" exe="/usr/sbin/radiusd" hostname=? addr=? terminal=pts/1 res=failed' I didn't understand what the accounting grantor meant, and why it mattered since Authentication was successful. Furthermore, I was under the impression that because was only using a 1 line item "auth required pam_winbind.so" in /etc/pam.d/radiusd then account being ignored. However I was vastly mistaken. Apparently, there is an implicit deny associated with the accounting feature, and you must explicitly tell it to permit in the code. Simply omitting the account line does not mean that FreeRadius will ignore that data. So /etc/pam.d/radiusd code now looks like this : auth required /etc/libpam-google-authenticator-1.0/pam_google_authenticator.so secret=/var/lib/google-authenticator/${USER} forward_pass auth required pam_winbind.so account required pam_permit.so And I'm now getting radius successes. Nathan, you are the man, thank you so much. Where can I find your donate button? On Sun, Jul 26, 2015 at 1:16 AM, Nathan Ward [via FreeRADIUS] < ml-node+s1045715n5735581h21@n5.nabble.com> wrote:
On 26/07/2015, at 19:11, Josh Miller <[hidden email] <http:///user/SendEmail.jtp?type=node&node=5735581&i=0>> wrote:
Hey Nathan,
Thanks for the reply.
I did follow the directions beginning under the section "Installing SRPM" and I kept running into issues. I
Before investing any more time trying to upgrade to a "non-stable" release, it would be nice to get a clear answer from the development team if upgrading from 3.0.4 to 3.0.9 will fix the PAM_Winbind issue that I described in my first post. I checked the release notes, and didn't find anything that stood out.
https://github.com/FreeRADIUS/freeradius-server/commit/658f459d892af4f43d615... seems like something that might be related, given it touches almost every line in that file.
It’s not your problem in this case, but my point is that the release notes don’t tell the whole story.
It’s not really the job of the developer of free OSS software to tell you if upgrading to the current release is going to fix your problem, it takes time, and time isn’t free - as you know, you say you don’t want to invest the time yourself.
I understand that PAM is hated, but a lot of 3rd party commercial products like WikiD and Yubikey appear to have success using it. Because there is such disdain in the FreeRadius dev community towards it, I have a hunch that it may receive little to no QA attention.
I guess the above commit disproved that hunch.
The problem in your case is revealed by the “res=failed” in your selinux log, and the specific PAM function that is referenced in the FreeRADIUS log. Look at the source for rlm_pam, it shows that pam_acct_mgmt is called after pam_authenticate, which is normal.
Your PAM 'account' section is returning failed after the ‘auth’ section passes. Is the account locked out, or restricted to some specific time of day? Is your PAM config complete?
-- Nathan Ward
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------ If you reply to this email, your message will be added to the discussion below:
http://freeradius.1045715.n5.nabble.com/Re-AD-Authentication-using-PAM-winbi... To unsubscribe from Re: AD Authentication using PAM_winbind.so succeeds, but FreeRadius 3.0.4 rejects with "Failed to Authenticate User", click here <http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=5735553&code=am1pbGxzNTkwMUBnbWFpbC5jb218NTczNTU1M3wtMTQwNTk1MjU1MQ==> . NAML <http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
And I'm now getting radius successes.
Great.
Nathan, you are the man, thank you so much. Where can I find your donate button?
I don’t have one, I’m not part of the FreeRADIUS project if that is what you had assumed, just someone with a little spare time today. I haven’t seen a FR donate link, but if there is one someone might like to share it. -- Nathan Ward
On Jul 26, 2015, at 5:38 AM, Josh Miller <jmills5901@gmail.com> wrote:
I didn't understand what the accounting grantor meant, and why it mattered since Authentication was successful.
And instead of trying to figure it out, you blamed FreeRADIUS, and the FreeRADIUS developers. That's an asshole thing to do.
Furthermore, I was under the impression that because was only using a 1 line item "auth required pam_winbind.so" in /etc/pam.d/radiusd then account being ignored.
Yeah... and you apparently didn't read, or try to understand the debug logs you posted to the list. There's a sample "radiusd-pam" file distributed with the server. Instead of taking that and adding "winbind", you created your own file... and broke the server. And then blamed us.
Apparently, there is an implicit deny associated with the accounting feature, and you must explicitly tell it to permit in the code. Simply omitting the account line does not mean that FreeRadius will ignore that data.
This is all documented by the PAM people. It helps to understand the systems you're using. Alan DeKok.
On Jul 26, 2015, at 3:11 AM, Josh Miller <jmills5901@gmail.com> wrote:
I understand that PAM is hated, but a lot of 3rd party commercial products like WikiD and Yubikey appear to have success using it. Because there is such disdain in the FreeRadius dev community towards it, I have a hunch that it may receive little to no QA attention.
Don't be a whiny asshole. You're getting the software, and support, for free. If you don't like it, go away, and buy a commercial RADIUS server. Your complaints are doubly annoying because as it turns out... the problem wasn't FreeRADIUS. It was you. If you keep complaining that we're mean to you, you will be unsubscribed and banned from the list. Alan DeKok.
Hey Alan, Understandable, sorry about that. This was my first serious Linux implementation. Really appreciate what you guys are doing for the community. Cheers On Sun, Jul 26, 2015 at 3:47 AM, Alan DeKok-2 [via FreeRADIUS] < ml-node+s1045715n5735587h7@n5.nabble.com> wrote:
On Jul 26, 2015, at 3:11 AM, Josh Miller <[hidden email] <http:///user/SendEmail.jtp?type=node&node=5735587&i=0>> wrote:
I understand that PAM is hated, but a lot of 3rd party commercial products like WikiD and Yubikey appear to have success using it. Because there is such disdain in the FreeRadius dev community towards it, I have a hunch that it may receive little to no QA attention.
Don't be a whiny asshole.
You're getting the software, and support, for free. If you don't like it, go away, and buy a commercial RADIUS server.
Your complaints are doubly annoying because as it turns out... the problem wasn't FreeRADIUS. It was you.
If you keep complaining that we're mean to you, you will be unsubscribed and banned from the list.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------ If you reply to this email, your message will be added to the discussion below:
http://freeradius.1045715.n5.nabble.com/Re-AD-Authentication-using-PAM-winbi... To unsubscribe from Re: AD Authentication using PAM_winbind.so succeeds, but FreeRadius 3.0.4 rejects with "Failed to Authenticate User", click here <http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=5735553&code=am1pbGxzNTkwMUBnbWFpbC5jb218NTczNTU1M3wtMTQwNTk1MjU1MQ==> . NAML <http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
participants (3)
-
Alan DeKok -
Josh Miller -
Nathan Ward