Accounting with pam_radius_auth

Christophe Boyanique tof+freeradius at
Tue Feb 20 10:29:57 CET 2007


I found in the archive that pam_radius questions can be asked here so here
is mine:

I am using pam_radius_auth to authenticate and do some accounting against
a freeradius+ldaps server (which works perfectly).

Everything (authorization, authentication and accounting) works perfectly
except accounting in some cases.

Configuration uses pam_radius_auth 1.3.16.

Here is an example PAM config file (/etc/pam.d/su):

-- cut --
auth     sufficient  /lib/security/$ISA/
auth     required    /lib/security/$ISA/
auth     sufficient  /lib/security/$ISA/ likeauth nullok
auth     sufficient  /lib/security/ try_first_pass debug
auth     required    /lib/security/$ISA/

account  sufficient  /lib/security/ debug
account  sufficient  /lib/security/$ISA/
account  sufficient  /lib/security/$ISA/ uid<100 quiet
account  required    /lib/security/$ISA/

password requisite   /lib/security/$ISA/ retry=3
password sufficient  /lib/security/$ISA/ nullok use_authok md5
password required    /lib/security/$ISA/

#session  required    /lib/security/$ISA/ close
#session  required    /lib/security/$ISA/
session  sufficient  /lib/security/ debug
session  sufficient  /lib/security/$ISA/
#session  sufficient  /lib/security/$ISA/ open multiple
#session  optional    /lib/security/$ISA/

-- cut --

In fact the main problem is that if I su to an unprivileged user, no accounting
packet is sent and the output displays:

su: pam_radius_auth: Could not open configuration file /etc/raddb/server:
Permission denied

If I su to the root user, then the accounting packet is correctly sent.

I suppose that the session part of PAM runs as an unprivileged user and it can't
open the /etc/raddb/server which is protected as advised in the

I tried with and without commented lines in the session parts without

Is this a common problem (I found nothing in the archive) or do I have a
mistake in the PAM configuration?



More information about the Freeradius-Users mailing list