what is version 8014870 of threads.c?
Excuse me for the most probably stupid question: what is version 8014870 of threads.c and where can it be downloaded from? I'm running freeradius 2.2.1 and get many / Error: WARNING: Unresponsive child for request *, in component <core> module <thread> / log entries. I've found Alan's mail http://lists.cistron.nl/pipermail/freeradius-devel/2013-September/008702.htm... and I could try his advice if I only knew where is the mentioned file. Or maybe 2.2.3 is the way to go? Please advice. Best regards, MU
Hi,
Excuse me for the most probably stupid question: what is version 8014870 of threads.c and where can it be downloaded from?
its a tag in the GIT development repository. but thats old now
Error: WARNING: Unresponsive child for request *, in component <core> module <thread>
first thing first - why is your server or that component slow? I'd advise using 2.2.3 and see if the fixes since 2.2.1 solve anything. alan
A.L.M.Buxey@lboro.ac.uk - 2014-01-08 23:30:
Excuse me for the most probably stupid question: what is version 8014870 of threads.c and where can it be downloaded from? its a tag in the GIT development repository. but thats old now
Actually I found it's substring of the tag...
Error: WARNING: Unresponsive child for request *, in component <core> module <thread> first thing first - why is your server or that component slow?
My server has plenty of RAM and CPU so it shouldn't be a problem.
I'd advise using 2.2.3 and see if the fixes since 2.2.1 solve anything.
Guess what? In fact situation became even worse. MU
On 9 Jan 2014, at 08:42, Maciej Uhlig <maciej.uhlig@us.edu.pl> wrote:
A.L.M.Buxey@lboro.ac.uk - 2014-01-08 23:30:
Excuse me for the most probably stupid question: what is version 8014870 of threads.c and where can it be downloaded from? its a tag in the GIT development repository. but thats old now
Actually I found it's substring of the tag...
It's a git commit hash. And yes, people usually pass around as substring because the full thing is quite long.
I'd advise using 2.2.3 and see if the fixes since 2.2.1 solve anything.
Guess what? In fact situation became even worse.
Woohoo. Well with no description of your configuration, or any idea of how it got worse we can't really help fix it... Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi,
Guess what? In fact situation became even worse.
on a live server this will probably be true for a small amount of time because you've stopped the old service, started the new service - meanwhile, your NAS kit has been trying to contact the service so you'll have a slightly higher number of auths to deal with straight away...and you're underlying problem hasnt gone away - eg you've still got some slow component in the authentication path - you need to find out what that is - what modules you call for each auth/post-auth etc - likely a slow DB or somesuch alan
Hi, I have some trouble with the implementation of a WLAN - PEAP Authentification with freeradius and ntlm-auth against a Windows2012 Server. I used the freeradius howto: - The pc can authentificate against the domain: root@rad1-wlan:/etc/freeradius/sites-enabled# /usr/bin/ntlm_auth --request-nt-key --domain=ADINT.DIR --username=peterpan --password=1234567 NT_STATUS_OK: Success (0x0) When I try to connect to the wlan, I was promped for a user/password and after accepting the cert the following log appears: ue Jan 21 15:22:20 2014 : Info: Found Auth-Type = EAP Tue Jan 21 15:22:20 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/wlan Tue Jan 21 15:22:20 2014 : Info: +- entering group eap {...} Tue Jan 21 15:22:20 2014 : Info: [eap] Request found, released from the list Tue Jan 21 15:22:20 2014 : Info: [eap] EAP/mschapv2 Tue Jan 21 15:22:20 2014 : Info: [eap] processing type mschapv2 Tue Jan 21 15:22:20 2014 : Info: [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/wlan Tue Jan 21 15:22:20 2014 : Info: [mschapv2] +- entering group MS-CHAP {...