Re: Loading fails without reporting an error

2013-07-12 Thread Alan DeKok
Lovaas,Steven wrote:
 Thanks, Adam... this got me looking at the right thing.
 
 I had a mismatch between the type of the home_server localhost (auth), and 
 the attribute used in one of the realms pointing to the pool that references 
 that home server (pool, instead of auth_pool). Changing the type of the 
 localhost home_server allowed FR to complete loading.

  If you have a simple config that can reproduce it, I'd like to fix the
problem.

  It's likely just adding a printed error message in the home server
code.  But knowing exactly where to add it would be useful.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Loading fails without reporting an error

2013-07-12 Thread Matthew Newton
On Fri, Jul 12, 2013 at 11:19:00AM +0200, Alan DeKok wrote:
 Lovaas,Steven wrote:
  Thanks, Adam... this got me looking at the right thing.
  
  I had a mismatch between the type of the home_server localhost (auth), and 
  the attribute used in one of the realms pointing to the pool that 
  references that home server (pool, instead of auth_pool). Changing the type 
  of the localhost home_server allowed FR to complete loading.
 
   If you have a simple config that can reproduce it, I'd like to fix the
 problem.
 
   It's likely just adding a printed error message in the home server
 code.  But knowing exactly where to add it would be useful.

I've sent a pull request.

It's easy to trigger - take a standard 2.x config and apply the
following patch to the config:

diff --git a/raddb/proxy.conf b/raddb/proxy.conf
index 413fc14..6ceb5cb 100644
--- a/raddb/proxy.conf
+++ b/raddb/proxy.conf
@@ -613,6 +613,7 @@ realm example.com {
#  and acct_pool.
 
auth_pool = my_auth_failover
+   acct_pool = my_auth_failover
 #  acct_pool = acct
 
#
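Review bot: The added `acct_pool = my_auth_failover` line sits directly under `auth_pool = my_auth_failover` with no comment marking it as a deliberate misconfiguration for reproducing the silent exit, and the commented-out `#  acct_pool = acct` example stays right below it. Suggest a comment on the added line saying it is a reproduction-only change, so that it is not read as a recommended setting. Nothing in the hunk shows that `my_auth_failover` is a pool able to take accounting requests.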

There is a distinct lack of errors printed out in realms.c when
it returns. I'm guessing there may be better error messages or
locations to print them, but the pull request will give the right
starting pointers :-)

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: Loading fails without reporting an error

2013-07-12 Thread Matthew Newton
On Fri, Jul 12, 2013 at 11:24:54AM +0100, Matthew Newton wrote:
 On Fri, Jul 12, 2013 at 11:19:00AM +0200, Alan DeKok wrote:
  Lovaas,Steven wrote:
   I had a mismatch between the type of the home_server localhost (auth), 
   and the attribute used in one of the realms pointing to the pool that 
   references that home server (pool, instead of auth_pool). Changing the 
   type of the localhost home_server allowed FR to complete loading.
  It's likely just adding a printed error message in the home server
  code.  But knowing exactly where to add it would be useful.
 
 It's easy to trigger - take a standard 2.x config and apply the
 following patch to the config:

To add to that, the same config error on v3 does give an error
message, but although it's technically true (a home server being
defined by its name *and* type), it's not entirely helpful-

raddb/proxy.conf[593]: Unknown home_server localhost.

Don't know if there are any ways to improve that message - I guess
there are a number of reasons that the home_server might not be
found. The line number should point to the problem section,
though.

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


RE: Loading fails without reporting an error

2013-07-12 Thread Lovaas,Steven
Certainly!

Here's the complete proxy.conf, configured with the mismatch (line 6: type = 
auth, and line 60: pool = csu-auth) such that FR exits before completely 
loading in debug mode. Changing either of these to match (or just omitting that 
pool definition and letting that realm be local) allows FR to load completely.

Thanks for all you do to keep FreeRADIUS working,
Steve



proxy server {
    default_fallback = no
}

home_server localhost {
    type = auth
    ipaddr = 127.0.0.1
    port = 1812
    secret = thisisnotmyrealsecret
    require_message_authenticator = yes
    response_window = 20
    zombie_period = 40
    revive_interval = 120
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
    max_outstanding = 65536
}

home_server tlrs1-eduroam-us {
    type = auth+acct
    ipaddr = 64.57.22.74
    port = 1812
    secret = thisisnotmyrealsecreteither
    require_message_authenticator = yes
    response_window = 20
    zombie_period = 40
    check_interval = 30
    num_answers_to_alive = 3
}

home_server tlrs2-eduroam-us {
    type = auth+acct
    ipaddr = 64.57.22.78
    port = 1812
    secret = noristhisonemyrealsecret
    require_message_authenticator = yes
    response_window = 20
    zombie_period = 40
    check_interval = 30
    num_answers_to_alive = 3
}


home_server_pool csu-auth {
    type = fail-over
    home_server = localhost
}

home_server_pool EDUROAM {
    type = fail-over
    home_server = tlrs1-eduroam-us
    home_server = tlrs2-eduroam-us
}

realm NULL {
}

realm ~(.*\\.)*(colostate|COLOSTATE)\\.(edu|EDU)$ {
    pool = csu-auth
}

realm ~.+$ {
    pool = EDUROAM
    nostrip
}

realm LOCAL {
}

realm DEFAULT {
}



EOF

-Original Message-
From: freeradius-users-bounces+steven.lovaas=colostate@lists.freeradius.org 
[mailto:freeradius-users-bounces+steven.lovaas=colostate@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: Friday, July 12, 2013 3:19 AM
To: FreeRadius users mailing list
Subject: Re: Loading fails without reporting an error

Lovaas,Steven wrote:
 Thanks, Adam... this got me looking at the right thing.
 
 I had a mismatch between the type of the home_server localhost (auth), and 
 the attribute used in one of the realms pointing to the pool that references 
 that home server (pool, instead of auth_pool). Changing the type of the 
 localhost home_server allowed FR to complete loading.

  If you have a simple config that can reproduce it, I'd like to fix the 
problem.

  It's likely just adding a printed error message in the home server code.  But 
knowing exactly where to add it would be useful.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
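
The mismatch reported in the message above can be caught before the server is started. The following is an added example, not part of the thread and not FreeRADIUS code: a small pre-flight check that cross-references realm pool attributes against home_server types. The rule table `NEEDS` is an assumption drawn from what the thread observes (`pool` with a `type = auth` home server fails, `auth_pool` or `type = auth+acct` loads); `SAMPLE`, `parse` and `check` are hypothetical names, and the parser handles flat stanzas only.

```python
import re

# Constructed sample, reduced from the proxy.conf posted above (secrets and timers omitted).
SAMPLE = r"""
home_server localhost {
    type = auth
}
home_server tlrs1-eduroam-us {
    type = auth+acct
}
home_server_pool csu-auth {
    home_server = localhost
}
home_server_pool EDUROAM {
    home_server = tlrs1-eduroam-us
}
realm ~(.*\\.)*(colostate|COLOSTATE)\\.(edu|EDU)$ {
    pool = csu-auth
}
realm ~.+$ {
    pool = EDUROAM
}
"""

STANZA = re.compile(r"^(home_server_pool|home_server|realm)\s+(\S+)\s*\{$")
# Assumed rule, taken from the thread: request types every member of the pool must handle.
NEEDS = {"auth_pool": "auth", "acct_pool": "acct", "pool": "auth+acct"}

def parse(text):
    """Collect (key, value, lineno) triples per flat stanza; nested blocks are not handled."""
    out, current = {"home_server": {}, "home_server_pool": {}, "realm": {}}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = STANZA.match(line)
        if m:
            current = out[m.group(1)].setdefault(m.group(2), [])
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current.append((key, value, lineno))
    return out

def check(text):
    """Return (lineno, message) for each realm whose pool members cannot serve it."""
    cfg = parse(text)
    types = {n: dict((k, v) for k, v, _ in kv).get("type") for n, kv in cfg["home_server"].items()}
    findings = []
    for realm, items in cfg["realm"].items():
        for key, pool, lineno in (i for i in items if i[0] in NEEDS):
            members = [v for k, v, _ in cfg["home_server_pool"].get(pool, []) if k == "home_server"]
            if not members:
                findings.append((lineno, f"realm {realm}: {key} = {pool}: pool missing or empty"))
            for server in members:
                have = types.get(server)
                if have is None:  # undefined server or no explicit type: report, do not guess
                    findings.append((lineno, f"realm {realm}: home_server {server} has no known type"))
                elif set(NEEDS[key].split("+")) - set(have.split("+")):
                    findings.append((lineno, f"realm {realm}: {key} = {pool} needs {NEEDS[key]}, "
                                             f"but home_server {server} is type {have}"))
    return findings

if __name__ == "__main__":
    print(*check(SAMPLE), sep="\n")
```

Either fix mentioned in the thread (switching the realm to `auth_pool`, or the home server to `type = auth+acct`) makes `check` return an empty list.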


Re: Loading fails without reporting an error

2013-07-11 Thread Alan DeKok
Lovaas,Steven wrote:
 Hello again,
 
 I've successfully gotten to the point where local authentication is working 
 well for all modes, using multiple SSIDs through two virtual servers, so I 
 felt confident jumping into the less familiar world of proxying. Not that the 
 concept is hard to understand, it's just always seemed like there were many 
 moving parts (realms and such). With the simpler realm configuration (all in 
 proxy.conf) offered by 2.x, it seems logically laid out and should just work.
 
 But now when I load freerad in debug mode, it simply stops loading with no 
 error, after one of my two home_server_pool stanzas. At that point, it has 
 successfully loaded the basic proxy server, all three home_server stanzas, 
 and the first home_server_pool. It just seems to stall.

  Hmm... it looks like there's a problem with the file.  It doesn't
stop, it *exits*.

  See doc/bugs.  That should help finding out where it's exiting.

  Alan DeKok.


Re: Loading fails without reporting an error

2013-07-11 Thread Adam Bishop
On 11 Jul 2013, at 08:40, Alan DeKok al...@deployingradius.com wrote:
 Lovaas,Steven wrote:
  Hmm... it looks like there's a problem with the file.  It doesn't
 stop, it *exits*.
 
  See doc/bugs.  That should help finding out where it's exiting.


I think I saw this issue a week or so ago -  I've not been able to reproduce 
this on an out-of-the-box configuration; just dropping the home_server and 
home_server_pool stanzas into proxy.conf on a new installation doesn't cause 
the issue.

It seems to occur when you have a home server configured with type = auth.

Simply changing the home_server type to auth+acct makes the config parser happy 
again.

Debug log follows; I'm building debug symbols at the moment to see if I can get 
GDB to give anything more useful.

Adam Bishop
 gpg: 0x6609D460

Janet, the UK's research and education network.



[root@orps2 raddb]# radiusd -X
FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on May 22 
2013 at 10:50:32
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/nrps/nrps.conf
including configuration file /etc/raddb/nrps/nrps-client.conf
including configuration file /etc/raddb/nrps/nrps-server.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules-enabled/
including configuration file /etc/raddb/modules-enabled/expiration
including configuration file /etc/raddb/modules-enabled/sql_log
including configuration file /etc/raddb/modules-enabled/expr
including configuration file /etc/raddb/modules-enabled/always
including configuration file /etc/raddb/modules-enabled/mschap
including configuration file /etc/raddb/modules-enabled/attr_filter
including configuration file /etc/raddb/modules-enabled/exec
including configuration file /etc/raddb/modules-enabled/ntlm_auth
including configuration file /etc/raddb/modules-enabled/files
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/status
including configuration file /etc/raddb/sites-enabled/moonshot
including configuration file /etc/raddb/preproxy.conf
including configuration file /etc/raddb/sites-enabled/transport
including configuration file /etc/raddb/preproxy.conf
including configuration file /etc/raddb/sites-enabled/power
including configuration file /etc/raddb/sites-enabled/eduroam
including configuration file /etc/raddb/sites-enabled/ems
including configuration file /etc/raddb/preproxy.conf
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/infrastructure
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/preproxy.conf
main {
user = radiusd
group = radiusd
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
name = radiusd
prefix = /usr
localstatedir = /var
sbindir = /usr/sbin
logdir = /var/log/radius
run_dir = /var/run/radiusd
libdir = /usr/lib64/freeradius
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 4096
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server ms-perf0 {
ipv6addr = 2001:630:50:d009:250:56ff:fe88:c376 IPv6 address 
[2001:630:50:d009:250:56ff:fe88:c376]
port = 1812
type = auth+acct
secret = 
response_window = 30
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = status-server
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 300
status_check_timeout = 4
 }
 home_server ms-perf1 {
ipaddr = 193.63.63.244

RE: Loading fails without reporting an error

2013-07-11 Thread Lovaas,Steven
Thanks, Adam... this got me looking at the right thing.

I had a mismatch between the type of the home_server localhost (auth), and the 
attribute used in one of the realms pointing to the pool that references that 
home server (pool, instead of auth_pool). Changing the type of the localhost 
home_server allowed FR to complete loading.

Steve


-Original Message-
From: freeradius-users-bounces+steven.lovaas=colostate@lists.freeradius.org 
[mailto:freeradius-users-bounces+steven.lovaas=colostate@lists.freeradius.org]
 On Behalf Of Adam Bishop
Sent: Thursday, July 11, 2013 4:29 AM
To: FreeRadius users mailing list
Subject: Re: Loading fails without reporting an error

On 11 Jul 2013, at 08:40, Alan DeKok al...@deployingradius.com wrote:
 Lovaas,Steven wrote:
  Hmm... it looks like there's a problem with the file.  It doesn't 
 stop, it *exits*.
 
  See doc/bugs.  That should help finding out where it's exiting.


I think I saw this issue a week or so ago -  I've not been able to reproduce 
this on an out-of-the-box configuration; just dropping the home_server and 
home_server_pool stanzas into proxy.conf on a new installation doesn't cause 
the issue.

It seems to occur when you have a home server configured with type = auth.

Simply changing the home_server type to auth+acct makes the config parser happy 
again.

Debug log follows; I'm building debug symbols at the moment to see if I can get 
GDB to give anything more useful.

Adam Bishop
 gpg: 0x6609D460

Janet, the UK's research and education network.




Loading fails without reporting an error

2013-07-10 Thread Lovaas,Steven
Hello again,

I've successfully gotten to the point where local authentication is working 
well for all modes, using multiple SSIDs through two virtual servers, so I felt 
confident jumping into the less familiar world of proxying. Not that the 
concept is hard to understand, it's just always seemed like there were many 
moving parts (realms and such). With the simpler realm configuration (all in 
proxy.conf) offered by 2.x, it seems logically laid out and should just work.

But now when I load freerad in debug mode, it simply stops loading with no 
error, after one of my two home_server_pool stanzas. At that point, it has 
successfully loaded the basic proxy server, all three home_server stanzas, and 
the first home_server_pool. It just seems to stall.

Should I be looking for an error in the last stanza that successfully 
displayed, or the first one that fails to load? Or would this happen with a 
missing dependency?

Thanks,
Steve

Entire debug here:
root@freerad13:/etc/freeradius# /usr/sbin/freeradius -X
FreeRADIUS Version 2.2.0, for host x86_64-pc-linux-gnu, built on Sep 21 2012 at 
05:38:16
Copyright (C) 1999-2012 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/echo
including configuration file /etc/freeradius/mods-enabled/perl
including configuration file /etc/freeradius/mods-enabled/chap
including configuration file /etc/freeradius/mods-enabled/smbpasswd
including configuration file /etc/freeradius/mods-enabled/soh
including configuration file /etc/freeradius/mods-enabled/passwd
including configuration file /etc/freeradius/mods-enabled/smsotp
including configuration file /etc/freeradius/mods-enabled/krb5
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/mods-enabled/ldap
including configuration file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/rediswho
including configuration file /etc/freeradius/mods-enabled/checkval
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/otp
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/cui
including configuration file /etc/freeradius/mods-enabled/unix
including configuration file /etc/freeradius/mods-enabled/linelog
including configuration file /etc/freeradius/mods-enabled/exec
including configuration file /etc/freeradius/mods-enabled/detail.example.com
including configuration file /etc/freeradius/mods-enabled/digest
including configuration file /etc/freeradius/mods-enabled/etc_group
including configuration file /etc/freeradius/mods-enabled/redis
including configuration file /etc/freeradius/mods-enabled/policy
including configuration file /etc/freeradius/mods-enabled/acct_unique
including configuration file /etc/freeradius/mods-enabled/pap
including configuration file /etc/freeradius/mods-enabled/opendirectory
including configuration file /etc/freeradius/mods-enabled/dhcp_sqlippool
including configuration file /etc/freeradius/mods-enabled/sql_log
including configuration file /etc/freeradius/mods-enabled/mac2ip
including configuration file /etc/freeradius/mods-enabled/pam
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file 
/etc/freeradius/mods-enabled/sqlcounter_expire_on_login
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/inner-eap
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/counter
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/radrelay
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/cache
including configuration file /etc/freeradius/mods-enabled/expr
including configuration file /etc/freeradius/mods-enabled/attr_rewrite
including configuration file /etc/freeradius/mods-enabled/mac2vlan
including configuration