Accounting with pam_radius_auth
Christophe Boyanique
tof+freeradius at raceme.org
Tue Feb 20 10:29:57 CET 2007
Hello,
I found in the archive that pam_radius questions can be asked here so here
is mine:
I am using pam_radius_auth to authenticate and do some accounting against
a freeradius+ldaps server (which works perfectly).
Everything (authorization, authentication and accounting) works perfectly
except accounting in some cases.
Configuration uses pam_radius_auth 1.3.16.
Here is an example pam configfile (/etc/pam.d/su):
-- cut --
auth sufficient /lib/security/$ISA/pam_rootok.so
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_radius_auth.so try_first_pass debug
auth required /lib/security/$ISA/pam_deny.so
account sufficient /lib/security/pam_radius_auth.so debug
account sufficient /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid<100 quiet
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authok md5 shadow
password required /lib/security/$ISA/pam_deny.so
#session required /lib/security/$ISA/pam_selinux.so close
#session required /lib/security/$ISA/pam_limits.so
session sufficient /lib/security/pam_radius_auth.so debug
session sufficient /lib/security/$ISA/pam_unix.so
#session sufficient /lib/security/$ISA/pam_selinux.so open multiple
#session optional /lib/security/$ISA/pam_xauth.so
-- cut --
In fact the main problem is if I su to an unprivileged user, no accounting
packet is sent and output displays:
su: pam_radius_auth: Could not open configuration file /etc/raddb/server: Permission denied
If I su to root user, then accounting packet is correctly sent.
I suppose that session part of pam runs as unprivileged user and it can't
open the /etc/raddb/server which is protected as advised in the
documentation.
I tried with and without commented lines in the session parts without
success.
Is this a common problem (I found nothing in the archive) or do I have a
mistake in the pam configuration?
Regards,
Christophe.
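
A diagnostic sketch for the situation described in this post, added here as an example; it is not part of the original message and not code from pam_radius_auth. It lists which PAM stages in a service file invoke pam_radius_auth and checks, by mode bits only, whether a given uid could read the server file. The function names are hypothetical and a temporary file stands in for /etc/raddb/server.

```python
import os
import stat
import tempfile

def radius_stages(pam_text, module="pam_radius_auth.so"):
    """Return {stage: [control, ...]} for active lines that call the module."""
    stages = {}
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments
        # Fields: type, control, module-path, then optional arguments.
        if len(fields) >= 3 and os.path.basename(fields[2]) == module:
            stages.setdefault(fields[0].lstrip("-"), []).append(fields[1])
    return stages

def readable_by(path, uid, gids=()):
    """Mode-bit check only (no ACLs): could uid/gids open path for reading?"""
    st = os.stat(path)
    if uid == 0:
        return True
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

# Constructed sample: the RADIUS-related lines from the /etc/pam.d/su above.
SAMPLE_SU = """\
auth sufficient /lib/security/pam_radius_auth.so try_first_pass debug
account sufficient /lib/security/pam_radius_auth.so debug
#session required /lib/security/$ISA/pam_limits.so
session sufficient /lib/security/pam_radius_auth.so debug
session sufficient /lib/security/$ISA/pam_unix.so
"""

def demo():
    # Stand-in for /etc/raddb/server, protected with mode 0600 (assumption).
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"127.0.0.1 constructed-secret 3\n")
    os.chmod(fh.name, 0o600)
    owner = os.stat(fh.name).st_uid
    other_uid = owner + 1          # hypothetical uid that is not the owner
    result = (radius_stages(SAMPLE_SU),
              readable_by(fh.name, owner),
              readable_by(fh.name, other_uid))
    os.unlink(fh.name)
    return result

if __name__ == "__main__":
    print(demo())
```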