subject:"Pre\-release of Version 2.1.8"

Re: Pre-release of Version 2.1.8

2009-12-21 Thread Bjørn Mork

I'm probably stupid as I never learn, but I'm going to take my chances
reporting succcess again

The v2.1.x branch from github up to and including commit
1d80707880c1bf94ad1e87be74221a6c7b4cb4c7 has now been running stable for
more than 5 days for me.  All the previously reported problems seem to
be gone.  So I'd say it makes a good 2.1.8 release for Christmas.



Bjørn

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-21 Thread Alan Buxey

Hi,

 The v2.1.x branch from github up to and including commit
 1d80707880c1bf94ad1e87be74221a6c7b4cb4c7 has now been running stable for
 more than 5 days for me.  All the previously reported problems seem to
 be gone.  So I'd say it makes a good 2.1.8 release for Christmas.

aye - there were some questions relating to getting some of the older
requested patches put into 2.1.8 too - has that been addressed?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-21 Thread Alan DeKok

Alan Buxey wrote:
 aye - there were some questions relating to getting some of the older
 requested patches put into 2.1.8 too - has that been addressed?

  Which patches?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-21 Thread Alan DeKok

Bjørn Mork wrote:
 The v2.1.x branch from github up to and including commit
 1d80707880c1bf94ad1e87be74221a6c7b4cb4c7 has now been running stable for
 more than 5 days for me.  All the previously reported problems seem to
 be gone.  So I'd say it makes a good 2.1.8 release for Christmas.

  Thanks.  I've added a bunch more minor changes (docs, checks from
static analysis tools, etc.)  But no more code changes.

  It should be good to go...

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-21 Thread Alan Buxey

Hi,
 Alan Buxey wrote:
  aye - there were some questions relating to getting some of the older
  requested patches put into 2.1.8 too - has that been addressed?
 
   Which patches?

there were a couple cant remember exactly - i know one was '17' - the CHAP one. 
I applied it locally to my pre 2.1.8 - it didnt go in 100% clean because
it was written some time backthings appear to be okay after it went in.

wasnt there also an SQL one and a proxy one?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-21 Thread Alexander Clouter

Alan DeKok al...@deployingradius.com wrote:

  I've put a pre-release of version 2.1.8 on the web site:
 
 http://git.freeradius.org/pre/
 
  Please do some sanity checks, and see if it works for you.
 
  This version is from the new v2.1.x branch, which is Version 2.1.7,
 plus *only* bug fixes.  The stable branch is now planned to become
 version 2.2.0 in January.  It will include TCP transport, among other
 new features.
 
  If there are no major issues, we can release 2.1.8 next week.
 
Not quite on the pre-release but running 
f691b0ec7d4c92919bdd4dc81e8a86b211c00832 from the stable branch I got 
these after a 'hiccup' this morning on the network:

Program received signal SIGPIPE, Broken pipe.
[Switching to Thread 0x411b9950 (LWP 18045)]
0x7fa8a156b75b in write () from /lib/libpthread.so.0
(gdb) bt
#0  0x7fa8a156b75b in write () from /lib/libpthread.so.0
#1  0x7fa89e51c1a9 in ?? () from /usr/lib/liblber-2.4.so.2
#2  0x7fa89e06f4b9 in _gnutls_io_write_buffered () from 
/usr/lib/libgnutls.so.26
#3  0x7fa89e06c601 in _gnutls_send_int () from /usr/lib/libgnutls.so.26
#4  0x7fa89e08a6e0 in gnutls_alert_send () from /usr/lib/libgnutls.so.26
#5  0x7fa89e06c90f in gnutls_bye () from /usr/lib/libgnutls.so.26
#6  0x7fa89e754c30 in ?? () from /usr/lib/libldap_r-2.4.so.2
#7  0x7fa89e51c6ec in ber_int_sb_close () from /usr/lib/liblber-2.4.so.2
#8  0x7fa89e745f5d in ldap_free_connection () from 
/usr/lib/libldap_r-2.4.so.2
#9  0x7fa89e73c8cf in ldap_ld_free () from /usr/lib/libldap_r-2.4.so.2
#10 0x7fa89e96e1c1 in perform_search (instance=0x1f2a0e0, conn=0x1f2a5b0, 
search_basedn=0x260b3e0 ou=Networks,ou=LanWarden,o=soas, scope=1, 
filter=0x27f6fc0 
((objectClass=lanwardenNetwork)(member=cn=001e4fe171de,ou=users-staff,ou=imported,ou=Hosts,ou=LanWarden,o=soas)),
 attrs=0x2676c70, result=0x411b7050) at rlm_ldap.c:811
#11 0x7fa89e96f6ab in ldap_xlat (instance=0x1f2a0e0, 
request=0x7fa894002530, 
fmt=0x2de8ae0 
ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?((objectClass=lanwardenNetwork)(member=%{control:MAC-Address-LdapDn})),
 out=0x411b7840 , freespace=254, func=0x42ba4c xlat_copy) at rlm_ldap.c:1199
#12 0x0042b89b in decode_attribute (from=0x411b76d0, to=0x411b76c8, 
freespace=254, open_p=0x411b765c, 
request=0x7fa894002530, func=0x42ba4c xlat_copy) at xlat.c:911
#13 0x0042bd4f in radius_xlat (out=0x411b7840 , outlen=254, 
fmt=0x2288d30 
%{ldap_autz_soasauth-nd1:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?((objectClass=lanwardenNetwork)(member=%{control:MAC-Address-LdapDn}))},
 request=0x7fa894002530, func=0x42ba4c xlat_copy) at xlat.c:1086
#14 0x7fa89be8b4bb in do_attr_rewrite (instance=0x2288680, 
request=0x7fa894002530) at rlm_attr_rewrite.c:179
#15 0x7fa89be8c0c8 in attr_rewrite_postauth (instance=0x2288680, 
request=0x7fa894002530)
at rlm_attr_rewrite.c:453
#16 0x00420655 in call_modsingle (component=7, sp=0x2288540, 
request=0x7fa894002530) at modcall.c:297
#17 0x004214ac in modcall (component=7, c=0x2287f50, 
request=0x7fa894002530) at modcall.c:669
#18 0x0041ec68 in indexed_modcall (comp=7, idx=0, 
request=0x7fa894002530) at modules.c:691
#19 0x004200ff in module_post_auth (postauth_type=0, 
request=0x7fa894002530) at modules.c:1533
#20 0x0040a148 in rad_postauth (request=0x7fa894002530) at auth.c:421
#21 0x0040ac45 in rad_authenticate (request=0x7fa894002530) at 
auth.c:811
#22 0x00434ef7 in radius_handle_request (request=0x7fa894002530, 
fun=0x40a194 rad_authenticate)
at event.c:4097
#23 0x00426cb3 in request_handler_thread (arg=0x7fa8940023d0) at 
threads.c:492
#24 0x7fa8a1564fc7 in start_thread () from /lib/libpthread.so.0
#25 0x7fa8a08af5ad in clone () from /lib/libc.so.6
#26 0x in ?? ()
(gdb) 


