[EXTERNAL] Re: Odd behavior on authentication

Winfield, Alister (Senior Solutions Architect) Alister.Winfield at sky.uk
Thu Nov 9 22:24:49 UTC 2023

Off topic but just be warned,

It’s possible you could make an NSS plugin, but it’s normally not done that way because the NSS lookups sometimes ask for ‘everything’ and not just map this user or map this UID / GID. Remember, ls -l uses NSS to turn UIDs and GIDs into usernames, 2 requests per file, and may not cache, hoping that the NSS layer is doing that (it doesn’t unless you use something like sssd).

So, look to the NSS people for answers and good luck if you try to attempt an abnormal solution.


From: Freeradius-Users <freeradius-users-bounces+alister.winfield=sky.uk at lists.freeradius.org> on behalf of Philip Prindeville <philipp_subx at redfish-solutions.com>
Date: Thursday, 9 November 2023 at 22:12
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: [EXTERNAL] Re: Odd behavior on authentication

> On Nov 8, 2023, at 12:31 PM, Alan DeKok <aland at deployingradius.com> wrote:
> On Nov 8, 2023, at 7:06 PM, Philip Prindeville <philipp_subx at redfish-solutions.com> wrote:
>> Also, I've run "pam-auth-update --enable radius" to get pam_radius_auth.so plugged into the PAM stack, but how do I integrate it into /etc/nsswitch.conf as well?  This is on Ubuntu so I don't have authconfig/authselect which are RedHat only.
>  Ask the PAM people how PAM / nsswitch.conf works.  This isn't a FreeRADIUS issue.
>  Alan DeKok.

Discovered the following.  The password being passed up comes from pam-auth.c in sshd.  And if I put "ldap" into /etc/nsswitch.conf, then things work.

It shouldn't be hard to refactor the nss_ldap project so that it generates two plugins, one specifically for Radius.
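
The lookup amplification mentioned in the reply above (two NSS requests per file from a process that does not cache), as an added example that is not part of the original thread. `LookupCounter`, `long_listing` and `compare` are hypothetical names, and the directory is a constructed temporary one.

```python
import grp
import os
import pwd
import tempfile
from functools import lru_cache


class LookupCounter:
    """Counts calls into the NSS-backed libc lookups (getpwuid/getgrgid)."""

    def __init__(self):
        self.calls = 0

    def user(self, uid):
        self.calls += 1
        try:
            return pwd.getpwuid(uid).pw_name  # resolved via nsswitch.conf "passwd:"
        except KeyError:
            return str(uid)  # no entry: show the number instead

    def group(self, gid):
        self.calls += 1
        try:
            return grp.getgrgid(gid).gr_name  # resolved via nsswitch.conf "group:"
        except KeyError:
            return str(gid)


def long_listing(directory, user_of, group_of):
    """Build (owner, group, name) rows the way a long listing would."""
    rows = []
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        st = entry.stat(follow_symlinks=False)
        rows.append((user_of(st.st_uid), group_of(st.st_gid), entry.name))
    return rows


def compare(n_files=50):
    """Return (uncached_lookups, cached_lookups) for a constructed directory."""
    with tempfile.TemporaryDirectory() as d:
        for i in range(n_files):
            open(os.path.join(d, f"file{i:03d}"), "w").close()
        plain = LookupCounter()
        long_listing(d, plain.user, plain.group)
        memo = LookupCounter()
        long_listing(d, lru_cache(maxsize=None)(memo.user),
                     lru_cache(maxsize=None)(memo.group))
        return plain.calls, memo.calls


if __name__ == "__main__":
    print("uncached lookups: %d, with per-process cache: %d" % compare())
```

With a network-backed NSS module and no caching daemon, each uncached call would be a round trip to the backend.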

