Old school: FreeRADIUS and NIS

Mark Haney mhaney at practichem.com
Mon Mar 10 20:09:59 CET 2014

On 03/10/14 14:31, Alan DeKok wrote:

> The solution is simple, and is documented.
> Alan DeKok.

I don't think I've ever flamed anyone in my life, but now I believe I
have to.

Sadly, it seems like this is a recurring theme with you. I've seen
literally DOZENS of posts from you in the archives and through google
and in every single one of them there IS NOT a shred of helpful advice
except to RTFM.

The vaunted documentation is just about the worst I've ever seen.  It
goes in circles:

- From modules/passwd:

> #  An example configuration for using /etc/passwd.
> #
> #  We do NOT recommend using the configuration below.  See the "unix"
> #  module, or the "pam" module for a cleaner way to get system passwords.
> #
> #  Using this configuration means that the server will find *only*
> #  those passwords which are in /etc/passwd, and will *ignore* all
> #  of the passwords in NIS, LDAP, etc.
> #

- From modules/unix:

> unix {
>         #  As of 1.1.0, the Unix module no longer reads,
>         #  or caches /etc/passwd, /etc/shadow, or /etc/group.
>         #  If you wish to cache those files, see the passwd
>         #  module.

- From radiusd.conf:

> #  On systems with shadow passwords, you might have to set 'group = shadow'
> #  for the server to be able to read the shadow password file.  If you can
> #  authenticate users while in debug mode, but not in daemon mode, it may be
> #  that the debugging mode server is running as a user that can read the
> #  shadow info, and the user listed below can not.

(FWIW, this documentation is beyond incomprehensible.  The 'group =
shadow' is not about using the group 'shadow' to access /etc/shadow;
it's changing the group on /etc/shadow to 'radiusd'.)

There are a good half dozen archived messages about /etc/shadow and
how it is NOT recommended to make such a change.  In fact, I found this:

>> From: "Alan DeKok" <aland at ox.org>
>> To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
>> Sent: Thursday, January 26, 2006 3:37 PM
>> Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)
>>
>>> "Nataniel Klug" <nata at cnett.psi.br> wrote:
>>>> I just have installed the package from Fedora Core 3, nothing else.
>>>
>>> Then look at the configuration file.  See how it's different
>>> from what is shipped with FreeRADIUS.
>>>
>>> And setting "a+rw" on /etc/passwd and /etc/shadow is probably
>>> the single worst thing you can do to your system.  EVER.
>>>
>>> Rather than doing that, read raddb/radiusd.conf, it talks about
>>> issues with reading /etc/shadow, and describes suggested fixes that
>>> won't destroy your system.
>>>
>>> Honestly, I don't understand why it's so hard to read the
>>> configuration files.
>>>
>>> Alan DeKok.

Radiusd.conf DOES NOT talk about issues with reading /etc/shadow.

(And note, the 'why is it so hard to read the documentation' from you.)

In the one post (which I cannot dig up now since I've pulled up so
many in the last two hours), it's RECOMMENDED not to change read
permissions on /etc/shadow.  Even though the OP actually got it
working that way.  And IIRC, it was a reply from you and someone else
in the thread that made that recommendation.

I have to be honest. I've been doing this a LONG time.  20 years or
so.  And I've NEVER dealt with a more unprofessional and unhelpful
mailing list than this one.  What should be a relatively
'simple' solution is anything but with this list.  I'm no noob working
with linux/unix and text configuration files, and yet I feel FARTHER
away from an answer than I did before I started.

And due to that 'take two steps forward and half-dozen back', I've
made it clear to my boss that FreeRADIUS, while it may work just fine,
will be impossible to manage due to the horrible documentation and
utter lack of help on the lists.  I have removed the packages off my
system and will be finding another method of communicating with these
switches.  I will also be unsubscribing from this list immediately.

-- 
Mark Haney
Network/Systems Administrator
W: (919) 714-8428
Fedora release 20 (Heisenbug) 3.13.4-200.fc20.x86_64
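The quoted radiusd.conf comment and the 2006 reply disagree with the poster about what 'group = shadow' does, and the difference is the whole security point: the daemon's group changes, the file's mode does not, and 'a+rw' on /etc/shadow is what must be avoided. The following is an added example, written for this page and not code from the original post or from FreeRADIUS. It models the owner/group/other read check the kernel applies when a privilege-dropped radiusd opens /etc/shadow, using constructed uid/gid tables and constructed file metadata (Debian-style root:shadow 0640, plus the 'a+rw' state). The 'user =' and 'group =' directives are FreeRADIUS's own; the parser and lookup tables are assumptions made for the example.

```python
"""Why 'group = shadow' works and 'chmod a+rw /etc/shadow' must not be used.

Added example, not part of the original post or of FreeRADIUS. It models the
Unix permission check the kernel performs when radiusd, after dropping
privileges to the 'user'/'group' set in radiusd.conf, opens /etc/shadow.
All uids, gids and file metadata below are constructed sample values.
"""
import stat
from dataclasses import dataclass

# Constructed lookup tables standing in for /etc/passwd and /etc/group.
USERS = {"root": 0, "radiusd": 95}
GROUPS = {"root": 0, "shadow": 42, "radiusd": 95}

# Constructed file metadata. SHADOW_OK is the Debian-style default
# (root:shadow, 0640); SHADOW_A_RW is the 'a+rw' state the quoted 2006
# reply calls the worst thing you can do to a system.
SHADOW_OK = {"uid": 0, "gid": GROUPS["shadow"], "mode": 0o640}
SHADOW_A_RW = {"uid": 0, "gid": GROUPS["shadow"], "mode": 0o666}


@dataclass(frozen=True)
class Proc:
    """Credentials the daemon holds after setuid()/setgid()."""
    uid: int
    gid: int


def parse_radiusd_conf(text):
    """Pull 'user = ...' and 'group = ...' out of a radiusd.conf fragment.
    '#' comments and unrelated directives are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ("user", "group"):
            settings[key] = value
    return settings


def process_from_conf(text):
    """Resolve the configured names to the ids radiusd would drop to.
    A missing directive means that id stays root (0), as when the
    'user'/'group' lines are commented out."""
    s = parse_radiusd_conf(text)
    uid = USERS[s["user"]] if "user" in s else 0
    gid = GROUPS[s["group"]] if "group" in s else 0
    return Proc(uid, gid)


def can_read(proc, f):
    """The owner/group/other read check the kernel applies on open().
    Only the primary gid is modelled; supplementary groups are omitted."""
    if proc.uid == 0:
        return True
    if proc.uid == f["uid"]:
        return bool(f["mode"] & stat.S_IRUSR)
    if proc.gid == f["gid"]:
        return bool(f["mode"] & stat.S_IRGRP)
    return bool(f["mode"] & stat.S_IROTH)


def audit_shadow(f):
    """Findings a reviewer would raise about /etc/shadow's ownership/mode."""
    findings = []
    if f["mode"] & stat.S_IROTH:
        findings.append("world-readable: every local user can read password hashes")
    if f["mode"] & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by non-root: hashes can be replaced or accounts locked")
    if f["uid"] != 0:
        findings.append("not owned by root")
    return findings


# Constructed radiusd.conf fragments: the default privilege drop, and the
# variant the quoted comment describes.
CONF_DEFAULT = """
user = radiusd
group = radiusd
"""

CONF_SHADOW = """
user = radiusd
group = shadow   # the daemon's gid becomes 'shadow'; /etc/shadow is untouched
"""

if __name__ == "__main__":
    for label, conf in (("group = radiusd", CONF_DEFAULT), ("group = shadow", CONF_SHADOW)):
        p = process_from_conf(conf)
        print(f"{label}: radiusd can read 0640 root:shadow /etc/shadow -> {can_read(p, SHADOW_OK)}")
    print("findings for a+rw /etc/shadow:", audit_shadow(SHADOW_A_RW))
```

With 'group = radiusd' the daemon falls through to the "other" bits of 0640 and is refused; with 'group = shadow' it matches the file's group and gets the group read bit, and no chmod or chgrp of /etc/shadow is needed. The model assumes a distribution that ships /etc/shadow as root:shadow 0640; on Fedora and RHEL the file is shipped as root:root with mode 0000, so 'group = shadow' alone would not open it there, and the PAM route the modules/passwd comment points to avoids having the daemon read the file at all.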