Then shortly after restarting it:

Program received signal SIGABRT, Aborted.
[Switching to Thread 0x4f492950 (LWP 23808)]
0x7f0060554ed5 in raise () from /lib/libc.so.6
(gdb) wher
#0  0x7f0060554ed5 in raise () from /lib/libc.so.6
#1  0x7f00605563f3 in abort () from /lib/libc.so.6
#2  0x004281f2 in rad_assert_fail (file=0x4455ef threads.c, line=406, 
expr=0x445628 (*request)-magic == REQUEST_MAGIC) at util.c:363
#3  0x00426adf in request_dequeue (request=0x7f004c006f30, 
fun=0x4f491d30) at threads.c:406
#4  0x00426c3d in request_handler_thread (arg=0x7f004c006f00) at 
threads.c:483
#5  0x7f00612a7fc7 in start_thread () from /lib/libpthread.so.0
#6  0x7f00605f25ad in clone () from /lib/libc.so.6
#7  0x in ?? ()
(gdb) 


The former one I have seen before and assuemd it was a bug in libldap, 
however I guess maybe freeradius should be catching the SIGPIPE there?

As for the latter one, that's new to me.  Alas it is going to be 
difficult to repeat this 'experiment' as I would have to turn power off 
to one of our server rooms...tends to annoy

Re: Pre-release of Version 2.1.8

2009-12-21 Thread Alan DeKok

Alexander Clouter wrote:
 Not quite on the pre-release but running 
 f691b0ec7d4c92919bdd4dc81e8a86b211c00832 from the stable branch I got 
 these after a 'hiccup' this morning on the network:
 
 Program received signal SIGPIPE, Broken pipe.
 [Switching to Thread 0x411b9950 (LWP 18045)]
 0x7fa8a156b75b in write () from /lib/libpthread.so.0
 (gdb) bt
 #0  0x7fa8a156b75b in write () from /lib/libpthread.so.0
 #1  0x7fa89e51c1a9 in ?? () from /usr/lib/liblber-2.4.so.2
 #2  0x7fa89e06f4b9 in _gnutls_io_write_buffered () from 
 /usr/lib/libgnutls.so.26

  Ugh.

 Then shortly after restarting it:
 
 Program received signal SIGABRT, Aborted.
 [Switching to Thread 0x4f492950 (LWP 23808)]
 0x7f0060554ed5 in raise () from /lib/libc.so.6
 (gdb) wher
 #0  0x7f0060554ed5 in raise () from /lib/libc.so.6
 #1  0x7f00605563f3 in abort () from /lib/libc.so.6
 #2  0x004281f2 in rad_assert_fail (file=0x4455ef threads.c, 
 line=406, 
 expr=0x445628 (*request)-magic == REQUEST_MAGIC) at util.c:363
 #3  0x00426adf in request_dequeue (request=0x7f004c006f30, 
 fun=0x4f491d30) at threads.c:406

  That shouldn't happen... ever!

  In fact, I've never seen it happen.  It can occur only when memory is
free'd, and still used.

 The former one I have seen before and assuemd it was a bug in libldap, 
 however I guess maybe freeradius should be catching the SIGPIPE there?

  Nope.  The libraries usually re-set the signal handlers.

 As for the latter one, that's new to me.  Alas it is going to be 
 difficult to repeat this 'experiment' as I would have to turn power off 
 to one of our server rooms...tends to annoy the yokels.

  It should either happen a lot, or not at all.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-21 Thread Alexander Clouter

Alan DeKok al...@deployingradius.com wrote:
 
 Then shortly after restarting it:
 
 Program received signal SIGABRT, Aborted.
 [Switching to Thread 0x4f492950 (LWP 23808)]
 0x7f0060554ed5 in raise () from /lib/libc.so.6
 (gdb) wher
 #0  0x7f0060554ed5 in raise () from /lib/libc.so.6
 #1  0x7f00605563f3 in abort () from /lib/libc.so.6
 #2  0x004281f2 in rad_assert_fail (file=0x4455ef threads.c, 
 line=406, 
 expr=0x445628 (*request)-magic == REQUEST_MAGIC) at util.c:363
 #3  0x00426adf in request_dequeue (request=0x7f004c006f30, 
 fun=0x4f491d30) at threads.c:406
 
  That shouldn't happen... ever!
 
