Upgrade from 3.0.17 to 3.0.19 and error "Unable to set parent list"
Marek Zarychta
zarychtam at plan-b.pwste.edu.pl
Sun Apr 14 23:06:38 CEST 2019
Dear list,
it looks like after upgrade from 3.0.17 to 3.0.19 successfully
authenticated users are rejected in post-auth section with the error
"Unable to set parent list". This applies only to users from our realm
(self-proxied requests).
Should configuration files be updated with regard to this update?
Almost the same config worked fine for 3.0.14, 3.0.15 and 3.0.17 (3.0.16
had issues with self-proxied requests though, but it had been fixed in
the tree just after the release date).
Please see attached diffs:
# diff -U 2 sesjaok sesjafail
--- sesjaok 2019-04-14 22:13:01.784098000 +0200
+++ sesjafail 2019-04-14 22:10:32.664311000 +0200
(...)
@@ -4772,14 +4823,14 @@
(9) sql: --> .query
(9) sql: Using query template 'query'
-rlm_sql (sql): Reserved connection (6)
+rlm_sql (sql): Reserved connection (0)
(9) sql: EXPAND %{User-Name}
(9) sql: --> testuser at realm.tld
(9) sql: SQL-User-Name set to 'testuser at realm.tld'
(9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, apid,
authdate) VALUES ( '%{SQL-User-Name}', '%{Calling-Station-Id}',
'%{reply:Packet-Type}', '%{Aruba-Location-Id}', '%S')
-(9) sql: --> INSERT INTO radpostauth (username, pass, reply, apid,
authdate) VALUES ( 'testuser at realm.tld', '02-00-00-00-00-01',
'Access-Accept', '', '2019-04-14 22:13:01')
-(9) sql: Executing query: INSERT INTO radpostauth (username, pass,
reply, apid, authdate) VALUES ( 'testuser at realm.tld',
'02-00-00-00-00-01', 'Access-Accept', '', '2019-04-14 22:13:01')
+(9) sql: --> INSERT INTO radpostauth (username, pass, reply, apid,
authdate) VALUES ( 'testuser at realm.tld', '02-00-00-00-00-01',
'Access-Accept', '', '2019-04-14 22:10:31')
+(9) sql: Executing query: INSERT INTO radpostauth (username, pass,
reply, apid, authdate) VALUES ( 'testuser at realm.tld',
'02-00-00-00-00-01', 'Access-Accept', '', '2019-04-14 22:10:31')
(9) sql: SQL query returned: success
(9) sql: 1 record(s) updated
-rlm_sql (sql): Released connection (6)
+rlm_sql (sql): Released connection (0)
(9) [sql] = ok
(9) if (1) {
@@ -4797,21 +4848,48 @@
(9) } # update reply = noop
(9) update {
-(9) &outer.session-state::Chargeable-User-Identity +=
&reply:Chargeable-User-Identity[*] ->
0x63353435653635306130656261383366316437303930663232336264326334373266666533613930
-(9) } # update = noop
-(9) } # if (1) = noop
-(9) } # post-auth = ok
-(9) Login OK: [testuser at realm.tld] (from client TEST-NET port 0 cli
02-00-00-00-00-01 via TLS tunnel)
+(9) ERROR: Unable to set parent list
+(9) } # update = fail
+(9) } # if (1) = fail
+(9) } # post-auth = fail
+(9) Using Post-Auth-Type Reject
+(9) # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
+(9) Post-Auth-Type REJECT {
+(9) sql: EXPAND .query
+(9) sql: --> .query
+(9) sql: Using query template 'query'
+rlm_sql (sql): Reserved connection (1)
+(9) sql: EXPAND %{User-Name}
+(9) sql: --> testuser at realm.tld
+(9) sql: SQL-User-Name set to 'testuser at realm.tld'
+(9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, apid,
authdate) VALUES ( '%{SQL-User-Name}', '%{Calling-Station-Id}',
'%{reply:Packet-Type}', '%{Aruba-Location-Id}', '%S')
+(9) sql: --> INSERT INTO radpostauth (username, pass, reply, apid,
authdate) VALUES ( 'testuser at realm.tld', '02-00-00-00-00-01',
'Access-Reject', '', '2019-04-14 22:10:31')
+(9) sql: Executing query: INSERT INTO radpostauth (username, pass,
reply, apid, authdate) VALUES ( 'testuser at realm.tld',
'02-00-00-00-00-01', 'Access-Reject', '', '2019-04-14 22:10:31')
+(9) sql: SQL query returned: success
+(9) sql: 1 record(s) updated
+rlm_sql (sql): Released connection (1)
+(9) [sql] = ok
+(9) inner_auth_log: EXPAND inner_auth_log.%{%{reply:Packet-Type}:-format}
+(9) inner_auth_log: --> inner_auth_log.Access-Reject
+(9) inner_auth_log: EXPAND
user-auth#VISINST=%{request:Operator-Name}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown
Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access
Point}#CUI=%{%{%{reply:Chargeable-User-Identity}:-%{outer.reply:Chargeable-User-Identity}}:-Local
User}#RESULT=FAIL#
+(9) inner_auth_log: -->
user-auth#VISINST=1realm.tld#USER=testuser at realm.tld#CSI=02-00-00-00-00-01#NAS=Unknown
Access
Point#CUI=0x63353435653635306130656261383366316437303930663232336264326334373266666533613930#RESULT=FAIL#
+(9) [inner_auth_log] = ok
+(9) attr_filter.access_reject: EXPAND %{User-Name}
+(9) attr_filter.access_reject: --> testuser at realm.tld
+(9) attr_filter.access_reject: Matched entry DEFAULT at line 11
+(9) [attr_filter.access_reject] = updated
+(9) update outer.session-state {
+(9) ERROR: Unable to set parent list
+(9) } # update outer.session-state = fail
+(9) } # Post-Auth-Type REJECT = fail
+(9) Rejected in post-auth: [testuser at realm.tld] (from client TEST-NET
port 0 cli 02-00-00-00-00-01 via TLS tunnel)
+(9) Login incorrect (Unable to set parent list): [testuser at realm.tld]
(from client TEST-NET port 0 cli 02-00-00-00-00-01 via TLS tunnel)
(9) } # server inner-tunnel
(9) Virtual server sending reply
-(9) Chargeable-User-Identity :=
0x63353435653635306130656261383366316437303930663232336264326334373266666533613930
-(9) eap_peap: Got tunneled reply code 2
-(9) eap_peap: Chargeable-User-Identity :=
0x63353435653635306130656261383366316437303930663232336264326334373266666533613930
-(9) eap_peap: Got tunneled reply RADIUS code 2
-(9) eap_peap: Chargeable-User-Identity :=
0x63353435653635306130656261383366316437303930663232336264326334373266666533613930
-(9) eap_peap: Tunneled authentication was successful
-(9) eap_peap: SUCCESS
-(9) eap_peap: Saving tunneled attributes for later
+(9) eap_peap: Got tunneled reply code 3
+(9) eap_peap: Got tunneled reply RADIUS code 3
+(9) eap_peap: Tunneled authentication was rejected
+(9) eap_peap: FAILURE
(9) eap: Sending EAP Request (code 1) ID 10 length 43
-(9) eap: EAP session adding &reply:State = 0x21a3f50328a9ec83
+(9) eap: EAP session adding &reply:State = 0xabcbb745a2c1aea2
(9) [eap] = handled
(9) } # authenticate = handled
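Review bot: the first behavioural difference in this hunk is `ERROR: Unable to set parent list`, raised at the point where the 3.0.17 log expands `&outer.session-state::Chargeable-User-Identity += &reply:Chargeable-User-Identity[*]`; the switch to Post-Auth-Type Reject, the second identical error at `update outer.session-state`, and the tunneled reply code 3 all follow from that one failure. The debug output shows only the result of those two `update` blocks, so including their text from sites-enabled/inner-tunnel (the post-auth section and the Post-Auth-Type REJECT section) alongside this diff would show exactly which list reference 3.0.19 fails on.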
@@ -4819,6 +4897,4 @@
(9) # Executing group from file
/usr/local/etc/raddb/sites-enabled/radius.realm.tld
(9) Challenge { ... } # empty sub-section is ignored
-(9) session-state: Saving cached attributes
-(9) Chargeable-User-Identity +=
0x63353435653635306130656261383366316437303930663232336264326334373266666533613930
(9) Finished internally proxied request.
(9) Clearing existing &reply: attributes
@@ -4830,5 +4906,5 @@
(9) post_proxy_log:
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
expands to /var/log/radacct/172.x.y.z/post-proxy-detail-20190414
(9) post_proxy_log: EXPAND %t
-(9) post_proxy_log: --> Sun Apr 14 22:13:01 2019
+(9) post_proxy_log: --> Sun Apr 14 22:10:31 2019
(9) [post_proxy_log] = ok
(9) attr_filter.post-proxy: EXPAND %{Realm}
--
Marek Zarychta