} Tue Jan 21 15:22:20 2014 : Info: [mschap] Creating challenge hash with username: peterpan Tue Jan 21 15:22:20 2014 : Info: [mschap] Told to do MS-CHAPv2 for peterpan with NT-Password Tue Jan 21 15:22:20 2014 : Info: [mschap] expand: %{Stripped-User-Name} -> Tue Jan 21 15:22:20 2014 : Info: [mschap] ... expanding second conditional Tue Jan 21 15:22:20 2014 : Info: [mschap] expand: %{User-Name} -> peterpan Tue Jan 21 15:22:20 2014 : Info: [mschap] expand: %{%{User-Name}:-None} -> peterpan Tue Jan 21 15:22:20 2014 : Info: [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=peterpan Tue Jan 21 15:22:20 2014 : Info: [mschap] Creating challenge hash with username: peterpan Tue Jan 21 15:22:20 2014 : Info: [mschap] expand: %{mschap:Challenge} -> 961c5ef0871022f8 Tue Jan 21 15:22:20 2014 : Info: [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=961c5ef0871022f8 Tue Jan 21 15:22:20 2014 : Info: [mschap] No NT-Domain was found in the User-Name. Tue Jan 21 15:22:20 2014 : Info: [mschap] expand: %{mschap:NT-Domain} -> Tue Jan 21 15:22:20 2014 : Info: [mschap] ... expanding second conditional Tue Jan 21 15:22:20 2014 : Info: [mschap] expand: --domain=%{%{mschap:NT-Domain}:-ADINT.DIR} -> --domain=ADINT.DIR Tue Jan 21 15:22:20 2014 : Info: [mschap] expand: %{mschap:NT-Response} -> 500c5d66631f60e8c22cd8510406cb15c0868eee8d7a9fed Tue Jan 21 15:22:20 2014 : Info: [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=500c5d66631f60e8c22cd8510406cb15c0868eee8d7a9fed Tue Jan 21 15:22:20 2014 : Debug: Exec-Program output: Reading winbind reply failed! (0xc0000001) Tue Jan 21 15:22:20 2014 : Debug: Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001) Tue Jan 21 15:22:20 2014 : Debug: Exec-Program: returned: 1 Tue Jan 21 15:22:20 2014 : Info: [mschap] External script failed. Tue Jan 21 15:22:20 2014 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect Tue Jan 21 15:22:20 2014 : Info: ++[mschap] returns reject Tue Jan 21 15:22:20 2014 : Info: [eap] Freeing handler Tue Jan 21 15:22:20 2014 : Info: ++[eap] returns reject Tue Jan 21 15:22:20 2014 : Info: Failed to authenticate the user. Tue Jan 21 15:22:20 2014 : Auth: Login incorrect (mschap: External script says Reading winbind reply failed! (0xc0000001)): [peterpan/<via Auth-Type = EAP>] (from client WLAN port 29 cli 84-3a-4b-7a-6a-2c via TLS tunnel) Does anyone know why this happen? Regards Carsten
The radiusd process can¹t read the response from winbind. http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HO WTO "WARNING!!! When called by radiusd (thus directly setting the challenge value) the ntlm_auth program needs permission to access winbindd's winbindd_privileged directory (somewhere under /var). Read access will usually be sufficient. The radiusd.conf file sets the uid and gid your radiusd process will run as (by the user and group directives, respectively). The ntlm_auth process will have the same identity. If your filesystem containing the winbindd_privileged directory supports POSIX ACLs, you can safely grant ntlm_auth the necessary permissions, in case your disribution's default setting were insufficient. If radiusd runs as the user radiusd for example, then you should use setfacl the following way setfacl -m u:radiusd:rx winbindd_privileged Or something similar. See http://www.suse.de/~agruen/acl/linux-acls/online/ or man setfacl for more information on POSIX ACLs!" Dave Aldwinckle On 1/21/2014, 9:47 AM, "Carsten Czerner" <carsten.czerner@leuphana.de> wrote:
Hi,
I have some trouble with the implementation of a WLAN - PEAP Authentification with freeradius and ntlm-auth against a Windows2012 Server.
I used the freeradius howto:
- The pc can authentificate against the domain:
root@rad1-wlan:/etc/freeradius/sites-enabled# /usr/bin/ntlm_auth --request-nt-key --domain=ADINT.DIR --username=peterpan --password=1234567 NT_STATUS_OK: Success (0x0)
When I try to connect to the wlan, I was promped for a user/password and after accepting the cert the following log appears:
ue Jan 21 15:22:20 2014 : Info: Found Auth-Type = EAP Tue Jan 21 15:22:20 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/wlan Tue Jan 21 15:22:20 2014 : Info: +- entering group eap {...} Tue Jan 21 15:22:20 2014 : Info: [eap] Request found, released from the list Tue Jan 21 15:22:20 2014 : Info: [eap] EAP/mschapv2 Tue Jan 21 15:22:20 2014 : Info: [eap] processing type mschapv2 Tue Jan 21 15:22:20 2014 : Info: [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/wlan Tue Jan 21 15:22:20 2014 : Info: [mschapv2] +- entering group MS-CHAP {...