Date:      Fri, 17 Oct 2008 03:06:35 +0200
From:      Todor Genov <todor.genov@za.verizonbusiness.com>
To:        MattAD <mattvdwest@hotmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Radius Authentication
Message-ID:  <48F7E51B.8030703@za.verizonbusiness.com>
In-Reply-To: <20013780.post@talk.nabble.com>
References:  <20013780.post@talk.nabble.com>

Hi Matt,


The three important steps here are as follows:

1.) Confirm that authentication against the RADIUS server succeeds using
any command line RADIUS util.

2.) Configure /etc/radius.conf as per "man pam_radius" and "man radius.conf".

3.) Add a user on the FreeBSD machine whose name corresponds with the
Windows domain account (if the name contains spaces then refer to the
pre-Windows2000 compatible username in AD). This is mandatory as
pam_radius is only used for authentication. UID, GID, home dir and all
*nix relevant account parameters are still retrieved from the local user
database.

An alternative to step 3 would be to use the template_user option in
radius.conf, but this means that all your Windows users will appear to
the system with the same UID/GID as the template_user.


MattAD wrote:
> I would just like to know if anyone on earth has been able to get the
> pam_radius module working on FreeBSD, using a windows domain username
> through ssh... ??? This has become a mystery to me. My /etc/pam.d/sshd
> config looks like so:  
> 
> #
> # $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
> #
> # PAM configuration for the "sshd" service
> #
> 
> # auth
> auth            required        pam_nologin.so          no_warn
> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
> auth            requisite       pam_opieaccess.so       no_warn allow_local
> auth            sufficient      pam_radius.so           no_warn try_first_pass
> #auth           sufficient      pam_krb5.so             no_warn try_first_pass
> #auth           sufficient      pam_ssh.so              no_warn try_first_pass
> auth            sufficient      pam_unix.so             no_warn try_first_pass
> 
> # account
> account         required        pam_nologin.so
> #account        required        pam_krb5.so
> account         required        pam_login_access.so
> account         required        pam_unix.so
> 
> # session
> #session        optional        pam_ssh.so
> session         required        pam_permit.so
> 
> # password
> #password       sufficient      pam_krb5.so             no_warn try_first_pass
> password        required        pam_unix.so             no_warn try_first_pass
> 
> 
> :confused:

-- 
Regards,

Todor Genov
Systems Operations

Verizon Business South Africa (Pty) Ltd

todor.genov@za.verizonbusiness.com
Tel: +27 11 235 6500
Fax: 086 692 0543
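A pre-flight script for steps 2 and 3 of the reply above (step 1, the live test with a command-line RADIUS client, is done by hand). This is an added example, not code from the thread or from FreeBSD; it assumes the radius.conf(5) line format "auth host[:port] secret [timeout [retries]]" and the pam_radius "template_user=" option, and takes the user name and both file paths as arguments.

```sh
#!/bin/sh
# Constructed example: pre-flight checks for a pam_radius sshd setup.
# usage: pam_radius_check.sh USER RADIUS_CONF PAM_FILE

# Step 2: radius.conf entries read "auth host[:port] secret [timeout [retries]]".
# Returns 0 when at least one well-formed "auth" entry is present.
radius_conf_has_auth_server() {
    [ -r "$1" ] || return 1
    awk '$1 == "auth" && NF >= 3 { found = 1 } END { exit !found }' "$1"
}

# pam_radius must appear as an "auth" entry, and every non-comment line must
# start with a PAM facility; an option such as "try_first_pass" wrapped onto
# its own line (as in the quoted config) is not a valid entry.
pam_radius_line_ok() {
    grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_radius\.so' "$1" || return 1
    awk 'NF && $1 !~ /^#/ && $1 !~ /^(auth|account|session|password)$/ { bad = 1 }
         END { exit bad }' "$1"
}

# Step 3: pam_radius only authenticates, so UID/GID/home come from the local
# user database. Returns 0 when the account exists locally, or when the
# pam_radius line sets template_user (then every RADIUS user shares its UID/GID).
local_account_ok() {
    user="$1"; pam_file="$2"
    id "$user" >/dev/null 2>&1 && return 0
    grep -Eq '^auth[[:space:]].*pam_radius\.so.*template_user=' "$pam_file"
}

if [ "$#" -eq 3 ]; then
    rc=0
    radius_conf_has_auth_server "$2" || { echo "no usable auth server in $2"; rc=1; }
    pam_radius_line_ok "$3" || { echo "pam_radius entry in $3 missing or malformed"; rc=1; }
    local_account_ok "$1" "$3" || { echo "no local account or template_user for $1"; rc=1; }
    exit "$rc"
fi
```

Run it against copies of /etc/radius.conf and /etc/pam.d/sshd before testing the ssh login; a wrapped option line is reported as a malformed entry.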