  In fact, I've never seen it happen.  It can occur only when memory is
 free'd, and still used.
 
 [snipped]
 
 As for the latter one, that's new to me.  Alas it is going to be 
 difficult to repeat this 'experiment' as I would have to turn power off 
 to one of our server rooms...tends to annoy the yokels.
 
  It should either happen a lot, or not at all.
 
Well as I said it is the first time I have seen it and I have been 
running this code straight since that commit came out on the 5th.  So we 
cannot say 'not at all'.

Want to put it down to a neutrino burst? :)

Cheers

-- 
Alexander Clouter
.sigmonster says: Shut off engine before fueling.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-21 Thread Alan DeKok

Alexander Clouter wrote:
 Want to put it down to a neutrino burst? :)

  Been there.  Done that.

  http://www.sno.phy.queensu.ca/sno/papers/nim_paper_99.pdf

  9th author, on the first page.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-09 Thread Josip Rodin

On Wed, Dec 09, 2009 at 07:50:05AM +0100, Alan DeKok wrote:
   Then the home servers are *extremely* slow.  Sending 300 packets over
 the course of a second or two wouldn't overload a 486.

AFAIK they are not 486s :) but we're still investigating what made them so.

  Can any conclusions be drawn from this? I send over the detailed logs if
  necessary.
 
   The home servers are pathetic.
 
   Also, the proxy  fail-over algorithms in 2.1.x are much better than
 2.0.4.

Yes, I plan to upgrade. 2.1.x did need some ironing out first, as you know :)

-- 
 2. That which causes joy or happiness.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Bjørn Mork

Alan DeKok al...@deployingradius.com writes:
 Bjørn Mork wrote:
 Bjørn Mork bj...@mork.no writes:
 The server had been running for 45 hours when this happened.  I haven't
 got the faintest idea where to start looking for the bug.
 
 I have to correct myself after looking over the logs:  The server
 stopped answering authentication requsts, but it continued to answer
 accounting requests.

   Found, fixed, pushed to v2.1.x on github.

Yes, now it continues to answer both authentication and accounting
requests, but it still stops proxying after a while (where a while
might be something like 20+ hours and 1+ million auth requests - I have
no indication that these values are fixed).  

The symptoms are that all home servers are marked dead/zombie.  Typical
obfuscated home_server list in this state:

server(bjorn) ~ 71$ radmin -e show home_server list
192.168.8.120   1812authalive   0
192.168.8.120   1813acctalive   0
192.168.8.246   1812authalive   0
192.168.8.246   1813acctalive   0
192.168.8.132   1645authdead0
192.168.8.132   1646acctalive   0
192.168.8.132   1645authdead3
192.168.8.132   1646acctalive   0
192.168.8.141812authalive   0
192.168.8.141813acctzombie  0
192.168.8.101812authalive   0
192.168.8.101813acctzombie  0
192.168.8.210   1812authalive   0
192.168.8.210   1813acctalive   0
192.168.8.501812authzombie  0
192.168.8.501813acctalive   0
192.168.8.201812authzombie  0
192.168.8.201813acctalive   0
192.168.8.401812authzombie  0
192.168.8.401813acctalive   0
192.168.8.441812authalive   0
192.168.8.441813acctalive   0
192.168.8.216   1812authzombie  0
192.168.8.216   1813acctzombie  0
192.168.8.218   1812authalive   0
192.168.8.218   1813acctzombie  0
192.168.8.1 1645authzombie  0
192.168.8.1 1646acctzombie  4
192.168.8.137   1645authalive   1
192.168.8.137   1646acctdead0
192.168.8.150   1812authzombie  0
192.168.8.150   1813acctalive   0
192.168.8.158   1812authzombie  0
192.168.8.158   1813acctzombie  0
192.168.8.222   1812authzombie  0
192.168.8.222   1813acctzombie  0
192.168.8.6 1812authzombie  6
192.168.8.6 1813acctalive   0
192.168.8.271812authzombie  2
192.168.8.271813acctzombie  0
192.168.8.158   1812authzombie  0
192.168.8.158   1813acctzombie  0
192.168.8.4 1812authalive   0
192.168.8.4 1813acctzombie  0
192.168.9.6 1812authzombie  4
192.168.9.6 1813acctzombie  0



There are a number of servers marked alive, but these are all servers
which have been revived after the fixed period.  When used, they will be
marked dead/zombie again.

I'm running the v2.1.x branch from github, with
cbbcb5232261c5b28093c3a97d6da2a16c9e06af being the last commit.


Now, I wish I could say than I was sure that some other version did not
have the same problem, but I'm not.  I'm afraid I haven't been running
any of them continuously for a long enough period to be completely sure.

