Hi, I've read the freeradius-users achives and found that other people have problems when using Freeradius on an OS which uses a shadow password file. I too have encountered such problems and have found why this problem occurs but require assistance to fix. Here's a recap of the problem: Auth-Type = Local works fine but Auth-Type = System does not. OS: FreeBSD 6.0 running Freeradius-1.1.1 installed from ports collection users file contents: DEFAULT Auth-Type = System Reply-Message = "System password works" Running radiusd -X produces (see below for greater detail) rlm_unix: [test]: invalid password but I know 100% that the password is correct. What appears to be happening (determined from hours of frustrating testing) is Freeradius (rlm_unix) is looking for the users passwords in the /etc/passwd file but my /etc/passwd file doesn't contain any passwords: test:*:1003:1003:Test User:/home/test:/bin/sh my /etc/master.passwd file does: test:$1$RlHYm4Ca$QhlYcYV7BqIjTF.UQ4pTX/:1003:1003::0:0:Test User:/home/test:/bin/sh if I copy the encrypted password from /etc/master.passwd and replace the "*" in /etc/passwd I can successfully authenticate via Auth-Type = System Login OK: [test] (from client localhost port 0) (more detail below) ******* So my question is what do I need to do so I don't have to manually replace the "*" in /etc/passwd with the encrypted password from /etc/master.passwd for every user I enter in the system? ******* TIA, Shane Output of radiusd -X when /etc/passwd contains "*" for password rad_recv: Access-Request packet from host 127.0.0.1:52869, id=153, length=53 User-Name = "test" User-Password = "test" NAS-IP-Address = 127.0.0.1 NAS-Port-Id = "0" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 688 modcall[authorize]: module "preprocess" returns ok for request 688 radius_xlat: '/var/log/radacct/127.0.0.1/auth-detail-20060531' rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/127.0.0.1/auth-detail-20060531 modcall[authorize]: module "auth_log" returns ok for request 688 modcall[authorize]: module "chap" returns noop for request 688 modcall[authorize]: module "mschap" returns noop for request 688 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 688 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 688 users: Matched entry DEFAULT at line 13 modcall[authorize]: module "files" returns ok for request 688 modcall: leaving group authorize (returns ok) for request 688 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 688 rlm_unix: [test]: invalid password modcall[authenticate]: module "unix" returns reject for request 688 modcall: leaving group authenticate (returns reject) for request 688 auth: Failed to validate the user. Login incorrect: [test/test] (from client localhost port 0) Delaying request 688 for 1 seconds Finished request 688 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 153 to 127.0.0.1 port 52869 Reply-Message = "System password works" Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 688 ID 153 with timestamp 447e1534 Nothing to do. Sleeping until we see a request. Output of radiusd -X when /etc/passwd contains encrypted password instead of "*" rad_recv: Access-Request packet from host 127.0.0.1:55703, id=181, length=53 User-Name = "test" User-Password = "test" NAS-IP-Address = 127.0.0.1 NAS-Port-Id = "0" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/var/log/radacct/127.0.0.1/auth-detail-20060531' rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/127.0.0.1/auth-detail-20060531 modcall[authorize]: module "auth_log" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 13 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns ok for request 0 modcall: leaving group authenticate (returns ok) for request 0 radius_xlat: 'System password works' Login OK: [test] (from client localhost port 0) Sending Access-Accept of id 181 to 127.0.0.1 port 55703 Reply-Message = "System password works" Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 181 with timestamp 447e1744 Nothing to do. Sleeping until we see a request.
Maillists <maillists@cois.on.ca> wrote:
but I know 100% that the password is correct. What appears to be happening (determined from hours of frustrating testing) is Freeradius (rlm_unix) is looking for the users passwords in the /etc/passwd file but my /etc/passwd file doesn't contain any passwords: test:*:1003:1003:Test User:/home/test:/bin/sh
my /etc/master.passwd file does: test:$1$RlHYm4Ca$QhlYcYV7BqIjTF.UQ4pTX/:1003:1003::0:0:Test User:/home/test:/bin/sh
Read radiusd.conf, and look for "/etc/passwd". Odds are that you enabled caching of /etc/passw. There's a reason it's not enabled by default, it doesn't work on FreeBSD. Which is explicitly documented. Alan DeKok.
Alan DeKok wrote:
Maillists <maillists@cois.on.ca> wrote:
but I know 100% that the password is correct. What appears to be happening (determined from hours of frustrating testing) is Freeradius (rlm_unix) is looking for the users passwords in the /etc/passwd file but my /etc/passwd file doesn't contain any passwords: test:*:1003:1003:Test User:/home/test:/bin/sh
my /etc/master.passwd file does: test:$1$RlHYm4Ca$QhlYcYV7BqIjTF.UQ4pTX/:1003:1003::0:0:Test User:/home/test:/bin/sh
Read radiusd.conf, and look for "/etc/passwd". Odds are that you enabled caching of /etc/passw. There's a reason it's not enabled by default, it doesn't work on FreeBSD. Which is explicitly documented.
Alan DeKok.
No, that isn't the cause as I have the following in radiusd.conf: # Unix /etc/passwd style authentication # unix { # allowed values: {no, yes} cache = no # Reload the cache every 600 seconds (10mins). 0 to # disable. cache_reload = 600 # This is required for some systems, like FreeBSD, # and Mac OSX. passwd = /etc/passwd shadow = /etc/master.passwd group = /etc/group # radwtmp = ${logdir}/radwtmp } I'm assuming the cache_reload=600 doesn't matter as it the cache was disabled earlier in the code. Any other things I should check to get Auth-Type = System working? Shane
Shane <maillists@cois.on.ca> wrote:
Read radiusd.conf, and look for "/etc/passwd". Odds are that you enabled caching of /etc/passw. There's a reason it's not enabled by default, it doesn't work on FreeBSD. Which is explicitly documented.
No, that isn't the cause as I have the following in radiusd.conf: ... unix { # allowed values: {no, yes} cache = no
OK...
# This is required for some systems, like FreeBSD, # and Mac OSX. passwd = /etc/passwd
Those should be commented out. Maybe radiusd doesn't have permission to call getpwent()? See the comments around the "unix" module in radiusd.conf. Alan DeKok.
Alan DeKok wrote:
Shane <maillists@cois.on.ca> wrote:
Read radiusd.conf, and look for "/etc/passwd". Odds are that you enabled caching of /etc/passw. There's a reason it's not enabled by default, it doesn't work on FreeBSD. Which is explicitly documented. No, that isn't the cause as I have the following in radiusd.conf: ... unix { # allowed values: {no, yes} cache = no
OK...
# This is required for some systems, like FreeBSD, # and Mac OSX. passwd = /etc/passwd
Those should be commented out.
Maybe radiusd doesn't have permission to call getpwent()? See the comments around the "unix" module in radiusd.conf.
Alan DeKok.
Thanks Alan. The lines: passwd = /etc/passwd shadow = /etc/shadow group = /etc/group should be commented out for FreeBSD even though in radiusd.conf the comment directly above states "This is required for some systems, like FreeBSD, and Mac OS" I missed the comment previous to this one which totally changes the meaning of the quoted comment above. Maybe that blank line should be removed between such comments to help some other newbie avoid similar problems. Thanks again, Shane
participants (3)
-
Alan DeKok -
Maillists -
Shane