Google authenticator : Access-Reject
servernemesis at tutanota.com
Tue Apr 24 16:23:09 CEST 2018
Thank you!
My FR server is domain joined, and its krb5 realm is mydomain.com
I don't know where I could specify the domain for PAM.
I'm not sure what you mean by "If it doesn't know about the domain, then add a realm for "mydomain.com". Make it LOCAL (see proxy.conf)."
Should I edit /etc/pam.d/radiusd? What's proxy.conf?
Best regards
On 24 Apr 2018 at 16:00, aland at deployingradius.com wrote:
>> On Apr 24, 2018, at 9:56 AM, servernemesis at tutanota.com wrote:
>>
>> (0) Received Access-Request Id 65 from 127.0.0.1:46785 to 127.0.0.1:1812 length 92
>> (0) User-Name = "user at mydomain.com"
>
> That's the full user name, *with* domain.
>
> ...
>> (0) suffix: Checking for suffix after "@"
>> (0) suffix: Looking up realm "mydomain.com" for User-Name = "user at mydomain.com"
>> (0) suffix: No such realm "mydomain.com"
>> (0) [suffix] = noop
>
> And there's no realm, so the User-Name isn't being stripped of the domain name.
>
>> (0) pam: Using pamauth string "radiusd" for pam.conf lookup
>> (0) pam: ERROR: pam_authenticate failed: Authentication failure
>
> Does PAM (and everything past it) know about "user", or "user at mydomain.com"?
>
> If it doesn't know about the domain, then add a realm for "mydomain.com". Make it LOCAL (see proxy.conf).
>
> Once that's done, FreeRADIUS will pass "user" to PAM, and it should work.
>
> *Reading* the debug output helps. See also http://wiki.freeradius.org/radiusd-X
>
> Alan DeKok.
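Added example (not part of the original message and not FreeRADIUS code): a simplified Python model of the suffix realm lookup described in the quoted reply, showing which name is handed to PAM before and after a local realm for mydomain.com is defined. The names suffix, Realm and Lookup, and the empty realm stanza shown in the docstring, are assumptions made for illustration.

```python
"""Simplified model of the realm "suffix" lookup discussed in this thread.

Added illustration, not FreeRADIUS source code. Assumed proxy.conf stanza
that defines the realm with no home server pool, so it is handled locally:

    realm mydomain.com {
    }

A DEFAULT realm and proxying are deliberately not modelled.
"""
from typing import Dict, NamedTuple, Optional


class Realm(NamedTuple):
    name: str
    nostrip: bool = False  # models the "nostrip" realm option


class Lookup(NamedTuple):
    realm: Optional[str]   # matched realm, or None ("No such realm")
    auth_name: str         # name later modules such as PAM would be given


def suffix(user_name: str, realms: Dict[str, Realm], delim: str = "@") -> Lookup:
    # Split on the last delimiter; everything after it is the candidate realm.
    local, sep, candidate = user_name.rpartition(delim)
    if not sep or not local or not candidate:
        return Lookup(None, user_name)      # no realm part at all
    realm = realms.get(candidate)
    if realm is None:
        return Lookup(None, user_name)      # unknown realm: name left untouched
    if realm.nostrip:
        return Lookup(realm.name, user_name)
    return Lookup(realm.name, local)        # realm stripped before authentication


# Constructed sample input matching the debug output quoted above.
USER = "user@mydomain.com"
BEFORE: Dict[str, Realm] = {}                                  # no realm defined
AFTER = {"mydomain.com": Realm("mydomain.com")}                # local realm added
KEPT = {"mydomain.com": Realm("mydomain.com", nostrip=True)}   # realm kept in name

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER), ("nostrip", KEPT)):
        print(label, suffix(USER, table))
```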