(RADIATOR) Radiator and PAM authentication for Kerberos 5

Forbes Mike Mike.Forbes at Colorado.EDU
Tue Sep 4 19:45:14 CDT 2001


Thanks for the information and my main problem was I was not running
radiator start as root.

As for the dummy account line, what exactly does that do? Does it verify that the
user has a kerb account? How does that differ from the auth?  Please
excuse my lack of knowledge in the PAM department.

With the acct line missing I got the following for a user with an account
in the kerb database but not on the radius machine (note everything works
fine if the user exists on the radius box).

Sep  4 18:22:09 radii perl[25135]: pam_krb5: authentication succeeds for
dretest
Sep  4 18:22:09 radii radiusd(pam_unix)[25135]: could not identify user
(from getpwnam(dretest))

With the acct line in, it works and I get

Sep  4 18:29:06 radii perl[25135]: pam_krb5: authentication succeeds for
dretest


Thanks,

Mike Forbes

On Mon, 3 Sep 2001, Mike McCauley wrote:

> Hello Mike,
>
> I have retested PAM+Kerberos on RH7.1 with Radiator 2.18.3 and it works fine.
> It looks a bit to me like your PAM service is not configured correctly: PAM
> is failing to get the authentication information. You may need a dummy
> account line like I have.
>
>
> My PAM service file for the service 'radiator' looks like this:
>
> # PAM config file to auth Radiator from Kerberos
> auth       required     /lib/security/pam_krb5.so skip_first_pass
> account    required     /lib/security/pam_permit.so
>
> And my Radiator config file has this:
> .....
> <Realm DEFAULT>
> 	# Authenticate from the PAM service called 'radiator'
> 	# see above for details
> 	<AuthBy PAM>
> 		Service radiator
> 	</AuthBy>
> </Realm>
>
> After adding the user 'mikem' to the Kerberos database with kadmin, I can
> authenticate like this:
>
> Mon Sep  3 20:39:47 2001: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 32802 ....
> Code:       Access-Request
> Identifier: 32
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "mikem"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password =
> "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
>
> Mon Sep  3 20:39:47 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Mon Sep  3 20:39:47 2001: DEBUG:  Deleting session for mikem, 203.63.154.1, 1234
> Mon Sep  3 20:39:47 2001: DEBUG: Handling with PAM service radiator
> Mon Sep  3 20:39:48 2001: DEBUG: PAM is asking for 'Password'
> Mon Sep  3 20:39:48 2001: DEBUG: Access accepted for mikem
> Mon Sep  3 20:39:48 2001: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 32802 ....
> Code:       Access-Accept
> Identifier: 32
> Authentic:  1234567890123456
> Attributes:
>
>
> On Sat, 1 Sep 2001 16:57, Hugh Irvine wrote:
> > Hello Mike -
> >
> > Have you done everything that is mentioned in section 6.37 of the
> > Radiator reference manual?
> >
> > I have also copied this to Mike for his comments.
> >
> > regards
> >
> > Hugh
> >
> > At 21:25 -0600 01/8/31, Forbes Mike wrote:
> > >I am using Radiator on Redhat 7.1 with PAM authentication.  I have the
> > >radius.cfg as
> > >follows:
> > >
> > ><Realm DEFAULT>
> > >         <AuthBy PAM>
> > >         Service radiusd
> > >         </AuthBy>
> > >
> > >         # Log accounting to a detail file
> > >         AcctLogFileName %L/detail
> > ></Realm>
> > >
> > ><Client x.x.x.x>
> > >         Secret  mysecret
> > >         NasType Cisco
> > >         DupInterval 0
> > ></Client>
> > >
> > >
> > >more /etc/pam.d/radiusd
> > >auth     required       /lib/security/pam_krb5.so
> > >
> > >I get the following /var/messages
> > >
> > >Aug 31 21:10:54 radii perl: pam_krb5: authentication succeeds for forbeskm
> > >
> > >I get the following from radius logfile
> > >
> > >Fri Aug 31 21:10:54 2001: DEBUG: Handling request with Handler
> > >'Realm=DEFAULT'
> > >Fri Aug 31 21:10:54 2001: DEBUG:  Deleting session for forbeskm,
> > >x.x.x.x, 3
> > >Fri Aug 31 21:10:54 2001: DEBUG: Handling with PAM service radiusd
> > >Fri Aug 31 21:10:54 2001: DEBUG: PAM is asking for 'Password'
> > >Fri Aug 31 21:10:54 2001: INFO: Access rejected for forbeskm:
> > >Authentication service cannot retrieve authentication info.:
> > >Fri Aug 31 21:10:54 2001: DEBUG: Packet dump:
> > >
> > >
> > >Why is this failing? Is it my krb5.conf that may be misconfigured?  I did
> > >not have any luck with getting more debug info from putting debug = true
> > >in the [pam] section.
> > >
> > >Anybody else doing kerb5 authentication with the radiator??
> > >
> > >Thanks,
> > >
> > >Mike Forbes
> > >
> > >===
> > >Archive at http://www.open.com.au/archives/radiator/
> > >Announcements on radiator-announce at open.com.au
> > >To unsubscribe, email 'majordomo at open.com.au' with
> > >'unsubscribe radiator' in the body of the message.
>

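An added example, not part of the original thread and not Radiator's own code: a small Python check run over the two PAM service files quoted above. It assumes Linux-PAM's behaviour of using the `other` service for any management group a service file leaves empty, and it also notes when the `account` stack consists only of `pam_permit.so`, which always succeeds. The function names and the `needed` parameter are illustrative.

```python
import re

GROUPS = ("auth", "account", "password", "session")

def parse_pam_service(text):
    """Return {group: [(control, module_basename, args), ...]} for a pam.d service file."""
    stacks = {g: [] for g in GROUPS}
    # Join backslash-continued lines, then drop comments and blank lines.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # type, control (simple word or [value=action ...]), module path, arguments
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m or m.group(1) not in GROUPS:
            continue
        group, control, module, args = m.groups()
        stacks[group].append((control, module.rsplit("/", 1)[-1], args.split()))
    return stacks

def audit(text, needed=("auth", "account")):
    """List findings for the groups a RADIUS-style PAM client is assumed to call."""
    stacks = parse_pam_service(text)
    findings = []
    for group in needed:
        if not stacks[group]:
            findings.append(f"{group}: no entries; the 'other' service decides this group")
    if any(module == "pam_permit.so" for _, module, _ in stacks["auth"]):
        findings.append("auth: pam_permit.so accepts any password")
    acct = [module for _, module, _ in stacks["account"]]
    if acct and all(module == "pam_permit.so" for module in acct):
        findings.append("account: only pam_permit.so; PAM applies no expiry or access checks")
    return findings

# Service files as quoted in the thread.
RADIUSD = "auth     required       /lib/security/pam_krb5.so\n"
RADIATOR = (
    "# PAM config file to auth Radiator from Kerberos\n"
    "auth       required     /lib/security/pam_krb5.so skip_first_pass\n"
    "account    required     /lib/security/pam_permit.so\n"
)

if __name__ == "__main__":
    for name, text in (("radiusd", RADIUSD), ("radiator", RADIATOR)):
        print(name, audit(text))
```

With `pam_permit.so` as the only account module, the Kerberos password check is the sole gate: any principal in the realm that authenticates is accepted, with no local account lookup.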