On Tue, Apr 23, 2013 at 03:44:20PM +0200, Ondra Hujňák wrote:
Hi,
I added the RADIUS client part to the rad provider. It communicates with
the server now and gets a response (Access-Accept or Access-Reject).
All changes are available in rad branch of my github repository:
https://github.com/hujon/sssd.git
I used the completely new krad library from Kerberos, so it depends
on krb5-libs and verto now. Because the f19 updates contain an old
version with a different API, you need to install packages from koji:
http://koji.fedoraproject.org/koji/buildinfo?buildID=410384
However, when I get a response, the callback is correctly called and
I call be_req_terminate, but the result doesn't reach su, so it
just times out and denies access every time.
This is a part of my log:
[be_pam_handler] (0x0100): Got request with the following data
[pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[pam_print_data] (0x0100): domain: RAD
[pam_print_data] (0x0100): user: test
[sssd[be[RAD]]] [pam_print_data] (0x0100): service: su
[sssd[be[RAD]]] [pam_print_data] (0x0100): tty: pts/0
[sssd[be[RAD]]] [pam_print_data] (0x0100): ruser: ondra
[sssd[be[RAD]]] [pam_print_data] (0x0100): rhost:
[sssd[be[RAD]]] [pam_print_data] (0x0100): authtok type: 1
[sssd[be[RAD]]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[be[RAD]]] [pam_print_data] (0x0100): priv: 0
[sssd[be[RAD]]] [pam_print_data] (0x0100): cli_pid: 14218
[sssd[be[RAD]]] [rad_auth_send] (0x0400): Sending request
[sssd[be[RAD]]] [rad_auth_done] (0x0400): Permission granted for user test.
[sssd[be[RAD]]] [rad_auth_done] (0x0400): Callback terminating be_req.
[sssd[be[RAD]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
[sssd[be[RAD]]] [be_pam_handler_callback] (0x0100): Sending result [0][RAD]
[sssd[be[RAD]]] [be_pam_handler_callback] (0x0100): Sent result [0][RAD]
[sssd[be[RAD]]] [rad_auth_done] (0x0400): Callback freeing req.
If you have any idea what's wrong, or any other comments about
my code, I'll be glad to hear them ;)
Ondrej
According to the log, the backend sent the return code back to the
sssd_pam frontend. If you put debug_level=10 into the [pam] section, do
you see anything logged there?
Other comments about the code:
* You can use the standard HOST_NAME_MAX instead of HOSTNAME_LEN_MAX
* Please don't put a space after an opening "("
* rad_req_free() should be a talloc destructor. See how we use
talloc_set_destructor elsewhere. Then because rad_req is allocated on
top of be_req, you won't have to free it explicitly at all, it's
going to be freed when be_req goes away.
* I think there should be a utility function that would reduce code
duplication of this block:

    tmp = string2data(pass);
    kerr = krad_attrset_add(rad_req->attrs,
                            krad_attr_name2num("User-Password"),
                            &tmp);
    free(tmp.data);

* And most importantly: I don't really like libverto requests mixed with
tevent requests in the code. At the very least, the libverto
krad_client_send request should be wrapped in a tevent request. The
main rad_auth.c module would call:

    subreq = sss_rad_auth_send(parameters);
    if (subreq == NULL) {
        /* error */
    }
    /* tevent_req_set_callback() is the tevent call that registers the completion callback */
    tevent_req_set_callback(subreq, rad_auth_done, rad_req);

Then sss_rad_auth_send should do the libverto stuff internally. To be
honest, I'm not sure how safe it is to combine libverto and libtevent
in a single process, we should check with tevent/libverto experts,
maybe it would be safer to move the authentication into a separate
process that would use libverto.
Also, is there any howto on setting up the environment? I admit I have never
used RADIUS, so I'm really at a loss on how to configure it.