Hi, I've been successfully using 0.9 thru 0.9.3 in a simple config in which all authentication is done by rlm_krb5. Now, I also need to authenticate a certain subgroup of users with rlm_passwd. This new subgroup of users will be identified by an IP-based huntgroup. The huntgroup selection, and authentication with krb5 or passwd, all seem to work fine when tested individually. My problem is for cases when a user is to be authenticated by rlm_krb5 as determined by huntgroup, but also happens to exist in the passwd file. In this case, the user's password is checked against the passwd file entry before rlm_krb5 gets called. This behavior is not what I was hoping for.
Does it have to do with rlm_passwd being an authorize module, while rlm_krb5 is an authenticate module? Is there a way around this?
FreeRADIUS version is 0.9.3, built on Redhat 9. The relevant config info (I think) is below. Output from radiusd -X -x is in an attached text file.
##### radius.conf: #####
modules {
    ...
    passwd 1aix-passwd {
        filename = ${raddbdir}/aix-passwd
        format = "*User-Name:Crypt-Password"
        hashsize = 100
    }
    ...
}

authenticate {
    krb5
    ...
}

authorize {
    ...
    1aix-passwd
    ...
}
##### huntgroups: #####
aixusers NAS-IP-Address == 1.1.1.1
##### users: #####
DEFAULT Huntgroup-Name == aixusers, Auth-Type := 1aix-passwd
DEFAULT Auth-Type := Kerberos
#####
BTW, another weird thing is that radiusd was not able to instantiate the rlm_passwd module unless I began the instance name with a digit. In other words, if I used "aix-passwd", radiusd complained:
/opt/radius/etc/raddb/users[1]: Parse error (check) for entry DEFAULT: Unknown value aix-passwd for attribute Auth-Type
Errors reading /opt/radius/etc/raddb/users
radiusd.conf[931]: files: Module instantiation failed.
But when I stuck a 1 at the beginning, it worked. Is this expected?
Thanks in advance, -Matt
###
### radiusd -X -x startup output:
###
[...]
Wed Jan 21 17:32:40 2004 : Debug: Module: Loaded passwd
Wed Jan 21 17:32:40 2004 : Debug: passwd: filename = "/opt/radius/etc/raddb/aix-passwd"
Wed Jan 21 17:32:40 2004 : Debug: passwd: format = "*User-Name:Crypt-Password"
Wed Jan 21 17:32:40 2004 : Debug: passwd: authtype = "(null)"
Wed Jan 21 17:32:40 2004 : Debug: passwd: delimiter = ":"
Wed Jan 21 17:32:40 2004 : Debug: passwd: ignorenislike = yes
Wed Jan 21 17:32:40 2004 : Debug: passwd: allowmultiplekeys = no
Wed Jan 21 17:32:40 2004 : Debug: passwd: hashsize = 100
Wed Jan 21 17:32:40 2004 : Info: rlm_passwd: nfields: 2 keyfield 0(User-Name) listable: no
Wed Jan 21 17:32:40 2004 : Debug: Module: Instantiated passwd (1aix-passwd)
[...]
Wed Jan 21 17:32:40 2004 : Info: Listening on IP address *, ports 1812/udp and 1813/udp.
Wed Jan 21 17:32:40 2004 : Info: Ready to process requests.

###
### success case, when rlm_passwd is expected:
###
rad_recv: Access-Request packet from host 127.0.0.1:32782, id=2, length=65
	User-Name = "test"
	User-Password = "pswdpass"
	NAS-IP-Address = 1.1.1.1
	NAS-Port = 1
	Framed-Protocol = PPP
Wed Jan 21 17:33:28 2004 : Debug: modcall: entering group authorize for request 0
Wed Jan 21 17:33:28 2004 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Wed Jan 21 17:33:28 2004 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Wed Jan 21 17:33:28 2004 : Debug: modcall[authorize]: module "preprocess" returns ok for request 0
Wed Jan 21 17:33:28 2004 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Wed Jan 21 17:33:28 2004 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Wed Jan 21 17:33:28 2004 : Debug: modcall[authorize]: module "chap" returns noop for request 0
Wed Jan 21 17:33:28 2004 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Wed Jan 21 17:33:28 2004 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Wed Jan 21 17:33:28 2004 : Debug: modcall[authorize]: module "eap" returns noop for request 0
Wed Jan 21 17:33:28 2004 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Wed Jan 21 17:33:28 2004 : Debug: rlm_realm: No '@' in User-Name = "test", looking up realm NULL
Wed Jan 21 17:33:28 2004 : Debug: rlm_realm: No such realm "NULL"
Wed Jan 21 17:33:28 2004 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Wed Jan 21 17:33:28 2004 : Debug: modcall[authorize]: module "suffix" returns noop for request 0
Wed Jan 21 17:33:28 2004 : Debug: modsingle[authorize]: calling 1aix-passwd (rlm_passwd) for request 0
Wed Jan 21 17:33:28 2004 : Debug: rlm_passwd: Added Crypt-Password: 'zzzzzzzzzzzzz' to config_items
Wed Jan 21 17:33:28 2004 : Debug: modsingle[authorize]: returned from 1aix-passwd (rlm_passwd) for request 0
Wed Jan 21 17:33:28 2004 : Debug: modcall[authorize]: module "1aix-passwd" returns ok for request 0
Wed Jan 21 17:33:28 2004 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Wed Jan 21 17:33:28 2004 : Debug: huntgroups: Matched aixusers at 1
Wed Jan 21 17:33:28 2004 : Debug: users: Matched DEFAULT at 1
Wed Jan 21 17:33:28 2004 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Wed Jan 21 17:33:28 2004 : Debug: modcall[authorize]: module "files" returns ok for request 0
Wed Jan 21 17:33:28 2004 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Wed Jan 21 17:33:28 2004 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Wed Jan 21 17:33:28 2004 : Debug: modcall[authorize]: module "mschap" returns noop for request 0
Wed Jan 21 17:33:28 2004 : Debug: modcall: group authorize returns ok for request 0
Wed Jan 21 17:33:28 2004 : Debug: rad_check_password: Found Auth-Type 1aix-passwd
Wed Jan 21 17:33:28 2004 : Debug: auth: type Crypt
Wed Jan 21 17:33:28 2004 : Auth: Login OK: [test] (from client localhost port 1)
Sending Access-Accept of id 2 to 127.0.0.1:32782
Wed Jan 21 17:33:28 2004 : Debug: Finished request 0

###
### failure case, when rlm_krb5 is expected, but rlm_passwd gets used instead:
###
rad_recv: Access-Request packet from host 127.0.0.1:32782, id=40, length=59
	User-Name = "test"
	User-Password = "kerbpass"
	NAS-IP-Address = 255.255.255.255
	NAS-Port = 1
Wed Jan 21 17:56:55 2004 : Debug: modcall: entering group authorize for request 0
Wed Jan 21 17:56:55 2004 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Wed Jan 21 17:56:55 2004 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Wed Jan 21 17:56:55 2004 : Debug: modcall[authorize]: module "preprocess" returns ok for request 0
Wed Jan 21 17:56:55 2004 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Wed Jan 21 17:56:55 2004 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Wed Jan 21 17:56:55 2004 : Debug: modcall[authorize]: module "chap" returns noop for request 0
Wed Jan 21 17:56:55 2004 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Wed Jan 21 17:56:55 2004 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Wed Jan 21 17:56:55 2004 : Debug: modcall[authorize]: module "eap" returns noop for request 0
Wed Jan 21 17:56:55 2004 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Wed Jan 21 17:56:55 2004 : Debug: rlm_realm: No '@' in User-Name = "test", looking up realm NULL
Wed Jan 21 17:56:55 2004 : Debug: rlm_realm: No such realm "NULL"
Wed Jan 21 17:56:55 2004 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Wed Jan 21 17:56:55 2004 : Debug: modcall[authorize]: module "suffix" returns noop for request 0
Wed Jan 21 17:56:55 2004 : Debug: modsingle[authorize]: calling 1aix-passwd (rlm_passwd) for request 0
Wed Jan 21 17:56:55 2004 : Debug: rlm_passwd: Added Crypt-Password: 'zzzzzzzzzzzzz' to config_items
Wed Jan 21 17:56:55 2004 : Debug: modsingle[authorize]: returned from 1aix-passwd (rlm_passwd) for request 0
Wed Jan 21 17:56:55 2004 : Debug: modcall[authorize]: module "1aix-passwd" returns ok for request 0
Wed Jan 21 17:56:55 2004 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Wed Jan 21 17:56:55 2004 : Debug: users: Matched DEFAULT at 3
Wed Jan 21 17:56:55 2004 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Wed Jan 21 17:56:55 2004 : Debug: modcall[authorize]: module "files" returns ok for request 0
Wed Jan 21 17:56:55 2004 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Wed Jan 21 17:56:55 2004 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Wed Jan 21 17:56:55 2004 : Debug: modcall[authorize]: module "mschap" returns noop for request 0
Wed Jan 21 17:56:55 2004 : Debug: modcall: group authorize returns ok for request 0
Wed Jan 21 17:56:55 2004 : Debug: rad_check_password: Found Auth-Type Kerberos
Wed Jan 21 17:56:55 2004 : Debug: auth: type Crypt
Wed Jan 21 17:56:55 2004 : Debug: auth: Failed to validate the user.
Wed Jan 21 17:56:55 2004 : Auth: Login incorrect: [test] (from client localhost port 1)
Wed Jan 21 17:56:55 2004 : Debug: Delaying request 0 for 1 seconds
Wed Jan 21 17:56:55 2004 : Debug: Finished request 0
Wed Jan 21 17:56:55 2004 : Debug: Going to the next request
Wed Jan 21 17:56:55 2004 : Debug: --- Walking the entire request list ---
Wed Jan 21 17:56:55 2004 : Debug: Waking up in 1 seconds...
Wed Jan 21 17:56:56 2004 : Debug: --- Walking the entire request list ---
Wed Jan 21 17:56:56 2004 : Debug: Waking up in 1 seconds...
Wed Jan 21 17:56:57 2004 : Debug: --- Walking the entire request list ---
Sending Access-Reject of id 40 to 127.0.0.1:32782
# end
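Added example, not part of Matt's message or of FreeRADIUS itself: a small Python model of the authorize-phase flow the debug output shows. It parses a passwd file using the post's rlm_passwd format string ("*User-Name:Crypt-Password", key field marked with '*', ':' delimiter), applies the huntgroups and users entries from the post in the order the authorize section runs them, and applies the rule visible in the log lines "Found Auth-Type Kerberos" followed by "auth: type Crypt": once a Crypt-Password check item is present, Crypt authentication is used regardless of the Auth-Type name. The passwd file contents are constructed, and the huntgroup matching is a simplified model.

```python
# Constructed sample passwd file in the "*User-Name:Crypt-Password" format.
AIX_PASSWD = "test:zzzzzzzzzzzzz\nalice:yyyyyyyyyyyyy\n"
FORMAT = "*User-Name:Crypt-Password"   # from the passwd 1aix-passwd block
DELIM = ":"                            # rlm_passwd default, as in the debug output
HUNTGROUPS = {"aixusers": {"NAS-IP-Address": "1.1.1.1"}}
USERS = [  # the two DEFAULT entries from the users file, in file order
    ({"Huntgroup-Name": "aixusers"}, {"Auth-Type": "1aix-passwd"}),
    ({}, {"Auth-Type": "Kerberos"}),
]


def parse_passwd(text, fmt=FORMAT, delim=DELIM):
    # Build {key: {attribute: value}}; the '*'-prefixed field is the lookup key
    # (the log reports this as "nfields: 2 keyfield 0(User-Name)").
    names = fmt.split(delim)
    key_idx = next(i for i, f in enumerate(names) if f.startswith("*"))
    names = [f.lstrip("*") for f in names]
    table = {}
    for line in text.splitlines():
        cols = line.split(delim)
        if len(cols) != len(names):
            continue  # skip blank or malformed lines
        entry = dict(zip(names, cols))
        key = entry.pop(names[key_idx])
        table[key] = entry
    return table


def authorize(request, passwd_table):
    # Model of the authorize section in the post's order: 1aix-passwd, then files.
    config = {}
    # rlm_passwd adds Crypt-Password for any user present in the file; it does not
    # look at NAS-IP-Address, which is why the krb5 case also gets the item.
    entry = passwd_table.get(request.get("User-Name"))
    if entry:
        config.update(entry)
    # rlm_files: evaluate huntgroups, then the first matching users entry wins.
    request = dict(request)
    for name, checks in HUNTGROUPS.items():
        if all(request.get(a) == v for a, v in checks.items()):
            request["Huntgroup-Name"] = name
    for checks, items in USERS:
        if all(request.get(a) == v for a, v in checks.items()):
            config.update(items)
            break
    return config


def effective_auth_type(config):
    # As the log shows: Auth-Type is found, but a Crypt-Password item means Crypt.
    if "Crypt-Password" in config:
        return "Crypt"
    return config.get("Auth-Type")
```

Running the two requests from the debug output through this model reproduces both outcomes: the 1.1.1.1 request gets Auth-Type 1aix-passwd and type Crypt, while the 255.255.255.255 request gets Auth-Type Kerberos yet is still checked as Crypt because the passwd entry for "test" was added first.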