Authorize section not getting called

Alan DeKok aland at deployingradius.com
Fri Feb 2 14:49:09 CET 2018


> On Feb 2, 2018, at 12:27 AM, Michael Sartain <mikesart at fastmail.com> wrote:
> From what I can tell, group authorize was never called, so who/what/where is
> nacking this username?

  The debug log shows it running the "authorize" section.

>> Any reason you’re using 2.2.10 for what I presume is a new build? You 
>> should use 3.0.16 if you can.
> 
> Unfortunately, this is the build that Synology is currently shipping:
> 
> https://www.synology.com/en-us/dsm/packages/RadiusServer
> 
> So it's the path of least resistance to get this older version working. If this
> isn't possible, I'll look at running a newer version in a docker instance, but
> that's a decent bit more work.

  2.2.10 is old, but it should work...

> rad_recv: Access-Request packet from host 10.10.10.10 port 36379, id=65, length=48
>        User-Name = "mikesart"
>        User-Password = "password"
> # Executing section authorize from file /usr/local/synoradius/rad_site_def_local
> +group authorize {

  That's the "authorize" section...

> ++[preprocess] = ok
> ++[chap] = noop
> ++[mschap] = noop
> ++[digest] = noop
> [suffix] No '@' in User-Name = "mikesart", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] = noop
> rlm_unix: Find real name [mikesart] -> [mikesart]
> ++[unix] = updated
> ++[files] = noop
> [smbpasswd] Added LM-Password: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' to config_items 
> [smbpasswd] Added NT-Password: '8846F7EAEE8FB117AD06BDD830B7586C' to config_items 
> [smbpasswd] Added SMB-Account-CTRL-TEXT: '[U          ]' to config_items 
> ++[smbpasswd] = ok
> ++[expiration] = noop
> ++[logintime] = noop
> [pap] Normalizing LM-Password from base64 encoding
> [pap] Normalizing NT-Password from hex encoding
> ++[pap] = updated
> +} # group authorize = updated
> Found Auth-Type = PAP
> # Executing group from file /usr/local/synoradius/rad_site_def_local
> +group PAP {
> [pap] login attempt with password "password"
> [pap] Using CRYPT password "$6$tTVl/E3frQR2gIJl$RXuU9/AT0F2SLYRRbcJ.NeF5cOLBLL5u7uws7JIqMTMm.Ws7cIbiyPhit3.94TXEyOO4CSTXRrDiXeHELhZbN1"
> [pap] User authenticated successfully

  That's good.

> rad_recv: Access-Request packet from host 10.10.10.10 port 51390, id=195, length=45
>        User-Name = "alice"
>        User-Password = "passme"
> ##
> ## Mike: where could this Login incorrect be coming from?
> ##
> Login incorrect: Incorrect user name (input name [alice], full name [alice])

  That's a change made by Synology.  There is no such text "input name / full name" in the default config or source code.

  Ask Synology why they've broken the server, and how to fix it.

  Alan DeKok.
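Added example, not part of the original message and not FreeRADIUS or Synology code: a small parser for debug output in the format quoted above that records, per received packet, which sections and modules ran, and flags a "Login incorrect" that appears with no authorize section logged. The function name `summarize`, the record fields, and the assumption that other logs follow the same line formats as this 2.2.10 excerpt are illustrative.

```python
import re

# Constructed sample: shortened excerpt of the debug output quoted above,
# with the ">" quote markers and password material removed.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.10.10.10 port 36379, id=65, length=48
       User-Name = "mikesart"
# Executing section authorize from file /usr/local/synoradius/rad_site_def_local
+group authorize {
++[preprocess] = ok
++[unix] = updated
++[pap] = updated
+} # group authorize = updated
[pap] User authenticated successfully
rad_recv: Access-Request packet from host 10.10.10.10 port 51390, id=195, length=45
       User-Name = "alice"
Login incorrect: Incorrect user name (input name [alice], full name [alice])
"""

RECV = re.compile(r"^rad_recv: \S+ packet from host \S+ port \d+, id=(\d+)")
USER = re.compile(r'^\s*User-Name = "(.*)"')
SECTION = re.compile(r"^# Executing section (\S+) from file")
MODULE = re.compile(r"^\++\[(\w+)\] = (\w+)")


def summarize(log_text):
    """Return one record per received packet, in log order."""
    requests, cur = [], None
    for line in log_text.splitlines():
        if (m := RECV.match(line)):
            cur = {"id": int(m.group(1)), "user": None, "sections": [],
                   "modules": {}, "early_reject": False}
            requests.append(cur)
        elif cur is None:
            continue  # text before the first packet
        elif (m := USER.match(line)):
            cur["user"] = m.group(1)
        elif (m := SECTION.match(line)):
            cur["sections"].append(m.group(1))
        elif (m := MODULE.match(line)):
            cur["modules"][m.group(1)] = m.group(2)
        elif line.startswith("Login incorrect"):
            # Reject logged with no authorize section for this packet.
            cur["early_reject"] = "authorize" not in cur["sections"]
    return requests


if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print(r["id"], r["user"], r["sections"], r["early_reject"])
```
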



