Forum OpenACS Q&A: Error using PAM-Authentication

Posted by Nima Mazloumi on
Hi everybody,

When I try to login the access is denied and I receive the following error.log:

[20/Nov/2003:14:10:20][25994.49156][-conn0-] Error: auth::authenticate: error invoking authentication driver for authority_id = 1949: Permission denied
    while executing
"array set result [auth::authentication::Authenticate  -username $username  -authority_id $authority_id  -password $password]"
    ("uplevel" body line 2)
    invoked from within
"uplevel $body "

This is what I did so far:

  • I installed pam, pam-radius and nspam on the server.
  • The remote radius server is running.
  • The raddb/server file contains the IP address of the radius server and the secret
  • I changed config.tcl to
    • ns_param  PamDomain "aolserver"
    • ns_param   nspam ${bindir}/nspam.so
  • I created a pam.d/aolserver file with the below two lines. The filename is identical to the PamDomain parameter in config.tcl:
    • auth sufficient /lib/security/pam_radius_auth.so
    • account sufficient /lib/security/pam_radius_auth.so
  • I created an XML file in accordance with IMS 1.1 and used the batch synchronisation to upload the user. Worked without error.
  • The user was in a pending state and I accepted it.

Can someone tell me what goes wrong here?
Is there a pam log file where I can check if the pam is contacted at all?

Thank you for any help.

Best wishes,
Nima
Posted by Lars Pind on
Nima,

Which operating system?

Try adding " debug" at the end of your auth and account lines like so:

auth sufficient /lib/security/pam_radius_auth.so debug
account sufficient /lib/security/pam_radius_auth.so debug

This should cause PAM to output debugging information in /var/adm/messages (probably OS dependent though, so it could be somewhere else, like /var/log/messages).

If this doesn't work, Mat Kovach also produced a version of nspam which outputs debug info, but a) that didn't help, and b) I can't find it now.

Two common pitfalls I want to mention, even though they don't apply in your case:

1) If you're using standard unix password authentication, your /etc/shadow must be readable by AOLserver. The best way is to change its group to the same group that AOLserver runs as, and make it readable to that group, not to world.

2) On Solaris 7 at least, there must be *both* an 'auth' and an 'account' line in your /etc/pam.conf file.

/Lars

Posted by Nima Mazloumi on
Hi Lars,

Thank you for your kind reply. I am using SuSE. I found the messages file under /var/log.

This is what it outputs:

Nov 20 18:37:34 dotlrn nsd: PAM unable to resolve symbol: pam_sm_acct_mgmt
Nov 20 18:37:34 dotlrn nsd: pam_radius_auth: unrecognized option 'debug^M'
Nov 20 18:37:34 dotlrn nsd: pam_radius_auth: Could not open configuration file /etc/raddb/server: Permission denied

It seems that it does not recognize the debug option, but there must be something else wrong as well, don't you think?

Best wishes,
Nima
Posted by Nima Mazloumi on
Oh. I forgot to say. First the file was root:users, then I changed it to service0:users (service0=unima0 here in our installation). Then I changed the permissions to 777, but nothing helped. It's always the same message.
Posted by Nima Mazloumi on

I found out why I had this ^M at the end of the line and deleted it using emacs. Now I get the following message:

Nov 20 18:46:10 dotlrn nsd: PAM unable to resolve symbol: pam_sm_acct_mgmt
Nov 20 18:46:10 dotlrn nsd: pam_radius_auth: Got user name mazloumi
Nov 20 18:46:10 dotlrn nsd: pam_radius_auth: Could not open configuration file /etc/raddb/server: Permission denied
Posted by Nima Mazloumi on

I changed the permission to the server file. Now the var/log/messages file returns the following:

Nov 21 11:42:12 dotlrn nsd: PAM unable to resolve symbol: pam_sm_acct_mgmt
Nov 21 11:42:12 dotlrn nsd: pam_radius_auth: Got user name mazloumi
Nov 21 11:42:12 dotlrn nsd: pam_radius_auth: Sending RADIUS request code 1
Nov 21 11:42:12 dotlrn nsd: pam_radius_auth: Got RADIUS response code 2
Nov 21 11:42:12 dotlrn nsd: pam_radius_auth: authentication succeeded

But the Login-Screen says that the permission is denied.

Has someone an idea why this happens?

Posted by Nima Mazloumi on
The log on the remote radius server said the following:

Attributes:
        User-Name = "mazloumi"
        User-Password = "xxxxx"
        NAS-IP-Address = 134.155.51.152
        NAS-Identifier = "aolserver"
        NAS-Port = 26015
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only

Fri Nov 21 11:41:05 2003: DEBUG: AFS_USER: mazloumi
Fri Nov 21 11:41:05 2003: DEBUG: Radius::AuthAFS looks for match with mazloumi
Fri Nov 21 11:41:05 2003: DEBUG: Radius::AuthAFS ACCEPT:
Fri Nov 21 11:41:05 2003: DEBUG: Access accepted for mazloumi
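A small checker for the pitfalls this thread turns up (Lars's advice that both an auth and an account line must be present and that /etc/shadow should be group- but not world-readable, plus the ^M line ending and the unreadable /etc/raddb/server from Nima's logs). It is added here as an example and is not code from the thread or from nspam; the paths are the ones used in the thread and the script assumes a POSIX sh with grep, ls and id, run as the user AOLserver runs as.

```shell
#!/bin/sh
# Added example: sanity-check a PAM service file and the files it depends on.

# check_pam_service FILE
# Returns 0 when FILE is readable, has at least one 'auth' and one 'account'
# line, and contains no carriage returns (a trailing ^M turns "debug" into the
# unrecognized option 'debug^M' seen in the thread).
check_pam_service() {
    f=$1
    rc=0
    if [ ! -r "$f" ]; then
        echo "FAIL: $f is missing or not readable by $(id -un)"
        return 1
    fi
    if grep -q "$(printf '\r')" "$f"; then
        echo "FAIL: $f contains carriage returns (^M); convert to unix line endings"
        rc=1
    fi
    # Skip comment lines, then require the module type in the first column.
    for type in auth account; do
        if ! grep -v '^[[:space:]]*#' "$f" | grep -Eq "^[[:space:]]*$type[[:space:]]"; then
            echo "FAIL: $f has no '$type' line"
            rc=1
        fi
    done
    return $rc
}

# check_readable FILE: the 'Permission denied' on /etc/raddb/server above was
# the server user lacking read access, so run this as that user.
check_readable() {
    [ -r "$1" ] && return 0
    echo "FAIL: $1 is not readable by $(id -un)"
    return 1
}

# check_not_world_readable FILE: /etc/shadow should be readable by the
# server's group, not by everyone. Inspects the 'other' bits of ls -l.
check_not_world_readable() {
    perms=$(ls -l "$1" 2>/dev/null | cut -c8-10)
    case $perms in
        ---) return 0 ;;
        *) echo "FAIL: $1 is missing or world-accessible ('$perms')"; return 1 ;;
    esac
}

# Usage: sh pamcheck.sh [SERVICE_FILE]   (defaults to the thread's paths)
svc=${1:-/etc/pam.d/aolserver}
status=0
check_pam_service "$svc" || status=1
check_readable /etc/raddb/server || status=1
check_not_world_readable /etc/shadow || status=1
echo "overall: $status (0 = all checks passed)"
```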