Re: Configuring to use shadow passwords

2002-02-20 Thread Alan DeKok

Andrew Tait [EMAIL PROTECTED] wrote:
> I have setup freeradius on another server (actually it was still setup from
> our previous testing).
...

  The only thing I noticed was:

> Module: Loaded System
>  unix: cache = no

  I'm not sure that the non-caching code in rlm_unix has been well
tested.  Enable the caching, and it may work.

  If so, then there's a bug in the non-caching code.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Configuring to use shadow passwords

2002-02-20 Thread Andrew Tait
:  user radtest found in hashtable bucket 16015
  HASH:  user Administrator found in hashtable bucket 86869
HASH:  Stored 29 entries from /etc/passwd
HASH:  Stored 45 entries from /etc/group
  HASH:  user radtest found in hashtable bucket 16015
  modcall[authenticate]: module unix returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Sending Access-Reject of id 98 to 127.0.0.1:1028
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 98 with timestamp 3c742166
Nothing to do.  Sleeping until we see a request.

***


Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

It's the smell! If there is such a thing. Agent Smith - The Matrix




Re: Configuring to use shadow passwords

2002-02-19 Thread Alan DeKok

Andrew Tait [EMAIL PROTECTED] wrote:
> The fix was to comment out the shadow = /etc/shadow.
>
> No matter what I did I couldn't get it to work, until I decided to go back
> to the default debian config, and try it again. Use the default config it
> worked. After uncommenting the shadow line again, it didn't work.

  Have you read the debug messages to see *why*?  The messages will
usually be helpful.

  Were you running the server under the correct uid to read
/etc/shadow?  Read the comments in the configuration file around the
'shadow' item.


  If there's a bug in the server, then we need to know what it is, and
to fix it.  If there's something unclear in the documentation, we need
to fix that, too.

  Alan DeKok.
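
The uid question in the message above comes down to the POSIX owner/group/other check on /etc/shadow. This Python script is an added example, not part of the thread and not FreeRADIUS code; it evaluates that check for a daemon account, and the uid/gid numbers in its demo and the `run_group` parameter are constructed for illustration.

```python
import grp
import os
import pwd
import stat


def dac_can_read(mode, file_uid, file_gid, uid, gids):
    """POSIX mode-bit check. Exactly one class applies: owner, else group,
    else other. ACLs and capabilities are not modelled."""
    if uid == 0:
        return True  # root bypasses the mode bits
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit(mode, file_uid, file_gid, uid, gids):
    """Return (readable, findings) for a daemon identity and a shadow file."""
    readable = dac_can_read(mode, file_uid, file_gid, uid, gids)
    findings = []
    if mode & stat.S_IROTH:
        findings.append("shadow file is world-readable")
    if uid == 0:
        findings.append("daemon runs as root; group read access is enough")
    if not readable:
        findings.append("daemon cannot read the shadow file")
    return readable, findings


def audit_account(user, run_group=None, path="/etc/shadow"):
    """Run the same check against the live system. run_group is the group
    the daemon is configured to run as, if any (assumption: it is added to
    the account's own groups)."""
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    if run_group:
        gids.add(grp.getgrnam(run_group).gr_gid)
    st = os.stat(path)
    return audit(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, pw.pw_uid, gids)


if __name__ == "__main__":
    # Constructed identities: file root:shadow (gid 42), mode 0640; daemon uid 108.
    print(audit(0o640, 0, 42, 108, {108, 42}))  # daemon in group shadow
    print(audit(0o640, 0, 42, 108, {108}))      # daemon not in group shadow
```

On a live host, `audit_account` takes the account name the daemon runs under and reads the real ownership and mode of the shadow file.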




Re: Configuring to use shadow passwords

2002-02-19 Thread Andrew Tait
: compat = no
Module: Instantiated files (files)
Module: Loaded detail
 detail: detailfile = /var/log/radiusd-freeradius/radacct/%{Client-IP-Address}/detail
 detail: detailperm = 384
 detail: dirperm = 493
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /var/log/radiusd-freeradius/radutmp
 radutmp: username = %{User-Name}
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
 main: smux_password = 
 main: snmp_write_access = no
SMUX connect try 1
Can't connect to SNMP agent with SMUX: Connection refused
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1026, id=137, length=62
User-Name = radtest
Password = \002\211V\320H\373\227\223\223\302mr\232\217\016\340
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = 1
Framed-Protocol = PPP
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module suffix returns ok
users: Matched DEFAULT at 144
users: Matched DEFAULT at 163
users: Matched DEFAULT at 175
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type System
modcall: entering group authenticate
  modcall[authenticate]: module unix returns ok
modcall: group authenticate returns ok
Sending Access-Accept of id 137 to 127.0.0.1:1026
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0
Going to the next request
SMUX connect try 2
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Waking up in 6 seconds...
SMUX connect try 3
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Cleaning up request 0 ID 137 with timestamp 3c72e21c
Nothing to do.  Sleeping until we see a request.

***

And the output of radtest

***

sat:/home/andrewt# radtest radtest radpass 127.0.0.1 1 testing123 3
Sending Access-Request of id 137 to 127.0.0.1:1812
User-Name = radtest
Password = \002\211V\320H\373\227\223\223\302mr\232\217\016\340
NAS-IP-Address = sat
NAS-Port-Id = 1
Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=137, length=50
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
sat:/home/andrewt#

***

Now, let's try it with the wrong password

***

sat:/home/andrewt# radtest radtest NOTradpass 127.0.0.1 1 testing123 3
Sending Access-Request of id 166 to 127.0.0.1:1812
User-Name = radtest
Password = \315Zl\270i\006l\207:\300\227\310\270C\355\342
NAS-IP-Address = sat
NAS-Port-Id = 1
Framed-Protocol = PPP
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=166, length=20
sat:/home/andrewt#

***

And the output from radiusd -X

***

rad_recv: Access-Request packet from host 127.0.0.1:1026, id=166, length=62
User-Name = radtest
Password = \315Zl\270i\006l\207:\300\227\310\270C\355\342
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = 1
Framed-Protocol = PPP
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module suffix returns ok
users: Matched DEFAULT at 144
users: Matched DEFAULT at 163
users: Matched DEFAULT at 175
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type System
modcall: entering group authenticate
rlm_unix: [radtest]: invalid password
  modcall[authenticate]: module unix returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Sending Access-Reject of id 166 to 127.0.0.1:1026
Finished request 0
Going to the next request
SMUX connect try 2
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Waking up in 6 seconds...
SMUX connect try 3
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Cleaning up request 0 ID 166 with timestamp 3c72e309
Nothing to do.  Sleeping until we see a request.

**



RE: Configuring to use shadow passwords

2002-02-18 Thread IH - Net Admin

We have the same problem. 

I'm not sure if it is a bug with 0.4 or not? We had no problem with 0.3 
so I went back to that version.

Tom





Re: Configuring to use shadow passwords

2002-02-18 Thread Alan DeKok

IH - Net Admin [EMAIL PROTECTED] wrote:
> We have the same problem.
>
> I'm not sure if it is a bug with 0.4 or not? We had no problem with 0.3
> so I went back to that version.

  It's not a bug, it's a feature.  And the way 0.3 works *is* a bug.

  Alan DeKok.




Re: Configuring to use shadow passwords

2002-02-18 Thread Alan DeKok

Robert Bess [EMAIL PROTECTED] wrote:
> I use Auth-Type = System.  I have also tried Auth-Type = Unix.  I am
> migrating my user file from Livingston Radius 2.01.  Has anything
> changed in the user file?

  Yes, some subtle differences to make it more configurable, and
easier to use.

  See 'man users'.

  Please also read the 'users' file which comes with FreeRADIUS.
Compare it to your Livingston 'users' file, and see what the
differences and new features are.

  Alan DeKok.




RE: Configuring to use shadow passwords

2002-02-17 Thread Robert Bess

When running radiusd in debug mode I get the following errors after
trying to authenticate user bob:

auth: No Auth-Type configuration for the request, rejecting the user
auth: Failed to validate the user.

I'm not sure what this means.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Robert
Bess
Sent: Sunday, February 17, 2002 5:44 PM
To: [EMAIL PROTECTED]
Subject: Configuring to use shadow passwords

I have freeRadius 0.4 on Linux-Mandrake 8.1

Radius seems to be running.  When I run radtest with a username that
exists in the /etc/raddb/users file it works if I specify a password.

i.e. bob  Password = bob

but not if I try to use a real system user.

i.e. bob  Auth-Type = Unix

When I do that radtest says: Access-Reject packet from host .

I was wondering if the problem is with the /etc/shadow file.  I
uncommented the line in radius.conf where it specifies my shadow file is
in /etc/shadow and I have tried setting radiusd to run with group name
shadow in the radius.conf file.

Is there something special I need to do when compiling radius to let it
know I use shadow passwords?

Is there any other reason my server might be rejecting the users in my
system password file?

Thanks for any help.