Hi all! I am trying to authenticate against a smbpasswd file with freeradius-1.0.1 on a fedora core 3 machine. When I start radius in debug mode, it shows me that authentication is progressing perfect (modcall: group authorize returns ok for request 0) However it still returns a accept-reject package. I have the funny feeling I did miss a line somewhere in the radius.conf file. Here is the console output. btw I started radius with with # radiusd -sfxxyz -l stdout Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded DIGEST Module: Instantiated digest (digest) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (auth_log) Module: Loaded attr_filter attr_filter: attrsfile = "/etc/raddb/attrs" rlm_attr_filter: Authorize method will be deprecated. Module: Instantiated attr_filter (attr_filter) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded passwd passwd: filename = "/etc/samba/smbpasswd" passwd: format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" passwd: authtype = "MS-CHAP" passwd: delimiter = ":" passwd: ignorenislike = no passwd: ignoreempty = yes passwd: allowmultiplekeys = no passwd: hashsize = 100 rlm_passwd: nfields: 7 keyfield 0(User-Name) listable: no Module: Instantiated passwd (etc_smbpasswd) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:32769, id=43, length=55 User-Name = "dkr" User-Password = "sleutel" NAS-IP-Address = 255.255.255.255 NAS-Port = 1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/var/log/radius/radacct/127.0.0.1/auth-detail-20050706' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20050706 modcall[authorize]: module "auth_log" returns ok for request 0 modcall[authorize]: module "attr_filter" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 users: Matched DEFAULT at 152 modcall[authorize]: module "files" returns ok for request 0 rlm_passwd: Added LM-Password: '84ECA50B0BFCDCBEAAD3B435B51404EE' to config_items rlm_passwd: Added NT-Password: '6CC3E48E5B94C5FABEA360744435FBF4' to config_items rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U ]' to config_items rlm_passwd: Adding "Auth-Type = MS-CHAP" modcall[authorize]: module "etc_smbpasswd" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns notfound for request 0 modcall: group authenticate returns notfound for request 0 auth: Failed to validate the user. Login incorrect: [dkr/sleutel] (from client localhost port 1) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 43 to 127.0.0.1:32769 Waking up in 4 seconds...
Ramses van Pinxteren <ramses@niob.knaw.nl> wrote:
When I start radius in debug mode, it shows me that authentication is progressing perfect (modcall: group authorize returns ok for request 0)
However it still returns a accept-reject package.
Did you *read* the debug output?
rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns notfound for request 0
What part of that is unclear? It's doing authentication against /etc/passwd, and not using the password from the smbpasswd file. Alan DeKok.
Thanks for this answer. I now start to undaerstand the debugreport. How can I now enable the etc_passwd section? Simply putting etc_passwd in the authorize section is not enough unfortunately. So again: a big HELPP Thanks ramses
Ramses van Pinxteren <ramses@niob.knaw.nl> wrote:
When I start radius in debug mode, it shows me that authentication is progressing perfect (modcall: group authorize returns ok for request 0)
However it still returns a accept-reject package.
Did you *read* the debug output?
rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns notfound for request 0
What part of that is unclear?
It's doing authentication against /etc/passwd, and not using the password from the smbpasswd file.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ramses van Pinxteren <ramses@niob.knaw.nl> wrote:
How can I now enable the etc_passwd section? Simply putting etc_passwd in the authorize section is not enough unfortunately.
What's going wrong? The default "radiusd.conf" contains a sample configuration for etc_smbpasswd. Uncomment it, and add "etc_smbpasswd" to the authorization section. It WILL work. If it doesn't, once again, READ THE DEBUG OUTPUT. I hate playing "twenty questions". If you're not going to say what the server is doing, no one here will ever be able to help you. (Or want to help you, for that matter.) Alan DeKok.
participants (2)
-
Alan DeKok -
Ramses van Pinxteren