Checkval weird issue with LDAP backend and PAM authentication

John Dennis jdennis at
Tue Nov 30 16:22:53 CET 2010

On 11/30/2010 09:45 AM, John Dennis wrote:
> On 11/25/2010 04:24 PM, Marco Carcano wrote:
>> Hi John
>> thank you very much for the reply - I hadn't noticed that a
>> freeradius2 rpm package exists
>> I tried, and after a lot of rearranging of the config files -
>> freeradius2 splits radiusd.conf up a lot - I got it working
>> but I have to point out this thing - that I hope you - Red Hat -
>> will fix: /etc/pam.d/radiusd is wrong (maybe the issue is only in
>> CentOS package):
>> this is the content of the original file
>> #%PAM-1.0
>> auth       include      password-auth
>> account    required
>> account    include      password-auth
>> password   include      password-auth
>> session    include      password-auth
>> it is wrong: it causes PAM auth to fail with a really strange error
>> pam_pass: using pamauth string <radiusd> for pam.conf lookup
>> pam_pass: function pam_authenticate FAILED for <testuser>. Reason: Module is unknown
>> ++[pam] returns reject
>> Failed to authenticate the user.
>> Using Post-Auth-Type Reject
>> +- entering group REJECT {...}
>> this error caused me a little headache because initially I thought it
>> was a misconfiguration of mine in freeradius.
>> the fix is to replace the contents of /etc/pam.d/radiusd with
>> #%PAM-1.0
>> auth       include      system-auth
>> account    required
>> account    include      system-auth
>> password   include      system-auth
>> session    include      system-auth
>> PAM is useful in situations like my Easy Configuration Kit -
>> ECK: I built an AAA system that relies on FreeRADIUS and does
>> Accounting in MySQL, Authorization with OpenLDAP and Authentication
>> by Kerberos - the LDAP directory is Kerberized. I think that PAM and
>> SASL are a good way to accomplish this - in ECK it works.
>> Maybe you already know about this issue - I hope this post can help
>> anybody who gets this strange error - until the package gets fixed
> /etc/pam.d/radiusd was deliberately changed from using system-auth to
> use password-auth about a year ago.
> The reason is that the services cannot use the local means of
> authentication with an out-of-band data channel for the credentials such
> as Fingerprint and Smart card devices and should use password-auth
> instead of the system-auth file. SMTP, FTP, and other services use it as
> well. So the problem is not in the change in the freeradius radiusd PAM
> config.
> There is likely an error in the password-auth file on your system. It
> should be possible to find out in /var/log/secure which module is the
> problem.

My apologies, I now realize there is a version mismatch. RHEL5 has not
been updated with the password-auth module; it exists only in Fedora
and RHEL6. The RHEL5 version of /etc/pam.d/radiusd should be using
system-auth, as you correctly point out. The PAM change was inadvertently
copied into the RHEL5 version of FreeRADIUS; I will open a bug against
the RHEL5 version.

John Dennis <jdennis at>
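The thread's diagnosis is that the packaged /etc/pam.d/radiusd points at a PAM stack file (password-auth) that does not exist on RHEL5. The script below is an added example, not code from the thread or from the FreeRADIUS project: it walks a PAM service file, picks out every `include`/`substack` directive (and Debian-style `@include`) and reports any referenced stack file that is missing from the PAM directory. The function name `check_pam_includes`, the `DEMO_PAMDIR` layout and the two radiusd variants are constructed for the demo so it runs offline; on a real host you would point it at /etc/pam.d/radiusd and /etc/pam.d.

```shell
#!/bin/sh
# Added example, not from the thread: verify that every stack a PAM service
# file pulls in via "include"/"substack" (or Debian-style "@include") exists
# in the PAM directory. On RHEL5 there is no password-auth file, which is the
# mismatch the thread settles on.

# check_pam_includes FILE PAMDIR
# Prints one line per missing include target; returns 0 if all exist, 1 otherwise.
check_pam_includes() {
    file="$1"
    pamdir="$2"
    missing=0
    # "while ... done < file" runs in the current shell, so $missing survives the loop.
    # pam.d line format: type  control  module-path  [module-args]
    while read -r type control module _rest; do
        case "$type" in
            ''|'#'*) continue ;;                 # blank line or comment
            '@include') target="$control" ;;    # Debian style: @include common-auth
            *)
                case "$control" in
                    include|substack) target="$module" ;;
                    *) continue ;;               # a real module such as pam_unix.so, not a stack file
                esac
                ;;
        esac
        if [ ! -f "$pamdir/$target" ]; then
            echo "$file: '$type $control $module' refers to $pamdir/$target, which does not exist"
            missing=1
        fi
    done < "$file"
    return "$missing"
}

# --- Constructed demo standing in for /etc/pam.d on a RHEL5-style host -----
# system-auth exists, password-auth does not (these files are made up for the demo).
DEMO_PAMDIR=$(mktemp -d)
printf 'auth       required     pam_unix.so\n' > "$DEMO_PAMDIR/system-auth"

# The radiusd file as shipped in the package discussed in the thread (constructed copy)
cat > "$DEMO_PAMDIR/radiusd.shipped" <<'EOF'
#%PAM-1.0
auth       include      password-auth
account    include      password-auth
password   include      password-auth
session    include      password-auth
EOF

# The corrected file for RHEL5: same stack, pointing at system-auth
cat > "$DEMO_PAMDIR/radiusd.fixed" <<'EOF'
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
EOF

# Wrappers so the two outcomes can be checked by name
check_shipped() { check_pam_includes "$DEMO_PAMDIR/radiusd.shipped" "$DEMO_PAMDIR"; }
check_fixed()   { check_pam_includes "$DEMO_PAMDIR/radiusd.fixed"   "$DEMO_PAMDIR"; }

# The shipped file reports four dangling password-auth references; the fixed one is silent.
if check_shipped; then echo "shipped file: all includes present"; else echo "shipped file: missing includes (see above)"; fi
if check_fixed;   then echo "fixed file: all includes present";   else echo "fixed file: missing includes (see above)"; fi
```

The check only covers stack-file references; a `required`/`requisite` line naming a module that cannot be loaded is a separate failure, which is why the advice in the thread to read /var/log/secure still applies once the include targets are known to exist.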

