Bug#810884: freeradius: auth-user-pass with file credentials not re-read when tunnel re-start if auth-nocache enabled

2016-01-13 Thread MikeB
Package: freeradius
Version: 2.2.5+dfsg-0.2
Severity: normal

Dear Maintainer,

Freeradius package should be upgraded according to those upstream bugs:
https://community.openvpn.net/openvpn/ticket/225 (main)
https://community.openvpn.net/openvpn/ticket/308 (duplicate)
https://community.openvpn.net/openvpn/ticket/248 (duplicate)

This problem occurs when package from Jessie is used. Problem doesn't occur 
when upstream latest package is used.

Regards,
Mike

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages freeradius depends on:
ii  adduser             3.113+nmu3
ii  ca-certificates     20141019
ii  freeradius-common   2.2.5+dfsg-0.2
ii  libc6               2.19-18+deb8u1
ii  libfreeradius2      2.2.5+dfsg-0.2
ii  libgdbm3            1.8.3-13.1
ii  libltdl7            2.4.2-1.11
ii  libpam0g            1.1.8-3.1
ii  libperl5.20         5.20.2-3+deb8u2
ii  libpython2.7        2.7.9-2
ii  libssl1.0.0         1.0.1k-3+deb8u2
ii  lsb-base            4.1+Debian13+nmu1
ii  ssl-cert            1.0.35

Versions of packages freeradius recommends:
ii  freeradius-utils  2.2.5+dfsg-0.2

Versions of packages freeradius suggests:
pn  freeradius-krb5
pn  freeradius-ldap
pn  freeradius-mysql   
pn  freeradius-postgresql  

-- Configuration Files:
/etc/freeradius/clients.conf changed [not included]
/etc/freeradius/eap.conf changed [not included]
/etc/freeradius/experimental.conf changed [not included]
/etc/freeradius/modules/inner-eap changed [not included]
/etc/freeradius/users changed [not included]

-- no debconf information



Bug#779557: Including additional users file doesn't work without full path to the file in the INCLUDE statement

2015-03-02 Thread MikeB
Package: freeradius
Version: 2.1.12+dfsg-1.2
Severity: normal

Dear maintainer,

There is a small problem with including another 'users' file with '$INCLUDE 
users.other'. Just take a look at my simple setup.

Working directory:
(root@poligon freeradius)# pwd
/etc/freeradius

Two 'users' files:
(root@poligon freeradius)# ls -l users*
-rw-r--r-- 1 root root    6618 Mar  2 10:17 users
-rw-r--r-- 1 root freerad   34 Mar  2 10:04 users.login

One user defined in the standard 'users' file (at the beginning of the file):
(root@poligon freeradius)# grep bob users
bob Cleartext-Password := "hello"

One user defined in the additional 'users' file:
(root@poligon freeradius)# cat users.login 
ben Cleartext-Password := "hello"

Including without full path:
$INCLUDE users.login

Effect:
(r...@poligon.test.local ~)# radtest ben hello localhost 0 testing123 
Sending Access-Request of id 250 to 127.0.0.1 port 1812
User-Name = "ben"
User-Password = "hello"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=250, length=20

Including with full path:
$INCLUDE /etc/freeradius/users.login

Authorization is working fine:
(root@poligon ~)# radtest ben hello localhost 0 testing123 
Sending Access-Request of id 136 to 127.0.0.1 port 1812
User-Name = "ben"
User-Password = "hello"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=136, length=20

I believe this is some bug, as I don't see such behavior on CentOS/RHEL 6 
native package and vanilla build on Slackware.

There are two debug logs attached.

Regards,
Mike
POLAND

rad_recv: Access-Request packet from host 127.0.0.1 port 37290, id=246, length=73
User-Name = "ben"
User-Password = "hello"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x5edf5dc66d82c3ff177f3143b2c6fc49
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "ben", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry ben at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "hello"
[pap] Using clear text password "hello"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [ben] (from client localhost port 0)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 246 to 127.0.0.1 port 37290
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 246 with timestamp +3
Ready to process requests.

rad_recv: Access-Request packet from host 127.0.0.1 port 45288, id=64, length=73
User-Name = "ben"
User-Password = "hello"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0xf74c34ed60a5138376e0ffbbf72f088a
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "ben", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [ben/hello] (from client localhost port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> ben
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 64 to 127.0.0.1 port 45288
Waking up in 4.9 seconds.
Cleaning up request 0 ID 64 with timestamp +3
Ready to process requests.
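An added configuration check for the `$INCLUDE` problem in the second report (example code written here, not part of the bug report or of the FreeRADIUS project): it scans a `users` file for `$INCLUDE` lines, flags relative targets (the form that failed on the Debian 2.1.12 package), verifies that each target exists, and produces the workaround the reporter used, rewriting relative includes as absolute paths. The file tree it builds in a temporary directory is constructed to mirror the reporter's layout; the resolution rule (relative to the including file's directory) is this script's assumption, not a statement about how rlm_files resolves paths.

```python
import os
import re
import tempfile

# Matches "$INCLUDE <target>" at the start of a users-file line.
INCLUDE_RE = re.compile(r'^(\s*\$INCLUDE\s+)(\S+)(.*)$')


def find_includes(users_path):
    """Return (target, is_relative, resolved_path, exists) for every $INCLUDE.

    Assumption of this check: relative targets are resolved against the
    directory of the including file (the behaviour the reporter expected).
    """
    base = os.path.dirname(os.path.abspath(users_path))
    found = []
    with open(users_path) as fh:
        for line in fh:
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            target = m.group(2)
            is_relative = not os.path.isabs(target)
            resolved = os.path.join(base, target) if is_relative else target
            found.append((target, is_relative, resolved, os.path.isfile(resolved)))
    return found


def absolutize_includes(users_path):
    """Return the users file text with every relative $INCLUDE made absolute
    (the workaround that made 'ben' authenticate in the report)."""
    base = os.path.dirname(os.path.abspath(users_path))
    out = []
    with open(users_path) as fh:
        for line in fh:
            m = INCLUDE_RE.match(line)
            if m and not os.path.isabs(m.group(2)):
                line = m.group(1) + os.path.join(base, m.group(2)) + m.group(3) + "\n"
            out.append(line)
    return "".join(out)


def build_demo_tree():
    """Constructed sample: a main users file plus users.login, like the report."""
    root = tempfile.mkdtemp(prefix="freeradius-demo-")
    with open(os.path.join(root, "users.login"), "w") as fh:
        fh.write('ben Cleartext-Password := "hello"\n')
    with open(os.path.join(root, "users"), "w") as fh:
        fh.write('bob Cleartext-Password := "hello"\n')
        fh.write("$INCLUDE users.login\n")            # relative: flagged
        fh.write("$INCLUDE /nonexistent/users.extra\n")  # absolute but missing
    return os.path.join(root, "users")
```

Running `find_includes` against the real `/etc/freeradius/users` lists every include that would need the full-path form, and `absolutize_includes` yields the rewritten file to review before replacing the original.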