Okay, so I think I know why the tests weren't working. The radiusd service
isn't running.

[root@pf-zen-esx ~]# service radiusd status
radiusd is stopped
[root@pf-zen-esx ~]# service radiusd start
Starting radiusd:                                          [FAILED]

When I run the radiusd -X command, the end indicates that it is "Refusing
to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 (in range
1.0.1 - 1.0.1f).  Security advisory CVE-2014-0160 (Heartbleed)". I tried to
update it using yum install openssl 1.0.1g, but that failed, indicating
that the package was not available.

[root@pf-zen-esx ~]# radiusd -X
radiusd: FreeRADIUS Version 2.2.5, for host x86_64-redhat-linux-gnu, built
on Apr 29 2014 at 09:18:14
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/cache
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/dhcp_sqlippool
including configuration file /etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/radrelay
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
main {
        user = "radiusd"
        group = "radiusd"
        allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
        name = "radiusd"
        prefix = "/usr"
        localstatedir = "/var"
        sbindir = "/usr/sbin"
        logdir = "/var/log/radius"
        run_dir = "/var/run/radiusd"
        libdir = "/usr/lib64/freeradius"
        radacctdir = "/var/log/radius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        pidfile = "/var/run/radiusd/radiusd.pid"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
 }
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
        allow_vulnerable_openssl = no
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
 }
 home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = "auth"
        secret = "testing123"
        response_window = 20
        max_outstanding = 65536
        require_message_authenticator = yes
        zombie_period = 40
        status_check = "status-server"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
  coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
  }
 }
 home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
 }
 realm example.com {
        auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = "testing123"
        nastype = "other"
 }
Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 (in
range 1.0.1 - 1.0.1f).  Security advisory CVE-2014-0160 (Heartbleed)
For more information see http://heartbleed.com


I am now officially stumped. Are there any other files that I should be
checking in order to get this sorted?

Rich:
I do not know enough about Linux or Samba for the error messages to be much
use. Is there something in particular that I should be looking for?

Carla
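
The start-up refusal in the message above is keyed on the OpenSSL version string alone, so a distribution build that keeps the upstream "1.0.1e" string while carrying a backported fix is still refused. The following is an added example (not part of the original message and not PacketFence or FreeRADIUS code) that separates the two cases by checking the package changelog for the CVE identifier; the function names and sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; inputs used to exercise
# them are constructed. The version range and CVE id come from the radiusd
# message quoted above.

# Return 0 if a version token falls in 1.0.1 - 1.0.1f.
in_heartbleed_range() {
    v=${1%%-*}                      # drop a vendor suffix such as "-fips"
    case "$v" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version token from a line such as
# "OpenSSL 1.0.1e-fips 11 Feb 2013" (the format printed by `openssl version`).
openssl_version_token() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }'
}

# Return 0 if the changelog text on stdin mentions the CVE fix.
changelog_has_fix() {
    grep -q 'CVE-2014-0160'
}

# classify "<version line>" "<changelog text>" prints one of:
#   not-affected | backported-fix | vulnerable
classify() {
    tok=$(openssl_version_token "$1")
    if ! in_heartbleed_range "$tok"; then
        echo not-affected
    elif printf '%s\n' "$2" | changelog_has_fix; then
        echo backported-fix
    else
        echo vulnerable
    fi
}

# On a live RPM-based host:
#   classify "$(openssl version)" "$(rpm -q --changelog openssl)"
```

A result of `vulnerable` means the installed package needs updating through the distribution's own repositories. The `allow_vulnerable_openssl` option in the `security` section, shown as `no` in the debug output, is the setting that governs this start-up check.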


On Wed, Jun 4, 2014 at 4:30 PM, Louis Munro <[email protected]> wrote:

> Hi Carla,
>
> No, this file is not part of PacketFence.
> I doubt that is really the issue. That file is mostly used to authenticate
> local users.
> I believe pam.d/common-auth is only on Debian (and maybe Ubuntu) so if you
> have a RedHat based system that will not apply in any case.
>
> What you are trying to achieve is authentication of external (i.e. RADIUS)
> users via ntlm_auth.
> All FreeRadius really cares about is the return code from ntlm_auth.
>
> I have never had to change pam settings to get ntlm_auth working.
>
>
> Regards,
>  --
> Louis Munro
> [email protected]  ::  www.inverse.ca
> +1.514.447.4918 *125  :: +1 (866) 353-6153
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
> On 2014-06-04, at 15:27 , Carla Nurse <[email protected]> wrote:
>
> Louis,
>
> I am currently working with the Samba mail list. One person has indicated
> it may be a lack of a file /etc/pam.d/common-auth.
> Is this file usually found on PacketFence? And if so, can you give me an
> idea of the configuration required for it?
>
> Carla
>
>
> On Mon, Jun 2, 2014 at 5:17 PM, Carla Nurse <[email protected]> wrote:
>
>> Louis,
>>
>> I will check with them and see if there is anything that can be done. I
>> will continue to work on the configuration during that time.
>>
>> Thank you for your assistance.
>>
>> Carla
>>
>>
>> On Mon, Jun 2, 2014 at 5:04 PM, Louis Munro <[email protected]> wrote:
>>
>>> wbinfo -u should return the list of users in the domain.
>>>
>>> This would seem to indicate an issue with either the rights of the user
>>> doing the query or the AD configuration.
>>>
>>> You might be better helped by the samba mailing list as this issue is
>>> really more with winbind/AD than with PacketFence.
>>>
>>> Best regards,
>>>
>>>  --
>>> Louis Munro
>>> [email protected]  ::  www.inverse.ca
>>> +1.514.447.4918 *125  :: +1 (866) 353-6153
>>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
>>> www.packetfence.org)
>>>
>>> On 2014-06-02, at 16:50 , Carla Nurse <[email protected]> wrote:
>>>
>>> Hi Louis,
>>>
>>> When I run *wbinfo -u* it goes straight back to prompt. I tried *wbinfo
>>> -p* and the ping to winbindd succeeded.
>>>
>>>
>>> On Mon, Jun 2, 2014 at 4:36 PM, Louis Munro <[email protected]> wrote:
>>>
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Learn Graph Databases - Download FREE O'Reilly Book
>>> "Graph Databases" is the definitive new guide to graph databases and
>>> their
>>> applications. Written by three acclaimed leaders in the field,
>>> this first edition is now available. Download your free book today!
>>> http://p.sf.net/sfu/NeoTech
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>>
>>
>