Problems with running freeradius
david at wood2.org.uk
Fri Jan 26 02:12:58 CET 2007
Hi Jacek and everyone,
In message <45B93F8D.5020203 at jpol.waw.pl>, Jacek Burszta
<jacek at jpol.waw.pl> writes
>> I've a problem with my new version FreeRADIUS 1.1.0_2 on FreeBSD 7.0 CURRENT
I got a fuller version of this report from Jacek directly and have sent
a longer reply by private mail. I see Phil's suggestion to follow
doc/bugs, and that is the eventual conclusion of this, but I don't
believe that's the first step.
Running an obsolete version of FreeRADIUS on a development branch of the
underlying operating system is not the best option for stability. At the
very least build the latest version of FreeRADIUS using the latest
version of the port - but if it still doesn't work, my options as the
maintainer are limited, especially as I don't have access to a FreeBSD
amd64 box of any description.
The development FreeBSD -CURRENT branch has unstable ABI / API. It isn't
even guaranteed to compile let alone run, and if it runs it may
malfunction. Further, the environment is different in -CURRENT to the
-STABLE branches supported by the Ports Collection. Most notably,
6-STABLE has stuck with gcc 3.4, whereas 7-CURRENT is using gcc 4.1.
-CURRENT is also different to -STABLE in various other ways (such as
OpenSSL 0.9.8d in the base system).
FreeBSD -RELEASE is recommended for production machines, or -STABLE at a
push. (For those not used to FreeBSD, -STABLE means stable ABI / API -
it's still a development branch and it may not actually be stable).
In this case, FreeRADIUS has segfaulted as it attempts to use OpenLDAP
(comparing to a debug run on an older version of the server), which is
why I suspect an incompatible ABI / API snafu or similar. Updating
/usr/src from the CVS without building and installing that version as
your kernel and user mode should be OK on -STABLE, but can break things
on -CURRENT as you can finish up with headers that don't match the
Only when you've upgraded the ports tree and ensured that everything on
the system (kernel, user land and ports) are compiled from the same CVS
checkout or snapshot of the OS is it time to turn to doc/bugs, and even
then the problem may be down to something not being right in your
development operating system.
My recommended way ahead, which is somewhat more terse than my reply by
FreeRADIUS 1.1.0 has a known security flaw, and 1.1.0_2 is nearly a year
old. The latest version of the port is 1.1.4_1, which should be
retrieved using portsnap(1), csup(1) or another suitable method. I'd
upgrade the whole ports tree, as if you've somehow got 1.1.0_2 on your
box, the rest of the ports tree could be 11 months out of date also, and
that's a lot of fixes and updates.
There is no point proceeding any further until you have the latest
version of the port installed and built.
As I said, FreeRADIUS segfaulted when attempting to use LDAP; I suspect
that something is wrong with the OpenLDAP shared library. Such are the
perils of running FreeBSD -CURRENT - the 'bleeding edge' branch where
the ABI and API can change without warning. -CURRENT is where the
operating system is developed, and isn't even guaranteed to compile, let
alone work properly.
The first stage is to back up everything (level 0 dumps of all
filesystems or similar), as any fixing may make things worse.
If building freeradius-1.1.4_1 doesn't solve the problem, rebuild
FreeRADIUS and all the ports it depends on (portupgrade -fR
net/freeradius or similar). You may have to rebuild all the ports on the
machine if you have problems with incompatible ABI.
Indeed, you may have to rebuild world - make buildworld, make
buildkernel, make installkernel, reboot into single user mode, make
installworld - read the full instructions in the FreeBSD Handbook (you
should use mergemaster at the appropriate points, for example) and make
doubly sure you have good backups first. You have been warned - even if
a checkout of -CURRENT compiles it could panic on boot. When you've done
that, you may need to rebuild all the ports - and I'm still not going to
guarantee it will work.
If that doesn't solve it, the debugging steps to take are in
/usr/local/share/doc/freeradius/bugs, which is the doc/bugs file
referred to Phil's reply. There's no easy way of issuing
--enable-developer via the port - maybe I should add that to the options
in the port. It would likely be a case of getting busy with gdb and
finding out exactly what is causing the segfault. There is, of course,
no point doing this on the obsolete 1.1.0 code.
The ports collection is only guaranteed to work on supported -STABLE
branches, which means 5-STABLE or 6-STABLE at the moment (see
rticle.html#AEN165> ). FreeBSD -CURRENT isn't recommended for a
production machine; indeed, -STABLE isn't really recommended for a
production machine either. At this time, 6.2-RELEASE (which ideally
means tracking RELENG_6_2 to get security fixes and errata) is arguably
the best version to use for production machines, assuming that it
supports all your hardware.
Really, you're on your own with -CURRENT to a large extent; technical
competence is expected, as is following the freebsd-current mailing list
and being able to help troubleshoot your own problems.
As I said in the private reply, I'm particularly limited in what I can
do in this case, as I don't have a FreeBSD amd64 box, nor do I run
-CURRENT. However, I hope this helps.
david at wood2.org.uk
More information about the Freeradius-Users