No subject
    Alan DeKok 
    aland at deployingradius.com
       
    Tue Jun 26 03:24:17 CEST 2018
    
    
  
On Jun 25, 2018, at 9:09 PM, Hailun Tan <dearambermini at gmail.com> wrote:
> I do not think the answer in the previous link was clear.
  It doesn't explain *why* PAM works the way it does.  But it explains what's happening, and how to fix it.
  PAM problems?  Ask the PAM people
> The only viable solution in the link above is that having another local
> user with the same name then it will fix the problem. Yes, it does fix the
> problem. But what is the point to have radius server if a local user is
> required for radius to work?
  The point is that you can specify a user's password (or OTP) via RADIUS.
  If you read the PAM documentation, it says that PAM doesn't supply UID, GID, shell, home directory, etc.  PAM only does username / password checking.  And some session logging.
> Considering that there are thousands of
> radius clients to hookup with one radius server, having a local user for
> each of these clients for such user to work does not make sense.
  That's what LDAP is for.  Put the users into LDAP.  Configure NSS && LDAP.  That gets you UID, GID, etc.  Then do username / password checking via RADIUS.
> My question is very clear. If pam_radius_auth.so is not the one to be
> fixed, which other pam module should be fixed?
  As I said repeatedly, ask the PAM people how their software works.  This isn't the "PAM help list".  This is the FreeRADIUS list.
> At least you can provide a
> way for us to check which PAM module is failing so that we can check.
  No.  It's ridiculous to ask that, because I didn't write PAM, and I know nothing about it.
> I
> have even tried to disable ALL the pam modules in /etc/pam.d/sshd except
> pam_radius_auth.so but I cannot even log in the ubuntu if I did that :( So
> that is the most difficult part to troubleshoot with PAM.
  That's terrible.
  Why does that happen?  I don't know...
  ASK THE PAM PEOPLE HOW THEIR SOFTWARE WORKS.
  Alan DeKok.
    
    
More information about the Freeradius-Users
mailing list
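
The split described in the reply above (PAM checks the username and password, NSS supplies UID, GID, shell and home directory) can be checked from a shell. This is an added example, not part of the original message or of FreeRADIUS; the function names are hypothetical, and it assumes a `getent` command and an nsswitch.conf-format file.

```shell
#!/bin/sh
# Added example: check the NSS side of a PAM + RADIUS login.
# pam_radius_auth.so only verifies the password; the account record
# (UID, GID, home, shell) has to come from NSS (files, LDAP, ...).

# Print the sources configured for one NSS database.
# $1 = path to an nsswitch.conf-format file, $2 = database (default: passwd)
nss_sources() {
    db="${2:-passwd}"
    # Drop comments, keep what follows "<db>:", normalise whitespace.
    sed -n -e 's/#.*//' -e "s/^[[:space:]]*${db}:[[:space:]]*//p" "$1" |
        awk '{ $1 = $1; print; exit }'
}

# Return 0 if NSS resolves the user to a usable account record, 1 otherwise.
# $1 = username
nss_account_ok() {
    entry=$(getent passwd "$1") || return 1
    # passwd format: name:password:uid:gid:gecos:home:shell
    uid=$(printf '%s' "$entry" | cut -d: -f3)
    gid=$(printf '%s' "$entry" | cut -d: -f4)
    home=$(printf '%s' "$entry" | cut -d: -f6)
    [ -n "$uid" ] && [ -n "$gid" ] && [ -n "$home" ]
}

# Report whether a user who authenticates via RADIUS can get a session.
# $1 = username
diagnose_user() {
    if nss_account_ok "$1"; then
        echo "$1: NSS account found; password checking can be left to RADIUS"
    else
        echo "$1: no NSS account; login fails even if RADIUS accepts the password"
        return 1
    fi
}

# Optional command-line use: ./check.sh <username>
if [ "$#" -gt 0 ]; then
    echo "passwd sources: $(nss_sources /etc/nsswitch.conf passwd)"
    diagnose_user "$1"
fi
```

If `diagnose_user` fails for a name that RADIUS accepts, the missing piece is the account source (local files or LDAP through NSS), not the RADIUS exchange.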