But I will test that now, starting with the stable branch from
git.freeradius.org, commit d7b4f003477644978f3fefa694305dce9b5dc8bf,
which was the last point where things seemed to work



Bjørn

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Josip Rodin

On Tue, Dec 08, 2009 at 10:10:11AM +0100, Bj??rn Mork wrote:
 The symptoms are that all home servers are marked dead/zombie.  Typical
 obfuscated home_server list in this state:
 
 server(bjorn) ~ 71$ radmin -e show home_server list
 192.168.8.120   1812authalive   0
 192.168.8.246   1812authalive   0
 192.168.8.132   1645authdead0
 192.168.8.132   1645authdead3
 192.168.8.141812authalive   0
 192.168.8.101812authalive   0
 192.168.8.210   1812authalive   0
 192.168.8.501812authzombie  0
 192.168.8.201812authzombie  0
 
 There are a number of servers marked alive, but these are all servers
 which have been revived after the fixed period.  When used, they will be
 marked dead/zombie again.

What does the log file say? There should be many messages marked 'Proxy'
in the v2.1.x branch since a couple of weeks ago, and definitely in your
case if they keep changing state so often.

 But I will test that now, starting with the stable branch from
 git.freeradius.org, commit d7b4f003477644978f3fefa694305dce9b5dc8bf,
 which was the last point where things seemed to work

BTW you could probably do a git bisect.

-- 
 2. That which causes joy or happiness.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Bjørn Mork

Josip Rodin j...@entuzijast.net writes:
 On Tue, Dec 08, 2009 at 10:10:11AM +0100, Bj??rn Mork wrote:
 The symptoms are that all home servers are marked dead/zombie.  Typical
 obfuscated home_server list in this state:
 
 server(bjorn) ~ 71$ radmin -e show home_server list
 192.168.8.120   1812authalive   0
 192.168.8.246   1812authalive   0
 192.168.8.132   1645authdead0
 192.168.8.132   1645authdead3
 192.168.8.141812authalive   0
 192.168.8.101812authalive   0
 192.168.8.210   1812authalive   0
 192.168.8.501812authzombie  0
 192.168.8.201812authzombie  0
 
 There are a number of servers marked alive, but these are all servers
 which have been revived after the fixed period.  When used, they will be
 marked dead/zombie again.

 What does the log file say? There should be many messages marked 'Proxy'
 in the v2.1.x branch since a couple of weeks ago, and definitely in your
 case if they keep changing state so often.

Sure.  You'll find all Proxy: prefixed messages sinc log rotation at
midnight here: http://www.mork.no/~bjorn/fr-218-prerelease-proxying.log
(It's 300 kB, so it was a little over the limit for this list)

The addresses have been replaced using the same pattern as for the
home_server list, so they are directly comparable.

You'll notice that some of the home servers are truly unavailable.  This
is unfortunately something we have to live with.  There are also some
servers which are unavailable at certain times, but mostly available.

At approximately 08:40 something happens, and a lot of servers are
flagged as dead or zombie.  

This could of course have been caused by network problems, but there was
no such problem at this time. Proxying goes over the same interface as
the rest of the traffic, and non-proxied authentication and accounting
continued to work without problems.  The home servers are in a number of
different networks, and any network incident taking them all out would
be very visible.

The server was restarted at 09:35 and you'll see that only the usual
suspects are logged as zombies after this.

 But I will test that now, starting with the stable branch from
 git.freeradius.org, commit d7b4f003477644978f3fefa694305dce9b5dc8bf,
 which was the last point where things seemed to work

 BTW you could probably do a git bisect.

Yes, if I can verify the good versions...  

As I said, I'm not entirely sure that there actually was a good version.
And it looks like each positive test will have to take 3+ days.  Unless
I can find out what triggers this.


Bjørn

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Alan DeKok

Bjørn Mork wrote:
 Yes, now it continues to answer both authentication and accounting
 requests, but it still stops proxying after a while (where a while
 might be something like 20+ hours and 1+ million auth requests - I have
 no indication that these values are fixed).  

  Look for the message:

Failed creating new proxy socket: server is too busy and home servers
appear to be down

  It *should* continue to proxy after that, but it *won't* create new
outgoing sockets.  And it *won't* proxy any more requests until the
current requests have timed out.

  If the upstream servers really are that bad, I suggest configuring
local detail files, as in raddb/sites-available/robust-proxy-accounting.
   This should make the server log packets locally, and *not* track them
in memory (which appears to be the problem).

 There are a number of servers marked alive, but these are all servers
 which have been revived after the fixed period.  When used, they will be
 marked dead/zombie again.

  Configure status_check.  Really.  Get the upstream servers to permit
status-checks for a test user.  It will make your network *much* more
robust.

  And why are the upstream servers dying so consistently?  You're really
in a corner case where you're testing FreeRADIUS in situations where the
network Just Doesn't Work.  The suggestions above should help work
around most of those issues.

 But I will test that now, starting with the stable branch from
 git.freeradius.org, commit d7b4f003477644978f3fefa694305dce9b5dc8bf,
 which was the last point where things seemed to work

  If that works, we could do a git bisect to find the issue.  There
are only 26 commits since them, and many of those don't have code
changes.  It shouldn't be too hard to track down the offending commit.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Pre-release of Version 2.1.8

2009-12-08 Thread Garber, Neal

 At approximately 08:40 something happens, and a lot of servers are
 flagged as dead or zombie.  

 This could of course have been caused by network problems, but there was
 no such problem at this time. Proxying goes over the same interface as

When it fails, is it always at night?  If so, could it be related to network 
load - perhaps backups that are running?  You could try capturing the output 
from a continuous ping to see if you start getting timeouts or really long 
response times between FR and one of the proxy servers that are having problems 
(obviously you'd want to check before, during and after the problem occurs).  

Said differently, maybe this isn't a FreeRadius problem..

