Hi Hugh !
I have experienced problems when running radiusd under a separate user account.
The server is running Red Hat 8.0.
The server is configured as a Kerberos client and users are authenticated via PAM; it works fine.
The config (radius.cfg) was tested with radiusd running as root and it works as expected.
When switching to user radiator I'm getting the following error in the logfile:
"Wed Apr 2 10:22:38 2003: INFO: Access rejected for dmdpel: Error -1 running EXTERNAL command: No child processes"
I've found this in the mailing list archives; is this relevant?
- To: Radiator Mailinglist <[EMAIL PROTECTED]>
- Subject: (RADIATOR) Bug? changing EUID/EGID with User/Group params doesn't work
- From: Karl Gaissmaier <[EMAIL PROTECTED]>
- Date: Wed, 04 Sep 2002 15:39:04 +0200
Below I have included "radius.cfg", the script "chgrp.sh" and the "logfile".
Do you need anything further to answer my questions?
Regards
Per Lütkemeyer
DMdata a/s
..........................................
From the manual :
6.4.31 User
On Unix, this optional parameter sets the effective user ID (UID) that radiusd will run
as, provided radiusd starts as a suitably privileged user (usually as root). The value can
be a valid Unix user name or an integer UID.
6.4.32 Group
On Unix, this optional parameter sets the effective group ID (GID) that radiusd will run
as, provided radiusd starts as a suitably privileged user (usually as root). The value can
be a valid Unix group name or an integer GID.
.......................................
Q1: What do you mean by "a suitably privileged user (usually as root)"?
I've done this:
1. created a user called "radiator" and a group called "radiator"
2. changed /etc/radiator and all files within to be owned by user=radiator group=radiator
3. changed /var/log/radius and all files within to be owned by user=radiator group=radiator
The problem occurs when calling an external script located in /etc/radiator.
***********************************
radius.cfg
***********************************
################################################
### 24/3-03 PEL
### Radius.cfg for the jumphost that uses PAM
################################################
# Foreground
# LogStdout
#
######################
User radiator
Group radiator
# User root
# Group root
######################
AuthPort 1645
AcctPort 1646
#
LogDir /var/log/radius
LogFile /var/log/radius/logfile.txt
DbDir /etc/radiator
#
Trace 4
################################################
# Clients
###############################################
<Client DEFAULT>
    Secret mysecret
    Identifier Default
</Client>
################################################
# AuthBy's
###############################################
<AuthLog FILE>
    Identifier LoginLog
    Filename %L/loginlog.txt
    LogSuccess 1
    LogFailure 1
    SuccessFormat %l:Client-ip=%c:NAS-ip=%N:%U:OK
    FailureFormat %l:Client-ip=%c:NAS-ip=%N:%U:FAIL:%1
</AuthLog>
################################################
# Handlers
###############################################
<Handler Client-Identifier = Default>
    AuthByPolicy ContinueWhileAccept
    # Use /etc/pam.d/login as default
    # PAM is configured as Kerberos client
    <AuthBy PAM>
        Service login
    </AuthBy>
    # Check group membership via script
    #
    <AuthBy GROUP>
        AuthByPolicy ContinueUntilAccept
        # Member of network?
        <AuthBy EXTERNAL>
            Command %D/chgrp.sh network %u
            AddToReply Service-Type = Administrative
        </AuthBy>
        # Member of operations?
        <AuthBy EXTERNAL>
            Command %D/chgrp.sh operations %u
            AddToReply Service-Type = NAS-Prompt-User
        </AuthBy>
    </AuthBy>
    # Log accounting to a detail file
    AcctLogFileName %L/detail
    AuthLog LoginLog
</Handler>
******************************************************
***********
chgrp.sh
************
#!/bin/bash
#
# 25/3-03 PEL
#
# Syntax : chgrp.sh groupname username
#
# Exit 0 if username is listed as a member of groupname in /etc/group,
# exit 1 otherwise. The pattern is anchored to whole fields so that a
# name which is only a substring of another (e.g. "pel" in "dmdpel")
# is not counted, and only plain account names are accepted.
[ $# -eq 2 ] || exit 1
case "$1$2" in *[!A-Za-z0-9._-]*) exit 1 ;; esac
if grep -Eq "^$1:[^:]*:[0-9]+:([^,]*,)*$2(,|\$)" /etc/group; then
# echo user $2 is in group $1
exit 0
else
# echo Error
exit 1
fi
********************************************************************
logfile
********************************************************************
Wed Apr 2 10:22:37 2003: DEBUG: Packet dump:
*** Received from 10.165.18.49 port 4457 ....
Code: Access-Request
Identifier: 217
Authentic: 1234567890123456
Attributes:
User-Name = "dmdpel"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = "<145><254>1<201><202>1e<146><188>8<9><160><216>}x<153>"
Wed Apr 2 10:22:37 2003: DEBUG: Handling request with Handler 'Client-Identifier = Default'
Wed Apr 2 10:22:37 2003: DEBUG: Deleting session for dmdpel, 203.63.154.1, 1234
Wed Apr 2 10:22:37 2003: DEBUG: Handling with PAM service login
Wed Apr 2 10:22:37 2003: DEBUG: PAM is asking for 1: 'Password'
Wed Apr 2 10:22:38 2003: DEBUG: Handling with Radius::AuthGROUP
Wed Apr 2 10:22:38 2003: DEBUG: Running command: /etc/radiator/chgrp.sh netw129 dmdpel
Wed Apr 2 10:22:38 2003: DEBUG: Running command: /etc/radiator/chgrp.sh nete129 dmdpel
Wed Apr 2 10:22:38 2003: DEBUG: Running command: /etc/radiator/chgrp.sh pcc153 dmdpel
Wed Apr 2 10:22:38 2003: INFO: Access rejected for dmdpel: Error -1 running EXTERNAL command: No child processes
Wed Apr 2 10:22:38 2003: DEBUG: Packet dump:
*** Sending to 10.165.18.49 port 4457 ....
Code: Access-Reject
Identifier: 217
Authentic: 1234567890123456
Attributes:
Reply-Message = "Request Denied"
*****************************************************************
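As an added example, not part of the original post: a group-membership check of the kind chgrp.sh performs, going beyond the posted script in two ways: the match is anchored to whole fields, and a user's primary group (the GID field of /etc/passwd, which /etc/group never lists) counts as membership. The group and passwd files, the account names and the GIDs below are constructed for this example; on a real host the files are /etc/group and /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the original post). Two things the posted chgrp.sh lacks:
#  1. the match is anchored to whole fields, so user "pel" does not match member
#     "dmdpel" and group "net" does not match "network";
#  2. the user's primary group (the GID field of /etc/passwd) counts as membership,
#     because /etc/group does not list primary members.
# The group and passwd files are parameters so the check can run against the
# constructed copies below; on a real host they are /etc/group and /etc/passwd.

valid_name() {   # only letters, digits, . _ - so the name is safe inside a regex
    case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# in_group GROUP USER [GROUPFILE] [PASSWDFILE]: exit 0 member, 1 not a member, 2 bad args
in_group() {
    group=$1 user=$2 groupfile=${3:-/etc/group} passwdfile=${4:-/etc/passwd}
    valid_name "$group" && valid_name "$user" || return 2
    # Supplementary membership: the 4th field of the group line is a comma-separated list.
    if grep -Eq "^${group}:[^:]*:[0-9]+:([^,]*,)*${user}(,|\$)" "$groupfile"; then
        return 0
    fi
    # Primary membership: the user's GID in passwd equals the group's GID.
    gid=$(awk -F: -v g="$group" '$1 == g { print $3; exit }' "$groupfile")
    [ -n "$gid" ] || return 1
    awk -F: -v u="$user" -v g="$gid" '$1 == u && $4 == g { found = 1 } END { exit !found }' "$passwdfile"
}

# Constructed sample files (names and GIDs are made up for this example).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/group" <<'EOF'
root:x:0:
network:x:1001:alice,dmdpel
operations:x:1002:bob
net:x:1003:pel
EOF
cat > "$tmp/passwd" <<'EOF'
dmdpel:x:1000:1002:Per:/home/dmdpel:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
EOF

# Stand-alone demonstration: dmdpel is in operations only via its primary GID.
for pair in "network dmdpel" "operations dmdpel" "network bob" "network pel" "net dmdpel"; do
    set -- $pair
    if in_group "$1" "$2" "$tmp/group" "$tmp/passwd"; then echo "$2 IS in $1"; else echo "$2 is NOT in $1"; fi
done
```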
