(RADIATOR) Problem with AuthBy EXTERNAL when radiusd is running under different uid/gid than root
Hi Hugh!

I have experienced problems when running radiusd under a separate user account. The server is running Red Hat 8.0. The server is configured as a Kerberos client and users are authenticated via PAM; it works fine. The config (radius.cfg) is tested when radiusd is running as root and it works as expected. When switching to user radiator I'm getting the following error in the logfile:

Wed Apr 2 10:22:38 2003: INFO: Access rejected for dmdpel: Error -1 running EXTERNAL command: No child processes

I've found this in the mailing list archives; is this relevant?

To: Radiator Mailinglist [EMAIL PROTECTED]
Subject: (RADIATOR) Bug? changing EUID/EGID with User/Group params doesn't work
From: Karl Gaissmaier [EMAIL PROTECTED]
Date: Wed, 04 Sep 2002 15:39:04 +0200

Below I have included radius.cfg, the script chgrp.sh and the logfile. Do you need anything further to answer my questions?

Regards
Per Lütkemeyer
DMdata a/s

From the manual:

6.4.31 User
On Unix, this optional parameter sets the effective user ID (UID) that radiusd will run as, provided radiusd starts as a suitably privileged user (usually as root). The value can be a valid Unix user name or an integer UID.

6.4.32 Group
On Unix, this optional parameter sets the effective group ID (GID) that radiusd will run as, provided radiusd starts as a suitably privileged user (usually as root). The value can be a valid Unix group name or an integer GID.

Q1: What do you mean by a suitably privileged user (usually as root)?

I've done this:
1. created a user called radiator and a group called radiator
2. changed /etc/radiator and all files within to be owned by user=radiator group=radiator
3. changed /var/log/radius and all files within to be owned by user=radiator group=radiator

The problem occurs when calling an external script located in /etc/radiator.

*** radius.cfg ***

### 24/3-03 PEL
### Radius.cfg jump host that uses PAM
#
# Foreground
# LogStdout
#
##
User radiator
Group radiator
# User root
# Group root
##
AuthPort 1645
AcctPort 1646
#
LogDir /var/log/radius
LogFile /var/log/radius/logfile.txt
DbDir /etc/radiator
#
Trace 4
#
# Clients
###
<Client DEFAULT>
	Secret mysecret
	Identifier Default
</Client>
#
# AuthBy's
###
<AuthLog FILE>
	Identifier LoginLog
	Filename %L/loginlog.txt
	LogSuccess 1
	LogFailure 1
	SuccessFormat %l:Client-ip=%c:NAS-ip=%N:%U:OK
	FailureFormat %l:Client-ip=%c:NAS-ip=%N:%U:FAIL:%1
</AuthLog>
#
# Handlers
###
<Handler Client-Identifier = Default>
	AuthByPolicy ContinueWhileAccept
	# Use /etc/pam.d/login as default
	# PAM is configured as Kerberos client
	<AuthBy PAM>
		Service login
	</AuthBy>
	# Checker via script group membership
	#
	<AuthBy GROUP>
		AuthByPolicy ContinueUntilAccept
		# Member of Network ?
		<AuthBy EXTERNAL>
			Command %D/chgrp.sh network %u
			AddToReply Service-Type = Administrative
		</AuthBy>
		# Member of operations ?
		<AuthBy EXTERNAL>
			Command %D/chgrp.sh operations %u
			AddToReply Service-Type = NAS-Prompt-User
		</AuthBy>
	</AuthBy>
	# Log accounting to a detail file
	AcctLogFileName %L/detail
	AuthLog LoginLog
</Handler>

*** chgrp.sh ***

#!/bin/bash
#
# 25/3-03 PEL
#
# Syntax : chgrp.sh groupname username
#
# Exit 0 if the group line that matches $1 also matches $2, else exit 1.
if grep "$1" /etc/group | grep "$2" > /dev/null; then
	# echo user $2 is in group $1
	exit 0
else
	# echo Error
	exit 1
fi

*** logfile ***

Wed Apr 2 10:22:37 2003: DEBUG: Packet dump:
*** Received from 10.165.18.49 port 4457
Code:       Access-Request
Identifier: 217
Authentic:  1234567890123456
Attributes:
	User-Name = dmdpel
	Service-Type = Framed-User
	NAS-IP-Address = 203.63.154.1
	NAS-Port = 1234
	Called-Station-Id = 123456789
	Calling-Station-Id = 987654321
	NAS-Port-Type = Async
	User-Password = 14525412012021e14618889160216}x153

Wed Apr 2 10:22:37 2003: DEBUG: Handling request with Handler 'Client-Identifier = Default'
Wed Apr 2 10:22:37 2003: DEBUG: Deleting session for dmdpel, 203.63.154.1, 1234
Wed Apr 2 10:22:37 2003: DEBUG: Handling with PAM service login
Wed Apr 2 10:22:37 2003: DEBUG: PAM is asking for 1: 'Password'
Wed Apr 2 10:22:38 2003: DEBUG:
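A note on the authorization check itself, separate from the uid/gid problem: chgrp.sh decides membership with two substring greps over /etc/group. `grep network /etc/group | grep pel` matches the network line whenever any member (here dmdpel) contains "pel", so a user named pel would be granted Service-Type = Administrative; `grep net` would also match a group called network2 or netwatch. The `$2` the script greps with is the User-Name copied from the Access-Request, so it is attacker-chosen data. The C program below is an added example, not code from the post or from Radiator: it parses the group(5) line format with whole-field comparisons and refuses anything that is not a plain account name. SAMPLE_GROUPS is a constructed group database for the demonstration; the main() reads the real /etc/group and exits 0 for a member and 1 otherwise, so it can stand in for the script as `Command %D/chkgrp network %u` (the program name chkgrp is an assumption). Like the original script it only looks at the supplementary-member field, not at a user's primary GID in /etc/passwd.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample group(5) database for the demonstration; not a copy
 * of anyone's real /etc/group. */
const char SAMPLE_GROUPS[] =
    "root:x:0:\n"
    "network:x:1001:dmdpel,opsadmin\n"
    "operations:x:1002:opsadmin\n"
    "netwatch:x:1003:pel\n";

/* The user name is the RADIUS User-Name attribute, i.e. client-supplied, so
 * only plain account names are accepted; a leading '-', whitespace or shell
 * metacharacters are rejected before the value is used for anything. */
int valid_name(const char *s)
{
    if (*s == '\0' || *s == '-')
        return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '.' && *s != '_' && *s != '-')
            return 0;
    return 1;
}

/* Returns 1 if `user` is listed in the member field of `group` in `db` (the
 * text of a group(5) file: name:password:gid:member,member,...), 0 if not,
 * -1 if `user` is not a plain account name. Group and member names are
 * compared as whole fields, never as substrings. */
int in_group(const char *db, const char *group, const char *user)
{
    size_t glen = strlen(group), ulen = strlen(user);
    const char *line = db;

    if (!valid_name(user))
        return -1;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *end = line + len;
        const char *p = line;

        if (len > glen && memcmp(p, group, glen) == 0 && p[glen] == ':') {
            int field = 1;
            while (p < end && field < 4)       /* skip to field 4, the members */
                if (*p++ == ':')
                    field++;
            while (p < end) {
                const char *comma = memchr(p, ',', (size_t)(end - p));
                size_t mlen = comma ? (size_t)(comma - p) : (size_t)(end - p);
                if (mlen == ulen && memcmp(p, user, ulen) == 0)
                    return 1;
                p = comma ? comma + 1 : end;
            }
            return 0;                          /* group found, user not listed */
        }
        line = eol ? eol + 1 : end;
    }
    return 0;                                  /* no such group */
}

/* Slurp a file into a NUL-terminated buffer; NULL on error. */
char *read_file(const char *path)
{
    FILE *f = fopen(path, "r");
    char *buf = NULL;
    size_t cap = 0, n = 0, got;

    if (!f)
        return NULL;
    do {
        if (n + 4096 + 1 > cap) {
            char *nb;
            cap = cap ? cap * 2 : 8192;
            nb = realloc(buf, cap);
            if (!nb) { free(buf); fclose(f); return NULL; }
            buf = nb;
        }
        got = fread(buf + n, 1, 4096, f);
        n += got;
    } while (got > 0);
    fclose(f);
    buf[n] = '\0';
    return buf;
}

/* Same calling convention and exit codes as chgrp.sh: chkgrp GROUP USER
 * exits 0 if USER is a member of GROUP, 1 otherwise, 2 on bad usage or an
 * unreadable group file. */
int main(int argc, char *argv[])
{
    char *db;
    int rc;

    if (argc != 3)
        return 2;
    db = read_file("/etc/group");
    if (!db)
        return 2;
    rc = in_group(db, argv[1], argv[2]);
    free(db);
    return rc == 1 ? 0 : 1;
}
```

With the sample database, `in_group(SAMPLE_GROUPS, "network", "pel")` is 0 where the original pipeline of greps would have accepted pel, and a User-Name such as `dmdpel;id` is refused outright instead of being handed to anything that might interpret it.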
(RADIATOR) Problem with AuthBy EXTERNAL
Hi,

I originally wrote this email with the software author as the intended recipient, but then I read the Terms of Support (which is to say there are none), so I'm posting here:

Because of certain requirements, we need to use AuthBy EXTERNAL to authenticate our users. Each time I try, however, the RADIUS client simply times out. We know the external program gets executed, but Radiator can't seem to "see" the external program's reply. We're running Radiator on a Sparc/Solaris 2.6 system. We tried using the following test programs:

external.c:

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
	/* Reply attributes for Radiator, one per line, tab-indented */
	printf("\tUser-Service-Type = Framed-User\n");
	printf("\tFramed-Protocol = PPP\n");
	exit(0);
}

and external.pl:

#!/opt/perl/bin/perl -w
# 'or', not '||': with '||' the open failure was never caught
open(LOG, ">>/opt/Radiator/log/external.log") or exit 1;
# copy whatever Radiator sends on stdin to the log
while (<STDIN>) {
	print LOG $_;
}
close LOG;
print "\tUser-Service-Type = Framed-User\n" .
      "\tFramed-Protocol = PPP\n";
exit 0;

Both programs get executed, but the clients just time out. In AuthEXTERNAL.pm, in sub handle_request, after waitpid, I get $? = -1 (and $result = $? >> 8 = 16777215). I am positive that the external program gets executed.

Hope someone can help.

Richi Plana
Systems Administrator
Mosaic Communications, Inc.
mailto:[EMAIL PROTECTED]
PGP key http://www2.mozcom.com/~richip/richip.asc
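Both posts on this page report the same picture from AuthBy EXTERNAL: the child runs, waitpid fails, $? is -1, Radiator logs the errno text "No child processes" (ECHILD), and `$? >> 8` comes out as 16777215 because Perl shifts the unsigned representation of -1 (0xFFFFFFFF >> 8 on a 32-bit perl). One condition that produces exactly this set of values is the parent having SIGCHLD set to SIG_IGN: POSIX then has the kernel reap exited children itself, and waitpid() fails with ECHILD as soon as the child is gone, whatever exit code the child returned. The C program below is an added example, not code from either poster or from Radiator; it reproduces that state beside the normal one so the symptom can be recognised. It does not establish what sets the disposition in either reporter's setup, only what to look for when these numbers appear.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child that exits with `code` and reap it with waitpid(), which is
 * what Perl does underneath close() on a piped open or an explicit waitpid().
 * Returns the raw wait status on success (*err = 0), or -1 with *err set to
 * errno when waitpid() fails. With ignore_sigchld set, SIGCHLD is set to
 * SIG_IGN first; POSIX then auto-reaps the child and waitpid() fails with
 * ECHILD, strerror "No child processes", once the child has exited. */
int run_child_and_wait(int code, int ignore_sigchld, int *err)
{
    int status = 0;
    pid_t pid;

    *err = 0;
    if (signal(SIGCHLD, ignore_sigchld ? SIG_IGN : SIG_DFL) == SIG_ERR) {
        *err = errno;
        return -1;
    }
    pid = fork();
    if (pid < 0) {
        *err = errno;
        return -1;
    }
    if (pid == 0)
        _exit(code);                    /* stands in for the external command */
    if (waitpid(pid, &status, 0) < 0) {
        *err = errno;
        return -1;
    }
    return status;
}

/* Perl's >> operates on the unsigned representation, so `$? >> 8` with
 * $? == -1 is 0xFFFFFFFF >> 8 = 16777215 on a 32-bit perl (and
 * 0x00FFFFFFFFFFFFFF on a 64-bit one), not an exit code at all. */
unsigned long perl_shift32(int status)
{
    return ((unsigned long)(unsigned int)status) >> 8;
}

int main(void)
{
    int err, status;

    status = run_child_and_wait(1, 0, &err);
    printf("SIGCHLD default: status=%d exit=%d err=%d\n",
           status, WIFEXITED(status) ? WEXITSTATUS(status) : -1, err);

    status = run_child_and_wait(1, 1, &err);
    printf("SIGCHLD ignored: waitpid -> %d, errno=%d (%s), $? >> 8 would be %lu\n",
           status, err, strerror(err), perl_shift32(status));
    return 0;
}
```

When these values show up, the check is on the parent, not the external program: on Linux, `strace -f -e trace=rt_sigaction,wait4 -p <radiusd pid>` shows whether SIGCHLD has been set to SIG_IGN in that process and whether the wait4() for the child returns -1 ECHILD; the external program's own exit code cannot change that result.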