Problems with running freeradius
Hi !
I've a problem with my new version FreeRADIUS 1.1.0_2 on FreeBSD 7.0 CURRENT
vol2% # /usr/local/sbin/radiusd -X
Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/eap.conf main: prefix = "/usr/local" main: localstatedir = "/var" main: logdir = "/var/log" main: libdir = "/usr/local/lib" main: radacctdir = "/var/log/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radiusd" main: log_auth = yes main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "clear" pap: auto_header = no Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/volt.key.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/volt.crt" tls: CA_file = "/usr/local/etc/raddb/certs/ca.crt" tls: private_key_password = "(null)" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "md5" ttls: copy_request_to_tunnel = no ttls: use_tunneled_reply = yes rlm_eap: Loaded and initialized type ttls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded LDAP ldap: server = "ldap2.iem.pw.edu.pl"ol2% # /usr/local/sbin/radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/eap.conf main: prefix = "/usr/local" main: localstatedir = "/var" main: logdir = "/var/log" main: libdir = "/usr/local/lib" main: radacctdir = "/var/log/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radiusd" main: log_auth = yes main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "clear" pap: auto_header = no Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/volt.key.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/volt.crt" tls: CA_file = "/usr/local/etc/raddb/certs/ca.crt" tls: private_key_password = "(null)" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "md5" ttls: copy_request_to_tunnel = no ttls: use_tunneled_reply = yes rlm_eap: Loaded and initialized type ttls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded LDAP ldap: server = "ldap2.iem.pw.edu.pl" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "cn=radius,ou=admin,dc=iem,dc=pw,dc=edu,dc=pl" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "znpk22kd" ldap: basedn = "ou=User,dc=ee,dc=pw,dc=edu,dc=pl" ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap: base_filter = "(objectclass=sambaSamAccount)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "(null)" ldap: access_attr = "uid" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: set_auth_type = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password conns: 0x8011e0b00 Module: Instantiated ldap (ldap) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests.
rad_recv: Access-Request packet from host 194.29.146.140:2067, id=221, length=96 User-Name = "ato" Calling-Station-Id = "00-13-ce-eb-f1-18" EAP-Message = 0x020100080161746f Framed-MTU = 1287 NAS-IP-Address = 194.29.146.140 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 Message-Authenticator = 0xe2ef296f42d9a00f6a6ecc0363ca0f41 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "ato", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 8 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for ato radius_xlat: '(uid=ato)' radius_xlat: 'ou=User,dc=ee,dc=pw,dc=edu,dc=pl' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap2.iem.pw.edu.pl:389, authentication 0 zsh: segmentation fault sudo /usr/local/sbin/radiusd -X ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "cn=radius,ou=admin,dc=iem,dc=pw,dc=edu,dc=pl" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "znpk22kd" ldap: basedn = "ou=User,dc=ee,dc=pw,dc=edu,dc=pl" ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap: base_filter = "(objectclass=sambaSamAccount)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "(null)" ldap: access_attr = "uid" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: set_auth_type = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password conns: 0x8011e0b00 Module: Instantiated ldap (ldap) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests.
rad_recv: Access-Request packet from host 194.29.146.140:2067, id=221, length=96 User-Name = "ato" Calling-Station-Id = "00-13-ce-eb-f1-18" EAP-Message = 0x020100080161746f Framed-MTU = 1287 NAS-IP-Address = 194.29.146.140 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 Message-Authenticator = 0xe2ef296f42d9a00f6a6ecc0363ca0f41 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "ato", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 8 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for ato radius_xlat: '(uid=ato)' radius_xlat: 'ou=User,dc=ee,dc=pw,dc=edu,dc=pl' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap2.iem.pw.edu.pl:389, authentication 0 zsh: segmentation fault sudo /usr/local/sbin/radiusd -X
What should I do , because when I started RADIUS it started, and when I want to connect my laptop to server I see segmentation fault Thans for all
Jacek Burszta
Hi Jacek and everyone, In message <45B93F8D.5020203@jpol.waw.pl>, Jacek Burszta <jacek@jpol.waw.pl> writes
Hi !
