Getting error only when *not* running in debug mode....
Mark J. Bobak
mark at bobak.net
Thu Jun 17 16:23:56 CEST 2021
Ok, I guess I'll have to do some research on PAM.
But I tried 'sudo service freeradius debug', and it started in debug mode,
and when I tried radtest, it worked. So, I checked how freeradius is
running (root or freerad) and it's still running as 'freerad':
ubuntu at radius1:~$ ps -ef|grep freerad
root 8784 8497 0 14:19 pts/0 00:00:00 sudo service freeradius debug
root 8785 8784 0 14:19 pts/0 00:00:00 /bin/sh /etc/init.d/freeradius debug
freerad 8801 8785 0 14:19 pts/0 00:00:00 /usr/sbin/freeradius -X
ubuntu 8812 8627 0 14:20 pts/1 00:00:00 grep --color=auto freerad
So, I'm not sure what's going on here. Running as root works. Running as
freerad fails. Running as freerad w/ debug also works.
Help?
-Mark
On Thu, Jun 17, 2021 at 7:02 AM Alan DeKok <aland at deployingradius.com>
wrote:
> On Jun 16, 2021, at 7:13 PM, Mark J. Bobak <mark at bobak.net> wrote:
> > So, my new server is running Ubuntu 20.04 and using the NetworkRadius
> > packages to install freeradius 3.0.23. I have also installed
> > libpam-google-authenticator, and integrated it according to these steps:
> > https://networkjutsu.com/freeradius-google-authenticator/
>
> 3.0.23 includes a TOTP module. Which means you can put the TOTP secrets
> into a database, or pretty much anywhere else you want. And you don't need
> to use PAM. And, that users don't need to have login accounts.
>
> > This seems to have worked fine. I was running freeradius manually, with
> > debug (-X) enabled, and everything seemed to be working fine.
> > sudo /usr/sbin/freeradius -X
>
> i.e. as root.
>
> > So, I killed freeradius (CTRL-C), and tried:
> > sudo service freeradius start
> > It started up fine.
>
> And runs as user "radiusd".
>
> > But, now when I try authenticating (using radtest):
> > radtest mbobak redacted123456 localhost:1812 0 'redacted'
> >
> > I get Access-Rejected
> > Looking at the log file, /var/log/freeradius/radius.log, I see:
> > Wed Jun 16 22:42:54 2021 : Info: Ready to process requests
> > Wed Jun 16 22:43:27 2021 : ERROR: (0) pam: ERROR: PAM conversation failed
> > Wed Jun 16 22:43:27 2021 : ERROR: (0) pam: ERROR: Error "Read-only file
> > system" while writing config
>
> That seems rather crazy, TBH. PAM shouldn't be writing *anything*
> during the normal course of operations.
>
> > But, even though it's reporting a read-only filesystem error, I'm thinking
> > it could be a permission problem on some file?
>
> Yes. User "radiusd" doesn't have permission to write the files.
>
> > But, I'm really baffled by the system working when I run freeradius
> > manually, but only errors when I run it from the service.
>
> User "root" has permission to write the files.
>
> You'll have to find out which file / directory is the problem, and then
> change the permissions. I'm sure that information is buried somewhere in
> the PAM documentation. It's outside of the scope of FreeRADIUS.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
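
One way to follow the advice above and find which file or directory the service account cannot write, as an added example that is not from the thread or from FreeRADIUS: it walks a path and reports the first component whose mode bits block a given account. The function names are hypothetical, the tree in demo() is constructed, and only owner/group/other mode bits are considered (no ACLs, no mount options).

```python
import os
import pwd
import sys
import tempfile

def allowed(st, uid, gids, need):
    """True if the mode bits in `st` grant `need` (w=2, x=1) to uid/gids."""
    if uid == 0:
        return True  # root bypasses mode bits, so a run as root hides the problem
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & need) == need

def first_denied(target, uid, gids, base="/"):
    """First (path, reason) from `base` down to `target` blocking a write, else None."""
    base, target = os.path.realpath(base), os.path.realpath(target)
    rel = os.path.relpath(target, base)
    path = base
    for part in ([] if rel == "." else rel.split(os.sep)):
        if not allowed(os.stat(path), uid, gids, 1):  # directories need search (x)
            return path, "directory not searchable"
        path = os.path.join(path, part)
    if not allowed(os.stat(path), uid, gids, 2):
        return path, "not writable"
    return None

def demo():
    """Constructed tree: 0700 directory with a 0600 file, probed as a non-owner uid."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "home")
    state = os.path.join(home, "state")
    os.mkdir(home)
    open(state, "w").close()
    os.chmod(root, 0o755)
    os.chmod(home, 0o700)
    os.chmod(state, 0o600)
    owner = os.stat(state).st_uid
    return home, [first_denied(state, uid, set(), root) for uid in (owner + 1, owner)]

if __name__ == "__main__":
    if len(sys.argv) == 3:  # ACCOUNT PATH: the service account and the file to check
        acct = pwd.getpwnam(sys.argv[1])
        gids = set(os.getgrouplist(acct.pw_name, acct.pw_gid))
        print(first_denied(sys.argv[2], acct.pw_uid, gids) or "mode bits allow the write")
    else:
        print(demo())
```

Run with an account name and a path to check a real system, for example the `freerad` account shown in the ps output; with no arguments it prints the result for the constructed tree.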