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Alan DeKok

Garber, Neal wrote:
 When it fails, is it always at night?  If so, could it be related to network 
 load - perhaps backups that are running?  You could try capturing the output 
 from a continuous ping to see if you start getting timeouts or really long 
 response times between FR and one of the proxy servers that are having 
 problems (obviously you'd want to check before, during and after the problem 
 occurs).  
 
 Said differently, maybe this isn't a FreeRadius problem..

  The log messages show a lot of:

No outstanding request was found for reply ...

  This indicates that the home server responded MANY seconds after the
request.  This indicates one (or more of)

a) extremely bad network connection

b) a home server on a *very* slow box

c) an overloaded home server (1000's of packets/s)

  There is *nothing* you can do to the proxy that will solve those issues.

  Get the upstream home servers to run properly.  Poking at FreeRADIUS
should be a lower priority.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Bjørn Mork

Alan DeKok al...@deployingradius.com writes:
 Garber, Neal wrote:
 When it fails, is it always at night?  If so, could it be related to network 
 load - perhaps backups that are running?  You could try capturing the output 
 from a continuous ping to see if you start getting timeouts or really long 
 response times between FR and one of the proxy servers that are having 
 problems (obviously you'd want to check before, during and after the problem 
 occurs).  
 
 Said differently, maybe this isn't a FreeRadius problem..

Backups and other management activity is done on a separate network
(separate NIC, separate switch etc), so it won't affect operation.

   The log messages show a lot of:

 No outstanding request was found for reply ...

   This indicates that the home server responded MANY seconds after the
 request.  This indicates one (or more of)

 a) extremely bad network connection

 b) a home server on a *very* slow box

 c) an overloaded home server (1000's of packets/s)

   There is *nothing* you can do to the proxy that will solve those issues.

Yes, these are (all?) true for some of the home servers, and there is of
course nothing my servers can do about those.  I realize that FreeRADIUS
can't do magic :-)

That's not a problem.  You provide a bad/buggy/lousy home radius server
for your users, then you get bad/buggy/lousy radius service.

My problem is that this affects *all* proxied realms, including those
with perfect radius servers.  I know, because one of those realms is our
own, running FreeRADIUS on another set of servers.

You'll notice that all the No outstanding request was found  messages
were caused by only 2 slow servers in 2 different realms. That shouldn't
bring down proxying for the other 20 realms.

   Get the upstream home servers to run properly.  Poking at FreeRADIUS
 should be a lower priority.

I have to agree.  But that's the ideal world.

In real life, I need FreeRADIUS to survive anything a home server does
without any effect on other realms than the one served by the bad home
server.


Bjørn

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Alan Buxey

Hi,

 My problem is that this affects *all* proxied realms, including those
 with perfect radius servers.  I know, because one of those realms is our
 own, running FreeRADIUS on another set of servers.

oh - thats a perfect system for doing the status server queries on.
it would be good to show that there are no issues on that server
(as part of the bigger picture) when you have the status server stuff enabled
on it that still wont fix the bigger picture but might get you
some leverage.

 You'll notice that all the No outstanding request was found  messages
 were caused by only 2 slow servers in 2 different realms. That shouldn't
 bring down proxying for the other 20 realms.

hmmm, true.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Alan DeKok

Bjørn Mork wrote:
 My problem is that this affects *all* proxied realms, including those
 with perfect radius servers.  I know, because one of those realms is our
 own, running FreeRADIUS on another set of servers.
 
 You'll notice that all the No outstanding request was found  messages
 were caused by only 2 slow servers in 2 different realms. That shouldn't
 bring down proxying for the other 20 realms.

  Quite possibly, yes.  The issue is that FreeRADIUS has a limited
amount of packets it can proxy without receiving a response.  Once that
limit is reached, proxying starts having issues.

  This limit is around 8K packets in 2.1.x, and will be 64K packets in
2.2.x.  So if you're getting 500 packets/s for a home server, 16s after
it goes down, all 8k slots will be used.

 In real life, I need FreeRADIUS to survive anything a home server does
 without any effect on other realms than the one served by the bad home
 server.

  If you can verify that commit d7b4f003477 works, then that should help
track down the issue.

  Until then, configuring status-checks  local detail files will
definitely help.  I would recommend doing that *anyways* for network
stability.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Bjørn Mork

Alan DeKok al...@deployingradius.com writes:
 Bjørn Mork wrote:
 Yes, now it continues to answer both authentication and accounting
 requests, but it still stops proxying after a while (where a while
 might be something like 20+ hours and 1+ million auth requests - I have
 no indication that these values are fixed).  

   Look for the message:

 Failed creating new proxy socket: server is too busy and home servers
 appear to be down

Yes, I got one of those:

Tue Dec  8 08:49:22 2009 : Proxy: Marking home server 192.168.8.216 port 1812 
as dead.
Tue Dec  8 08:49:22 2009 : Error: Failed creating new proxy socket: server is 
too busy and home servers appear to be down

   It *should* continue to proxy after that, but it *won't* create new
 outgoing sockets.  And it *won't* proxy any more requests until the
 current requests have timed out.

So it's possible that a few failing home servers end up tying up all
sockets available for proxying?  Or am I misunderstanding this?  For how
long?  The server was not responding to requests going to a proxy at all
between 08:43:27 and 09:35:46.  That's a very long time to sit waiting
for available resources...

What's the actual limit here?  The number of open files left after the
sql module and others have taken their share?  Then increasing it, and
trying to tune the timeouts might help I geuss.

But I still believe sharing these resources in a way which let a few bad
servers steal them all, is wrong.  It should be possible to isolate two
independent realms from each other, even if they use the same proxy
radius. 

