AD Authentication using PAM_winbind.so succeeds, but FreeRadius 3.0.4 rejects with "Failed to Authenticate User"
Alan DeKok
aland at deployingradius.com
Sat Jul 25 14:02:25 CEST 2015
On Jul 24, 2015, at 9:28 PM, Josh Miller <jmills5901 at gmail.com> wrote:
> I am attempting to configure 2 factor authentication using Google
> Authenticator + AD (Winbind), ultimately for use in my Cisco and Windows
> VPN environment.
That should work.
> The environment is as follows:
>
> -Fedora 22
> -Freeradius 3.0.4
> -Samba 4.2.2
I'd suggest using 3.0.9.
> ----------------------
> #/etc/pam.d/radius
>
> auth required /usr/lib64/security/pam_winbind.so debug
> ----------------------
Don't use PAM. It's not just horrible, it's designed to be used once by an application, and then never again. It will likely leak memory, cause performance issues, etc.
I would suggest using the ntlm_auth program. It's documented, and it works.
> Standard NTLM via AD works very well, but utilizing the PAM module is
> creating a whole new can of worms.
Don't use PAM. It's almost impossible to understand. And almost impossible to debug.
> My use case for PAM is 2 factor
> authentication with Google Authenticator, but if there is a better way to
> do this while still utilizing FreeRadius, then I am very interested.
You can run Perl scripts directly from FreeRADIUS. That should help.
> However, at this point I have not been able to find another
> authentication methodology for Google OTP without the PAM component.
I don't see why PAM is necessary.
> Also attaching the radius -XXX startup output separately.
<sigh> Please use "radiusd -X". Not "-XXXXXXXXXXX". It doesn't help.
Following directions is good. And the directions say "-X".
Alan DeKok.
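The combination Alan points at above, as an added example that is not part of the thread and not FreeRADIUS or Samba project code: an rlm_perl module that verifies the AD password with the ntlm_auth program and checks the Google Authenticator (RFC 6238 TOTP) code in pure Perl, so PAM is not involved at all. The ntlm_auth path, the domain name, the per-user secret store and the convention that the client types the AD password followed by the six-digit code into one password field are all assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not from the thread: an rlm_perl module that checks the AD
# password with ntlm_auth (as Alan suggests) and a Google Authenticator TOTP
# code in pure Perl, so no PAM is involved.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha1);   # core module, used for the TOTP HMAC

# Hashes that rlm_perl populates, and the return codes it understands
# (same values as in the example.pl shipped with FreeRADIUS 3.x).
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);
use constant {
    RLM_MODULE_REJECT => 0,
    RLM_MODULE_FAIL   => 1,
    RLM_MODULE_OK     => 2,
    RLM_MODULE_NOOP   => 7,
};

# ASSUMPTIONS: path to ntlm_auth, the AD domain, and a per-user secret store.
# A real deployment would read the secrets from a file or database.
my $NTLM_AUTH   = '/usr/bin/ntlm_auth';
my $AD_DOMAIN   = 'EXAMPLE';
my %TOTP_SECRET = ( 'jdoe' => 'JBSWY3DPEHPK3PXP' );   # constructed sample secret

# Decode the base32 string Google Authenticator shows when enrolling.
sub base32_decode {
    my ($s) = @_;
    $s = uc $s;
    $s =~ s/[=\s]//g;
    my $alpha = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    my $bits  = '';
    for my $c (split //, $s) {
        my $v = index($alpha, $c);
        return undef if $v < 0;              # not valid base32
        $bits .= sprintf('%05b', $v);
    }
    my $out = '';
    while (length($bits) >= 8) {
        $out .= chr(oct('0b' . substr($bits, 0, 8, '')));
    }
    return $out;
}

# RFC 6238 TOTP with SHA-1, 30 s steps, 6 digits (Google Authenticator defaults).
sub totp_code {
    my ($key, $step) = @_;
    my $counter = pack('N2', 0, $step);      # 8-byte big-endian counter
    my $h       = hmac_sha1($counter, $key);
    my $offset  = ord(substr($h, 19, 1)) & 0x0f;
    my $bin     = unpack('N', substr($h, $offset, 4)) & 0x7fffffff;
    return sprintf('%06d', $bin % 1_000_000);
}

# Accept the current step and one step either side to tolerate clock skew.
sub totp_ok {
    my ($secret_b32, $code, $now) = @_;
    my $key = base32_decode($secret_b32);
    return 0 unless defined $key && length $key;
    my $step = int($now / 30);
    for my $skew (-1, 0, 1) {
        return 1 if totp_code($key, $step + $skew) eq $code;
    }
    return 0;
}

# Ask winbind via ntlm_auth; exit status 0 means the domain accepted the password.
# The list form of system() avoids a shell, so the password is never shell-parsed.
sub ad_password_ok {
    my ($user, $pass) = @_;
    my $rc = system($NTLM_AUTH, '--request-nt-key',
                    "--domain=$AD_DOMAIN", "--username=$user", "--password=$pass");
    return $rc == 0;
}

# Entry point rlm_perl calls from the authenticate section.
# ASSUMPTION: the client sends "<AD password><6-digit OTP>" in one password field.
sub authenticate {
    my $user = $RAD_REQUEST{'User-Name'};
    my $pw   = $RAD_REQUEST{'User-Password'};
    return RLM_MODULE_NOOP unless defined $user && defined $pw;
    return RLM_MODULE_REJECT unless $pw =~ /^(.+)(\d{6})$/s;
    my ($ad_pass, $otp) = ($1, $2);
    return RLM_MODULE_REJECT unless exists $TOTP_SECRET{$user};
    # Check the OTP first: it is local and cheap, and wrong OTPs then never reach AD.
    return RLM_MODULE_REJECT unless totp_ok($TOTP_SECRET{$user}, $otp, time);
    return RLM_MODULE_REJECT unless ad_password_ok($user, $ad_pass);
    $RAD_REPLY{'Reply-Message'} = 'AD password and OTP accepted';
    return RLM_MODULE_OK;
}

1;
```

To wire it in, point the `filename` setting of the perl module at this file and call the module from an `Auth-Type` block in the `authenticate` section after setting `Auth-Type` in `authorize`; then run `radiusd -X` and send a test request to see each return code in the debug output. This design only works with PAP (the server needs the clear-text User-Password to split it), which is the same constraint the exec-based ntlm_auth setup has, and since ntlm_auth takes the password as a command-line argument it is briefly visible to local users in the process list, so keep the RADIUS host locked down to the people who administer it.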