On Fri, 29 Oct 1999, Dawn Lovell wrote:

>Hi, Hugh!  We are running 2.14.1; the note in the revision history was
>part of why we thought it should work.  We had not explicitly specified
>GroupFilename, so we added that option and tried again.  It still seems
>to be ignoring our primary groups; maybe we're missing something else?

I see the problem!  Primary groups aren't listed in /etc/shadow at all.
You'd need to use /etc/passwd, but then of course you lose all your
passwords.

Maybe a separate Shadow Password entry should be allowed...

>Here's the relevant portion of our config file:
>
><AuthBy UNIX>
>         Identifier System
>         Filename /etc/shadow
>         GroupFilename /etc/group
>         DefaultSimultaneousUse 1
></AuthBy>
><Handler>
>         <AuthBy FILE>
>         # The filename defaults to %D/users
>         Filename %D/users.trial
>         </AuthBy>
>         ## Trial userids will have a Class of "trial" and
>         ## all others will have no Class attribute set.
>         AcctLogFileName %L/%N/detail%{Class}
></Handler>
>
>From the users.trial file:
>DEFAULT Auth-Type = System, Group = trial, NAS-Port-Type = Async
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-Address = 255.255.255.254,
>         Framed-Netmask = 255.255.255.255,
>         Reply-Message="choice: ",
>         Port-Limit = 1,
>         Idle-Timeout = 1200,
>         Session-Timeout = 28800,
>         Class = trial
>
>DEFAULT Auth-Type = System, NAS-Port-Type = Async
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-Address = 255.255.255.254,
>         Framed-Netmask = 255.255.255.255,
>         Reply-Message="choice: ",
>         Port-Limit = 1,
>         Idle-Timeout = 1200,
>         Session-Timeout = 28800
>
>This works great for userids that are explicitly listed in the groups
>file, but doesn't seem to work if they are not.  We are running nscd,
>just in case that may be related to our problem.  This is a Solaris 7
>box.  Passwd and group are both set to files in nsswitch.conf.
>
>Here's an example user and the debug output for it.
>
>In /etc/passwd:
>testuser:x:12268:2000:Test User:/tmp:/bin/noshell
>
>In /etc/group:
>trial::2000:user1,user2
>
>Debug output:
>Fri Oct 29 08:09:59 1999: DEBUG: Check if Handler  should be used to handle this request
>Fri Oct 29 08:09:59 1999: DEBUG: Handling request with Handler ''
>Fri Oct 29 08:09:59 1999: DEBUG: Deleting session for testuser, 209.142.178.4, 0
>Fri Oct 29 08:09:59 1999: DEBUG: Handling with Radius::AuthFILE
>Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthFILE looks for match with testuser
>Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT
>Fri Oct 29 08:09:59 1999: DEBUG: Handling with Radius::AuthUNIX
>Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthUNIX looks for match with testuser
>Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthUNIX REJECT: User testuser is not in Group trial
>Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthFILE REJECT: User testuser is not in Group trial
>Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT1
>Fri Oct 29 08:09:59 1999: DEBUG: Handling with Radius::AuthUNIX
>Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthUNIX looks for match with testuser
>Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthUNIX ACCEPT:
>Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthFILE ACCEPT:
>Fri Oct 29 08:09:59 1999: DEBUG: Access accepted for testuser
>
>Thanks again for your help!
>
>Dawn
>
>At 12:26 PM 10/29/99 +1000, Hugh Irvine wrote:
>
>>This was fixed in Radiator 2.14. The following is from the revision history on
>>the web page (http://www.open.com.au/radiator/history.html):
>>
>>
>>         AuthBy SYSTEM now checks the primary group as well as
>>         the secondary groups. It used only to do the secondaries.
>>
>>You will also need to use the GroupFilename parameter in your AuthBy.
>>
>>hth
>>
>>Hugh
>>
>>--
>>Radiator: the most portable, flexible and configurable RADIUS server
>>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
>>NT, Rhapsody
>>
>>===
>>Archive at http://www.thesite.com.au/~radiator/
>>To unsubscribe, email '[EMAIL PROTECTED]' with
>>'unsubscribe radiator' in the body of the message.
>

===========================================================
David M. Lloyd                  mailto:[EMAIL PROTECTED]

Administrator
Internet Express, Inc.
802 W. Broadway, Suite 0101
Madison, WI. 53713-1866
Voice: (608) 663-5555           http://www.inxpress.net
Fax: (608) 663-5595             mailto:[EMAIL PROTECTED]
Data: (608) 663-5551            mailto:[EMAIL PROTECTED]

===========================================================
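
The point made in this reply, as an added example that is not part of the original message and is not Radiator's code: a shadow entry carries the password hash but no GID, so a primary-group check needs the GID from /etc/passwd in addition to the member list in /etc/group. The function names, the shadow line and its placeholder hash are assumptions constructed for illustration.

```python
# Constructed inputs: the passwd and group lines are the samples quoted in the
# thread; the shadow line is made up and its hash is a placeholder.
PASSWD = "testuser:x:12268:2000:Test User:/tmp:/bin/noshell\n"
GROUP = "trial::2000:user1,user2\n"
SHADOW = "testuser:PLACEHOLDER_HASH:10893::::::\n"


def rows(text, min_fields):
    """Yield colon-split fields per line, skipping blanks, comments and short lines."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.strip() and not line.startswith("#") and len(fields) >= min_fields:
            yield fields


def lookup(user, passwd_text, shadow_text):
    """Return (password_hash, primary_gid): the hash comes from shadow, the GID
    from passwd, because shadow (name:hash:ageing fields...) has no GID field."""
    gid = pw = None
    for f in rows(passwd_text, 7):
        if f[0] == user:
            pw, gid = f[1], int(f[3]) if f[3].isdigit() else None
            break
    for f in rows(shadow_text, 2):
        if f[0] == user:
            pw = f[1]  # the shadow hash replaces the "x" marker from passwd
            break
    return pw, gid


def in_group(user, group, group_text, gid=None):
    """True if user is listed as a member of group, or gid is that group's GID."""
    for f in rows(group_text, 4):
        if f[0] != group:
            continue
        if user in f[3].split(","):
            return True
        return gid is not None and f[2].isdigit() and int(f[2]) == gid
    return False


if __name__ == "__main__":
    pw, gid = lookup("testuser", PASSWD, SHADOW)
    print("member list only:", in_group("testuser", "trial", GROUP))
    print("with primary GID:", in_group("testuser", "trial", GROUP, gid))
    print("listed member   :", in_group("user1", "trial", GROUP))
```

With only the member list, testuser is not in trial, which matches the REJECT in the quoted debug output; supplying the GID from the passwd entry makes the same check succeed.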