   If the upstream servers really are that bad, I suggest configuring
 local detail files, as in raddb/sites-available/robust-proxy-accounting.
This should make the server log packets locally, and *not* track them
 in memory (which appears to be the problem).

Thanks, I'll look into that.  I do have to live with failing proxy
authentication as well, but I guess removing the accounting might take
some load off this.

 There are a number of servers marked alive, but these are all servers
 which have been revived after the fixed period.  When used, they will be
 marked dead/zombie again.

   Configure status_check.  Really.  Get the upstream servers to permit
 status-checks for a test user.  It will make your network *much* more
 robust.

On my TODO list.  Thanks.

   And why are the upstream servers dying so consistently?  You're really
 in a corner case where you're testing FreeRADIUS in situations where the
 network Just Doesn't Work.  The suggestions above should help work
 around most of those issues.

Some of the upstream servers are just not very well mangaged, if managed
at all.  I wish I could ignore them, but I can't.  

 But I will test that now, starting with the stable branch from
 git.freeradius.org, commit d7b4f003477644978f3fefa694305dce9b5dc8bf,
 which was the last point where things seemed to work

   If that works, we could do a git bisect to find the issue.  There
 are only 26 commits since them, and many of those don't have code
 changes.  It shouldn't be too hard to track down the offending commit.

Given that I can actually trigger the problem in a test enviroment.  I
don't think I can.


Bjørn

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Pre-release of Version 2.1.8

2009-12-08 Thread Garber, Neal

 This limit is around 8K packets in 2.1.x, and will be 64K packets in
 2.2.x.  So if you're getting 500 packets/s for a home server, 16s after
 it goes down, all 8k slots will be used.

I'm not sure if this is feasible and/or easy to implement, but I thought I'd 
ask..  As a suggestion, can there be a separate pool for each home server?  It 
seems like increasing the limit of a shared pool just lengthens the time before 
the same problem can occur.  If each home server had a separate pool, then one 
home server could not affect the others, regardless of the size of the pool.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Alan DeKok

Garber, Neal wrote:
 This limit is around 8K packets in 2.1.x, and will be 64K packets in
 2.2.x.  So if you're getting 500 packets/s for a home server, 16s after
 it goes down, all 8k slots will be used.
 
 I'm not sure if this is feasible and/or easy to implement, but I thought I'd 
 ask..  As a suggestion, can there be a separate pool for each home server?  
 It seems like increasing the limit of a shared pool just lengthens the time 
 before the same problem can occur.  If each home server had a separate pool, 
 then one home server could not affect the others, regardless of the size of 
 the pool.

  Yes and no.  Let me explain in more detail.

  In 2.1.x, there are a limited number of UDP sockets that can be used
for proxied traffic.  This number is limited to 32, in src/lib/packet.c,
 macro MAX_SOCKETS.

  Due to the unconnected nature of UDP, each socket can be used to
send packets to *multiple* home servers at the same time.  So this means
that the limitation isn't really 32 sockets *total*, but (semantically)
32 sockets for every home server.

  Due to RADIUS limitations, it can only have 256 packets outstanding
for any combination of (src/ds IP/port).  So each socket can send 256
packets to every home server.

  Since there are 32 sockets and 256 packets/s, a proxy can handle 8192
packets sent to *each* home server.  If you have 13 home servers, then
the proxy can send 13*8192 = ~100K packets.

  Packets are added to the outstanding list when proxied, and removed
a short time after a response is received from the home server.  If no
response is received from the home server, the packets are removed 30s
after they were received.

  Once a packet has been removed from the outstanding list, its place
can be used by a new packet that is proxied using the same socket/id to
the same home server.

  To answer your question: Yes, there is a separate pool for each home
server.  However, they share a global set of sockets.

  The *intent* is for the pools to not affect each other.  i.e. filling
up all 8K slots for one home server should have no affect on other home
servers.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Alan DeKok

Bjørn Mork wrote:
 Yes, I got one of those:
 
 Tue Dec  8 08:49:22 2009 : Proxy: Marking home server 192.168.8.216 port 1812 
 as dead.
 Tue Dec  8 08:49:22 2009 : Error: Failed creating new proxy socket: server is 
 too busy and home servers appear to be down

  OK.  That indicates that all 32 sockets have been allocated.  All this
means is that no *new* sockets will be allocated from now on.

 So it's possible that a few failing home servers end up tying up all
 sockets available for proxying?

  No.  See my other post for a detailed explanation.

  Or am I misunderstanding this?  For how
 long?  The server was not responding to requests going to a proxy at all
 between 08:43:27 and 09:35:46.  That's a very long time to sit waiting
 for available resources...

  I agree.  You should use radmin to look at the server stats, to see
what it's doing.

 But I still believe sharing these resources in a way which let a few bad
 servers steal them all, is wrong.  It should be possible to isolate two
 independent realms from each other, even if they use the same proxy
 radius. 

  See my other post.  They are isolated, unless they both proxy to the
same home server.  When that happens, they share the home server state.

   If that works, we could do a git bisect to find the issue.  There
 are only 26 commits since them, and many of those don't have code
 changes.  It shouldn't be too hard to track down the offending commit.
 
 Given that I can actually trigger the problem in a test enviroment.  I
 don't think I can.

