Old school: FreeRADIUS and NIS

Alan DeKok aland at deployingradius.com
Mon Mar 10 21:22:03 CET 2014

Adam Bishop wrote:
> I suspect the problem here is either SELinux or the shadow group not existing.

  Quote possibly.

> RHEL doesn't have a shadow group by default - as it's a nasty hack and potential source of vulnerability, you're expected to have the sense to create it yourself if its needed.

  That's unfriendly.  Oh well.

> It's also tagged with a unique policy type:
>   [root at orps1 ~]# ls -alZ /etc/shadow
>   ----------. root root system_u:object_r:shadow_t:s0    /etc/shadow
> Which I *think* would cause an AVC denial.


> Then there's the small matter of /etc/shadow having no permission mask by default.

  Arg.  That's Unix 101 debugging, TBH.  Track down the root cause of
the problem, and fix it.

> But someone who's been doing this for a long time would have checked such things, or even provided us with the output of strace, right? :) 

  Yes.  The people who claim decades of experience usually don't follow
standard practices.  The people who have decades of experience just get
follow standard practice, and things done.

  Alan DeKok.

More information about the Freeradius-Users mailing list