Your message dated Tue, 25 Oct 2016 20:06:43 +0200
with message-id
<CA+fnjVBnMKQEntK=7c9559p11gq+vsq9g9rlvupwd0syyym...@mail.gmail.com>
and subject line Including additional users file doesn't work without full path
to the file in the INCLUDE statement
has caused the Debian Bug report #779557,
regarding Including additional users file doesn't work without full path to the
file in the INCLUDE statement
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
779557: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779557
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: freeradius
Version: 2.1.12+dfsg-1.2
Severity: normal
Dear maintainer,
There is a small problem with including another 'users' file with '$INCLUDE
users.other'. Just take a look at my simple setup.
Working directory:
(root@poligon freeradius)# pwd
/etc/freeradius
Two 'users' files:
(root@poligon freeradius)# ls -l users*
-rw-r--r-- 1 root root 6618 Mar 2 10:17 users
-rw-r--r-- 1 root freerad 34 Mar 2 10:04 users.login
One user defined in the standard 'users' file (at the beginning of the file):
(root@poligon freeradius)# grep bob users
bob Cleartext-Password := "hello"
One user defined in the additional 'users' file:
(root@poligon freeradius)# cat users.login
ben Cleartext-Password := "hello"
Including without full path:
$INCLUDE users.login
Effect:
([email protected] ~)# radtest ben hello localhost 0 testing123
Sending Access-Request of id 250 to 127.0.0.1 port 1812
User-Name = "ben"
User-Password = "hello"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=250, length=20
Including with full path:
$INCLUDE /etc/freeradius/users.login
Authorization is working fine:
(root@poligon ~)# radtest ben hello localhost 0 testing123
Sending Access-Request of id 136 to 127.0.0.1 port 1812
User-Name = "ben"
User-Password = "hello"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=136, length=20
I believe this is some bug, as I don't see such behavior on CentOS/RHEL 6
native package and vanilla build on Slackware.
There are two debug logs attached.
Regards,
Mike
POLAND
rad_recv: Access-Request packet from host 127.0.0.1 port 37290, id=246, length=73
User-Name = "ben"
User-Password = "hello"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x5edf5dc66d82c3ff177f3143b2c6fc49
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "ben", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry ben at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "hello"
[pap] Using clear text password "hello"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [ben] (from client localhost port 0)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 246 to 127.0.0.1 port 37290
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 246 with timestamp +3
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 45288, id=64, length=73
User-Name = "ben"
User-Password = "hello"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0xf74c34ed60a5138376e0ffbbf72f088a
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "ben", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [ben/hello] (from client localhost port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> ben
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 64 to 127.0.0.1 port 45288
Waking up in 4.9 seconds.
Cleaning up request 0 ID 64 with timestamp +3
Ready to process requests.
--- End Message ---
--- Begin Message ---
Fixed in 2.2.5, as confirmed by the reporter in previous comment.
--- End Message ---
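
The workaround shown in the report (an absolute path in $INCLUDE) can be checked mechanically on hosts that have not yet reached the fixed version. The script below is an added example, not part of the bug report or of FreeRADIUS; audit_includes and make_sample are hypothetical names, the sample files are constructed, and it assumes a relative path is meant relative to the directory of the including file.

```shell
#!/bin/sh
# audit_includes FILE  (hypothetical helper, not a FreeRADIUS tool)
# Reports every $INCLUDE directive in a 'users'-style file:
#   ABSOLUTE <path>           already an absolute path
#   RELATIVE <path> -> <abs>  relative path and the absolute form to write instead
#   MISSING <abs>             resolved target is not a readable regular file
# Assumption: a relative path is meant relative to the directory of FILE.
# Returns 0 if every include is absolute and readable, 1 otherwise.
audit_includes() {
    file=$1
    dir=$(cd "$(dirname "$file")" && pwd) || return 2
    status=0
    # '|| [ -n "$keyword" ]' also processes a last line with no trailing newline
    while read -r keyword target _rest || [ -n "$keyword" ]; do
        if [ "$keyword" = '$INCLUDE' ] && [ -n "$target" ]; then
            case $target in
                /*) abs=$target
                    echo "ABSOLUTE $target" ;;
                *)  abs=$dir/$target
                    echo "RELATIVE $target -> $abs"
                    status=1 ;;
            esac
            [ -f "$abs" ] && [ -r "$abs" ] || { echo "MISSING $abs"; status=1; }
        fi
    done < "$file"
    return "$status"
}

# Constructed sample mirroring the report's layout: 'users' includes
# 'users.login' by relative path; the second include is a constructed
# absolute path that does not exist.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' 'bob Cleartext-Password := "hello"' \
        '$INCLUDE users.login' \
        '$INCLUDE /nonexistent/users.extra' > "$d/users"
    printf '%s\n' 'ben Cleartext-Password := "hello"' > "$d/users.login"
    echo "$d"
}

sample=$(make_sample)
audit_includes "$sample/users" || echo "includes above need an absolute, readable path"
rm -rf "$sample"
```

Run it as the account the daemon runs under so the readability check reflects what the server itself can open.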