  ?  You can reproduce it, but can't find the offending commit?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Josip Rodin

On Tue, Dec 08, 2009 at 03:43:14PM +0100, Alan DeKok wrote:
 Garber, Neal wrote:
  This limit is around 8K packets in 2.1.x, and will be 64K packets in
  2.2.x.  So if you're getting 500 packets/s for a home server, 16s after
  it goes down, all 8k slots will be used.
 
   In 2.1.x, there are a limited number of UDP sockets that can be used
 for proxied traffic.  This number is limited to 32, in src/lib/packet.c,
  macro MAX_SOCKETS.
 
   Due to RADIUS limitations, it can only have 256 packets outstanding
 for any combination of (src/ds IP/port).  So each socket can send 256
 packets to every home server.
 
   Packets are added to the outstanding list when proxied, and removed
 a short time after a response is received from the home server.  If no
 response is received from the home server, the packets are removed 30s
 after they were received.
 
   Once a packet has been removed from the outstanding list, its place
 can be used by a new packet that is proxied using the same socket/id to
 the same home server.

Which reminds me - the other day I had a situation where a NAS was rebooted
and ~300 users immediately tried to reconnect and authenticated over a
FreeRADIUS 2.0.4 server, which in turn tried to authenticate them over its
two home_servers set up as fail-over, but neither of them with status_check.

Sadly, this started failing horribly - it seemed to overload the primary
home_server, entering a peculiar pattern - condensed for readability and
some private info obfuscation:

  1  Auth: Login OK: 
 10  Error: Rejecting request number due to lack of any response from 
home server home_server_ip_5 port 1812
  1  Auth: Login OK: 
  2  Error: Rejecting request number due to lack of any response from 
home server home_server_ip_5 port 1812
  1  Auth: Login incorrect (Home Server says so): 
  4  Error: Rejecting request number due to lack of any response from 
home server home_server_ip_5 port 1812
  1  Auth: Login OK: 
  4  Error: Rejecting request number due to lack of any response from 
home server home_server_ip_5 port 1812
  1  Auth: Login OK: 
  2  Error: Rejecting request number due to lack of any response from 
home server home_server_ip_5 port 1812
  2  Auth: Login OK: 
  2  Error: Rejecting request number due to lack of any response from 
home server home_server_ip_5 port 1812
  1  Auth: Login OK: 
 11  Error: Rejecting request number due to lack of any response from 
home server home_server_ip_5 port 1812
  1  Auth: Login OK: 
 86  Error: Rejecting request number due to lack of any response from 
home server home_server_ip_5 port 1812
  1  Proxy: No outstanding request was found for proxy reply from home 
server home_server_ip_5 port 1812 - ID 87
 19  Error: Rejecting request number due to lack of any response from 
home server home_server_ip_5 port 1812
  1  Proxy: No outstanding request was found for proxy reply from home 
server home_server_ip_5 port 1812 - ID 252
  7  Error: Rejecting request number due to lack of any response from 
home server home_server_ip_5 port 1812
  1  Error: Received Access-Accept packet from client home_server_ip_5 port 
1812 with invalid signature (err=2)!  (Shared secret is incorrect.) Dropping 
packet without response.
  5  Error: Rejecting request number due to lack of any response from 
home server home_server_ip_5 port 1812
  1  Error: Received Access-Accept packet from client home_server_ip_5 port 
1812 with invalid signature (err=2)!  (Shared secret is incorrect.) Dropping 
packet without response.
 33  Error: Rejecting request number due to lack of any response from 
home server home_server_ip_5 port 1812
  1  Proxy: No outstanding request was found for proxy reply from home 
server home_server_ip_5 port 1812 - ID 61
  7  Error: Rejecting request number due to lack of any response from 
home server home_server_ip_5 port 1812
  1  Proxy: No outstanding request was found for proxy reply from home 
server home_server_ip_5 port 1812 - ID 120
  4  Error: Rejecting request number due to lack of any response from 
home server home_server_ip_5 port 1812
  1  Proxy: No outstanding request was found for proxy reply from home 
server home_server_ip_5 port 1812 - ID 112
  6  Error: Rejecting request number due to lack of any response from 
home server home_server_ip_5 port 1812
  1  Error: Received Access-Accept packet from client home_server_ip_5 port 
1812 with invalid signature (err=2)!  (Shared secret is incorrect.) Dropping 
packet without response.
  2  Error: Rejecting request number due to lack of any response from 
home server home_server_ip_5 port 1812
  1  Error: Received Access-Accept packet from client home_server_ip_5 port 
1812 with invalid signature (err=2)!  (Shared secret is incorrect.) Dropping 
packet without response.
 20  Error: Rejecting request number due to lack of any response from 
home server home_server_ip_5

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Alan Buxey

Hi,

   1  Error: Received Access-Accept packet from client home_server_ip_5 
 port 1812 with invalid signature (err=2)!  (Shared secret is incorrect.) 
 Dropping packet without response.

well, theres a problem with shared secret there that needs to be ironed out

 Can any conclusions be drawn from this? I send over the detailed logs if
 necessary.

in the main it looks like the remote RADIUS server was sloow to respond to
authentications...and the other one likewise after you flipped them across.

but just 300 users caused this?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Alan DeKok

Josip Rodin wrote:
 Which reminds me - the other day I had a situation where a NAS was rebooted
 and ~300 users immediately tried to reconnect and authenticated over a
 FreeRADIUS 2.0.4 server, which in turn tried to authenticate them over its
 two home_servers set up as fail-over, but neither of them with status_check.
 
 Sadly, this started failing horribly - it seemed to overload the primary
 home_server, entering a peculiar pattern - condensed for readability and
 some private info obfuscation:

  Then the home servers are *extremely* slow.  Sending 300 packets over
the course of a second or two wouldn't overload a 486.

