Old school: FreeRADIUS and NIS
Phil Mayers
p.mayers at imperial.ac.uk
Mon Mar 10 15:33:55 CET 2014
On 10/03/14 14:03, Mark Haney wrote:
> On 03/07/14 16:00, Alan DeKok wrote:
>
>>> The only thing I've changed in the config files is to add the
>>> DEFAULT Auth-Type = System at the top of the users file.
>>
>> Which I don't recommend you do.
>>
>> Anyways, debug mode shows:
>>
>> ++[unix] returns notfound
>>
>> Which is pretty definitive.
>
> Okay, what would you recommend then? And the ++[unix] returns notfound is
> definitive of /what/?

rlm_unix has a flow like this:

    r = getpwnam(username)
    if not r:
        return NOTFOUND
    if not r.passwd or len(r.passwd) < 10:
        s = getspnam(username)
        if not s:
            return NOTFOUND
        passwd = s.passwd
    else:
        passwd = r.passwd

So, either FreeRADIUS is getting no reply to getpwnam() or it's getting
an empty or "x" value for the password hash at that stage, *then*
calling getspnam() and getting no value.

My NIS is rusty, but IIRC calling the getspnam() routines under NIS
requires you being root? Most likely this is the problem.

PAM has a suid-root helper for this; FreeRADIUS doesn't. So one possible
alternative would be to use rlm_pam, and let PAM do the work of getting
at the shadow data.
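
The lookup flow sketched in the message above, as a small diagnostic. This is an added example, not part of the original message and not FreeRADIUS source; the names decide, probe and pwprobe are hypothetical, and the 10-character threshold is taken from the pseudocode in the message.

```c
/* Added diagnostic: replays the lookup flow described in the message above.
 * Build: cc -o pwprobe pwprobe.c (pwprobe is a hypothetical name). */
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum lookup { NOTFOUND, FROM_PASSWD, FROM_SHADOW };

/* Decision logic only. have_pw: getpwnam() returned an entry; pw_hash: its
 * pw_passwd field; sp_hash: sp_pwdp from getspnam(), NULL if it returned nothing. */
enum lookup decide(int have_pw, const char *pw_hash, const char *sp_hash)
{
    if (!have_pw)
        return NOTFOUND;
    if (pw_hash == NULL || strlen(pw_hash) < 10)   /* empty or "x" placeholder */
        return sp_hash ? FROM_SHADOW : NOTFOUND;
    return FROM_PASSWD;
}

/* Runs the real NSS lookups (files, NIS, ...) with the caller's privileges. */
enum lookup probe(const char *user)
{
    struct passwd *pw = getpwnam(user);
    const char *pw_hash = pw ? pw->pw_passwd : NULL;
    const char *sp_hash = NULL;

    if (pw && (pw_hash == NULL || strlen(pw_hash) < 10)) {
        struct spwd *sp = getspnam(user);  /* the message suspects this needs root */
        sp_hash = sp ? sp->sp_pwdp : NULL;
    }
    /* Report field lengths only; never print the hashes themselves. */
    printf("euid=%d getpwnam=%s pw_passwd_len=%zu getspnam=%s\n", (int)geteuid(),
           pw ? "ok" : "none", pw_hash ? strlen(pw_hash) : 0,
           sp_hash ? "ok" : "none/not-called");
    return decide(pw != NULL, pw_hash, sp_hash);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "NOTFOUND", "FROM_PASSWD", "FROM_SHADOW" };
    if (argc != 2) {
        fprintf(stderr, "usage: %s username\n", argv[0]);
        return 2;
    }
    printf("result: %s\n", names[probe(argv[1])]);
    return 0;
}
```

Run it once as root and once as the account the RADIUS daemon runs under: FROM_SHADOW as root but NOTFOUND as the daemon user matches the failure the message suspects.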