Hi All, I just enabled buffered sql on my server everything seems to be working but I am getting flooded with messages as such and I dont think accounting events are being picked up. FR 3.0.11 Failed opening detail file /var/log/radius/radacct/detail.work: Permission denied detail (/var/log/radius/radacct/detail*): Detail listener state unopened waiting 0.790671 sec I have tried all sorts of permissions on the /var/log/radius folder , it seems like as soon as the detail file is created by FR the errors starts appearing The permissions are as follows: [root@radius radius]# ls -l /var/log/radius/radacct total 8 --wxr----t 1 radiusd radiusd 1605 Jan 10 17:59 detail-20170110 --wxr----t 1 radiusd radiusd 1710 Jan 10 17:56 detail.work Any pointers would be greatly appreciated. Many Thanks Arnab
On Jan 10, 2017, at 1:05 PM, Arnab Roy <arnabroy@mail.com> wrote:
I just enabled buffered sql on my server everything seems to be working but I am getting flooded with messages as such and I dont think accounting events are being picked up.
FR 3.0.11
Failed opening detail file /var/log/radius/radacct/detail.work: Permission denied
Blame the OS. You've set up the server so that it can't read the files it's writing. What UID is the server running under?
detail (/var/log/radius/radacct/detail*): Detail listener state unopened waiting 0.790671 sec
I have tried all sorts of permissions on the /var/log/radius folder , it seems like as soon as the detail file is created by FR the errors starts appearing
Setting random permissions doesn't help. You need to know what UID is being used, and also what the permissions are on the directory.
The permissions are as follows:
[root@radius radius]# ls -l /var/log/radius/radacct total 8 --wxr----t 1 radiusd radiusd 1605 Jan 10 17:59 detail-20170110 --wxr----t 1 radiusd radiusd 1710 Jan 10 17:56 detail.work
That's... weird. It has permission to write the file, but not to read it? And why is the sticky bit set? You've done something to your system to break the permissions. Maybe you've set "umask" to a bizarre value. And perhaps broken the permissions on /var/log/radius and /var/log/radius/radacct When the server is installed / run for the first time, it creates the "radacct" directory, with the correct permissions. There should be no need to change the permissions to "fix" them. You'll need to find out what UID the server is running as, and then set the correct permissions on *all* of the directories. "chmod o+rwx" on the directories should do it. Alan DeKok.
Hi Alan, Thank you for pushing me in the right direction much appreciated. Seems ok now one colleagues had changed the file permissions in the detail module :( .. As a secondary question it seems its not capable of logging post-auth detail log such as a reject ? Is is not supported ? We have a need to log all access requests including rejects into the db , just scared that it will tank FR when put into production as Mysql will struggle to keep up with it so didnt directly want to call sql. Any suggestions are welcome. Many Thanks Arnab Sent: Tuesday, January 10, 2017 at 7:02 PM From: "Alan DeKok" <aland@deployingradius.com> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Subject: Re: Permission Denied buffered Sql On Jan 10, 2017, at 1:05 PM, Arnab Roy <arnabroy@mail.com> wrote:
I just enabled buffered sql on my server everything seems to be
but I am getting flooded with messages as such and I dont think accounting events are being picked up.
FR 3.0.11
Failed opening detail file /var/log/radius/radacct/detail.work: Permission denied Blame the OS. You've set up the server so that it can't read the files it's writing. What UID is the server running under? detail (/var/log/radius/radacct/detail*): Detail listener state unopened waiting 0.790671 sec
I have tried all sorts of permissions on the /var/log/radius folder , it seems like as soon as the detail file is created by FR the errors starts appearing Setting random permissions doesn't help. You need to know what UID is being used, and also what the permissions are on the directory. The permissions are as follows:
[root@radius radius]# ls -l /var/log/radius/radacct total 8 --wxr----t 1 radiusd radiusd 1605 Jan 10 17:59 detail-20170110 --wxr----t 1 radiusd radiusd 1710 Jan 10 17:56 detail.work That's... weird. It has permission to write the file, but not to read it? And why is the sticky bit set? You've done something to your system to break the permissions. Maybe you've set "umask" to a bizarre value. And perhaps broken the permissions on /var/log/radius and /var/log/radius/radacct When the server is installed / run for the first time, it creates the "radacct" directory, with the correct permissions. There should be no need to change the permissions to "fix" them. You'll need to find out what UID the server is running as, and then set the correct permissions on *all* of the directories. "chmod o+rwx" on the directories should do it. Alan DeKok.
working - List info/subscribe/unsubscribe? See [1]http://www.freeradius.org/list/users.html References 1. http://www.freeradius.org/list/users.html
On Jan 10, 2017, at 2:22 PM, Arnab Roy <arnabroy@mail.com> wrote:
Thank you for pushing me in the right direction much appreciated. Seems ok now one colleagues had changed the file permissions in the detail module :( ..
It always help to know what you're doing.
As a secondary question it seems its not capable of logging post-auth detail log such as a reject ? Is is not supported ?
Yes. See "Post-Auth-Type Reject". Put modules in there, and they will be run on Access-Reject.
We have a need to log all access requests including rejects into the db , just scared that it will tank FR when put into production as Mysql will struggle to keep up with it so didnt directly want to call sql.
If it's ~100 packets/s, MySQL should keep up. Alan DeKok.
On Jan 10, 2017, at 2:22 PM, Arnab Roy <arnabroy@mail.com> wrote:
Thank you for pushing me in the right direction much appreciated. Seems ok now one colleagues had changed the file permissions in the detail module :( .. It always help to know what you're doing. As a secondary question it seems its not capable of logging post-auth detail log such as a reject ? Is is not supported ? Yes. See "Post-Auth-Type Reject". Put modules in there, and they will be run on Access-Reject. We have a need to log all access requests including rejects into the db , just scared that it will tank FR when put into production as Mysql will struggle to keep up with it so didnt directly want to call sql. If it's ~100 packets/s, MySQL should keep up. Alan DeKok.
Hi Alan, Ok just so that I have it clear in my head did you mean the buffered sql server supports post-auth update i.e. I can define in /etc/raddb/sites-enabled/buffered-sql post-auth { sql } statement in the buffered sql virtual server and then add detail in the Post-Auth-Type REJECT { detail .... } Like so and it will update sql on a buffered basis or you are simply referring to Post-Auth-Type REJECT { sql ... } Apologies before hand I am very new to FR and still getting my head around to all the structure etc. Many Thanks Arnab Sent: Tuesday, January 10, 2017 at 7:34 PM From: "Alan DeKok" <aland@deployingradius.com> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Subject: Re: Permission Denied buffered Sql - List info/subscribe/unsubscribe? See [1]http://www.freeradius.org/list/users.html References 1. http://www.freeradius.org/list/users.html
On Jan 10, 2017, at 3:10 PM, Arnab Roy <arnabroy@mail.com> wrote:
Ok just so that I have it clear in my head did you mean the buffered sql server supports post-auth update i.e. I can define in /etc/raddb/sites-enabled/buffered-sql
post-auth { sql }
statement in the buffered sql virtual server and then add detail in the
Post-Auth-Type REJECT { detail .... }
Like so and it will update sql on a buffered basis
No. You can't just list modules and magically expect them to be glued together in the way that you want.
or you are simply referring to
Post-Auth-Type REJECT { sql ... }
Apologies before hand I am very new to FR and still getting my head around to all the structure etc.
The buffered-sql virtual server contains a lot of documentation on how it works, and what it does. I suggest reading it. That will clarify a lot of questions. Alan DeKok.
participants (2)
-
Alan DeKok -
Arnab Roy