Old school: FreeRADIUS and NIS

Mark Haney mhaney at practichem.com
Mon Mar 10 20:09:59 CET 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 03/10/14 14:31, Alan DeKok wrote:

> 
> The solution is simple, and is documented.
> 
> Alan DeKok.

I don't think I've ever flamed anyone in my life, but now I believe I
have to.

Sadly, it seems like this is a recurring theme with you. I've seen
literally DOZENS of posts from you in the archives and through Google
and in every single one of them there IS NOT a shred of helpful advice
except to RTFM.

The vaunted documentation is just about the worst I've ever seen.  It
goes in circles:

- From modules/passwd:

> #  An example configuration for using /etc/passwd.
> #
> #  We do NOT recommend using the configuration below.  See the "unix"
> #  module, or the "pam" module for a cleaner way to get system passwords.
> #
> #  Using this configuration means that the server will find *only* those
> #  passwords which are in /etc/passwd, and will *ignore* all of the
> #  passwords in NIS, LDAP, etc.
> #

- From modules/unix:

> unix {
>         #  As of 1.1.0, the Unix module no longer reads,
>         #  or caches /etc/passwd, /etc/shadow, or /etc/group.
>         #  If you wish to cache those files, see the passwd
>         #  module.

- From radiusd.conf:

> #  On systems with shadow passwords, you might have to set 'group = shadow'
> #  for the server to be able to read the shadow password file.  If you can
> #  authenticate users while in debug mode, but not in daemon mode, it may be
> #  that the debugging mode server is running as a user that can read the
> #  shadow info, and the user listed below can not.

(FWIW, this documentation is beyond incomprehensible.  The 'group =
shadow' is not about using the group 'shadow' to access /etc/shadow
it's changing the group on /etc/shadow to 'radiusd'.)

There are a good half dozen archived messages about /etc/shadow and
how it is NOT recommended to make such a change.  In fact, I found this:

>> From: "Alan DeKok" <aland at ox.org>
>> To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
>> Sent: Thursday, January 26, 2006 3:37 PM
>> Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)
>>
>>
>>> "Nataniel Klug" <nata at cnett.psi.br> wrote:
>>>> I just have installed the package from Fedora Core 3, nothing else.
>>>
>>> Then look at the configuration file.  See how it's different
>>> from what is shipped with FreeRADIUS.
>>>
>>> And setting "a+rw" on /etc/passwd and /etc/shadow is probably
>>> the single worst thing you can do to your system.  EVER.
>>> Rather than doing that, read raddb/radiusd.conf, it talks about
>>> issues with reading /etc/shadow, and describes suggested fixes
>>> that won't destroy your system.
>>>
>>> Honestly, I don't understand why it's so hard to read the
>>> configuration files.
>>>
>>> Alan DeKok.

Radiusd.conf DOES NOT talk about issues with reading /etc/shadow.
ANYWHERE.  PERIOD.

(And note, the 'why is it so hard to read the documentation' from you.)

In the one post (which I cannot dig up now since I've pulled up so
many in the last two hours), it's RECOMMENDED not to change read
permissions on /etc/shadow.  Even though the OP actually got it
working that way.  And IIRC, it was a reply from you and someone else
in the thread that made that recommendation.

I have to be honest. I've been doing this a LONG time.  20 years or
so.  And I've NEVER dealt with a more unprofessional and unhelpful
mailing list than I have with this list.  What should be a relatively
'simple' solution is anything but with this list.  I'm no noob working
with Linux/Unix and text configuration files, and yet I feel FARTHER
away from an answer than I did before I started.

And due to that 'take two steps forward and half-dozen back', I've
made it clear to my boss that FreeRADIUS, while it may work just fine,
will be impossible to manage due to the horrible documentation and
utter lack of help on the lists.  I have removed the packages off my
system and will be finding another method of communicating with these
switches.  I will also be unsubscribing from this list immediately.

-- 
Mark Haney
Network/Systems Administrator
Practichem
W: (919) 714-8428
Fedora release 20 (Heisenbug) 3.13.4-200.fc20.x86_64
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTHg35AAoJEM/YzwEAv6e7MxMIAIEo85oaw7gXyVbbfJa5dzWb
6AjbxxgWQNqmPb2N1LH1VTlrI12eEVoUgx1SwMvqb13h3QXOv8+dDXQxRNvX10Zt
IyIw4yQZD3dbqj4yCnljRRvpWZONYts6tdo98LFH7gykBB8XigiaoQCu5oBcYFPf
njgwUltA/xlMGdMfCE1+sdIdYe0OvXdGb24assOVtyMFfthWYa3qdFolCapBTmxG
lOiCsqSeml68Fz8/uVtzDw5PbbtFpwhsKj81vBcZWm4l5HorvZMG4lRaSnhOHlcP
1uEVqfK69eVvcWVikK1eWeh+k5EHkaMUHjQq4DuAcxE9Xu4AZQKQt3CCTC+HWkQ=
=oiap
-----END PGP SIGNATURE-----
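The radiusd.conf comment quoted in the message above comes down to one question: can the account the daemon drops to read the shadow password file at all, or does it only work in debug mode because debug mode runs as root? The script below is an added example, not code from the FreeRADIUS project or from anyone in the thread. It classifies the access an account would get from the file's octal mode, its owning group and the account's group list, and contrasts the three approaches that appear in the thread (daemon account in its own group only, daemon account added to the file's group, and the "a+rw" from the 2006 quote). All inputs are passed as arguments so it runs offline; the `stat -c '%a %G'` and `id -Gn` commands named in the comments are GNU coreutils syntax and the `radiusd` account name is assumed.

```shell
#!/bin/sh
# Added example (not from the FreeRADIUS project or the thread): classify how a
# service account would reach a shadow-style password file, given the file's
# octal mode, its owning group and the account's group memberships.
# Inputs are passed as arguments so the script runs offline; on a live host the
# values would come from `stat -c '%a %G' /etc/shadow` and `id -Gn <account>`
# (GNU coreutils syntax, assumed). The account name "radiusd" is assumed.
#
# Usage: shadow_access <octal mode> <file group> <account groups...>
# Prints one of:
#   world-readable  : the "other" read bit is set, so every local user can read it
#   group-readable  : readable only through membership of the file's owning group
#   unreadable      : this account cannot read the file (works as root, fails as daemon)
shadow_access() {
    mode=$1 fgroup=$2
    shift 2
    other=${mode#"${mode%?}"}          # last octal digit: "other" permissions
    rest=${mode%?}
    grp=${rest#"${rest%?}"}            # second-to-last octal digit: group permissions
    case $other in
        4|5|6|7) echo world-readable; return 0 ;;
    esac
    case $grp in
        4|5|6|7)
            for g in "$@"; do
                if [ "$g" = "$fgroup" ]; then
                    echo group-readable
                    return 0
                fi
            done ;;
    esac
    echo unreadable
}

# Constructed scenarios mirroring the thread (mode 640, owned by root:shadow):
# daemon account only in its own group -> cannot read the file
shadow_access 640 shadow radiusd
# daemon account given the file's group (the 'group = shadow' idea) -> reads,
# without widening who else can read the file
shadow_access 640 shadow radiusd shadow
# "a+rw" from the 2006 quote -> readable, but by every account on the host
shadow_access 666 shadow radiusd
```

The middle case is the one the config comment is pointing at: granting the daemon's group access to the file changes nothing for other users, whereas the third case makes every local account able to read (and with the write bit, rewrite) the password hashes. If authentication succeeds under `radiusd -X` but fails as a daemon, run the check with the daemon's real group list rather than root's.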