FreeIPA and FreeRADIUS: Issues with Windows AD Trust Authentication

Asked By TechieTurtle42 On

Hey everyone! I'm running into a bit of a snag with my FreeIPA and FreeRADIUS setup. I have everything working great for user-specific authentication on OpenVPN with FreeRADIUS using FreeIPA users. However, I've set up an AD Trust with a Windows AD domain (Windows Server 2025) and can successfully use commands like `getent passwd @`, `id @`, `kinit @`, and `su - @` on my FreeIPA/FreeRADIUS machine, indicating that the AD trust is established correctly. The issue arises when I attempt to use FreeRADIUS for authentication (e.g., running `radtest '@' '' localhost 0 testing123`), which results in the error: `pam: ERROR: pam_authenticate failed: Permission denied`. I'm not sure where I need to adjust permissions to allow FreeRADIUS to authenticate both FreeIPA and Windows AD users. Any insights? Thanks in advance!

2 Answers

Answered By CuriousCoder77 On

It sounds like the issue might be related to the PAM configuration for FreeRADIUS. The first thing to check is how you've set up PAM for the `radiusd` service. You might want to enable verbose logging for PAM to see more detailed error messages. If you haven't already, consider setting the `pam_sss.so` module to be more verbose in your PAM configuration. It could also help to see if `radtest` is logging everything it does. That way, you can pinpoint where things are going south. Let us know what you find!

TechieTurtle42 -

Thanks for your input! I'll take a look at the PAM logs and see if there's more detail to work with. Not sure if I need to change the configuration, but I'll check the logging settings for `radtest` as well.

Answered By SystemSleuth99 On

Yeah, the PAM error is a common stumbling block. Since your Kerberos tests are successful, this strongly suggests that you might need to tweak the PAM settings a bit. Ensure that your `pam_sss` (System Security Services) module is properly configured to handle the AD users. Sometimes, adding a `debug` option to your `pam_sss.so` lines can give you more insight into what's going wrong. Also, double-check the permissions for the service accounts used. Those can trip you up if they're not aligned!

TechieTurtle42 -

Great tips! I'll definitely try adding the debug option and check those permissions. Thanks for helping me troubleshoot!
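Both answers come down to the same two checks: that the `radiusd` PAM stack actually loads `pam_sss.so`, and that those lines carry `debug` so pam_sss explains its refusals. The script below is an added example, not code from the thread or from the FreeRADIUS or SSSD projects: it audits a PAM service file for `pam_sss.so` in the auth and account stacks and writes a copy with `debug` appended. The path `/etc/pam.d/radiusd`, the function names and the sample stack are all assumptions (the sample is constructed, not the poster's real file).

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeRADIUS/SSSD: audit a
# PAM service file (for FreeRADIUS normally /etc/pam.d/radiusd) for
# pam_sss.so in the auth and account stacks, and emit a copy with "debug"
# appended to those lines so pam_sss logs why it refuses a request.
# The input file is never modified; the rewritten content goes to stdout.

# Print "STACK present|missing debug|nodebug" for the auth and account
# stacks. Returns 0 only if pam_sss.so is present with debug in both.
pam_sss_status() {
    file="$1"; rc=0
    for stack in auth account; do
        # Drop comments, keep lines for this stack that load pam_sss.so.
        lines=$(sed 's/#.*//' "$file" | grep -w "pam_sss.so" \
                | grep -E "^[[:space:]]*$stack[[:space:]]" || true)
        if [ -z "$lines" ]; then
            echo "$stack missing nodebug"; rc=1
        elif printf '%s\n' "$lines" | grep -qw debug; then
            echo "$stack present debug"
        else
            echo "$stack present nodebug"; rc=1
        fi
    done
    return $rc
}

# Copy the file to stdout with " debug" appended to every auth/account
# pam_sss.so line that does not already carry it; other lines are untouched,
# so running it twice yields the same result.
pam_sss_add_debug() {
    sed -E '/^[[:space:]]*(auth|account)[[:space:]].*pam_sss\.so/{/(^|[[:space:]])debug([[:space:]]|$)/!s/[[:space:]]*$/ debug/;}' "$1"
}

# Constructed sample stack (not the poster's real file): pam_sss.so handles
# auth without debug, and the account stack never consults SSSD at all.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a real /etc/pam.d/radiusd
auth     sufficient  pam_unix.so nullok
auth     sufficient  pam_sss.so use_first_pass
auth     required    pam_deny.so
account  required    pam_unix.so
EOF

pam_sss_status "$SAMPLE" || echo "pam_sss.so is not fully present with debug"
pam_sss_add_debug "$SAMPLE"    # review, then install as /etc/pam.d/radiusd
```

Once the debug-enabled stack is in place, pam_sss reports each request and its outcome through syslog, so the next `radtest` run against an AD user shows which phase refused it.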
