On Wed, Jun 23, 2010 at 4:13 AM, Alan DeKok <al...@deployingradius.com>wrote:
> Double-check that it's returning PAM_IGNORE. Maybe source code mods > to syslog "RETURNING PAM_IGNORE". > > If it is returning PAM_IGNORE, then it's a PAM problem. Ask the > question again on the PAM list. > > Found my problem. The pam_sm_authenticate() does return PAM_IGNORE with localifdown, as expected. Added a lot of logging including the final return value (PAM_IGNORE / 25). I had also tested that the stack was dealing with the ignore properly by using pam_debug.so. So my stack for 'auth' as originally posted works as expected, so I'm quite happy with the fallback setup. What was failing pseudo silently was the call to pam_sm_open_session() (or rather pam_private_session()). I only had this single module listed in the pam conf file, and since nothing was logged, I didn't catch on the fact that my login failures were coming from the 'session' part. Since no success was returned and it was my only line for PAM, it failed and I couldn't logon if the radius servers were unreachable. Time permitting I might submit a patch to add some logging to pam_private_session, if there would be interest from the dev team ? Thanks a lot for the infos and replies. Martin
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html