newbie on radiustesting

Ivan Kalik tnt at kalik.net
Thu Apr 17 12:35:47 CEST 2008


Someone with the same trouble a few years back:

http://lists.cistron.nl/pipermail/freeradius-users/2005-April/042507.html

Ivan Kalik
Kalik Informatika ISP


On 17/4/2008, "Si St" <sigbj-st at operamail.com> wrote:

>> ----- Original Message -----
>> From: A.L.M.Buxey at lboro.ac.uk
>> To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
>> Subject: Re: newbie on radiustesting
>> Date: Wed, 16 Apr 2008 21:52:38 +0100
>>
>>
>> Hi,
>>
>> > A: All running, both radiusd -X and rcradiusd start, is done as
>> > root, and unfortunately all messages come from the user root.
>>
>> okay. so definitely a permission issue for a non root user.
>> ...its late now so if no one else steps in you'll have to wait
>> to hear from me again. (in radiusd.conf the user is set to
>> radiusd, yes?)
>>
>> alan
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>YES, the user is set to radiusd in radiusd.conf:
>
># user/group: The name (or #number) of the user/group to run radiusd as.
>#
>#   If these are commented out, the server will run as the user/group
>#   that started it.  In order to change to a different user/group, you
>#   MUST be root ( or have root privleges ) to start the server.
>#
>#   We STRONGLY recommend that you run the server with as few permissions
>#   as possible.  That is, if you're not using shadow passwords, the
>#   user and group items below should be set to 'nobody'.
>#
>#    On SCO (ODT 3) use "user = nouser" and "group = nogroup".
>#
>#  NOTE that some kernels refuse to setgid(group) when the value of
>#  (unsigned)group is above 60000; don't use group nobody on these systems!
>#
>#  On systems with shadow passwords, you might have to set 'group = shadow'
>#  for the server to be able to read the shadow password file.  If you can
>#  authenticate users while in debug mode, but not in daemon mode, it may be
>#  that the debugging mode server is running as a user that can read the
>#  shadow info, and the user listed below can not.
>#
>user = radiusd
>group = radiusd
>........................................
>
>By the way does this excerpt from the top page of radiusd.conf tell anything about the problem?
>
>If the server builds and installs, but fails at execution time
>#   with an 'undefined symbol' error, then you can use the libdir
>#   directive to work around the problem.
>#
>#   The cause is usually that a library has been installed on your
>#   system in a place where the dynamic linker CANNOT find it.  When
>#   executing as root (or another user), your personal environment MAY
>#   be set up to allow the dynamic linker to find the library.  When
>#   executing as a daemon, FreeRADIUS MAY NOT have the same
>#   personalized configuration.
>
>
>....Remembering now that the output of rcradiusd start with the uncommented eap.conf\TLS part is:
>
>linux:/etc/raddb # rcradiusd start
>Starting RADIUS daemon 8188:error:0200100D:system library:fopen:Permission denied:bss_file.c:104:fopen('/etc/raddb/certs/demoCA/cacert.pem','r')
>8188:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:109:
>8188:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
>startproc:  exit status of parent of /usr/sbin/radiusd: 1
>                                                                      failed
>.....which is pretty much identical to the error messages from radiusd -X:
>
>8215:error:0200100D:system library:fopen:Permission denied:bss_file.c:104:fopen('/etc/raddb/certs/demoCA/cacert.pem','r')
>8215:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:109:
>8215:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
>rlm_eap_tls: Error reading Trusted root CA list
>rlm_eap: Failed to initialize type tls
>radiusd.conf[9]: eap: Module instantiation failed.
>
>Does this help you?
>
>
>
>
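Added example, not part of the original thread or of FreeRADIUS: a check for which path component stops the configured `user = radiusd` account from reading the CA file named in the `fopen` error. The function names are hypothetical, and only classic owner/group/other mode bits are evaluated (no ACLs, SELinux or AppArmor).

```python
import os, pwd, stat, sys

def allowed(st, uid, gids, want):
    """True if classic mode bits grant `want` ('r' or 'x'). Like the kernel,
    only one class applies: owner, else group, else other."""
    if st.st_uid == uid:
        mask = {"r": stat.S_IRUSR, "x": stat.S_IXUSR}[want]
    elif st.st_gid in gids:
        mask = {"r": stat.S_IRGRP, "x": stat.S_IXGRP}[want]
    else:
        mask = {"r": stat.S_IROTH, "x": stat.S_IXOTH}[want]
    return bool(st.st_mode & mask)

def first_blocker(path, uid, gids):
    """Return (component, 'x' or 'r') for the first directory that cannot be
    searched, or the final file that cannot be read; None if nothing blocks.
    Assumption: ACLs, SELinux and AppArmor are not evaluated."""
    if uid == 0:  # root bypasses mode bits
        return None
    path = os.path.realpath(path)
    chain = [os.sep]
    for name in path.strip(os.sep).split(os.sep):
        chain.append(os.path.join(chain[-1], name))
    for item in chain:
        want = "r" if item == path else "x"  # search dirs, read the file
        if not allowed(os.stat(item), uid, gids, want):
            return item, want
    return None

def ids_for(user):
    """uid and full group set (primary plus supplementary) of a local account."""
    pw = pwd.getpwnam(user)
    return pw.pw_uid, set(os.getgrouplist(user, pw.pw_gid))

if __name__ == "__main__":
    # Defaults are the account and file named in the thread.
    user = sys.argv[1] if len(sys.argv) > 1 else "radiusd"
    target = sys.argv[2] if len(sys.argv) > 2 else "/etc/raddb/certs/demoCA/cacert.pem"
    uid, gids = ids_for(user)
    hit = first_blocker(target, uid, gids)
    if hit is None:
        print("mode bits allow %s to read %s" % (user, target))
    else:
        print("%s lacks '%s' permission on %s" % (user, hit[1], hit[0]))
```

Run it as root so that every component can be stat'ed; a reported directory needs search (`x`) permission for the daemon account, and the file itself needs read (`r`).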



