Re: Re: rlm_counter: Failed to open file /etc/raddb/db.daily:, Permission denied

2008-11-14 Thread Romain Mercier




Hi,

I got the same issue and I solved it by modifying the file:
/usr/local/etc/raddb/radiusd.conf

I replaced the line:
db_dir = $(raddbdir)

By:
db_dir = ${raddbdir}

I use FreeRADIUS 2.0.5 on FreeBSD 6.3.


[EMAIL PROTECTED] wrote:

  
Message: 2
Date: Thu, 13 Nov 2008 18:21:17 -0500
From: Ted Lum <[EMAIL PROTECTED]>
Subject: Re: rlm_counter: Failed to open file /etc/raddb/db.daily: Permission denied
To: Alan DeKok <[EMAIL PROTECTED]>
Cc: FreeRadius users mailing list
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

The default user and group have not been modified.
The server DOES NOT run as root. It always starts as root, but changes 
itself.

...from radiusd.conf
#   We STRONGLY recommend that you run the server with as few permissions
#   as possible.  That is, if you're not using shadow passwords, the
#   user and group items below should be set to radius'.

 They are:

user = radiusd
group = radiusd

In fact, the db.daily file was created by the application and this is 
the sole reason for the file's ownership being what it is.

In addition I have moved the location to /tmp where everyone has 
permission and it still fails.

This is a ps after "service start radiusd":
UID        PID  PPID  C STIME TTY          TIME CMD
radiusd   6909     1  0 Nov12 ?        00:00:00 /usr/sbin/radiusd

This is a ps after "/usr/sbin/radiusd -X":
UID        PID  PPID  C STIME TTY          TIME CMD
radiusd   6998  6933  5 15:48 pts/0    00:00:00 /usr/sbin/radiusd -X

This is a ps after "strace /usr/sbin/radiusd":
UID        PID  PPID  C STIME TTY          TIME CMD
radiusd   7004     1  0 15:50 ?        00:00:00 /usr/sbin/radiusd

In all cases it's running as radiusd.

So, any more ideas on how to fix this?

-Ted-

Alan DeKok wrote:
> Ted Lum wrote:
>>   Any idea how to fix this?
>
>   Don't edit the default configuration files to break them.
>
>   The default configuration files have the server running as root.
> You've changed that to a user who does NOT have permission to read the
> configuration files.
>
>>   Wed Nov 12 21:29:16 2008 : Error: rlm_counter: Failed to open file
>> /etc/raddb/db.daily: Permission denied
>> ...
>>   /etc/raddb
>> -rw-------  1 radiusd radiusd 12312 Nov 12 21:29 db.daily
>
>   The server isn't running as user "radiusd/radiusd".  Fix that.
>
>>   This works:
>> # /usr/sbin/radiusd -X
>
>   Because you're running it as root.
>
>>   This works:
>> # strace /usr/sbin/radiusd
>
>   Because you're running it as root.
>
>>   This does not work:
>> # service radiusd start
>> Starting RADIUS server:[FAILED]
>
>   Because it changes UID's, and does not run as root.
>
>   Alan DeKok.

-- 
Romain Mercier
Université d'Angers - Direction des Systèmes d'Information
Service Systèmes et Réseaux
Tel/Fax : 02-41-22-67-62/51
@ : [EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
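The thread above turns on two separate things: a `db_dir` that was written as `$(raddbdir)` instead of `${raddbdir}`, and a server that starts as root but drops to `radiusd`, so `radiusd -X` run by hand works while the init script does not. The following is an added example, not code from the thread or from the FreeRADIUS project. It resolves `${name}` references in a flat `name = value` fragment (a constructed subset of the real radiusd.conf grammar), flags `$(name)` as unexpanded on the assumption, taken from Romain's report, that the server does not expand that form, and applies the ordinary Unix owner/group/other rule to the `db.daily` line Ted posted to show which users can open it.

```python
"""Added example (not from the thread or FreeRADIUS): ${name} resolution for a
radiusd.conf-style fragment, plus the Unix DAC check behind the Permission denied error."""
import re

CONF_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")     # FreeRADIUS variable reference
SHELL_STYLE = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")  # assumed to be left literal by the server


def parse_flat_conf(text):
    """Minimal `name = value` parser (constructed; ignores sections and the real grammar)."""
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            values[name.strip()] = value.strip()
    return values


def resolve_conf(values, max_depth=10):
    """Expand ${name} references (bounded, so a self-reference cannot loop forever).
    Returns (resolved, unexpanded): names whose value still contains $(...)."""
    resolved, unexpanded = {}, []
    for name, value in values.items():
        for _ in range(max_depth):
            expanded = CONF_REF.sub(lambda m: values.get(m.group(1), m.group(0)), value)
            if expanded == value:
                break
            value = expanded
        if SHELL_STYLE.search(value):
            unexpanded.append(name)
        resolved[name] = value
    return resolved, unexpanded


def parse_ls_mode(mode_str):
    """Turn an `ls -l` mode string such as -rw------- into permission bits (0o600)."""
    bits = 0
    for i, ch in enumerate(mode_str[1:10]):
        if ch not in "-ST":  # capital S/T: setuid/setgid/sticky without the execute bit
            bits |= 1 << (8 - i)
    return bits


def can_open(mode_str, owner, group, user, groups, write=False):
    """Unix DAC: root (CAP_DAC_OVERRIDE) bypasses; otherwise exactly one class is consulted:
    owner if the uid matches, else group if any gid matches, else other."""
    if user == "root":
        return True
    bits = parse_ls_mode(mode_str)
    shift = 6 if user == owner else 3 if group in groups else 0
    cls = (bits >> shift) & 0o7
    need = 0o6 if write else 0o4
    return cls & need == need


# Constructed fragment using the thread's two spellings of db_dir.
BROKEN_CONF = """
prefix = /usr/local
raddbdir = ${prefix}/etc/raddb
db_dir = $(raddbdir)
"""
FIXED_CONF = BROKEN_CONF.replace("$(raddbdir)", "${raddbdir}")

# From the thread: the counter file as the server created it (mode, owner, group).
DB_DAILY = ("-rw-------", "radiusd", "radiusd")


def check_thread_case():
    broken, bad = resolve_conf(parse_flat_conf(BROKEN_CONF))
    fixed, _ = resolve_conf(parse_flat_conf(FIXED_CONF))
    return {
        "broken_db_dir": broken["db_dir"],
        "unexpanded": bad,
        "fixed_db_dir": fixed["db_dir"],
        "as_radiusd": can_open(*DB_DAILY, "radiusd", ["radiusd"], write=True),
        "as_root": can_open(*DB_DAILY, "root", ["wheel"], write=True),   # why -X as root works
        "as_nobody": can_open(*DB_DAILY, "nobody", ["nobody"]),          # a wrong drop-to user
    }


if __name__ == "__main__":
    for key, val in check_thread_case().items():
        print(f"{key}: {val}")
```

The DAC function reproduces the point Alan makes: running the daemon as root hides ownership mistakes, so a file that opens fine under `radiusd -X` can still fail once the init script drops privileges. Checking the resolved `db_dir` and the file's owner against the configured `user`/`group` before starting the service catches both problems without ever running the server as root.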

Using counter module

2008-11-03 Thread Romain Mercier

Hi !

I would like to use the counter module (not the sql_counter module) of 
FreeRADIUS 2.0.5 and I have questions about it:


1 - If it's possible, how can I display the value of a counter in the 
reply message?


2 - I have created a counter based on Acct-Output-Octets, so when a 
user reaches the threshold, the Reply-Message is replaced by:

"Your maximum daily usage time has been reached".
I would like to modify it depending on the threshold reached (I will 
place 2 or 3 different counters) because it's in English, because I display 
this Reply-Message on my error page, and because the threshold does not 
depend on time :)

Is it possible and how can I do it?

Thank you for your help

--

Romain Mercier

Université d'Angers
Service Systèmes et Réseaux
@ : [EMAIL PROTECTED]


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Access-Challenge with Avaya

2007-03-14 Thread Romain Mercier
cdc\3d\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3d\2cou\3dpeople\2cdc\3d\2cdc\3dfr
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=,ou=people,dc=,dc=fr, with filter 
(objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group perso
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 119
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 23 to  port 1812
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "364"
Reply-Message = "Vous etes sur le reseau personnel"
EAP-Message = 0x010300061520
Message-Authenticator = 0x
State = 0xad191c63a681aa59b3cad2358e5001c6
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 23 with timestamp 45f7ff88
Nothing to do.  Sleeping until we see a request.

I've tried to do what Avaya's support wrote to configure FreeRADIUS for 802.1X 
support, but it doesn't work.
 ---
Romain Mercier

Université d'Angers - CRI Service Systèmes & Réseaux
40 rue de Rennes
49035 Angers Cedex - France


>From:
>[EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]
>ius.org] On behalf of Romain Mercier
>Sent: Tuesday 13 March 2007 12:10
>To: 'FreeRadius users mailing list'
>Subject: Access-Challenge with Avaya
>
>Hello !
>

>I am having trouble with an Avaya P334T switch.
>I am trying to authenticate users directly connected to ports of the switch.
>I have configured the switch well, I think, because the access-request is sent
>to the radius, but then the radius sends an access-challenge to the switch and
>nothing is done after.
>There is no answer from the switch and the user cannot access the network, but
>it is not rejected by the radius.
>I think the problem comes from the switch because authentication on a
>wireless access-point connected to this switch works fine.
>
>Did anybody encounter the same problem? Any idea?
>
>Thanks for your help
>
>-
>
>Romain Mercier - Technicien réseau et sécurité 
>
>Université d'Angers - CRI Service Systèmes & Réseaux 
>
>40 rue de Rennes 
>
>49035 Angers Cedex - France
>
>
>

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
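The debug output in this message ends with the server sending an Access-Challenge and then waiting; the switch never comes back with the next Access-Request. The attributes in that challenge say exactly what the switch was asked to do. The following is an added example, not code from the thread or from FreeRADIUS: it parses the attribute lines as `radiusd -X` printed them (the NAS address, blank in the archive, is replaced by a labelled placeholder), decodes the `EAP-Message` header and TLS-family flags, and reports what the NAS has to relay and echo. The decode shows an EAP-Request, identifier 3, type 21 (TTLS) with the Start flag set, and a State value the switch must return unchanged.

```python
"""Added example (not from the thread or FreeRADIUS): decode the Access-Challenge
attributes printed in the debug output above and spell out what the NAS must do next."""
import re

# Attribute lines as FreeRADIUS -X prints them ("Name:tag = value").
ATTR_LINE = re.compile(r"^\s*([A-Za-z0-9-]+)(?::\d+)?\s*=\s*(.+?)\s*$")

# Constructed from the debug output quoted in this message; <nas-ip> is a placeholder.
CHALLENGE_LOG = """\
Sending Access-Challenge of id 23 to <nas-ip> port 1812
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "364"
Reply-Message = "Vous etes sur le reseau personnel"
EAP-Message = 0x010300061520
Message-Authenticator = 0x
State = 0xad191c63a681aa59b3cad2358e5001c6
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}


def parse_reply_attrs(log):
    """Collect 'Attr = value' lines into a dict; tags such as ':0' are dropped."""
    attrs = {}
    for line in log.splitlines():
        m = ATTR_LINE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs


def decode_eap(hex_value):
    """Parse an EAP packet: Code(1) Id(1) Length(2) [Type(1) [Flags(1) ...]] (RFC 3748).
    For the TLS-based types the first data byte carries the L/M/S flags (RFC 5216, RFC 5281)."""
    data = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(data) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError("EAP Length %d does not match %d bytes present" % (length, len(data)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        eap_type = data[4]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type in (13, 21, 25) and length >= 6:
            flags = data[5]
            pkt["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
            pkt["version"] = flags & 0x07  # TTLS and PEAP carry a version number in the low bits
    return pkt


def analyse_challenge(log):
    """Return what the challenge asks of the switch and what it must send back."""
    attrs = parse_reply_attrs(log)
    eap = decode_eap(attrs["EAP-Message"])
    return {
        "eap": eap,
        # An EAP-Request with S (Start) set asks the supplicant to begin the TLS handshake;
        # the NAS must carry it to the port in an EAPOL frame.
        "starts_tls_handshake": eap.get("flags", {}).get("S", False),
        # State ties the next Access-Request to this conversation; the NAS echoes it
        # unmodified (RFC 2865 section 5.24).
        "state_to_echo": attrs.get("State"),
        # Tunnel-* on a Challenge are not an authorization yet: the port stays
        # unauthorized until an Access-Accept arrives.
        "vlan_on_challenge": attrs.get("Tunnel-Private-Group-Id"),
    }


if __name__ == "__main__":
    print(analyse_challenge(CHALLENGE_LOG))
```

When a switch goes silent at this point, the two things worth checking on its side are whether it forwards the EAP-Request to the port at all and whether the next Access-Request, if any, carries the same State value; a challenge that is never answered is a NAS problem, not a server one, which matches the observation that a wireless access point behind the same server completes the exchange.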

RE: Access-Challenge with Avaya

2007-03-14 Thread Romain Mercier
Nobody can help me?

 

-

Romain Mercier - Technicien réseau et sécurité 

Université d'Angers - CRI Service Systèmes & Réseaux 

40 rue de Rennes 

49035 Angers Cedex - France

From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
ius.org] On behalf of Romain Mercier
Sent: Tuesday 13 March 2007 12:10
To: 'FreeRadius users mailing list'
Subject: Access-Challenge with Avaya

 

Hello !

 

I am having trouble with an Avaya P334T switch.

I am trying to authenticate users directly connected to ports of the switch.

I have configured the switch well, I think, because the access-request is sent
to the radius, but then the radius sends an access-challenge to the switch and
nothing is done after.

There is no answer from the switch and the user cannot access the network, but
it is not rejected by the radius.

I think the problem comes from the switch because authentication on a
wireless access-point connected to this switch works fine.

 

Did anybody encounter the same problem? Any idea?

 

Thanks for your help

 

-----

Romain Mercier - Technicien réseau et sécurité 

Université d'Angers - CRI Service Systèmes & Réseaux 

40 rue de Rennes 

49035 Angers Cedex - France

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Access-Challenge with Avaya

2007-03-13 Thread Romain Mercier
Hello !

 

I am having trouble with an Avaya P334T switch.

I am trying to authenticate users directly connected to ports of the switch.

I have configured the switch well, I think, because the access-request is sent
to the radius, but then the radius sends an access-challenge to the switch and
nothing is done after.

There is no answer from the switch and the user cannot access the network, but
it is not rejected by the radius.

I think the problem comes from the switch because authentication on a
wireless access-point connected to this switch works fine.

 

Did anybody encounter the same problem? Any idea?

 

Thanks for your help

 

-

Romain Mercier - Technicien réseau et sécurité 

Université d'Angers - CRI Service Systèmes & Réseaux 

40 rue de Rennes 

49035 Angers Cedex - France

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: FreeRadius + OpenLDAP + VLAN

2007-02-14 Thread Romain Mercier
I’m sorry, I didn’t search far enough into the mail archive of
freeradius-users.

I have searched a bit more and found my answer in a thread called:

“Assigning VLAN based on LDAP attribute”

 

Romain Mercier

From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
ius.org] On behalf of Romain Mercier
Sent: Wednesday 14 February 2007 09:55
To: 'FreeRadius users mailing list'
Subject: FreeRadius + OpenLDAP + VLAN

 

Hi,

 

I want to assign users to a certain VLAN depending on an attribute stored
in LDAP.

At the moment, I use the files module to do that and it works in a first test but
doesn’t take the attribute into account.

 

How can I use the attribute I created?

 

In the ldap.attrmap file I add this line:

checkItem Ldap-Group   auaStatut

 

In the users file I add these lines:

DEFAULT Ldap-Group == ""
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 1,
        Fall-Through = 0

 

Does anybody have an idea?

 

Romain Mercier

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

FreeRadius + OpenLDAP + VLAN assignation

2007-02-14 Thread Romain Mercier
Hi,

 

I want to assign users to a certain VLAN depending on an attribute stored
in LDAP.

At the moment, I use the files module to do that and it works in a first test but
doesn't take the attribute into account.

 

How can I use the attribute I created?

 

In the ldap.attrmap file I add this line:

checkItem Ldap-Group   auaStatut

 

In the users file I add these lines:

DEFAULT Ldap-Group == ""
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 1,
        Fall-Through = 0

 

Does anybody have an idea?

 

Romain Mercier

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
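Both VLAN messages above (the question and the follow-up that found the "Assigning VLAN based on LDAP attribute" thread) rely on the same two steps: `ldap.attrmap` copies a directory attribute into a RADIUS check item, and the `users` file matches on that check item to hand out `Tunnel-*` reply attributes. The following is an added example, not code from the thread or from FreeRADIUS, that models those two steps. It assumes the LDAP attribute `auaStatut` is mapped to a hypothetical check attribute `LDAP-Statut` (which would need a local dictionary entry) rather than to `Ldap-Group`, since rlm_ldap uses `Ldap-Group` for its own group-membership comparison (the `ldap_groupcmp` line in the earlier debug log); the status values and VLAN ids are constructed, and the last, check-less `DEFAULT` entry puts anyone unmatched into an isolated VLAN rather than leaving the outcome undefined.

```python
"""Added example (not from the thread or FreeRADIUS): ldap.attrmap-style mapping of an
LDAP attribute to a check item, then first-match `users` evaluation that assigns a VLAN."""
import re

# Assumed ldap.attrmap line: "checkItem  LDAP-Statut  auaStatut".  LDAP-Statut is hypothetical.
ATTRMAP = {"auaStatut": "LDAP-Statut"}

# Constructed users entries.  A line starting in column 0 opens an entry (name + check items);
# indented lines hold comma-separated reply items.  VLAN ids are made up.
USERS_FILE = '''
DEFAULT  LDAP-Statut == "staff"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = 10,
         Fall-Through = No

DEFAULT  LDAP-Statut == "student"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = 20,
         Fall-Through = No

DEFAULT
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = 1
'''

ITEM = re.compile(r'([A-Za-z0-9-]+)\s*(==|!=|=)\s*("[^"]*"|[^,\s]+)')


def parse_users(text):
    """Parse users-file entries into [{name, checks: {attr: (op, value)}, reply: {attr: value}}]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            name, _, rest = line.partition(" ")
            checks = {a: (op, v.strip('"')) for a, op, v in ITEM.findall(rest)}
            entries.append({"name": name, "checks": checks, "reply": {}})
        else:
            for a, _op, v in ITEM.findall(line):
                entries[-1]["reply"][a] = v.strip('"')
    return entries


def map_ldap_entry(ldap_entry):
    """The ldap.attrmap step: LDAP attribute -> RADIUS check item; unmapped attributes are ignored."""
    return {ATTRMAP[k]: v for k, v in ldap_entry.items() if k in ATTRMAP}


def authorize(entries, check_items, username):
    """users-file semantics: an entry applies when its name is the user or DEFAULT and every
    check item matches; evaluation stops at the first match unless it sets Fall-Through = Yes.
    A check item whose attribute is absent from the request does not match."""
    reply = {}
    for e in entries:
        if e["name"] not in ("DEFAULT", username):
            continue
        matched = True
        for attr, (op, want) in e["checks"].items():
            have = check_items.get(attr)
            if op == "==" and have != want:
                matched = False
            elif op == "!=" and (have is None or have == want):
                matched = False
        if not matched:
            continue
        reply.update({k: v for k, v in e["reply"].items() if k != "Fall-Through"})
        if e["reply"].get("Fall-Through", "No").lower() not in ("yes", "1"):
            break
    return reply


def vlan_for(ldap_entry, username):
    reply = authorize(parse_users(USERS_FILE), map_ldap_entry(ldap_entry), username)
    return reply.get("Tunnel-Private-Group-Id")


if __name__ == "__main__":
    # Constructed directory entries: staff, student, and an account with no status at all.
    for user, entry in {"alice": {"auaStatut": "staff"}, "bob": {"auaStatut": "student"}, "carol": {}}.items():
        print(user, "->", "VLAN", vlan_for(entry, user))
```

The ordering matters: because evaluation is first-match, the catch-all entry has to come last, and every policy entry above it should end with `Fall-Through = No` so that a matched user does not also pick up the fall-back VLAN.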

RE: FreeRadius + OpenLDAP (SMD5) + Windows XP

2007-02-09 Thread Romain Mercier
Thanks a lot Phil for your help. It's OK now.
With SecureW2 and PAP on the user's PC and using TTLS,
I added these lines to my configuration:

modules {
    ...
    eap {
        default_eap_type = ttls
        ...
        gtc {
            auth_type = PAP
        }
        ttls {
            default_eap_type = gtc
        }
        ...
    }
    ...
}

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: FreeRadius + OpenLDAP (SMD5) + Windows XP

2007-02-09 Thread Romain Mercier
>Phil Mayers wrote:
>You'd still need to install something on the clients. SecureW2 will do 
>TTLS with PAP inside the tunnel, which would work.

I installed SecureW2 and tried PAP, but didn't understand that I need the TTLS
module with PAP. I will try this. Thanks

>If your constraint is "no client software", you need the plaintext, 
>NT/LM passwords or samba+ntlm_auth
>
>If you install SecureW2 and use TTLS+PAP you can check your passwords 
>against ANYTHING because PAP supplies the username/password to the 
>radius server and obviously it can do any kind of hashing or callout 
>with it.




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
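Phil's point in this exchange, and the reason the TTLS/GTC/PAP configuration in the previous message works against an OpenLDAP `{SMD5}` password, is that PAP inside the tunnel delivers the cleartext password to the server, which can then recompute any salted digest; MS-CHAPv2 only works from an NT hash or cleartext, and CHAP or EAP-MD5 need cleartext. The following is an added example, not code from the thread or from FreeRADIUS or OpenLDAP: it builds and verifies `{SMD5}` and `{SSHA}` `userPassword` values in the OpenLDAP layout (digest of password followed by salt, then the salt, base64-encoded) and tabulates which stored form each inner method can be checked against. The password and salt are constructed. The cleartext crosses the air only inside the TLS tunnel, so the SecureW2 client has to be configured to verify the server certificate for this to hold.

```python
"""Added example (not from the thread, FreeRADIUS or OpenLDAP): verify OpenLDAP {SMD5}/{SSHA}
userPassword values from a cleartext, and which inner methods allow that at all."""
import base64
import hashlib
import hmac
import os

SCHEMES = {"SMD5": ("md5", 16), "SSHA": ("sha1", 20)}  # scheme -> (hash, digest length)


def ldap_hash(password, scheme="SMD5", salt=None):
    """OpenLDAP layout: {SCHEME} + base64(digest(password || salt) || salt)."""
    algo, _ = SCHEMES[scheme]
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_ldap_password(stored, candidate):
    """What the server can do once PAP has handed it the cleartext: split digest and salt,
    recompute, and compare in constant time."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("expected a {SCHEME}base64 value")
    scheme, b64 = stored[1:].split("}", 1)
    algo, digest_len = SCHEMES[scheme.upper()]
    raw = base64.b64decode(b64)
    digest, salt = raw[:digest_len], raw[digest_len:]
    recomputed = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(recomputed, digest)


# Credential the server must hold to verify each inner method.  None means "anything":
# PAP supplies the password itself, so the server can run whatever check it likes.
REQUIRED_CREDENTIAL = {
    "PAP": None,
    "MSCHAPv2": {"CLEARTEXT", "NT"},
    "CHAP": {"CLEARTEXT"},
    "EAP-MD5": {"CLEARTEXT"},
}


def server_can_verify(stored_scheme, inner_method):
    """True when the stored password form is usable with the given inner method."""
    needs = REQUIRED_CREDENTIAL[inner_method]
    return needs is None or stored_scheme.upper() in needs


if __name__ == "__main__":
    stored = ldap_hash("correct horse", "SMD5", salt=b"\x01\x02\x03\x04")  # constructed salt
    print(stored)
    print("right password:", verify_ldap_password(stored, "correct horse"))
    print("wrong password:", verify_ldap_password(stored, "wrong"))
    for method in REQUIRED_CREDENTIAL:
        print("SMD5 store via", method, "->", server_can_verify("SMD5", method))
```

The table is the practical takeaway: with a directory that stores only salted digests, the choice is between an inner method that carries the cleartext (PAP over TTLS) or changing what the directory stores, which is what the "NT/LM passwords or samba+ntlm_auth" alternative in Phil's reply amounts to.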