AD Authentication using PAM_winbind.so succeeds, but FreeRadius 3.0.4 rejects with "Failed to Authenticate User"
Josh Miller
jmills5901 at gmail.com
Sun Jul 26 11:38:31 CEST 2015
Nathan,
So I've been researching this heavily since you it pointed it out. For
anyone the following the thread, these are the lines in question.
Jul 24 16:37:25 freeradius01 audit[2995]: <audit-1100> pid=2995 uid=0
auid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:authentication grantors=pam_winbind acct="test-user-123"
exe="/usr/sbin/radiusd" hostname=? addr=? terminal=pts/1 res=success'
Jul 24 16:37:25 freeradius01 audit[2995]: <audit-1101> pid=2995 uid=0
auid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:accounting grantors=? acct="test-user-123"
exe="/usr/sbin/radiusd" hostname=? addr=? terminal=pts/1 res=failed'
I didn't understand what the accounting grantor meant, and why it mattered
since Authentication was successful. Furthermore, I was under the
impression that because was only using a 1 line item "auth required
pam_winbind.so" in /etc/pam.d/radiusd then account being ignored.
However I was vastly mistaken.
Apparently, there is an implicit deny associated with the accounting
feature, and you must explicitly tell it to permit in the code. Simply
omitting the account line does not mean that FreeRadius will ignore that
data.
So /etc/pam.d/radiusd code now looks like this :
auth required
/etc/libpam-google-authenticator-1.0/pam_google_authenticator.so
secret=/var/lib/google-authenticator/${USER} forward_pass
auth required pam_winbind.so
account required pam_permit.so
And I'm now getting radius successes.
Nathan, you are the man, thank you so much. Where can I find your donate
button?
On Sun, Jul 26, 2015 at 1:16 AM, Nathan Ward [via FreeRADIUS] <
ml-node+s1045715n5735581h21 at n5.nabble.com> wrote:
>
> > On 26/07/2015, at 19:11, Josh Miller <[hidden email]
> <http:///user/SendEmail.jtp?type=node&node=5735581&i=0>> wrote:
> >
> > Hey Nathan,
> >
> > Thanks for the reply.
> >
> > I did follow the directions beginning under the section "Installing
> SRPM"
> > and I kept running into issues. I
> >
> > Before investing any more time trying to upgrade to a "non-stable"
> release,
> > it would be nice to get a clear answer from the development team if
> > upgrading from 3.0.4 to 3.0.9 will fix the PAM_Winbind issue that I
> > described in my first post. I checked the release notes, and didn't
> find
> > anything that stood out.
>
>
> https://github.com/FreeRADIUS/freeradius-server/commit/658f459d892af4f43d615720951bf75a96c2411d seems
> like something that might be related, given it touches almost every line in
> that file.
>
> It’s not your problem in this case, but my point is that the release notes
> don’t tell the whole story.
>
> It’s not really the job of the developer of free OSS software to tell you
> if upgrading to the current release is going to fix your problem, it takes
> time, and time isn’t free - as you know, you say you don’t want to invest
> the time yourself.
>
> > I understand that PAM is hated, but a lot of 3rd party commercial
> products
> > like WikiD and Yubikey appear to have success using it. Because there
> is
> > such disdain in the FreeRadius dev community towards it, I have a hunch
> > that it may receive little to no QA attention.
>
> I guess the above commit disproved that hunch.
>
> The problem in your case is revealed by the “res=failed” in your selinux
> log, and the specific PAM function that is referenced in the FreeRADIUS
> log. Look at the source for rlm_pam, it shows that pam_acct_mgmt is called
> after pam_authenticate, which is normal.
>
> Your PAM 'account' section is returning failed after the ‘auth’ section
> passes. Is the account locked out, or restricted to some specific time of
> day? Is your PAM config complete?
>
> --
> Nathan Ward
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> ------------------------------
> If you reply to this email, your message will be added to the discussion
> below:
>
> http://freeradius.1045715.n5.nabble.com/Re-AD-Authentication-using-PAM-winbind-so-succeeds-but-FreeRadius-3-0-4-rejects-with-Failed-to-Authe-tp5735553p5735581.html
> To unsubscribe from Re: AD Authentication using PAM_winbind.so succeeds,
> but FreeRadius 3.0.4 rejects with "Failed to Authenticate User", click
> here
> <http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=5735553&code=am1pbGxzNTkwMUBnbWFpbC5jb218NTczNTU1M3wtMTQwNTk1MjU1MQ==>
> .
> NAML
> <http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
>
More information about the Freeradius-Users
mailing list