Hi, I've been successfully using 0.9 through 0.9.3 in a simple config
in which all authentication is done by rlm_krb5.  Now, I also need
to authenticate a certain subgroup of users with rlm_passwd.  This
new subgroup of users will be identified by an IP-based huntgroup.
The huntgroup selection, and authentication with krb5 or passwd all
seem to work fine, when tested individually.  My problem is for
cases when a user is to be authenticated by rlm_krb5 as determined
by huntgroup, but also happens to exist in the passwd file.  In
this case, the user's password is checked against the passwd file
entry before rlm_krb5 gets called.  This behavior is not what I was
hoping for.

Does it have to do with rlm_passwd being an authorize module, while
rlm_krb5 is an authenticate module?  Is there a way around this?

FreeRADIUS version is 0.9.3, built on Redhat 9.  The relevant config
info (I think) is below.  Output from radiusd -X -x is in an attached
text file.


##### radius.conf: #####


modules {
...
     passwd 1aix-passwd {
         filename = ${raddbdir}/aix-passwd
         format = "*User-Name:Crypt-Password"
         hashsize = 100
     }
...
}

authenticate {
     krb5
...
}

authorize {
...
     1aix-passwd
...
}


##### huntgroups: #####


aixusers NAS-IP-Address == 1.1.1.1


##### users: #####


DEFAULT Huntgroup-Name == aixusers, Auth-Type := 1aix-passwd

DEFAULT Auth-Type := Kerberos

#####


BTW, another weird thing is that radiusd was not able to instantiate the rlm_passwd module unless I began the instance name with a digit. In other words, if I used "aix-passwd", radiusd complained:

   /opt/radius/etc/raddb/users[1]: Parse error (check) for entry DEFAULT: Unknown 
value aix-passwd for attribute Auth-Type
   Errors reading /opt/radius/etc/raddb/users
   radiusd.conf[931]: files: Module instantiation failed.

But when I stuck a 1 at the beginning, it worked. Is this expected?


Thanks in advance, -Matt

###
### radiusd -X -x startup output:
###

[...]
Wed Jan 21 17:32:40 2004 : Debug: Module: Loaded passwd
Wed Jan 21 17:32:40 2004 : Debug:  passwd: filename = 
"/opt/radius/etc/raddb/aix-passwd"
Wed Jan 21 17:32:40 2004 : Debug:  passwd: format = "*User-Name:Crypt-Password"
Wed Jan 21 17:32:40 2004 : Debug:  passwd: authtype = "(null)"
Wed Jan 21 17:32:40 2004 : Debug:  passwd: delimiter = ":"
Wed Jan 21 17:32:40 2004 : Debug:  passwd: ignorenislike = yes
Wed Jan 21 17:32:40 2004 : Debug:  passwd: allowmultiplekeys = no
Wed Jan 21 17:32:40 2004 : Debug:  passwd: hashsize = 100
Wed Jan 21 17:32:40 2004 : Info: rlm_passwd: nfields: 2 keyfield 0(User-Name) 
listable: no
Wed Jan 21 17:32:40 2004 : Debug: Module: Instantiated passwd (1aix-passwd)
[...]
Wed Jan 21 17:32:40 2004 : Info: Listening on IP address *, ports 1812/udp and 
1813/udp.
Wed Jan 21 17:32:40 2004 : Info: Ready to process requests.


###
### success case, when rlm_passwd is expected:
###

rad_recv: Access-Request packet from host 127.0.0.1:32782, id=2, length=65
        User-Name = "test"
        User-Password = "pswdpass"
        NAS-IP-Address = 1.1.1.1
        NAS-Port = 1
        Framed-Protocol = PPP
Wed Jan 21 17:33:28 2004 : Debug: modcall: entering group authorize for request 0
Wed Jan 21 17:33:28 2004 : Debug:   modsingle[authorize]: calling preprocess 
(rlm_preprocess) for request 0
Wed Jan 21 17:33:28 2004 : Debug:   modsingle[authorize]: returned from preprocess 
(rlm_preprocess) for request 0
Wed Jan 21 17:33:28 2004 : Debug:   modcall[authorize]: module "preprocess" returns ok 
for request 0
Wed Jan 21 17:33:28 2004 : Debug:   modsingle[authorize]: calling chap (rlm_chap) for 
request 0
Wed Jan 21 17:33:28 2004 : Debug:   modsingle[authorize]: returned from chap 
(rlm_chap) for request 0
Wed Jan 21 17:33:28 2004 : Debug:   modcall[authorize]: module "chap" returns noop for 
request 0
Wed Jan 21 17:33:28 2004 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for 
request 0
Wed Jan 21 17:33:28 2004 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) 
for request 0
Wed Jan 21 17:33:28 2004 : Debug:   modcall[authorize]: module "eap" returns noop for 
request 0
Wed Jan 21 17:33:28 2004 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) 
for request 0
Wed Jan 21 17:33:28 2004 : Debug:     rlm_realm: No '@' in User-Name = "test", looking 
up realm NULL
Wed Jan 21 17:33:28 2004 : Debug:     rlm_realm: No such realm "NULL"
Wed Jan 21 17:33:28 2004 : Debug:   modsingle[authorize]: returned from suffix 
(rlm_realm) for request 0
Wed Jan 21 17:33:28 2004 : Debug:   modcall[authorize]: module "suffix" returns noop 
for request 0
Wed Jan 21 17:33:28 2004 : Debug:   modsingle[authorize]: calling 1aix-passwd 
(rlm_passwd) for request 0
Wed Jan 21 17:33:28 2004 : Debug: rlm_passwd: Added Crypt-Password: 'zzzzzzzzzzzzz' to 
config_items
Wed Jan 21 17:33:28 2004 : Debug:   modsingle[authorize]: returned from 1aix-passwd 
(rlm_passwd) for request 0
Wed Jan 21 17:33:28 2004 : Debug:   modcall[authorize]: module "1aix-passwd" returns 
ok for request 0
Wed Jan 21 17:33:28 2004 : Debug:   modsingle[authorize]: calling files (rlm_files) 
for request 0
Wed Jan 21 17:33:28 2004 : Debug:   huntgroups: Matched aixusers at 1
Wed Jan 21 17:33:28 2004 : Debug:     users: Matched DEFAULT at 1
Wed Jan 21 17:33:28 2004 : Debug:   modsingle[authorize]: returned from files 
(rlm_files) for request 0
Wed Jan 21 17:33:28 2004 : Debug:   modcall[authorize]: module "files" returns ok for 
request 0
Wed Jan 21 17:33:28 2004 : Debug:   modsingle[authorize]: calling mschap (rlm_mschap) 
for request 0
Wed Jan 21 17:33:28 2004 : Debug:   modsingle[authorize]: returned from mschap 
(rlm_mschap) for request 0
Wed Jan 21 17:33:28 2004 : Debug:   modcall[authorize]: module "mschap" returns noop 
for request 0
Wed Jan 21 17:33:28 2004 : Debug: modcall: group authorize returns ok for request 0
Wed Jan 21 17:33:28 2004 : Debug:   rad_check_password:  Found Auth-Type 1aix-passwd
Wed Jan 21 17:33:28 2004 : Debug: auth: type Crypt
Wed Jan 21 17:33:28 2004 : Auth: Login OK: [test] (from client localhost port 1)
Sending Access-Accept of id 2 to 127.0.0.1:32782
Wed Jan 21 17:33:28 2004 : Debug: Finished request 0


###
### failure case, when rlm_krb5 is expected, but rlm_passwd gets used instead:
###

rad_recv: Access-Request packet from host 127.0.0.1:32782, id=40, length=59
        User-Name = "test"
        User-Password = "kerbpass"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
Wed Jan 21 17:56:55 2004 : Debug: modcall: entering group authorize for request 0
Wed Jan 21 17:56:55 2004 : Debug:   modsingle[authorize]: calling preprocess 
(rlm_preprocess) for request 0
Wed Jan 21 17:56:55 2004 : Debug:   modsingle[authorize]: returned from preprocess 
(rlm_preprocess) for request 0
Wed Jan 21 17:56:55 2004 : Debug:   modcall[authorize]: module "preprocess" returns ok 
for request 0
Wed Jan 21 17:56:55 2004 : Debug:   modsingle[authorize]: calling chap (rlm_chap) for 
request 0
Wed Jan 21 17:56:55 2004 : Debug:   modsingle[authorize]: returned from chap 
(rlm_chap) for request 0
Wed Jan 21 17:56:55 2004 : Debug:   modcall[authorize]: module "chap" returns noop for 
request 0
Wed Jan 21 17:56:55 2004 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for 
request 0
Wed Jan 21 17:56:55 2004 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) 
for request 0
Wed Jan 21 17:56:55 2004 : Debug:   modcall[authorize]: module "eap" returns noop for 
request 0
Wed Jan 21 17:56:55 2004 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) 
for request 0
Wed Jan 21 17:56:55 2004 : Debug:     rlm_realm: No '@' in User-Name = "test", looking 
up realm NULL
Wed Jan 21 17:56:55 2004 : Debug:     rlm_realm: No such realm "NULL"
Wed Jan 21 17:56:55 2004 : Debug:   modsingle[authorize]: returned from suffix 
(rlm_realm) for request 0
Wed Jan 21 17:56:55 2004 : Debug:   modcall[authorize]: module "suffix" returns noop 
for request 0
Wed Jan 21 17:56:55 2004 : Debug:   modsingle[authorize]: calling 1aix-passwd 
(rlm_passwd) for request 0
Wed Jan 21 17:56:55 2004 : Debug: rlm_passwd: Added Crypt-Password: 'zzzzzzzzzzzzz' to 
config_items
Wed Jan 21 17:56:55 2004 : Debug:   modsingle[authorize]: returned from 1aix-passwd 
(rlm_passwd) for request 0
Wed Jan 21 17:56:55 2004 : Debug:   modcall[authorize]: module "1aix-passwd" returns 
ok for request 0
Wed Jan 21 17:56:55 2004 : Debug:   modsingle[authorize]: calling files (rlm_files) 
for request 0
Wed Jan 21 17:56:55 2004 : Debug:     users: Matched DEFAULT at 3
Wed Jan 21 17:56:55 2004 : Debug:   modsingle[authorize]: returned from files 
(rlm_files) for request 0
Wed Jan 21 17:56:55 2004 : Debug:   modcall[authorize]: module "files" returns ok for 
request 0
Wed Jan 21 17:56:55 2004 : Debug:   modsingle[authorize]: calling mschap (rlm_mschap) 
for request 0
Wed Jan 21 17:56:55 2004 : Debug:   modsingle[authorize]: returned from mschap 
(rlm_mschap) for request 0
Wed Jan 21 17:56:55 2004 : Debug:   modcall[authorize]: module "mschap" returns noop 
for request 0
Wed Jan 21 17:56:55 2004 : Debug: modcall: group authorize returns ok for request 0
Wed Jan 21 17:56:55 2004 : Debug:   rad_check_password:  Found Auth-Type Kerberos
Wed Jan 21 17:56:55 2004 : Debug: auth: type Crypt
Wed Jan 21 17:56:55 2004 : Debug: auth: Failed to validate the user.
Wed Jan 21 17:56:55 2004 : Auth: Login incorrect: [test] (from client localhost port 1)
Wed Jan 21 17:56:55 2004 : Debug: Delaying request 0 for 1 seconds
Wed Jan 21 17:56:55 2004 : Debug: Finished request 0
Wed Jan 21 17:56:55 2004 : Debug: Going to the next request
Wed Jan 21 17:56:55 2004 : Debug: --- Walking the entire request list ---
Wed Jan 21 17:56:55 2004 : Debug: Waking up in 1 seconds...
Wed Jan 21 17:56:56 2004 : Debug: --- Walking the entire request list ---
Wed Jan 21 17:56:56 2004 : Debug: Waking up in 1 seconds...
Wed Jan 21 17:56:57 2004 : Debug: --- Walking the entire request list ---
Sending Access-Reject of id 40 to 127.0.0.1:32782


# end
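A constructed Python model of the flow the debug output above shows, added here as an illustration (it is not FreeRADIUS code and not the poster's files): it replays the two logged requests through a passwd-then-files authorize order and flags the user/NAS combinations where the huntgroup's intended Auth-Type is bypassed because rlm_passwd has already added a Crypt-Password. The HUNTGROUPS, USERS and PASSWD_FILE stand-ins, the function names and the "Crypt-Password wins" rule (taken from the "Found Auth-Type Kerberos" followed by "auth: type Crypt" lines) are assumptions.

```python
# Constructed stand-ins for the poster's huntgroups, users and aix-passwd files.
HUNTGROUPS = {"aixusers": {"NAS-IP-Address": "1.1.1.1"}}
USERS = [  # (line in users file, check items, config items), in file order
    (1, {"Huntgroup-Name": "aixusers"}, {"Auth-Type": "1aix-passwd"}),
    (3, {}, {"Auth-Type": "Kerberos"}),
]
PASSWD_FILE = "test:zzzzzzzzzzzzz\n"  # format "*User-Name:Crypt-Password"

def rlm_passwd(request, config_items):
    """authorize step: a user found in the file gets Crypt-Password added to config_items."""
    for line in PASSWD_FILE.splitlines():
        name, crypt_pw = line.split(":", 1)
        if name == request["User-Name"]:
            config_items["Crypt-Password"] = crypt_pw
            return "ok"
    return "notfound"

def check_item(attr, value, request):
    """Evaluate one users-file check item; Huntgroup-Name goes via the huntgroups file."""
    if attr == "Huntgroup-Name":
        return all(request.get(a) == v for a, v in HUNTGROUPS[value].items())
    return request.get(attr) == value

def rlm_files(request, config_items):
    """authorize step: the first users entry whose check items all match wins."""
    for lineno, check, config in USERS:
        if all(check_item(a, v, request) for a, v in check.items()):
            config_items.update(config)
            return lineno
    return None

def authenticate(request):
    """Returns (matched users line, Auth-Type found, method actually used)."""
    config_items = {}
    rlm_passwd(request, config_items)  # listed before 'files' in the authorize section
    matched = rlm_files(request, config_items)
    auth_type = config_items.get("Auth-Type")
    # Modelled on the 0.9.3 log: with Crypt-Password in config_items the core runs
    # "auth: type Crypt" even right after "Found Auth-Type Kerberos" (assumed rule).
    method = "Crypt" if "Crypt-Password" in config_items else auth_type
    return matched, auth_type, method

def misrouted_requests(usernames, nas_ips):
    """Audit: (user, NAS IP, Auth-Type) combinations crypt-checked although not routed to passwd."""
    bad = []
    for user in usernames:
        for ip in nas_ips:
            _, auth_type, method = authenticate({"User-Name": user, "NAS-IP-Address": ip})
            if method == "Crypt" and auth_type != "1aix-passwd":
                bad.append((user, ip, auth_type))
    return bad
```

Running misrouted_requests over the users in the passwd file and the NAS addresses in use lists exactly the accounts whose Kerberos path is being shadowed by a passwd-file entry, which is the condition worth auditing before trusting the huntgroup split.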

