newbie on radiustesting !

Si St sigbj-st at operamail.com
Thu Apr 17 12:29:26 CEST 2008


> ----- Original Message -----
> From: "Si St" <sigbj-st at operamail.com>
> To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> Subject: Re: newbie on radiustesting
> Date: Thu, 17 Apr 2008 11:04:46 +0100
> 
> 
> > ----- Original Message -----
> > From: A.L.M.Buxey at lboro.ac.uk
> > To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> > Subject: Re: newbie on radiustesting
> > Date: Wed, 16 Apr 2008 21:52:38 +0100
> >
> >
> > Hi,
> >
> > > A: All running, both radiusd -X and rcradiusd start, is done as 
> > > root, and unfortunately all messages come from the user root.
> >
> > okay. so definitely a permission issue for a non root user.
> > ...it's late now so if no one else steps in you'll have to wait
> > to hear from me again. (in radiusd.conf the user is set to
> > radiusd, yes?)
> >
> > alan
> > -
> > List info/subscribe/unsubscribe? See 
> > http://www.freeradius.org/list/users.html
> 
> YES, the user is set to radiusd in radiusd.conf:
> 
> # user/group: The name (or #number) of the user/group to run radiusd as.
> #
> #   If these are commented out, the server will run as the user/group
> #   that started it.  In order to change to a different user/group, you
> #   MUST be root ( or have root privleges ) to start the server.
> #
> #   We STRONGLY recommend that you run the server with as few permissions
> #   as possible.  That is, if you're not using shadow passwords, the
> #   user and group items below should be set to 'nobody'.
> #
> #    On SCO (ODT 3) use "user = nouser" and "group = nogroup".
> #
> #  NOTE that some kernels refuse to setgid(group) when the value of
> #  (unsigned)group is above 60000; don't use group nobody on these systems!
> #
> #  On systems with shadow passwords, you might have to set 'group = shadow'
> #  for the server to be able to read the shadow password file.  If you can
> #  authenticate users while in debug mode, but not in daemon mode, it may be
> #  that the debugging mode server is running as a user that can read the
> #  shadow info, and the user listed below can not.
> #
> user = radiusd
> group = radiusd
> .......................................
> 
> By the way does this excerpt from the top page of radiusd.conf tell 
> anything about the problem?
> 
> If the server builds and installs, but fails at execution time
> #   with an 'undefined symbol' error, then you can use the libdir
> #   directive to work around the problem.
> #
> #   The cause is usually that a library has been installed on your
> #   system in a place where the dynamic linker CANNOT find it.  When
> #   executing as root (or another user), your personal environment MAY
> #   be set up to allow the dynamic linker to find the library.  When
> #   executing as a daemon, FreeRADIUS MAY NOT have the same
> #   personalized configuration.
> 
> 
> ...Remembering now that the output of rcradiusd start with the 
> uncommented eap.conf\TLS part is:
> 
> linux:/etc/raddb # rcradiusd start
> Starting RADIUS daemon 8188:error:0200100D:system 
> library:fopen:Permission 
> denied:bss_file.c:104:fopen('/etc/raddb/certs/demoCA/cacert.pem','r')
> 8188:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:109:
> 8188:error:0B084002:x509 certificate 
> routines:X509_load_cert_crl_file:system lib:by_file.c:274:
> startproc:  exit status of parent of /usr/sbin/radiusd: 1
>                                                                        failed
> ....which is pretty much identical to the error messages from radiusd -X:
> 
> 8215:error:0200100D:system library:fopen:Permission 
> denied:bss_file.c:104:fopen('/etc/raddb/certs/demoCA/cacert.pem','r')
> 8215:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:109:
> 8215:error:0B084002:x509 certificate 
> routines:X509_load_cert_crl_file:system lib:by_file.c:274:
> rlm_eap_tls: Error reading Trusted root CA list
> rlm_eap: Failed to initialize type tls
> radiusd.conf[9]: eap: Module instantiation failed.
> 
> Does this help you?

WAIT A SEC!

While changing eap.conf, by accident the group was changed to root instead of staying on group radiusd. (I changed between 2 files: the orig eap.conf and the changed eap.conf.)
So after doing chgrp radiusd eap.conf, the error message has now changed to this:

linux:/etc/raddb # rcradiusd start
Starting RADIUS daemon 8682:error:0200100D:system library:fopen:Permission denied:bss_file.c:104:fopen('/etc/raddb/certs/demoCA/cacert.pem','r')
8682:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:109:
8682:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
startproc:  exit status of parent of /usr/sbin/radiusd: 1
                                                                      failed
 REALLY SORRY FOR THIS, but I did not notice it immediately
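
The error in this thread is `fopen('/etc/raddb/certs/demoCA/cacert.pem','r')` failing with Permission denied while radiusd.conf sets `user = radiusd`. As an added example (not part of the original post or of FreeRADIUS), the script below walks each component of such a path and prints the first one that a given uid and group list cannot search or read. It assumes GNU `stat` and evaluates classic mode bits only (no ACLs, AppArmor or SELinux); the function names `perm_ok` and `first_blocker` are made up for this example.

```shell
#!/bin/sh
# Added example: walk a path and report the first component that the given
# uid/gids cannot pass. Evaluates classic mode bits only (no ACLs, no
# AppArmor/SELinux) and assumes GNU stat (Linux).

# perm_ok UID "GID..." PATH NEED   (NEED: 4 = read, 1 = search/traverse)
perm_ok() {
    uid=$1; gids=$2; need=$4
    st=$(stat -L -c '%u %g %a' "$3") || return 2   # missing or unreachable
    [ "$uid" -eq 0 ] && return 0                   # root bypasses read/search bits
    set -- $st                                     # $1=owner $2=group $3=octal mode
    m=$((0$3))
    if [ "$uid" -eq "$1" ]; then
        bits=$(( (m >> 6) & 7 ))                   # owner class wins, even if weaker
    else
        bits=$(( m & 7 ))                          # default: "other" class
        for g in $gids; do
            if [ "$g" -eq "$2" ]; then bits=$(( (m >> 3) & 7 )); fi
        done
    fi
    [ $(( bits & need )) -ne 0 ]
}

# first_blocker UID "GID..." FILE
# Prints the first component that fails and returns 1; returns 0 if every
# directory is searchable and the final file is readable.
first_blocker() {
    fb_uid=$1; fb_gids=$2; fb_file=$3; cur=
    case $fb_file in /*)
        cur=/
        perm_ok "$fb_uid" "$fb_gids" / 1 || { echo /; return 1; } ;;
    esac
    old_ifs=$IFS; set -f; IFS=/; set -- $fb_file; IFS=$old_ifs; set +f
    i=0; n=$#
    for part in "$@"; do
        i=$((i + 1))
        [ -n "$part" ] || continue
        cur=${cur:+${cur%/}/}$part
        if [ "$i" -lt "$n" ]; then fb_need=1; else fb_need=4; fi
        perm_ok "$fb_uid" "$fb_gids" "$cur" "$fb_need" || { printf '%s\n' "$cur"; return 1; }
    done
}

# Script use: sh check.sh radiusd /etc/raddb/certs/demoCA/cacert.pem
if [ "$#" -eq 2 ]; then
    first_blocker "$(id -u "$1")" "$(id -G "$1")" "$2"
fi
```

A directory needs the search (x) bit for the run-as user and the file itself needs the read bit, so fixing the group on one file does not help while a parent directory such as `certs/demoCA` still excludes that group.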
