Problem with rlm_mschap from CVS
Hello, I'm using Freeradius from CVS (checked out today) to do WPA-EAP+Radius +PEAP+ntlm_auth because I can't get rlm_eap_peap from 1.0.5 to build on debian. When trying to authenticate everything seems to be fine, but fails when executing ntlm_auth. Here's the debugging log. Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: Looking up realm "MYDOMAIN" for User-Name = "MYDOMAIN \user" rlm_realm: Found realm "MYDOMAIN" rlm_realm: Adding Stripped-User-Name = "user" rlm_realm: Proxying request from user user to realm MYDOMAIN rlm_realm: Adding Realm = "MYDOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "ntdomain" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 71 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for user with NT-Password freeradius: symbol lookup error: /usr/lib/freeradius/rlm_mschap-1.1.0-pre0.so: undefined symbol: radius_exec_program Is this a configuration issue or a bug? thanks -- Luca Corti PGP Key ID 1F38C091 BOFH excuse of the moment: We are Microsoft. What you are experiencing is not a problem; it is an undocumented feature.
It's a configuration issue. You didn't configure the rlm_exec module, which is called to execute ntlm_auth. --Mike Luca Corti wrote:
Hello,
I'm using Freeradius from CVS (checked out today) to do WPA-EAP+Radius +PEAP+ntlm_auth because I can't get rlm_eap_peap from 1.0.5 to build on debian.
When trying to authenticate everything seems to be fine, but fails when executing ntlm_auth.
Here's the debugging log.
Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: Looking up realm "MYDOMAIN" for User-Name = "MYDOMAIN \user" rlm_realm: Found realm "MYDOMAIN" rlm_realm: Adding Stripped-User-Name = "user" rlm_realm: Proxying request from user user to realm MYDOMAIN rlm_realm: Adding Realm = "MYDOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "ntdomain" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 71 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for user with NT-Password freeradius: symbol lookup error: /usr/lib/freeradius/rlm_mschap-1.1.0-pre0.so: undefined symbol: radius_exec_program
Is this a configuration issue or a bug?
thanks
Michael Griego wrote:
It's a configuration issue. You didn't configure the rlm_exec module, which is called to execute ntlm_auth.
I think it was working in version 1.0.x without rlm_exec module instantiated. Moreover, I'm not sure if the linker is able to find the missing symbol in a different module on all systems... -- Nicolas Baradakis
Nicolas Baradakis wrote:
I think it was working in version 1.0.x without rlm_exec module instantiated. Moreover, I'm not sure if the linker is able to find the missing symbol in a different module on all systems...
It was working with 1.0.x and in CVS until the changes you mentioned. In my case, I didn't have the rlm_exec module configured until I needed it for ntlm_auth. Once I configured it, ntlm_auth started working again. This is on a Fedora Linux system. --Mike
On Mon, 2005-11-14 at 11:09 -0600, Michael Griego wrote:
It's a configuration issue. You didn't configure the rlm_exec module, which is called to execute ntlm_auth.
Is anything else needed besides exec { wait = yes input_pairs = request } and instantiate { exec ... } ? If the above is correct, it's a bug. thanks
--Mike
Luca Corti wrote:
Hello,
I'm using Freeradius from CVS (checked out today) to do WPA-EAP+Radius +PEAP+ntlm_auth because I can't get rlm_eap_peap from 1.0.5 to build on debian.
When trying to authenticate everything seems to be fine, but fails when executing ntlm_auth.
Here's the debugging log.
Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: Looking up realm "MYDOMAIN" for User-Name = "MYDOMAIN \user" rlm_realm: Found realm "MYDOMAIN" rlm_realm: Adding Stripped-User-Name = "user" rlm_realm: Proxying request from user user to realm MYDOMAIN rlm_realm: Adding Realm = "MYDOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "ntdomain" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 71 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for user with NT-Password freeradius: symbol lookup error: /usr/lib/freeradius/rlm_mschap-1.1.0-pre0.so: undefined symbol: radius_exec_program
Is this a configuration issue or a bug?
thanks
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Luca Corti PGP Key ID 1F38C091 BOFH excuse of the moment: Jan 9 16:41:27 huber su: 'su root' succeeded for .... on /dev/pts/1
Luca Corti wrote:
On Mon, 2005-11-14 at 11:09 -0600, Michael Griego wrote:
It's a configuration issue. You didn't configure the rlm_exec module, which is called to execute ntlm_auth.
