Different Passwd Files on Different Servers
Bryan Beronilla
bberonilla at gmail.com
Thu Jul 21 09:56:15 CEST 2005
On 7/20/05, Alan DeKok <aland at ox.org> wrote:
> Bryan Beronilla <bberonilla at gmail.com> wrote:
> > 1. How will I configure the conf files in order to authenticate
> > different users to different passwd and shadow files based on their
> > domain names?
>
> You don't. You configure the "passwd" module to read passwords from
> the different files. The server will then use the password to
> authenticate the user.
>
> To select which passwd module to use, and which passwd file to read,
> see doc/Autz-Type.
>
I've tried using Autz-Type but I can't seem to quite make it work. I'm
getting this error: No authenticate method (Auth-Type) configuration
found for the request. I'm not sure where this should be set.
I've defined the passwd modules in the modules subsection:
passwd sys_passwd {
        filename = /etc/passwd
        format = "*User-Name::LM-Password"
        authtype = MS-CHAP
}
# Added by Barok for alternate password
passwd virtual_passwd {
        filename = /home/virtual/domain.com/etc/passwd
        format = "*User-Name::LM-Password"
        authtype = MS-CHAP
}
And I've inserted this in the users file:
DEFAULT Realm == "domain.com"
        Autz-Type := virtual_passwd,
        Auth-Type := unix,
        Fall-Through = 1
DEFAULT Realm == "NULL"
        Autz-Type := sys_passwd,
        Auth-Type := unix
Added this to authorize:
Autz-Type domain.com{
        virtual_passwd
}
Autz-Type NULL{
        sys_passwd
}
And this to the authenticate portion:
Auth-Type domain.com{
        unix
}
Auth-Type NULL{
        unix
}
I tried to follow the doc file mentioned but I can't seem to make it
work. I apologize if this might be a basic question that should be
obvious to me by now. I have only started using radius in the past two
weeks.
> > 2. What is the most elegant way of accessing the passwd files on the
> > second server? Should I set up another radius server on the second
> > box and pass on the request? Or is there a better alternative.
>
> I would suggest copying the passwd files between the servers, unless
> there's some other interaction I'm not aware of.
>
This might not be an option we can consider. The users are
dynamically created, so a copy-and-paste-passwd-files solution would
not be practical. What other solutions exist? We're considering
proxying off to another radius on the 2nd box, or to go the NFS
route...
> Alan DeKok.
>
>
Thank you very much for your patience.