I've a problem with my new version FreeRADIUS 1.1.0_2 on FreeBSD 7.0 CURRENT
I got a fuller version of this report from Jacek directly and have sent a longer reply by private mail. I see Phil's suggestion to follow doc/bugs, and that is the eventual conclusion of this, but I don't believe that's the first step. In summary: Running an obsolete version of FreeRADIUS on a development branch of the underlying operating system is not the best option for stability. At the very least build the latest version of FreeRADIUS using the latest version of the port - but if it still doesn't work, my options as the maintainer are limited, especially as I don't have access to a FreeBSD amd64 box of any description. The development FreeBSD -CURRENT branch has unstable ABI / API. It isn't even guaranteed to compile let alone run, and if it runs it may malfunction. Further, the environment is different in -CURRENT to the -STABLE branches supported by the Ports Collection. Most notably, 6-STABLE has stuck with gcc 3.4, whereas 7-CURRENT is using gcc 4.1. -CURRENT is also different to -STABLE in various other ways (such as OpenSSL 0.9.8d in the base system). FreeBSD -RELEASE is recommended for production machines, or -STABLE at a push. (For those not used to FreeBSD, -STABLE means stable ABI / API - it's still a development branch and it may not actually be stable). In this case, FreeRADIUS has segfaulted as it attempts to use OpenLDAP (comparing to a debug run on an older version of the server), which is why I suspect an incompatible ABI / API snafu or similar. Updating /usr/src from the CVS without building and installing that version as your kernel and user mode should be OK on -STABLE, but can break things on -CURRENT as you can finish up with headers that don't match the system binaries. Only when you've upgraded the ports tree and ensured that everything on the system (kernel, user land and ports) are compiled from the same CVS checkout or snapshot of the OS is it time to turn to doc/bugs, and even then the problem may be down to something not being right in your development operating system. My recommended way ahead, which is somewhat more terse than my reply by private mail: FreeRADIUS 1.1.0 has a known security flaw, and 1.1.0_2 is nearly a year old. The latest version of the port is 1.1.4_1, which should be retrieved using portsnap(1), csup(1) or another suitable method. I'd upgrade the whole ports tree, as if you've somehow got 1.1.0_2 on your box, the rest of the ports tree could be 11 months out of date also, and that's a lot of fixes and updates. There is no point proceeding any further until you have the latest version of the port installed and built. As I said, FreeRADIUS segfaulted when attempting to use LDAP; I suspect that something is wrong with the OpenLDAP shared library. Such are the perils of running FreeBSD -CURRENT - the 'bleeding edge' branch where the ABI and API can change without warning. -CURRENT is where the operating system is developed, and isn't even guaranteed to compile, let alone work properly. The first stage is to back up everything (level 0 dumps of all filesystems or similar), as any fixing may make things worse. If building freeradius-1.1.4_1 doesn't solve the problem, rebuild FreeRADIUS and all the ports it depends on (portupgrade -fR net/freeradius or similar). You may have to rebuild all the ports on the machine if you have problems with incompatible ABI. Indeed, you may have to rebuild world - make buildworld, make buildkernel, make installkernel, reboot into single user mode, make installworld - read the full instructions in the FreeBSD Handbook (you should use mergemaster at the appropriate points, for example) and make doubly sure you have good backups first. You have been warned - even if a checkout of -CURRENT compiles it could panic on boot. When you've done that, you may need to rebuild all the ports - and I'm still not going to guarantee it will work. If that doesn't solve it, the debugging steps to take are in /usr/local/share/doc/freeradius/bugs, which is the doc/bugs file referred to Phil's reply. There's no easy way of issuing --enable-developer via the port - maybe I should add that to the options in the port. It would likely be a case of getting busy with gdb and finding out exactly what is causing the segfault. There is, of course, no point doing this on the obsolete 1.1.0 code. The ports collection is only guaranteed to work on supported -STABLE branches, which means 5-STABLE or 6-STABLE at the moment (see <http://www.freebsd.org/doc/en_US.ISO8859-1/articles/contributing-ports/a rticle.html#AEN165> ). FreeBSD -CURRENT isn't recommended for a production machine; indeed, -STABLE isn't really recommended for a production machine either. At this time, 6.2-RELEASE (which ideally means tracking RELENG_6_2 to get security fixes and errata) is arguably the best version to use for production machines, assuming that it supports all your hardware. Really, you're on your own with -CURRENT to a large extent; technical competence is expected, as is following the freebsd-current mailing list and being able to help troubleshoot your own problems. As I said in the private reply, I'm particularly limited in what I can do in this case, as I don't have a FreeBSD amd64 box, nor do I run -CURRENT. However, I hope this helps. Best wishes, David -- David Wood david@wood2.org.uk
participants (3)
-
David Wood -
Jacek Burszta -
Phil Mayers