From: Todor Genov <todor.genov@za.verizonbusiness.com>
To: MattAD
Cc: freebsd-questions@freebsd.org
Subject: Re: Radius Authentication
Date: Fri, 17 Oct 2008 03:06:35 +0200
Message-ID: <48F7E51B.8030703@za.verizonbusiness.com>
In-Reply-To: <20013780.post@talk.nabble.com>

Hi Matt,

The three important steps here are as follows:

1.) Confirm that authentication against the RADIUS server succeeds using any command line RADIUS util.
2.) Configure /etc/radius.conf as per "man pam_radius" and "man radius.conf".
3.) Add a user on the FreeBSD machine whose name corresponds with the Windows domain account (if the name contains spaces then refer to the pre-Windows 2000 compatible username in AD). This is mandatory as pam_radius is only used for authentication.
UID, GID, home dir and all *nix relevant account parameters are still retrieved from the local user database.

An alternative to step 3 would be to use the template_user option in radius.conf, but this means that all your Windows users will appear to the system with the same UID/GID as the template_user.

MattAD wrote:
> I would just like to know if anyone on earth has been able to get the
> pam_radius module working on FreeBSD, using a windows domain username
> through ssh... ??? This has become a mystery to me. My /etc/pam.d/sshd
> config looks like so:
>
> #
> # $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
> #
> # PAM configuration for the "sshd" service
> #
>
> # auth
> auth       required     pam_nologin.so       no_warn
> auth       sufficient   pam_opie.so          no_warn no_fake_prompts
> auth       requisite    pam_opieaccess.so    no_warn allow_local
> auth       sufficient   pam_radius.so        no_warn try_first_pass
> #auth      sufficient   pam_krb5.so          no_warn try_first_pass
> #auth      sufficient   pam_ssh.so           no_warn try_first_pass
> auth       sufficient   pam_unix.so          no_warn try_first_pass
>
> # account
> account    required     pam_nologin.so
> #account   required     pam_krb5.so
> account    required     pam_login_access.so
> account    required     pam_unix.so
>
> # session
> #session   optional     pam_ssh.so
> session    required     pam_permit.so
>
> # password
> #password  sufficient   pam_krb5.so          no_warn try_first_pass
> password   required     pam_unix.so          no_warn try_first_pass
>
>
> :confused:

-- 
Regards,
Todor Genov
Systems Operations
Verizon Business South Africa (Pty) Ltd
todor.genov@za.verizonbusiness.com
Tel: +27 11 235 6500
Fax: 086 692 0543