(RADIATOR) Radiator and PAM authentication for Kerberos 5

Mike McCauley mikem at open.com.au
Tue Sep 4 20:16:14 CDT 2001


Hi Mike,


On Wed, 5 Sep 2001 10:45, Forbes Mike wrote:
> Thanks for the information and my main problem was I was not running
> radiator start as root.

Hmm, curious. I did not need to run as root on RH7.1. Maybe that's because I 
had a ticket-granting-ticket issued by kinit?

>
> As for the dummy account line, what does that exactly do, verify that the
> user has a kerb account, how does that differ from the auth.  Please
> excuse by lack of knowledge in the PAM department.

Without it on RH7.1, PAM has no account details (they do not come from 
Kerberos) and thinks that the account has expired. That line tells it that 
the account is always valid. You can see similar uses in other PAM service 
files.

Hope that helps.

Cheers.

>
> With the acct line missing I got the following for a user with an account
> in the kerb database but not on the radius machine (note everything works
> fine if the user exist on the radius box).
>
> Sep  4 18:22:09 radii perl[25135]: pam_krb5: authentication succeeds for
> dretest
> Sep  4 18:22:09 radii radiusd(pam_unix)[25135]: could not identify user
> (from getpwnam(dretest))
>
> With the acct line in, it works and I get
>
> Sep  4 18:29:06 radii perl[25135]: pam_krb5: authentication succeeds for
> dretest
>
>
> Thanks,
>
> Mike Forbes
>
> On Mon, 3 Sep 2001, Mike McCauley wrote:
> > Hello Mike,
> >
> > I have retested PAM+Kerberos on RH7.1 with Radiator 2.18.3 and it works
> > fine. It looks a bit to me like your PAM service is not configured
> > correctly: PAM is failing to get the authentication information. You may
> > need a dummy account line like I have.
> >
> >
> > My PAM service file for the service 'radiator' looks like this:
> >
> > # PAM config file to auth Radiator from Kerberos
> > auth       required     /lib/security/pam_krb5.so skip_first_pass
> > account    required     /lib/security/pam_permit.so
> >
> > And my Radiator config file has this:
> > .....
> > <Realm DEFAULT>
> > 	# Authenticate from the PAM service called 'radiator'
> > 	# see above for details
> > 	<AuthBy PAM>
> > 		Service radiator
> > 	</AuthBy>
> > </Realm>
> >
> > After adding the user 'mikem' to the Kerberos database with kadmin, I can
> > authenticate like this:
> >
> > Mon Sep  3 20:39:47 2001: DEBUG: Packet dump:
> > *** Received from 127.0.0.1 port 32802 ....
> > Code:       Access-Request
> > Identifier: 32
> > Authentic:  1234567890123456
> > Attributes:
> >         User-Name = "mikem"
> >         Service-Type = Framed-User
> >         NAS-IP-Address = 203.63.154.1
> >         NAS-Port = 1234
> >         Called-Station-Id = "123456789"
> >         Calling-Station-Id = "987654321"
> >         NAS-Port-Type = Async
> >         User-Password =
> > "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
> >
> > Mon Sep  3 20:39:47 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Mon Sep  3 20:39:47 2001: DEBUG:  Deleting session for mikem, 203.63.154.1, 1234
> > Mon Sep  3 20:39:47 2001: DEBUG: Handling with PAM service radiator
> > Mon Sep  3 20:39:48 2001: DEBUG: PAM is asking for 'Password'
> > Mon Sep  3 20:39:48 2001: DEBUG: Access accepted for mikem
> > Mon Sep  3 20:39:48 2001: DEBUG: Packet dump:
> > *** Sending to 127.0.0.1 port 32802 ....
> > Code:       Access-Accept
> > Identifier: 32
> > Authentic:  1234567890123456
> > Attributes:
> >
> > On Sat, 1 Sep 2001 16:57, Hugh Irvine wrote:
> > > Hello Mike -
> > >
> > > Have you done everything that is mentioned in section 6.37 of the
> > > Radiator reference manual?
> > >
> > > I have also copied this to Mike for his comments.
> > >
> > > regards
> > >
> > > Hugh
> > >
> > > At 21:25 -0600 01/8/31, Forbes Mike wrote:
> > > >I am using Radiator on Redhat 7.1 with PAM authentication.  I have
> > > >the radius.cfg as follows:
> > > >
> > > ><Realm DEFAULT>
> > > >         <AuthBy PAM>
> > > >         Service radiusd
> > > >         </AuthBy>
> > > >
> > > >         # Log accounting to a detail file
> > > >         AcctLogFileName %L/detail
> > > ></Realm>
> > > >
> > > ><Client x.x.x.x>
> > > >         Secret  mysecret
> > > >         NasType Cisco
> > > >         DupInterval 0
> > > ></Client>
> > > >
> > > >
> > > >more /etc/pam.d/radiusd
> > > >auth     required       /lib/security/pam_krb5.so
> > > >
> > > >I get the following /var/messages
> > > >
> > > >Aug 31 21:10:54 radii perl: pam_krb5: authentication succeeds for
> > > > forbeskm
> > > >
> > > >I get the following from radius logfile
> > > >
> > > >Fri Aug 31 21:10:54 2001: DEBUG: Handling request with Handler
> > > >'Realm=DEFAULT'
> > > >Fri Aug 31 21:10:54 2001: DEBUG:  Deleting session for forbeskm,
> > > >x.x.x.x, 3
> > > >Fri Aug 31 21:10:54 2001: DEBUG: Handling with PAM service radiusd
> > > >Fri Aug 31 21:10:54 2001: DEBUG: PAM is asking for 'Password'
> > > >Fri Aug 31 21:10:54 2001: INFO: Access rejected for forbeskm:
> > > >Authentication service cannot retrieve authentication info.:
> > > >Fri Aug 31 21:10:54 2001: DEBUG: Packet dump:
> > > >
> > > >
> > > >Why is this failing? Is it my krb5.conf that may be misconfigured?  I
> > > >did not have any luck with getting more debug info from putting debug
> > > >= true in the [pam] section.
> > > >
> > > >Anybody else doing kerb5 authentication with the radiator??
> > > >
> > > >Thanks,
> > > >
> > > >Mike Forbes
> > > >
> > > >===
> > > >Archive at http://www.open.com.au/archives/radiator/
> > > >Announcements on radiator-announce at open.com.au
> > > >To unsubscribe, email 'majordomo at open.com.au' with
> > > >'unsubscribe radiator' in the body of the message.
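An added example, not from this thread and not Radiator's or Linux-PAM's own code: a small Python linter for pam.d-style service files. The two embedded service files are constructed here, modelled on the auth-only file and the auth+account file quoted in the thread. It reports the mistake the thread turned on (an `auth` entry with no `account` entry, so this file does not answer the account stage that Radiator's AuthBy PAM runs after authentication, as the `pam_krb5` success followed by the `pam_unix` rejection shows), and it flags the `account required pam_permit.so` fix as a note, because pam_permit accepts every principal the KDC authenticates, so account expiry and lockout are then enforced only at the KDC. The claim that a missing stage is taken from the `other` service is Linux-PAM behaviour, not something the thread states.

```python
import re

PAM_GROUPS = ("auth", "account", "password", "session")

# Constructed service files modelled on the two quoted in the thread
# (hypothetical content for this example, not copied from any host).
BROKEN_SERVICE = """\
# auth only: the account stage is not configured in this file
auth     required       /lib/security/pam_krb5.so
"""

WORKING_SERVICE = """\
# PAM config file to auth Radiator from Kerberos
auth       required     /lib/security/pam_krb5.so skip_first_pass
account    required     /lib/security/pam_permit.so
"""

# group  control-or-[bracketed control]  module  optional args
LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_service(text):
    """Parse pam.d-style text into (group, control, module, args) tuples.

    Strips '#' comments, joins backslash line continuations and accepts
    the bracketed control syntax such as '[success=1 default=ignore]'.
    """
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % raw)
        group, control, module, args = m.groups()
        # a leading '-' means "ignore a missing module"; same group otherwise
        group = group.lstrip("-").lower()
        if group not in PAM_GROUPS:
            raise ValueError("unknown management group %r in %r" % (group, raw))
        entries.append((group, control, module, args.split()))
    return entries


def lint_for_radius(entries, required=("auth", "account")):
    """Return (level, message) findings for a service that Radiator's
    AuthBy PAM will call.  The thread's logs show both the auth and the
    account stage being run, so both must be present; 'error' means the
    file cannot work as intended, 'note' is a caveat to be aware of."""
    findings = []
    present = {entry[0] for entry in entries}
    for group in required:
        if group not in present:
            findings.append(("error",
                             "no '%s' entries: Linux-PAM takes this stage "
                             "from /etc/pam.d/other instead" % group))
    for group, control, module, args in entries:
        if group == "account" and module.endswith("pam_permit.so"):
            findings.append(("note",
                             "account stage is pam_permit: every principal the "
                             "KDC authenticates is a valid account, so expiry "
                             "and lockout are enforced only at the KDC"))
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_SERVICE), ("working", WORKING_SERVICE)):
        print("== %s service ==" % name)
        for level, message in lint_for_radius(parse_pam_service(text)):
            print("  %-5s %s" % (level, message))
```

Run it as a script to lint the two embedded files; to lint a real service file, read `/etc/pam.d/<service>` and pass its text to `parse_pam_service`.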

