Checkval weird issue with LDAP backend and PAM authentication
John Dennis
jdennis at redhat.com
Tue Nov 30 15:45:39 CET 2010
On 11/25/2010 04:24 PM, Marco Carcano wrote:
> Hi John
>
> thank you very much for the reply - I hadn't noticed that a
> freeradius2 rpm package exists
>
> I tried, and after a lot of rearranging of the config files -
> freeradius2 splits radiusd.conf into many files - I got it working
>
> but I have to point out this thing - that I hope you - Red Hat -
> will fix: /etc/pam.d/radiusd is wrong (maybe the issue is only in
> the CentOS package):
>
> this is the content of the original file
>
> #%PAM-1.0
> auth       include      password-auth
> account    required     pam_nologin.so
> account    include      password-auth
> password   include      password-auth
> session    include      password-auth
>
> it is wrong: it causes PAM auth to fail with a really strange error
>
> pam_pass: using pamauth string <radiusd> for pam.conf lookup
> pam_pass: function pam_authenticate FAILED for <testuser>. Reason: Module is unknown
> ++[pam] returns reject
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
>
> this error caused me a little headache because initially I thought
> it was a misconfiguration of freeradius on my part.
>
> the fix is to replace the contents of /etc/pam.d/radiusd with
>
> #%PAM-1.0
> auth       include      system-auth
> account    required     pam_nologin.so
> account    include      system-auth
> password   include      system-auth
> session    include      system-auth
>
> PAM is useful in situations like my Easy Configuration Kit -
> ECK: I built an AAA system that relies on Freeradius and does
> Accounting in MySQL, Authorization with OpenLDAP and Authentication
> by Kerberos - the LDAP directory is Kerberized. I think that PAM and
> SASL are the right way to accomplish this - in ECK it works.
>
> Maybe you already know about this issue - I hope this post can help
> anybody who gets this strange error - until the package gets fixed
/etc/pam.d/radiusd was deliberately changed from using system-auth to
use password-auth about a year ago.
The reason is that services which cannot use the local means of
authentication with an out-of-band data channel for the credentials, such
as fingerprint and smart card devices, should use the password-auth
file instead of system-auth. SMTP, FTP, and other services use it as
well. So the problem is not in the change in the freeradius radiusd PAM
config.
There is likely an error in the password-auth file on your system. It
should be possible to find out in /var/log/secure which module is the
problem.
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
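A "Module is unknown" reject like the one quoted above means some line in the effective stack names a module file that libpam cannot load. The script below is an added example (not from FreeRADIUS, Red Hat, or either poster): it walks a PAM service file, follows include/substack directives the way PAM does (only lines of the including type), and reports every module that is absent from the module directory. It runs against a constructed mini /etc/pam.d and module directory built in a temp dir; pam_bogus.so is a made-up stand-in for a mistyped or uninstalled module.

```shell
#!/bin/sh
# Find modules referenced by a PAM stack that do not exist on disk.
# Constructed demo: fixture paths live under a temp dir, not /etc or /lib64.

build_demo_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/pam.d" "$d/security"
  # Modules that "exist" on this constructed box (empty stand-in files)
  for m in pam_env.so pam_unix.so pam_nologin.so pam_deny.so; do : > "$d/security/$m"; done
  cat > "$d/pam.d/radiusd" <<'EOF'
#%PAM-1.0
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth
EOF
  cat > "$d/pam.d/password-auth" <<'EOF'
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok try_first_pass
auth     required   pam_bogus.so
account  required   pam_unix.so
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required   pam_deny.so
session  required   pam_unix.so
EOF
  echo "$d"
}

pam_missing_modules() {
  # $1 = pam.d dir, $2 = service file, $3 = module dir, $4 = type filter (for includes)
  [ -f "$1/$2" ] || { echo "$2: stack file $1/$2 not found"; return 1; }
  # Drop comments/blank lines; collapse "[success=1 default=bad]" controls into one token
  sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' -e 's/\[[^]]*\]/complex/' "$1/$2" |
  while read -r type control module args; do
    t=${type#-}
    # An included file only contributes lines of the including type
    [ -n "${4:-}" ] && [ "$t" != "$4" ] && continue
    case "$control" in
      include|substack) pam_missing_modules "$1" "$module" "$3" "$t" ;;
      *) case "$module" in /*) path="$module" ;; *) path="$3/$module" ;; esac
         [ -f "$path" ] || echo "$2: $t $module -> missing ($path)" ;;
    esac
  done
}

demo=$(build_demo_fixture)
pam_missing_modules "$demo/pam.d" radiusd "$demo/security"
```

On a real host point it at /etc/pam.d and the distribution's module directory (e.g. /lib64/security); the same missing module name should also show up in /var/log/secure.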