Auth-Type = System not working
Maillists
maillists at cois.on.ca
Thu Jun 1 00:29:41 CEST 2006
Hi,
I've read the freeradius-users archives and found that other people have
problems when using Freeradius on an OS which uses a shadow password
file. I too have encountered such problems and have found why this
problem occurs but require assistance to fix. Here's a recap of the
problem:
Auth-Type = Local works fine but Auth-Type = System does not.
OS: FreeBSD 6.0 running Freeradius-1.1.1 installed from ports collection
users file contents:
DEFAULT Auth-Type = System
        Reply-Message = "System password works"
Running radiusd -X produces (see below for greater detail)
rlm_unix: [test]: invalid password
but I know 100% that the password is correct. What appears to be
happening (determined from hours of frustrating testing) is Freeradius
(rlm_unix) is looking for the users' passwords in the /etc/passwd file
but my /etc/passwd file doesn't contain any passwords:
test:*:1003:1003:Test User:/home/test:/bin/sh
my /etc/master.passwd file does:
test:$1$RlHYm4Ca$QhlYcYV7BqIjTF.UQ4pTX/:1003:1003::0:0:Test User:/home/test:/bin/sh
if I copy the encrypted password from /etc/master.passwd and replace the
"*" in /etc/passwd I can successfully authenticate via Auth-Type = System
Login OK: [test] (from client localhost port 0) (more detail below)
*******
So my question is what do I need to do so I don't have to manually
replace the "*" in /etc/passwd with the encrypted password from
/etc/master.passwd for every user I enter in the system?
*******
TIA,
Shane
Output of radiusd -X when /etc/passwd contains "*" for password
rad_recv: Access-Request packet from host 127.0.0.1:52869, id=153, length=53
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 127.0.0.1
NAS-Port-Id = "0"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 688
modcall[authorize]: module "preprocess" returns ok for request 688
radius_xlat: '/var/log/radacct/127.0.0.1/auth-detail-20060531'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radacct/127.0.0.1/auth-detail-20060531
modcall[authorize]: module "auth_log" returns ok for request 688
modcall[authorize]: module "chap" returns noop for request 688
modcall[authorize]: module "mschap" returns noop for request 688
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 688
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 688
users: Matched entry DEFAULT at line 13
modcall[authorize]: module "files" returns ok for request 688
modcall: leaving group authorize (returns ok) for request 688
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 688
rlm_unix: [test]: invalid password
modcall[authenticate]: module "unix" returns reject for request 688
modcall: leaving group authenticate (returns reject) for request 688
auth: Failed to validate the user.
Login incorrect: [test/test] (from client localhost port 0)
Delaying request 688 for 1 seconds
Finished request 688
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 153 to 127.0.0.1 port 52869
Reply-Message = "System password works"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 688 ID 153 with timestamp 447e1534
Nothing to do. Sleeping until we see a request.
Output of radiusd -X when /etc/passwd contains encrypted password
instead of "*"
rad_recv: Access-Request packet from host 127.0.0.1:55703, id=181, length=53
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 127.0.0.1
NAS-Port-Id = "0"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/var/log/radacct/127.0.0.1/auth-detail-20060531'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radacct/127.0.0.1/auth-detail-20060531
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 13
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
modcall[authenticate]: module "unix" returns ok for request 0
modcall: leaving group authenticate (returns ok) for request 0
radius_xlat: 'System password works'
Login OK: [test] (from client localhost port 0)
Sending Access-Accept of id 181 to 127.0.0.1 port 55703
Reply-Message = "System password works"
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 181 with timestamp 447e1744
Nothing to do. Sleeping until we see a request.
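
A diagnostic for the symptom reported in this post, added here as an example (it is not code from the original message or from FreeRADIUS): it reports whether getpwnam(), called as the current effective user, returns a usable hash or only a placeholder such as the "*" shown in /etc/passwd. The function names and the list of placeholder values are assumptions of this example, as is the premise that the failing check reads the password field through getpwnam().

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum pw_kind { PW_PLACEHOLDER, PW_EMPTY, PW_HASH };

/* Classify a passwd password field (placeholder list is this example's
 * assumption): "*" (FreeBSD /etc/passwd) and "x" (Linux shadow) mean the hash
 * lives in a root-only file; a leading '!' or "*LOCKED*" marks a locked entry. */
enum pw_kind classify_pw_field(const char *field)
{
    if (field == NULL || field[0] == '\0')
        return PW_EMPTY;
    if (strcmp(field, "*") == 0 || strcmp(field, "x") == 0 ||
        field[0] == '!' || strncmp(field, "*LOCKED*", 8) == 0)
        return PW_PLACEHOLDER;
    return PW_HASH;
}

/* Classify the second colon-separated field of a passwd or master.passwd line. */
enum pw_kind classify_line(const char *line)
{
    char buf[256];
    const char *start = strchr(line, ':');
    if (start == NULL) return PW_EMPTY;
    start++;
    size_t len = strcspn(start, ":");
    if (len >= sizeof(buf)) len = sizeof(buf) - 1;
    memcpy(buf, start, len);
    buf[len] = '\0';
    return classify_pw_field(buf);
}

/* Report what a getpwnam()-based checker sees; the hash is never printed. */
int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) { fprintf(stderr, "no such user: %s\n", user); return 2; }
    enum pw_kind k = classify_pw_field(pw->pw_passwd);
    printf("euid=%d user=%s pw_passwd is %s\n", (int)geteuid(), user,
           k == PW_HASH ? "a hash (crypt comparison possible)"
                        : "a placeholder or empty (comparison always fails)");
    return k == PW_HASH ? 0 : 1;
}
```

On FreeBSD, getpwnam() fills pw_passwd from master.passwd only for a process with effective UID 0, so running this under the account radiusd runs as shows what the server itself sees.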