http://bugzilla.suse.com/show_bug.cgi?id=1077729
http://bugzilla.suse.com/show_bug.cgi?id=1077729#c13
--- Comment #13 from Reinhard Max
I tried to remove the auth-nocache option on the client config but the result is the same. Not sure that the problem is similar to yours.
Sorry, I was drawing wrong conclusions. The fact that PAM succeeds shows that auth-nocache is not the problem. But I think I found the reason why it fails for you: it is the chroot option that you are using in your server config in combination with the deferred PAM authentication that got added by Nirmoy's patch. For deferred authentication, openvpn forks a background process that gets authentication requests through a socket and hands back the result via a temporary file. When the chroot option is being used, only the "worker" process actually chroots to the given directory, but the "authenticator" stays outside. Now the authenticator writes the result to a file under /tmp, but the worker expects it under the /tmp directory relative to its chroot dir, where it never arrives and hence it times out. As soon as I turn off chroot in a configuration that closely resembles yours or manually move the result file (openvpn_acf_*.tmp) from /tmp/ to /var/lib/openvpn/jail/tmp/ the connection succeeds. I don't know if that split root operation is intended by upstream or not, and why they use temp files rather than the already existing socket to hand back auth results.
But with the package you provided (https://download.opensuse.org/repositories/home:/rmax:/branches:/OBS_Maintained:/openvpn/openSUSE_Leap_42.3_Update) it works like a charm!
Sure, that one doesn't use deferred authentication, so it doesn't have the background process and file handover. BTW, did you have to copy any PAM and/or RADIUS stuff to your chroot directory in order to get your setup to work initially?
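Added example, not part of the original comment and not openvpn's own code: a small config check that flags the chroot plus auth-pam plugin combination described above and reports the directory where the authenticator writes the result file next to the one the chrooted worker reads. The function names and the sample config are constructed, and it assumes the handover file is created in the `tmp-dir` directory (default /tmp) and that the installed plugin build uses deferred authentication.

```python
import posixpath
import shlex

# Constructed sample resembling the setup in the comment (not the reporter's real config).
SAMPLE_CONFIG = """\
port 1194
proto udp
chroot /var/lib/openvpn/jail   # only the worker process chroots here
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
"""

def parse_directives(text):
    """Return {directive: [argument lists]} for an OpenVPN config file."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";"):          # OpenVPN also accepts ';' comments
            continue
        tokens = shlex.split(line, comments=True)   # drops '#' comments
        if tokens:
            name = tokens[0].lstrip("-")
            directives.setdefault(name, []).append(tokens[1:])
    return directives

def handover_paths(text):
    """Return None if the config is unaffected, else
    (dir the authenticator writes to, real path of the dir the worker reads)."""
    d = parse_directives(text)
    chroot = d.get("chroot", [[]])[-1]
    uses_pam = any(args and "auth-pam" in args[0] for args in d.get("plugin", []))
    if not chroot or not uses_pam:
        return None
    # Assumption: the result file lives in tmp-dir, which defaults to /tmp.
    tmp = (d.get("tmp-dir", [[]])[-1] or ["/tmp"])[0]
    authenticator_dir = posixpath.normpath(tmp)
    # The worker resolves the same path relative to its chroot directory.
    worker_dir = posixpath.normpath(chroot[0] + "/" + tmp.lstrip("/"))
    return authenticator_dir, worker_dir

if __name__ == "__main__":
    result = handover_paths(SAMPLE_CONFIG)
    if result:
        print("authenticator writes openvpn_acf_*.tmp under:", result[0])
        print("chrooted worker looks under:               ", result[1])
```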