Someoune with same trouble few years back: http://lists.cistron.nl/pipermail/freeradius-users/2005-April/042507.html Ivan Kalik Kalik Informatika ISP Dana 17/4/2008, "Si St" <sigbj-st@operamail.com> piše:
----- Original Message ----- From: A.L.M.Buxey@lboro.ac.uk To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Subject: Re: newbie on radiustesting Date: Wed, 16 Apr 2008 21:52:38 +0100
Hi,
A: All running, both radiusd -X and rcradiusd start, is done as root, and unfortunately all messages comes from the user root.
okay. so definately a permission issue for a non root user. ...its late now so if noone else steps in you'll have to wait to hear from me again. (in radiusd.conf the user is set to radiusd, yes?)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
YES, the user is set to radiusd in radiusd.conf:
# user/group: The name (or #number) of the user/group to run radiusd as. # # If these are commented out, the server will run as the user/group # that started it. In order to change to a different user/group, you # MUST be root ( or have root privleges ) to start the server. # # We STRONGLY recommend that you run the server with as few permissions # as possible. That is, if you're not using shadow passwords, the # user and group items below should be set to 'nobody'. # # On SCO (ODT 3) use "user = nouser" and "group = nogroup". # # NOTE that some kernels refuse to setgid(group) when the value of # (unsigned)group is above 60000; don't use group nobody on these systems! # # On systems with shadow passwords, you might have to set 'group = shadow' # for the server to be able to read the shadow password file. If you can # authenticate users while in debug mode, but not in daemon mode, it may be # that the debugging mode server is running as a user that can read the # shadow info, and the user listed below can not. # user = radiusd group = radiusd ........................................
By the way does this excerpt from the top page of radiusd.conf tell anything about the problem?
If the server builds and installs, but fails at execution time # with an 'undefined symbol' error, then you can use the libdir # directive to work around the problem. # # The cause is usually that a library has been installed on your # system in a place where the dynamic linker CANNOT find it. When # executing as root (or another user), your personal environment MAY # be set up to allow the dynamic linker to find the library. When # executing as a daemon, FreeRADIUS MAY NOT have the same # personalized configuration.
....Remembering now that the output of rcradiusd start with the uncomment eap.conf\TLS partis:
linux:/etc/raddb # rcradiusd start Starting RADIUS daemon 8188:error:0200100D:system library:fopen:Permission denied:bss_file.c:104:fopen('/etc/raddb/certs/demoCA/cacert.pem','r') 8188:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:109: 8188:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274: startproc: exit status of parent of /usr/sbin/radiusd: 1 failed .....which is pretty much identical to the error messages from radiusd -X:
8215:error:0200100D:system library:fopen:Permission denied:bss_file.c:104:fopen('/etc/raddb/certs/demoCA/cacert.pem','r') 8215:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:109: 8215:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274: rlm_eap_tls: Error reading Trusted root CA list rlm_eap: Failed to initialize type tls radiusd.conf[9]: eap: Module instantiation failed.
Does this help you?
-- _______________________________________________ Surf the Web in a faster, safer and easier way: Download Opera 9 at http://www.opera.com
Powered by Outblaze
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html