(RADIATOR) AuthBy NISPlus
Fred Albrecht
Fred at vwo.co.za
Fri Mar 22 04:39:28 CST 2002
Hi
I'm seeing some funnies with AuthBy NISPlus. When authenticating with
AuthBy NISPlus the master/root NIS server gets queried instead of the local
NIS replica. If I do a nismatch on the local auth machine then the replica
server gets queried. Is this a bug in Radiator?
Here are some logs:
The auth request looks like this:
Fri Mar 22 11:39:45 2002: DEBUG: Packet dump:
*** Received from 196.25.100.91 port 2000 ....
Code: Access-Request
Identifier: 1
Authentic: 1016789973
Attributes:
User-Name = "bruma at icon.co.za"
User-Password =
"<16><146>TWg<193>NH<213>o<253><228>H<158><224><135>"
NAS-IP-Address = 196.25.1.1
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = "async"
NAS-Port = 1
Fri Mar 22 11:39:46 2002: DEBUG: Check if Handler Realm="oogly.co.za" should
be used to handle this request
Fri Mar 22 11:39:46 2002: DEBUG: Check if Handler
Realm="icon.co.za.superauth" should be used to handle this request
Fri Mar 22 11:39:46 2002: DEBUG: Check if Handler Realm="eldappy" should be
used to handle this request
Fri Mar 22 11:39:46 2002: DEBUG: Check if Handler Realm=icon.co.za,
Request-Type = Accounting-Request should be used to handle this request
Fri Mar 22 11:39:46 2002: DEBUG: Check if Handler Realm=icon.co.za should be
used to handle this request
Fri Mar 22 11:39:46 2002: DEBUG: Handling request with Handler
'Realm=icon.co.za'
Fri Mar 22 11:39:46 2002: DEBUG: Rewrote user name to bruma
Fri Mar 22 11:39:46 2002: DEBUG: Deleting session for bruma at icon.co.za,
196.25.1.1, 1
Fri Mar 22 11:39:46 2002: DEBUG: Handling with Radius::AuthNISPLUS
Fri Mar 22 11:39:46 2002: DEBUG: NIS+ query is [name=bruma]
Fri Mar 22 11:39:47 2002: DEBUG: Radius::AuthNISPLUS looks for match with
bruma
Fri Mar 22 11:39:47 2002: DEBUG: Radius::AuthNISPLUS ACCEPT:
Fri Mar 22 11:39:47 2002: DEBUG: Handling with Radius::AuthDBFILE
Fri Mar 22 11:39:47 2002: DEBUG: Radius::AuthDBFILE looks for match with
bruma
Fri Mar 22 11:39:47 2002: DEBUG: Radius::AuthDBFILE ACCEPT:
Fri Mar 22 11:39:47 2002: DEBUG: Handling with Radius::AuthFILE
Fri Mar 22 11:39:47 2002: DEBUG: Radius::AuthFILE looks for match with bruma
Fri Mar 22 11:39:47 2002: DEBUG: Radius::AuthFILE looks for match with
DEFAULT
Fri Mar 22 11:39:47 2002: DEBUG: Radius::AuthFILE ACCEPT:
Fri Mar 22 11:39:47 2002: DEBUG: Access accepted for bruma
Fri Mar 22 11:39:47 2002: DEBUG: Packet dump:
*** Sending to 196.25.100.91 port 2000 ....
Code: Access-Accept
Identifier: 1
Authentic: 1016789973
Attributes:
Class = "040903"
Service-Type = Framed-User
Framed-Protocol = PPP
Fri Mar 22 11:40:39 2002: DEBUG: Packet dump:
*** Received from 196.25.100.91 port 2125 ....
Code: Access-Request
Identifier: 2
Authentic: 1016790027
Attributes:
User-Name = "bruma at icon.co.za"
User-Password = "<239><14><157>G<1><23>zV_v@<243><240>`<215><180>"
NAS-IP-Address = 196.25.1.1
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = "async"
NAS-Port = 1
Fri Mar 22 11:40:39 2002: DEBUG: Check if Handler Realm="oogly.co.za" should
be used to handle this request
Fri Mar 22 11:40:39 2002: DEBUG: Check if Handler
Realm="icon.co.za.superauth" should be used to handle this request
Fri Mar 22 11:40:39 2002: DEBUG: Check if Handler Realm="eldappy" should be
used to handle this request
Fri Mar 22 11:40:39 2002: DEBUG: Check if Handler Realm=icon.co.za,
Request-Type = Accounting-Request should be used to handle this request
Fri Mar 22 11:40:39 2002: DEBUG: Check if Handler Realm=icon.co.za should be
used to handle this request
Fri Mar 22 11:40:39 2002: DEBUG: Handling request with Handler
'Realm=icon.co.za'
Fri Mar 22 11:40:39 2002: DEBUG: Rewrote user name to bruma
Fri Mar 22 11:40:39 2002: DEBUG: Deleting session for bruma at icon.co.za,
196.25.1.1, 1
Fri Mar 22 11:40:39 2002: DEBUG: Handling with Radius::AuthNISPLUS
Fri Mar 22 11:40:39 2002: DEBUG: NIS+ query is [name=bruma]
Fri Mar 22 11:40:39 2002: DEBUG: Radius::AuthNISPLUS looks for match with
bruma
Fri Mar 22 11:40:39 2002: DEBUG: Radius::AuthNISPLUS ACCEPT:
Fri Mar 22 11:40:39 2002: DEBUG: Handling with Radius::AuthDBFILE
Fri Mar 22 11:40:39 2002: DEBUG: Radius::AuthDBFILE looks for match with
bruma
Fri Mar 22 11:40:39 2002: DEBUG: Radius::AuthDBFILE ACCEPT:
Fri Mar 22 11:40:39 2002: DEBUG: Handling with Radius::AuthFILE
Fri Mar 22 11:40:39 2002: DEBUG: Radius::AuthFILE looks for match with bruma
Fri Mar 22 11:40:39 2002: DEBUG: Radius::AuthFILE looks for match with
DEFAULT
Fri Mar 22 11:40:39 2002: DEBUG: Radius::AuthFILE ACCEPT:
Fri Mar 22 11:40:39 2002: DEBUG: Access accepted for bruma
Fri Mar 22 11:40:39 2002: DEBUG: Packet dump:
*** Sending to 196.25.100.91 port 2125 ....
Code: Access-Accept
Identifier: 2
Authentic: 1016790027
Attributes:
Class = "040903"
Service-Type = Framed-User
Framed-Protocol = PPP
The snoop looks like this:
wol-aaa1:/#snoop mail450
Using device /dev/hme (promiscuous mode)
wol-aaa1.worldonline.co.za -> mail450.icon.co.za NIS+ C Lookup
"passwd.org_dir.icon.co.za."
mail450.icon.co.za -> wol-aaa1.worldonline.co.za NIS+ R Lookup [Success] and
1 object
wol-aaa1.worldonline.co.za -> mail450.icon.co.za NIS+ C IBlist
"passwd.org_dir.icon.co.za." [name = "bruma"]
mail450.icon.co.za -> wol-aaa1.worldonline.co.za NIS+ R IBlist [Success] and
1 object
wol-aaa1.worldonline.co.za -> mail450.icon.co.za TCP D=32772 S=35876
Ack=1086635127 Seq=3835083472 Len=0 Win=33580
A local nismatch looks like this (no snoop results):
wol-aaa1:#nismatch name=bruma passwd.org_dir
bruma:ua2NkPWApbWXk:34671:200:Colin
Clegg:/usr/people/users/b/r/bruma:/usr/local/bin/tcsh:
So why does a dialup auth request get sent to the Master/root NIS server
when a command line query stays local?
My radiator config for this domain looks like this:
<Handler Realm=icon.co.za, Request-Type = Accounting-Request>
    <AuthBy NISPLUS>
        Table passwd.org_dir
        Query [name=%U]
        AuthFieldDef passwd,Encrypted-Password,check
    </AuthBy>
    AcctLogFileName %L/%R/%d-%m-%y.log.test
</Handler>
<Handler Realm=icon.co.za>
    RewriteUsername s/^(.+)\@icon.co.za/$1/
    AuthByPolicy ContinueWhileAccept
    <AuthBy NISPLUS>
        Table passwd.org_dir
        Query [name=%U]
        AuthFieldDef passwd,Encrypted-Password,check
    </AuthBy>
    <AuthBy DBFILE>
        Filename %D/users.db
        # Force it to use DB_File
        DBType DB_File
    </AuthBy>
    <AuthBy FILE>
        Filename %D/icon_users
        StripFromReply User-Category
    </AuthBy>
</Handler>
Any ideas?
:)
fred
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
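
Added example, not part of the original post and not Radiator code: a Python script that tallies which servers receive NIS+ calls from the RADIUS host in summary-mode snoop output, so a capture taken during authentication can be checked against the replica that is expected to answer. The sample lines are copied from the snoop capture in the post; the replica name nis-replica.example is a placeholder assumed for illustration.

```python
import re
from collections import Counter

# Summary-mode snoop line, as in the post: "<src> -> <dst> NIS+ C|R <procedure> ..."
NIS_LINE = re.compile(r'^(\S+)\s+->\s+(\S+)\s+NIS\+\s+([CR])\s+(\w+)')

def unwrap(text):
    """Rejoin packet summaries that a terminal or mail client wrapped."""
    lines = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        if ' -> ' in raw or not lines:
            lines.append(raw)            # start of a new packet summary
        else:
            lines[-1] += ' ' + raw       # continuation of the previous one
    return lines

def nisplus_calls(text, client):
    """Count NIS+ calls (direction 'C') sent by client, keyed by (server, procedure)."""
    calls = Counter()
    for line in unwrap(text):
        m = NIS_LINE.match(line)
        if m and m.group(3) == 'C' and m.group(1) == client:
            calls[(m.group(2), m.group(4))] += 1
    return calls

def unexpected_servers(text, client, expected):
    """Servers that answered NIS+ calls from client but are not in the expected set."""
    seen = {server for (server, _proc) in nisplus_calls(text, client)}
    return sorted(seen - set(expected))

# Capture lines copied from the post, including the wrapped continuations.
SAMPLE = '''Using device /dev/hme (promiscuous mode)
wol-aaa1.worldonline.co.za -> mail450.icon.co.za NIS+ C Lookup
"passwd.org_dir.icon.co.za."
mail450.icon.co.za -> wol-aaa1.worldonline.co.za NIS+ R Lookup [Success] and
1 object
wol-aaa1.worldonline.co.za -> mail450.icon.co.za NIS+ C IBlist
"passwd.org_dir.icon.co.za." [name = "bruma"]
mail450.icon.co.za -> wol-aaa1.worldonline.co.za NIS+ R IBlist [Success] and
1 object
wol-aaa1.worldonline.co.za -> mail450.icon.co.za TCP D=32772 S=35876
Ack=1086635127 Seq=3835083472 Len=0 Win=33580
'''

if __name__ == '__main__':
    client = 'wol-aaa1.worldonline.co.za'
    # 'nis-replica.example' is a placeholder for the local replica's hostname.
    print(unexpected_servers(SAMPLE, client, {'nis-replica.example'}))
```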