kill -HUP sometimes causes "rlm_pap: mschap xlat failed"
mcn4 at leicester.ac.uk
Thu Apr 12 16:32:37 CEST 2012
On Thu, Apr 12, 2012 at 03:59:56PM +0200, Jan Weiher wrote:
> I've got a strange problem with FR 2.1.12, sometimes (not always) when
> logrotate ran, freeradius goes bonkers and responds to every pap request
> with "mschap xlat failed". Restarting FR fixes this magically and all
> works fine again. I created a small and hackish script, which restarts
> FR when this happens. The output showed that about every second week
> (logrotate runs weekly) this happens. Because FR works fine again after
> a restart, restarting FR in debug mode is not an option to get more
> information. But here is a snipped from my radiusd.log showing the symptom:
We've been hitting the same problem for a while, on just one (of
three) radius server. Every couple of weeks, at FR logrotation
time, all auths fail. In this case, it's EAP/MS-CHAPv2. After
logrotation, the auths all give
Thu Apr 12 15:21:31 2012 : Auth: Login incorrect (mschap: External
script says NT_STATUS_WRONG_PASSWORD: Wrong Password
(0xc000006a)): [xxxxx at leicester.ac.uk] (from client WLC5508-CC-1
port 13 cli 58-1f-aa-50-59-ef via TLS tunnel)
I've been meaning to try and sort this for a while, so you
prompted me to look at it. I had been thinking that it was winbind
being restarted at the same time, and was going to blame winbind.
However, it seems winbind isn't being restarted, so it's unlikely
to be that.
Our logrotate -HUPs the server, not stop/start.
I've just replicated the problem by repeatedly HUPping freeradius,
with about 10 second gaps between. On the 8th or so try, the same
issue hit. Stopping and starting FR fixed it.
I'm wondering if the mschap module somehow gets its internal state
muddled on a HUP, and starts sending the wrong challenge response.
ntlm_auth from the command line works fine when FR has a problem.
I'll dig a bit more, but the easy solution is to change the
logrotate script to restart, rather than reload/HUP.
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
More information about the Freeradius-Users