Getting error only when *not* running in debug mode....
Mark J. Bobak
mark at bobak.net
Thu Jun 17 16:23:56 CEST 2021
Ok, I guess I'll have to do some research on PAM.
But I tried 'sudo service freeradius debug', and it started in debug mode,
and when I tried radtest, it worked. So, I checked how freeradius is
running (root or freerad) and it's still running as 'freerad':
ubuntu at radius1:~$ ps -ef|grep freerad
root 8784 8497 0 14:19 pts/0 00:00:00 sudo service freeradius
root 8785 8784 0 14:19 pts/0 00:00:00 /bin/sh
freerad 8801 8785 0 14:19 pts/0 00:00:00 /usr/sbin/freeradius -X
ubuntu 8812 8627 0 14:20 pts/1 00:00:00 grep --color=auto
So, I'm not sure what's going on here. Running as root works. Running as
freerad fails. Running as freerad w/ debug also works.
On Thu, Jun 17, 2021 at 7:02 AM Alan DeKok <aland at deployingradius.com>
> On Jun 16, 2021, at 7:13 PM, Mark J. Bobak <mark at bobak.net> wrote:
> > So, my new server is running Ubuntu 20.04 and using the NetworkRadius
> > packages to install freeradius 3.0.23. I have also installed
> > libpam-google-authenticatior, and integrated it according to these steps:
> > https://networkjutsu.com/freeradius-google-authenticator/
> 3.0.23 includes a TOTP module. Which means you can out the TOTP secrets
> into a database, or pretty much anywhere else you want. And you don't need
> to use PAM. And, that users don't need to have login accounts.
> > This seems to have worked fine. I was running freeradius manually, with
> > debug (-X) enabled, and everything seemed to be working fine.
> > sudo /usr/sbin/freeradius -X
> i.e. as root.
> > So, I killed freeradius (CTRL-C), and tried:
> > sudo service freeradius start
> > It started up fine.
> And runs as user "radiusd".
> > But, now when I try authenticating (using radtest):
> > radtest mbobak redacted123456 localhost:1812 0 'redacted'
> > I get Access-Rejected
> > Looking at the log file, /var/log/freeradius/radius.log, I see:
> > Wed Jun 16 22:42:54 2021 : Info: Ready to process requests
> > Wed Jun 16 22:43:27 2021 : ERROR: (0) pam: ERROR: PAM conversation failed
> > Wed Jun 16 22:43:27 2021 : ERROR: (0) pam: ERROR: Error "Read-only file
> > system" while writing config
> That seems rather crazy, TBH. PAM shouldn't be writing *anything*
> during the normal course of operations.
> > But, even though it's reporting a read-only filesystem error, I'm
> > it could be a permission problem on some file?
> Yes. User "radiusd" doesn't have permission to write the files.
> > But, I'm really baffled by the system working when I run freeradius
> > manually, but only errors when I run it from the service.
> User "root" has permission to write the files.
> You'll have to find out which file / directory is the problem, and then
> change the permissions. I'm sure that information is buried somewhere in
> the PAM documentation. It's outside of the scope of FreeRADIUS.
> Alan DeKok.
> List info/subscribe/unsubscribe? See
More information about the Freeradius-Users