Getting error only when *not* running in debug mode....

Alan DeKok aland at deployingradius.com
Thu Jun 17 13:01:58 CEST 2021


On Jun 16, 2021, at 7:13 PM, Mark J. Bobak <mark at bobak.net> wrote:
> So, my new server is running Ubuntu 20.04 and using the NetworkRadius
> packages to install freeradius 3.0.23.  I have also installed
> libpam-google-authenticator, and integrated it according to these steps:
> https://networkjutsu.com/freeradius-google-authenticator/

  3.0.23 includes a TOTP module.  Which means you can put the TOTP secrets into a database, or pretty much anywhere else you want.  And you don't need to use PAM.  And, that users don't need to have login accounts.

> This seems to have worked fine.  I was running freeradius manually, with
> debug (-X) enabled, and everything seemed to be working fine.
> sudo /usr/sbin/freeradius -X

  i.e. as root.

> So, I killed freeradius (CTRL-C), and tried:
> sudo service freeradius start
> It started up fine.

  And runs as user "radiusd".

> But, now when I try authenticating (using radtest):
> radtest mbobak redacted123456 localhost:1812 0 'redacted'
> 
> I get Access-Rejected
> Looking at the log file, /var/log/freeradius/radius.log, I see:
> Wed Jun 16 22:42:54 2021 : Info: Ready to process requests
> Wed Jun 16 22:43:27 2021 : ERROR: (0) pam: ERROR: PAM conversation failed
> Wed Jun 16 22:43:27 2021 : ERROR: (0) pam: ERROR: Error "Read-only file
> system" while writing config

  That seems rather crazy, TBH.  PAM shouldn't be writing *anything* during the normal course of operations.

> But, even though it's reporting a read-only filesystem error, I'm thinking
> it could be a permission problem on some file?

  Yes.  User "radiusd" doesn't have permission to write the files.

> But, I'm really baffled by the system working when I run freeradius
> manually, but only errors when I run it from the service.

  User "root" has permission to write the files.

  You'll have to find out which file / directory is the problem, and then change the permissions.  I'm sure that information is buried somewhere in the PAM documentation.  It's outside of the scope of FreeRADIUS.

  Alan DeKok.
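
Added example, not part of the original message and not FreeRADIUS or PAM code: one way to narrow down which file or directory a service account cannot write, telling a read-only mount apart from a mode-bit denial. The account name and candidate paths are supplied by the caller as assumptions; the thread does not say which file PAM writes.

```python
import grp
import os
import pwd
import stat
import sys


def can_write(mode, owner_uid, owner_gid, uid, gids):
    """Classic Unix mode-bit check; ignores ACLs and LSM policy."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def identity(username):
    """Return (uid, set of gids) for a local account such as the service user."""
    pw = pwd.getpwnam(username)
    extra = {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, {pw.pw_gid} | extra


def diagnose(path, uid, gids):
    """Check a path and its parent directory; return (target, reason) pairs."""
    findings = []
    for target in (path, os.path.dirname(os.path.abspath(path))):
        try:
            st = os.stat(target)
            read_only = bool(os.statvfs(target).f_flag & os.ST_RDONLY)
        except OSError as exc:
            findings.append((target, exc.strerror))
            continue
        if read_only:
            findings.append((target, "read-only mount"))  # write gives EROFS
        elif not can_write(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            findings.append((target, "mode bits deny write"))  # write gives EACCES
    return findings


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: check.py USER PATH [PATH ...]")
    uid, gids = identity(sys.argv[1])
    for p in sys.argv[2:]:
        for target, reason in diagnose(p, uid, gids) or [(p, "writable")]:
            print(f"{sys.argv[1]}: {target}: {reason}")
```

Run it as root so every candidate path can be examined. The read-only check reflects the mounts visible to the process running the script, which may differ from what the service itself sees.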