Is anything else needed besides
exec { wait = yes input_pairs = request }
and
instantiate { exec ... }
?
If the above is correct, it's a bug.
It should be fixed now. Please do a "cvs update" or get the nightly CVS snapshot tomorrow. -- Nicolas Baradakis
Luca Corti wrote:
When trying to authenticate everything seems to be fine, but fails when executing ntlm_auth.
[...]
error: /usr/lib/freeradius/rlm_mschap-1.1.0-pre0.so: undefined symbol: radius_exec_program
Is this a configuration issue or a bug?
It's a bug. It seems I removed too many things when deleting support for the deprecated Exec-Program attribute. The problem is the function radius_exec_program is now used by only two modules : rlm_exec and rlm_mschap. The possible solutions are: 1. Reverse previous changes and move the file exec.c back to src/main. 2. Copy the file exec.c into src/modules/rlm_mschap, too. 3. In rlm_mschap.c, use "exec_xlat" from rlm_exec instead of "radius_exec_program". It adds a dependancy between the modules, though. For example, we could have in radiusd.conf: ntlm_auth = "%{exec:/path/to/ntlm_auth ... }" -- Nicolas Baradakis
Nicolas Baradakis <nbk@sitadelle.com> wrote:
The possible solutions are: 1. Reverse previous changes and move the file exec.c back to src/main.
Maybe. If other modules need it, that's where it should go.
2. Copy the file exec.c into src/modules/rlm_mschap, too.
No.
3. In rlm_mschap.c, use "exec_xlat" from rlm_exec instead of "radius_exec_program". It adds a dependancy between the modules, though. For example, we could have in radiusd.conf: ntlm_auth = "%{exec:/path/to/ntlm_auth ... }"
That's an option. I'm a big fan of "just making it work". If that means moving exec.c back to src/main, fine. Alan DeKok.
Another possibility for "linking" between modules without truly linking would be to change rlm_mschap to use radius_xlat with the %{exec:...} xlat. Just depends on what others thing. I'm not opposed to moving exec.c back into the server core. -Mike Alan DeKok wrote:
Nicolas Baradakis <nbk@sitadelle.com> wrote:
The possible solutions are: 1. Reverse previous changes and move the file exec.c back to src/main.
Maybe. If other modules need it, that's where it should go.
2. Copy the file exec.c into src/modules/rlm_mschap, too.
No.
3. In rlm_mschap.c, use "exec_xlat" from rlm_exec instead of "radius_exec_program". It adds a dependancy between the modules, though. For example, we could have in radiusd.conf: ntlm_auth = "%{exec:/path/to/ntlm_auth ... }"
That's an option.
I'm a big fan of "just making it work". If that means moving exec.c back to src/main, fine.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan DeKok wrote:
The possible solutions are: 1. Reverse previous changes and move the file exec.c back to src/main.
Maybe. If other modules need it, that's where it should go.
I've moved this file because it isn't used by the server core anymore, but I didn't noticed the module rlm_chap used it, too.
2. Copy the file exec.c into src/modules/rlm_mschap, too.
No.
3. In rlm_mschap.c, use "exec_xlat" from rlm_exec instead of "radius_exec_program". It adds a dependancy between the modules, though. For example, we could have in radiusd.conf: ntlm_auth = "%{exec:/path/to/ntlm_auth ... }"
That's an option.
I'm a big fan of "just making it work". If that means moving exec.c back to src/main, fine.
I was thinking we could have "rlm_exec" do all the external programs execution (like we delegate SQL statement execution to "rlm_sql") but it makes the setup a little more difficult. For now, I'll just move exec.c back to src/main, that's a lot easier. -- Nicolas Baradakis
participants (4)
-
Alan DeKok -
Luca Corti -
Michael Griego -
Nicolas Baradakis