(RADIATOR) Radiator and PAM authentication for Kerberos 5
Forbes Mike
Mike.Forbes at Colorado.EDU
Tue Sep 4 19:45:14 CDT 2001
Thanks for the information and my main problem was I was not running
radiator start as root.
As for the dummy account line, what does that exactly do? Verify that the
user has a kerb account? How does that differ from the auth? Please
excuse my lack of knowledge in the PAM department.
With the acct line missing I got the following for a user with an account
in the kerb database but not on the radius machine (note everything works
fine if the user exists on the radius box).
Sep 4 18:22:09 radii perl[25135]: pam_krb5: authentication succeeds for dretest
Sep 4 18:22:09 radii radiusd(pam_unix)[25135]: could not identify user (from getpwnam(dretest))
With the acct line in, it works and I get
Sep 4 18:29:06 radii perl[25135]: pam_krb5: authentication succeeds for dretest
Thanks,
Mike Forbes
On Mon, 3 Sep 2001, Mike McCauley wrote:
> Hello Mike,
>
> I have retested PAM+Kerberos on RH7.1 with Radiator 2.18.3 and it works fine.
> It looks a bit to me like your PAM service is not configured correctly: PAM
> is failing to get the authentication information. You may need a dummy
> account line like I have.
>
>
> My PAM service file for the service 'radiator' looks like this:
>
> # PAM config file to auth Radiator from Kerberos
> auth required /lib/security/pam_krb5.so skip_first_pass
> account required /lib/security/pam_permit.so
>
> And my Radiator config file has this:
> .....
> <Realm DEFAULT>
> # Authenticate from the PAM service called 'radiator'
> # see above for details
> <AuthBy PAM>
> Service radiator
> </AuthBy>
> </Realm>
>
> After adding the user 'mikem' to the Kerberos database with kadmin, I can
> authenticate like this:
>
> Mon Sep 3 20:39:47 2001: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 32802 ....
> Code: Access-Request
> Identifier: 32
> Authentic: 1234567890123456
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password =
> "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
>
> Mon Sep 3 20:39:47 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Mon Sep 3 20:39:47 2001: DEBUG: Deleting session for mikem, 203.63.154.1, 1234
> Mon Sep 3 20:39:47 2001: DEBUG: Handling with PAM service radiator
> Mon Sep 3 20:39:48 2001: DEBUG: PAM is asking for 'Password'
> Mon Sep 3 20:39:48 2001: DEBUG: Access accepted for mikem
> Mon Sep 3 20:39:48 2001: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 32802 ....
> Code: Access-Accept
> Identifier: 32
> Authentic: 1234567890123456
> Attributes:
>
>
> On Sat, 1 Sep 2001 16:57, Hugh Irvine wrote:
> > Hello Mike -
> >
> > Have you done everything that is mentioned in section 6.37 of the
> > Radiator reference manual?
> >
> > I have also copied this to Mike for his comments.
> >
> > regards
> >
> > Hugh
> >
> > At 21:25 -0600 01/8/31, Forbes Mike wrote:
> > >I am using Radiator on Redhat 7.1 with PAM authentication. I have the
> > >radius.cfg as
> > >follows:
> > >
> > ><Realm DEFAULT>
> > > <AuthBy PAM>
> > > Service radiusd
> > > </AuthBy>
> > >
> > > # Log accounting to a detail file
> > > AcctLogFileName %L/detail
> > ></Realm>
> > >
> > ><Client x.x.x.x>
> > > Secret mysecret
> > > NasType Cisco
> > > DupInterval 0
> > ></Client>
> > >
> > >
> > >more /etc/pam.d/radiusd
> > >auth required /lib/security/pam_krb5.so
> > >
> > >I get the following /var/messages
> > >
> > >Aug 31 21:10:54 radii perl: pam_krb5: authentication succeeds for forbeskm
> > >
> > >I get the following from radius logfile
> > >
> > >Fri Aug 31 21:10:54 2001: DEBUG: Handling request with Handler
> > >'Realm=DEFAULT'
> > >Fri Aug 31 21:10:54 2001: DEBUG: Deleting session for forbeskm,
> > >x.x.x.x, 3
> > >Fri Aug 31 21:10:54 2001: DEBUG: Handling with PAM service radiusd
> > >Fri Aug 31 21:10:54 2001: DEBUG: PAM is asking for 'Password'
> > >Fri Aug 31 21:10:54 2001: INFO: Access rejected for forbeskm:
> > >Authentication service cannot retrieve authentication info.:
> > >Fri Aug 31 21:10:54 2001: DEBUG: Packet dump:
> > >
> > >
> > >Why is this failing, is it my krb5.conf that may be misconfigured. I did
> > >not have any luck with getting more debug info from putting debug = true
> > >in the [pam] section.
> > >
> > >Anybody else doing kerb5 authentication with the radiator??
> > >
> > >Thanks,
> > >
> > >Mike Forbes
> > >
> > >===
> > >Archive at http://www.open.com.au/archives/radiator/
> > >Announcements on radiator-announce at open.com.au
> > >To unsubscribe, email 'majordomo at open.com.au' with
> > >'unsubscribe radiator' in the body of the message.
>
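Added example (not part of the original thread, and not Radiator or Linux-PAM code): a small checker run over the two PAM service files posted above, reporting what each defines for the `auth` and `account` groups. It relies on two Linux-PAM behaviours: a group with no entries in a service file is taken from the `other` service, and `pam_permit.so` always returns success. The function names, and the assumption that the application calls both authentication and account management, are hypothetical.

```python
import os

GROUPS = ("auth", "account", "password", "session")


def parse_service(text):
    """Parse one /etc/pam.d service file into {group: [(control, module, args)]}."""
    stacks = {g: [] for g in GROUPS}
    for raw in text.replace("\\\n", " ").splitlines():   # join continued lines
        line = raw.split("#", 1)[0].strip()               # drop comments
        if not line or line.startswith("@include"):
            continue
        parts = line.split(None, 1)
        group = parts[0].lstrip("-").lower()              # "-auth" marks an optional module
        if group not in stacks or len(parts) < 2:
            continue
        rest = parts[1]
        if rest.startswith("["):                          # [value=action ...] control field
            control, _, rest = rest.partition("]")
            control += "]"
        else:
            control, rest = (rest.split(None, 1) + [""])[:2]
        tokens = rest.split()
        if tokens:
            stacks[group].append((control, os.path.basename(tokens[0]), tokens[1:]))
    return stacks


def audit(text, needed=("auth", "account")):
    """Return findings for the groups the application is assumed to call."""
    stacks, findings = parse_service(text), []
    for group in needed:
        modules = [m for _, m, _ in stacks[group]]
        if not modules:
            findings.append(f"{group}: no entries, Linux-PAM falls back to the 'other' service")
        elif all(m == "pam_permit.so" for m in modules):
            findings.append(f"{group}: pam_permit.so only, every request passes this group")
    return findings


# Service files as posted in the thread.
RADIUSD = "auth required /lib/security/pam_krb5.so\n"
RADIATOR = """# PAM config file to auth Radiator from Kerberos
auth required /lib/security/pam_krb5.so skip_first_pass
account required /lib/security/pam_permit.so
"""

if __name__ == "__main__":
    for name, text in (("radiusd", RADIUSD), ("radiator", RADIATOR)):
        print(name, audit(text) or "no findings")
```

A permit-only account stack lets Kerberos principals with no local passwd entry through, and it also means no local expiry or lockout check from an account module such as `pam_unix` is applied to those logins.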