
login using pam_radius or pam_tacplus is limited to users found in password file only ?!?!

Hi all,
I have been trying to set up some Red Hat boxes here to use either RADIUS or
TACACS for login.
I used both Red Hat 7.1 and 7.3.
For some reason, both behave the same:
if the user exists in the password file, its password is checked against
the remote server, and the user is allowed in. This is regardless of the
entry in the password file.
If the user does not exist, it fails to log on.

I have run pam_tacplus.so with full debug, and saw that in either case it
does exactly the same: the module is called 3 times, for auth, account and
session, and each time it returns "OK", for both users.
Seems to me there is something I am missing.
I also ran the getty through strace and tried login; in the case of the user
that doesn't exist, the getty finished with a SIGSEGV :(

Here is my /etc/pam.d/login:
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_tacplus.so debug server=10.3.3.3 secret=pam encrypt first_hit
auth       sufficient   /lib/security/pam_stack.so service=system-auth
auth       sufficient   /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_tacplus.so debug server=10.3.3.3 secret=pam encrypt service=login protocol=none
account    sufficient   /lib/security/pam_stack.so service=system-auth
password   sufficient   /lib/security/pam_stack.so service=system-auth
session    sufficient   /lib/security/pam_tacplus.so debug server=10.3.3.3 secret=pam encrypt service=login protocol=none
session    sufficient   /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

I also tried through sshd, which had the same results. Here is
/etc/pam.d/sshd:
#%PAM-1.0
auth       sufficient   /lib/security/pam_tacplus.so debug server=10.3.3.3 secret=pam encrypt first_hit
auth       sufficient   /lib/security/pam_stack.so service=system-auth
auth       sufficient   /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_tacplus.so debug server=10.3.3.3 secret=pam encrypt service=login protocol=none
account    sufficient   /lib/security/pam_stack.so service=system-auth
password   sufficient   /lib/security/pam_stack.so service=system-auth
session    sufficient   /lib/security/pam_tacplus.so debug server=10.3.3.3 secret=pam encrypt service=login protocol=none
session    sufficient   /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so


What am I missing?


Thanks for your help

Hilik
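Added illustration, not part of Hilik's post: a small Python model of the order in which login/sshd consult PAM and then the password database. The auth stack is the one from the posted /etc/pam.d/login, the module results are the ones the post reports with debug on, and the password file content is constructed; the PAM control-flag semantics are simplified.

```python
# Added example (not from the original post): the login program asks PAM
# "is this password right?", then calls getpwnam() for uid/gid/home/shell.
# pam_tacplus answers the first question; it does not create accounts.

AUTH_STACK = [                       # 'auth' section of the posted login file
    ("required",   "pam_securetty.so"),
    ("sufficient", "pam_tacplus.so"),
    ("sufficient", "pam_stack.so"),
    ("sufficient", "pam_nologin.so"),
]

MODULE_RESULTS = {                   # what the post's debug output showed
    "pam_securetty.so": "OK",
    "pam_tacplus.so":   "OK",        # TACACS+ server accepted the password
    "pam_stack.so":     "AUTH_ERR",  # never reached: pam_tacplus is sufficient
    "pam_nologin.so":   "OK",
}

# Constructed password file: only 'alice' has a local entry.
PASSWD = {"alice": (1000, 1000, "/home/alice", "/bin/bash")}


def run_stack(stack, results):
    """Walk a PAM stack with the classic control flags (simplified):
    a failing 'required' module marks the stack failed but later modules
    still run; a succeeding 'sufficient' module with no earlier required
    failure ends the stack with PAM_SUCCESS; 'optional' is ignored."""
    failed = False
    for control, module in stack:
        ok = results.get(module) == "OK"
        if control == "required" and not ok:
            failed = True
        elif control == "sufficient" and ok and not failed:
            return "PAM_SUCCESS"
    return "PAM_AUTH_ERR" if failed else "PAM_SUCCESS"


def login(user, stack=AUTH_STACK, results=MODULE_RESULTS, passwd=PASSWD):
    """PAM first, then the account lookup: to start a session the login
    program needs uid, gid, home and shell from getpwnam(), which reads
    /etc/passwd (or an NSS module), not the TACACS+ server."""
    if run_stack(stack, results) != "PAM_SUCCESS":
        return "denied: PAM authentication failed"
    entry = passwd.get(user)
    if entry is None:
        return "denied: PAM succeeded but getpwnam() returned no account"
    uid, gid, home, shell = entry
    return f"ok: uid={uid} gid={gid} home={home} shell={shell}"
```

With this stack both users pass the PAM phase, which matches the "OK" seen in the debug output; the non-existent user is turned away only at the getpwnam() step, which is where a real login program that dereferences a NULL struct passwd would crash.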