} Tue Jan 21 15:22:20 2014 : Info: [mschap] Creating challenge hash with username: peterpan Tue Jan 21 15:22:20 2014 : Info: [mschap] Told to do MS-CHAPv2 for peterpan with NT-Password Tue Jan 21 15:22:20 2014 : Info: [mschap] expand: %{Stripped-User-Name} -> Tue Jan 21 15:22:20 2014 : Info: [mschap] ... expanding second conditional Tue Jan 21 15:22:20 2014 : Info: [mschap] expand: %{User-Name} -> peterpan Tue Jan 21 15:22:20 2014 : Info: [mschap] expand: %{%{User-Name}:-None} -> peterpan Tue Jan 21 15:22:20 2014 : Info: [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=peterpan Tue Jan 21 15:22:20 2014 : Info: [mschap] Creating challenge hash with username: peterpan Tue Jan 21 15:22:20 2014 : Info: [mschap] expand: %{mschap:Challenge} -> 961c5ef0871022f8 Tue Jan 21 15:22:20 2014 : Info: [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=961c5ef0871022f8 Tue Jan 21 15:22:20 2014 : Info: [mschap] No NT-Domain was found in the User-Name. Tue Jan 21 15:22:20 2014 : Info: [mschap] expand: %{mschap:NT-Domain} -> Tue Jan 21 15:22:20 2014 : Info: [mschap] ... expanding second conditional Tue Jan 21 15:22:20 2014 : Info: [mschap] expand: --domain=%{%{mschap:NT-Domain}:-ADINT.DIR} -> --domain=ADINT.DIR Tue Jan 21 15:22:20 2014 : Info: [mschap] expand: %{mschap:NT-Response} -> 500c5d66631f60e8c22cd8510406cb15c0868eee8d7a9fed Tue Jan 21 15:22:20 2014 : Info: [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=500c5d66631f60e8c22cd8510406cb15c0868eee8d7a9fed Tue Jan 21 15:22:20 2014 : Debug: Exec-Program output: Reading winbind reply failed! (0xc0000001) Tue Jan 21 15:22:20 2014 : Debug: Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001) Tue Jan 21 15:22:20 2014 : Debug: Exec-Program: returned: 1 Tue Jan 21 15:22:20 2014 : Info: [mschap] External script failed. Tue Jan 21 15:22:20 2014 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect Tue Jan 21 15:22:20 2014 : Info: ++[mschap] returns reject Tue Jan 21 15:22:20 2014 : Info: [eap] Freeing handler Tue Jan 21 15:22:20 2014 : Info: ++[eap] returns reject Tue Jan 21 15:22:20 2014 : Info: Failed to authenticate the user. Tue Jan 21 15:22:20 2014 : Auth: Login incorrect (mschap: External script says Reading winbind reply failed! (0xc0000001)): [peterpan/<via Auth-Type = EAP>] (from client WLAN port 29 cli 84-3a-4b-7a-6a-2c via TLS tunnel)
Does anyone know why this happen?
Regards Carsten
Hi Am 21.01.2014 19:11, schrieb David Aldwinckle:
The radiusd process can¹t read the response from winbind.
http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HO WTO
[...]
setfacl -m u:radiusd:rx winbindd_privileged
Or something similar. See http://www.suse.de/~agruen/acl/linux-acls/online/ or man setfacl for more information on POSIX ACLs!"
I remember being in that situation on my first setup with FreeRADIUS. Actually is there something wrong (on Debian and alikes) to simply add the user freerad to the winbindd_privileged group or is there a security risk I don't realize in contrast to setfacl? -- Mat
Hi, thank you so much for your help! :) System Debian7 nano /etc/group winbindd_priv:x:106:freerad just added the freerad user to the winbindd-priv group. Thats it! Regards Carsten Am 21.01.2014 19:44, schrieb Mathieu Simon (Lists):
Hi Am 21.01.2014 19:11, schrieb David Aldwinckle:
The radiusd process can¹t read the response from winbind.
http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HO WTO
[...]
setfacl -m u:radiusd:rx winbindd_privileged
Or something similar. See http://www.suse.de/~agruen/acl/linux-acls/online/ or man setfacl for more information on POSIX ACLs!" I remember being in that situation on my first setup with FreeRADIUS. Actually is there something wrong (on Debian and alikes) to simply add the user freerad to the winbindd_privileged group or is there a security risk I don't realize in contrast to setfacl?
-- Mat - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Carsten Czerner wrote:
I have some trouble with the implementation of a WLAN - PEAP Authentification with freeradius and ntlm-auth against a Windows2012 Server.
I used the freeradius howto:
- The pc can authentificate against the domain:
root@rad1-wlan:/etc/freeradius/sites-enabled# /usr/bin/ntlm_auth --request-nt-key --domain=ADINT.DIR --username=peterpan --password=1234567 NT_STATUS_OK: Success (0x0)
That's good.
Tue Jan 21 15:22:20 2014 : Debug: Exec-Program output: Reading winbind reply failed! (0xc0000001) Tue Jan 21 15:22:20 2014 : Debug: Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)
ntlm_auth is returning a message that tells you what the problem is.
Does anyone know why this happen?
Usually because ntlm_auth doesn't have permission to talk to winbindd. Check the permissions. Odds are when you run "radiusd -X" as *root*, it will work. Alan DeKok.
participants (7)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Carsten Czerner -
David Aldwinckle -
Maciej Uhlig -
Mathieu Simon (Lists)