pam_auth_radius - fallback with localifdown?
martin.richard at gmail.com
Wed Jun 23 20:33:16 CEST 2010
On Wed, Jun 23, 2010 at 4:13 AM, Alan DeKok <aland at deployingradius.com>wrote:
> Double-check that it's returning PAM_IGNORE. Maybe source code mods
> to syslog "RETURNING PAM_IGNORE".
> If it is returning PAM_IGNORE, then it's a PAM problem. Ask the
> question again on the PAM list.
Found my problem.
The pam_sm_authenticate() does return PAM_IGNORE with localifdown, as
expected. Added a lot of logging including the final return value
(PAM_IGNORE / 25). I had also tested that the stack was dealing with the
ignore properly by using pam_debug.so. So my stack for 'auth' as originally
posted works as expected, so I'm quite happy with the fallback setup.
What was failing pseudo silently was the call to pam_sm_open_session() (or
rather pam_private_session()). I only had this single module listed in the
pam conf file, and since nothing was logged, I didn't catch on the fact that
my login failures were coming from the 'session' part. Since no success was
returned and it was my only line for PAM, it failed and I couldn't logon if
the radius servers were unreachable.
Time permitting I might submit a patch to add some logging to
pam_private_session, if there would be interest from the dev team ?
Thanks a lot for the infos and replies.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Freeradius-Users