Re: Configuring to use shadow passwords
Andrew Tait [EMAIL PROTECTED] wrote:
> I have set up freeradius on another server (actually it was still set up from our previous testing).
> ...
> The only thing I noticed was:
>
> Module: Loaded System
> unix: cache = no

I'm not sure that the non-caching code in rlm_unix has been well tested. Enable the caching, and it may work. If so, then there's a bug in the non-caching code.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Configuring to use shadow passwords
: user radtest found in hashtable bucket 16015
HASH: user Administrator found in hashtable bucket 86869
HASH: Stored 29 entries from /etc/passwd
HASH: Stored 45 entries from /etc/group
HASH: user radtest found in hashtable bucket 16015
modcall[authenticate]: module unix returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Sending Access-Reject of id 98 to 127.0.0.1:1028
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 98 with timestamp 3c742166
Nothing to do. Sleeping until we see a request.
***

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

It's the smell! If there is such a thing. Agent Smith - The Matrix

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, February 21, 2002 2:58 AM
Subject: Re: Configuring to use shadow passwords

Andrew Tait [EMAIL PROTECTED] wrote:
> I have set up freeradius on another server (actually it was still set up from our previous testing).
> ...
> The only thing I noticed was:
>
> Module: Loaded System
> unix: cache = no

I'm not sure that the non-caching code in rlm_unix has been well tested. Enable the caching, and it may work. If so, then there's a bug in the non-caching code.

Alan DeKok.
Re: Configuring to use shadow passwords
Andrew Tait [EMAIL PROTECTED] wrote:
> The fix was to comment out the shadow = /etc/shadow. No matter what I did I couldn't get it to work, until I decided to go back to the default Debian config, and try it again. Using the default config, it worked. After uncommenting the shadow line again, it didn't work.

Have you read the debug messages to see *why*? The messages will usually be helpful.

Were you running the server under the correct uid to read /etc/shadow? Read the comments in the configuration file around the 'shadow' item.

If there's a bug in the server, then we need to know what it is, and to fix it. If there's something unclear in the documentation, we need to fix that, too.

Alan DeKok.
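
Added example (not part of the original thread, and not FreeRADIUS code): the uid question above comes down to which single permission class the daemon's identity falls into on the shadow file. The uid/gid numbers and file modes are constructed for illustration, and ACLs and capabilities are ignored.

```python
import os
import stat
from types import SimpleNamespace

def read_class(st, uid, gids):
    """Return (allowed, class) for a read by uid/gids, from mode bits only.

    POSIX applies exactly one class: owner, else group, else other.
    Assumption: no ACLs, no Linux capabilities.
    """
    if uid == 0:
        return True, "root"
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IRUSR), "owner"
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP), "group"
    return bool(st.st_mode & stat.S_IROTH), "other"

def path_readable_by(path, uid, gids):
    """Same check against a real file, e.g. the path given in 'shadow = ...'."""
    return read_class(os.stat(path), uid, set(gids))

# Constructed cases: uid 105 stands for the daemon account, gid 42 for a 'shadow' group.
ROOT_SHADOW_0640 = SimpleNamespace(st_mode=0o100640, st_uid=0, st_gid=42)
ROOT_ROOT_0400 = SimpleNamespace(st_mode=0o100400, st_uid=0, st_gid=0)
SELF_OWNED_0040 = SimpleNamespace(st_mode=0o100040, st_uid=105, st_gid=42)

def demo():
    return {
        "daemon in group shadow, file root:shadow 0640":
            read_class(ROOT_SHADOW_0640, 105, {105, 42}),
        "daemon not in group shadow, same file":
            read_class(ROOT_SHADOW_0640, 105, {105}),
        "daemon in group shadow, file root:root 0400":
            read_class(ROOT_ROOT_0400, 105, {105, 42}),
        "file owned by daemon, mode 0040 (owner class wins)":
            read_class(SELF_OWNED_0040, 105, {105, 42}),
    }

if __name__ == "__main__":
    for case, (ok, cls) in demo().items():
        print(f"{'readable' if ok else 'DENIED':8}  via {cls:5}  {case}")
```

Running the daemon with group shadow only helps in the first case, where the file is group-owned by that gid and carries the group read bit.
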
Re: Configuring to use shadow passwords
: compat = no
Module: Instantiated files (files)
Module: Loaded detail
detail: detailfile = /var/log/radiusd-freeradius/radacct/%{Client-IP-Address}/detail
detail: detailperm = 384
detail: dirperm = 493
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = /var/log/radiusd-freeradius/radutmp
radutmp: username = %{User-Name}
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
main: smux_password =
main: snmp_write_access = no
SMUX connect try 1
Can't connect to SNMP agent with SMUX: Connection refused
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1026, id=137, length=62
    User-Name = radtest
    Password = \002\211V\320H\373\227\223\223\302mr\232\217\016\340
    NAS-IP-Address = 255.255.255.255
    NAS-Port-Id = 1
    Framed-Protocol = PPP
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
modcall[authorize]: module suffix returns ok
users: Matched DEFAULT at 144
users: Matched DEFAULT at 163
users: Matched DEFAULT at 175
modcall[authorize]: module files returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type System
modcall: entering group authenticate
modcall[authenticate]: module unix returns ok
modcall: group authenticate returns ok
Sending Access-Accept of id 137 to 127.0.0.1:1026
    Framed-IP-Address = 255.255.255.254
    Framed-MTU = 576
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0
Going to the next request
SMUX connect try 2
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Waking up in 6 seconds...
SMUX connect try 3
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Cleaning up request 0 ID 137 with timestamp 3c72e21c
Nothing to do. Sleeping until we see a request.

*** And the output of radtest ***

sat:/home/andrewt# radtest radtest radpass 127.0.0.1 1 testing123 3
Sending Access-Request of id 137 to 127.0.0.1:1812
    User-Name = radtest
    Password = \002\211V\320H\373\227\223\223\302mr\232\217\016\340
    NAS-IP-Address = sat
    NAS-Port-Id = 1
    Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=137, length=50
    Framed-IP-Address = 255.255.255.254
    Framed-MTU = 576
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-Compression = Van-Jacobson-TCP-IP
sat:/home/andrewt#

*** Now, let's try it with the wrong password ***

sat:/home/andrewt# radtest radtest NOTradpass 127.0.0.1 1 testing123 3
Sending Access-Request of id 166 to 127.0.0.1:1812
    User-Name = radtest
    Password = \315Zl\270i\006l\207:\300\227\310\270C\355\342
    NAS-IP-Address = sat
    NAS-Port-Id = 1
    Framed-Protocol = PPP
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=166, length=20
sat:/home/andrewt#

*** And the output from radiusd -X ***

rad_recv: Access-Request packet from host 127.0.0.1:1026, id=166, length=62
    User-Name = radtest
    Password = \315Zl\270i\006l\207:\300\227\310\270C\355\342
    NAS-IP-Address = 255.255.255.255
    NAS-Port-Id = 1
    Framed-Protocol = PPP
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
modcall[authorize]: module suffix returns ok
users: Matched DEFAULT at 144
users: Matched DEFAULT at 163
users: Matched DEFAULT at 175
modcall[authorize]: module files returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type System
modcall: entering group authenticate
rlm_unix: [radtest]: invalid password
modcall[authenticate]: module unix returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Sending Access-Reject of id 166 to 127.0.0.1:1026
Finished request 0
Going to the next request
SMUX connect try 2
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Waking up in 6 seconds...
SMUX connect try 3
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Cleaning up request 0 ID 166 with timestamp 3c72e309
Nothing to do. Sleeping until we see a request.
**

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, February 20, 2002 2:51 AM
Subject: Re: Configuring to use shadow passwords

Andrew Tait [EMAIL PROTECTED] wrote:
> The fix was to comment out the shadow = /etc/shadow. No matter what I did I couldn't get it to work, until I
RE: Configuring to use shadow passwords
We have the same problem. I'm not sure if it is a bug with 0.4 or not? We had no problem with 0.3 so I went back to that version.

Tom

-Original Message-
From: Robert Bess [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Sun, 17 Feb 2002 18:18:34 -0700
Subject: RE: Configuring to use shadow passwords

When running radiusd in debug mode I get the following errors after trying to authenticate user bob:

auth: No Auth-Type configuration for the request, rejecting the user
auth: Failed to validate the user.

I'm not sure what this means.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Bess
Sent: Sunday, February 17, 2002 5:44 PM
To: [EMAIL PROTECTED]
Subject: Configuring to use shadow passwords

I have freeRadius 0.4 on Linux-Mandrake 8.1

Radius seems to be running. When I run radtest with a username that exists in the /etc/raddb/users file it works if I specify a password. i.e.

bob Password = bob

but not if I try to use a real system user. i.e.

bob Auth-Type = Unix

When I do that radtest says: Access-Reject packet from host .

I was wondering if the problem is with the /etc/shadow file. I uncommented the line in radius.conf where it specifies my shadow file is in /etc/shadow and I have tried setting radiusd to run with group name shadow in the radius.conf file.

Is there something special I need to do when compiling radius to let it know I use shadow passwords? Is there any other reason my server might be rejecting the users in my system password file?

Thanks for any help.
Re: Configuring to use shadow passwords
IH - Net Admin [EMAIL PROTECTED] wrote:
> We have the same problem. I'm not sure if it is a bug with 0.4 or not? We had no problem with 0.3 so I went back to that version.

It's not a bug, it's a feature. And the way 0.3 works *is* a bug.

Alan DeKok.
Re: Configuring to use shadow passwords
Robert Bess [EMAIL PROTECTED] wrote:
> I use Auth-Type = System. I have also tried Auth-Type = Unix. I am migrating my user file from Livingston Radius 2.01. Has anything changed in the user file?

Yes, some subtle differences to make it more configurable, and easier to use. See 'man users'.

Please also read the 'users' file which comes with FreeRADIUS. Compare it to your Livingston 'users' file, and see what the differences and new features are.

Alan DeKok.
RE: Configuring to use shadow passwords
When running radiusd in debug mode I get the following errors after trying to authenticate user bob:

auth: No Auth-Type configuration for the request, rejecting the user
auth: Failed to validate the user.

I'm not sure what this means.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Bess
Sent: Sunday, February 17, 2002 5:44 PM
To: [EMAIL PROTECTED]
Subject: Configuring to use shadow passwords

I have freeRadius 0.4 on Linux-Mandrake 8.1

Radius seems to be running. When I run radtest with a username that exists in the /etc/raddb/users file it works if I specify a password. i.e.

bob Password = bob

but not if I try to use a real system user. i.e.

bob Auth-Type = Unix

When I do that radtest says: Access-Reject packet from host .

I was wondering if the problem is with the /etc/shadow file. I uncommented the line in radius.conf where it specifies my shadow file is in /etc/shadow and I have tried setting radiusd to run with group name shadow in the radius.conf file.

Is there something special I need to do when compiling radius to let it know I use shadow passwords? Is there any other reason my server might be rejecting the users in my system password file?

Thanks for any help.
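
Added example (not part of the original thread, and not FreeRADIUS code): a triage pass over `radiusd -X` output that tells apart the three reject patterns quoted in this thread: no Auth-Type set, an `rlm_unix` "invalid password" line, and a bare `module unix returns reject` with no reason logged. The sample log is constructed in the shape of the output quoted above, and the verdict names are labels chosen for this example.

```python
import re

# Constructed sample in the shape of the radiusd -X output quoted in this thread.
SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1:1026, id=166, length=62
    User-Name = radtest
rlm_unix: [radtest]: invalid password
modcall[authenticate]: module unix returns reject
Sending Access-Reject of id 166 to 127.0.0.1:1026
rad_recv: Access-Request packet from host 127.0.0.1:1028, id=98, length=62
    User-Name = radtest
modcall[authenticate]: module unix returns reject
Sending Access-Reject of id 98 to 127.0.0.1:1028
rad_recv: Access-Request packet from host 127.0.0.1:1030, id=7, length=58
    User-Name = bob
auth: No Auth-Type configuration for the request, rejecting the user
rad_recv: Access-Request packet from host 127.0.0.1:1026, id=137, length=62
    User-Name = radtest
Sending Access-Accept of id 137 to 127.0.0.1:1026
"""

NEW_REQUEST = re.compile(r"rad_recv: Access-Request packet from host \S+ id=(\d+)")
USER = re.compile(r'User-Name = "?([^"\s]+)')
# Verdicts in order of precedence; the most specific logged reason wins.
VERDICTS = [
    ("accepted", re.compile(r"Sending Access-Accept of id \d+")),
    ("no-auth-type", re.compile(r"No Auth-Type configuration for the request")),
    ("bad-password", re.compile(r"rlm_unix: \[[^\]]*\]: invalid password")),
    ("unexplained-reject", re.compile(r"modcall\[authenticate\]: module \S+ returns reject")),
]

def triage(text):
    """Return (id, user, verdict) for each Access-Request in radiusd -X output."""
    requests = []
    for line in text.splitlines():
        start = NEW_REQUEST.search(line)
        if start:
            requests.append({"id": int(start.group(1)), "user": None, "hits": set()})
        elif requests:
            cur, user = requests[-1], USER.search(line)
            if user and cur["user"] is None:
                cur["user"] = user.group(1)
            cur["hits"].update(v for v, rx in VERDICTS if rx.search(line))
    return [(r["id"], r["user"],
             next((v for v, _ in VERDICTS if v in r["hits"]), "unknown")) for r in requests]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

An "unexplained-reject" is the case the replies in this thread point at: the module rejected without logging why, so the next things to look at are the uid the server runs under and the `cache` setting.
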