PAM with GNU radius

[pam-list at redhat.com (Hakanson, David J.)]

This is a multi-part message in MIME format.

------_=_NextPart_001_01C25056.25D310C8
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

=20

    I am trying to set up a radius server (GNU radius) using PAM (krb5)
for authentication. I am having problems doing radius auths since the
account part fails. My pam file looks like:

=20

auth        sufficient    /lib/security/pam_krb5.so use_authtok

auth        required      /lib/security/pam_deny.so

=20

account    required     /lib/security/pam_permit.so

session    required     /lib/security/pam_permit.so

=20

    When I do a radius auth the authentication goes through without a
problem but then denies me with the error: "pam_krb5: unable to
determine uid/gid for user" and then "pam_krb5: authentication fails for
user". Is there any way that I can completely bypass the account/session
portion of PAM? Since all I am doing is using PAM for authentication and
not authorization I don't need the uid/gid information at all. I also
tried=20

=20

"account     [default=3Dignore success=3Dignore user_unknown=3Dignore
service_err=3Dignore system_err=3Dignore] /lib/security/pam_unix.so"=20

=20

and it did not help. Any ideas? Thanks,

=20

David


------_=_NextPart_001_01C25056.25D310C8
Content-Type: text/html;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html>

<head>
<meta http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 10 (filtered)">

<style>
<!--
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman";}
a:link, span.MsoHyperlink
	{color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{color:purple;
	text-decoration:underline;}
span.EmailStyle17
	{font-family:Arial;
	color:windowtext;}
@page Section1
	{size:8.5in 11.0in;
	margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
	{page:Section1;}
-->
</style>

</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple>

<div class=3DSection1>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>&nbsp;</span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>&nbsp;&nbsp;&nbsp; I am trying to set up a radius =
server (GNU
radius) using PAM (krb5) for authentication. I am having problems doing =
radius
auths since the account part fails. My pam file looks =
like:</span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>&nbsp;</span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>auth&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
sufficient&nbsp;&nbsp;&nbsp; /lib/security/pam_krb5.so =
use_authtok</span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>auth&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
required&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
/lib/security/pam_deny.so</span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>&nbsp;</span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>account&nbsp;&nbsp;&nbsp; =
required&nbsp;&nbsp;&nbsp;&nbsp;
/lib/security/pam_permit.so</span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>session&nbsp;&nbsp;&nbsp; =
required&nbsp;&nbsp;&nbsp;&nbsp;
/lib/security/pam_permit.so</span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>&nbsp;</span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>&nbsp;&nbsp;&nbsp; When I do a radius auth the
authentication goes through without a problem but then denies me with =
the
error: &#8220;pam_krb5: unable to determine uid/gid for user&#8221; and =
then &#8220;pam_krb5:
authentication fails for user&#8221;. Is there any way that I can =
completely
bypass the account/session portion of PAM? Since all I am doing is using =
PAM
for authentication and not authorization I don&#8217;t need the uid/gid
information at all. I also tried </span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>&nbsp;</span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>&#8220;account&nbsp;&nbsp;&nbsp;&nbsp; =
[default=3Dignore
success=3Dignore user_unknown=3Dignore service_err=3Dignore =
system_err=3Dignore] /lib/security/pam_unix.so&#8221;
</span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>&nbsp;</span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>and it did not help. Any ideas? =
Thanks,</span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>&nbsp;</span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>David</span></font></p>

</div>

</body>

</html>
=00
------_=_NextPart_001_01C25056.25D310C8--