   1  Proxy: No outstanding request was found for proxy reply from home 
 server home_server_ip_5 port 1812 - ID 87

  Look at the messages *before* that one.  The proxy:

a) proxies packet 1
b) gives up on it after a time
c) proxies a new packet 2
d) receives a reply for packet 1
e) logs this message as Huh?

 So I tried the poor man's solution - I shuffled them manually, restarted
 FreeRADIUS, and then it started authenticating them, before it seemingly
 DoSed that one and entered a very similar pattern of brokenness.

  300 packets is a DoS for a RADIUS server?  Wow... that's a *bad* server.

 Can any conclusions be drawn from this? I send over the detailed logs if
 necessary.

  The home servers are pathetic.

  Also, the proxy  fail-over algorithms in 2.1.x are much better than
2.0.4.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-06 Thread Bjørn Mork

Alan DeKok al...@deployingradius.com writes:
 Bjørn Mork wrote:
 Alan DeKok al...@deployingradius.com writes:
 
   I've put a pre-release of version 2.1.8 on the web site:

 http://git.freeradius.org/pre/
 
 Hmm, they were both a bit small.  I see 14 and 20 bytes. Something
 probably went wrong with the packacking script?

   Yup.  Let me fix that in a bit...

Looks very promising so far.  I've not seen any problems yet. I'd vote
for this as the best FreeRADIUS release ever :-)


Bjørn

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-06 Thread piston

i guess this version also solved ASSERT FAILED event.c[2682]: request-ev != 
NULL issue?

- Original Message 
From: Bjørn Mork bj...@mork.no
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Sun, December 6, 2009 9:46:38 PM
Subject: Re: Pre-release of Version 2.1.8

Alan DeKok al...@deployingradius.com writes:
 Bjørn Mork wrote:
 Alan DeKok al...@deployingradius.com writes:

   I've put a pre-release of version 2.1.8 on the web site:

 http://git.freeradius.org/pre/

 Hmm, they were both a bit small.  I see 14 and 20 bytes. Something
 probably went wrong with the packacking script?

   Yup.  Let me fix that in a bit...

Looks very promising so far.  I've not seen any problems yet. I'd vote
for this as the best FreeRADIUS release ever :-)

Bjørn

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: AW: Pre-release of Version 2.1.8

2009-12-06 Thread Alan DeKok

Wegener, Norbert wrote:
 Building an rpm on Suse10.3 fails with:

  Fixed, thanks.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-06 Thread Arran Cudbard-Bell

Did you check the XLAT fixes in? I saw commits for a couple of  fixes
but not the modified code in xlat.c...


 i guess this version also solved ASSERT FAILED event.c[2682]: request-ev != 
 NULL issue?



 - Original Message 
 From: Bjørn Mork bj...@mork.no
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Sent: Sun, December 6, 2009 9:46:38 PM
 Subject: Re: Pre-release of Version 2.1.8

 Alan DeKok al...@deployingradius.com writes:
   
 Bjørn Mork wrote:
 
 Alan DeKok al...@deployingradius.com writes:

   
   I've put a pre-release of version 2.1.8 on the web site:

 http://git.freeradius.org/pre/
 
 Hmm, they were both a bit small.  I see 14 and 20 bytes. Something
 probably went wrong with the packacking script?
   
   Yup.  Let me fix that in a bit...
 
 Looks very promising so far.  I've not seen any problems yet. I'd vote
 for this as the best FreeRADIUS release ever :-)


 Bjørn

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


   

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
   




signature.asc
Description: OpenPGP digital signature
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-06 Thread Alan DeKok

Arran Cudbard-Bell wrote:
 Did you check the XLAT fixes in? I saw commits for a couple of  fixes
 but not the modified code in xlat.c...

  It's in the v2.1.x branch on github.  It will be in 2.1.8.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-06 Thread Alan DeKok

piston wrote:
 i guess this version also solved ASSERT FAILED event.c[2682]: request-ev != 
 NULL issue?

  Yes.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-06 Thread Alan DeKok

Bjørn Mork wrote:
 Looks very promising so far.  I've not seen any problems yet. I'd vote
 for this as the best FreeRADIUS release ever :-)

  Thanks.  We've done burn-in tests with 100's of millions of packets
in a variety of scenarios.  It looks pretty solid.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-06 Thread Bjørn Mork

Bjørn Mork bj...@mork.no writes:

 Looks very promising so far.  I've not seen any problems yet.

Famous Last Words candidate...

It took two more hours, then I got:

 Sun Dec  6 16:23:33 2009 : Proxy: Marking home server 10.10.10.132 port 1645 
as dead.
 Sun Dec  6 16:23:33 2009 : Error: Failed binding to proxy address * port 2727: 
Address already in use 

and the server stopped answering requests. It did not exit, and it did
not hang (at least it responeded to SIGTERM).  It just stopped answering.

The server had been running for 45 hours when this happened.  I haven't
got the faintest idea where to start looking for the bug.


Bjørn

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-06 Thread Bjørn Mork

Bjørn Mork bj...@mork.no writes:
 Bjørn Mork bj...@mork.no writes:

 Looks very promising so far.  I've not seen any problems yet.

 Famous Last Words candidate...

 It took two more hours, then I got:

  Sun Dec  6 16:23:33 2009 : Proxy: Marking home server 10.10.10.132 port 1645 
 as dead.
  Sun Dec  6 16:23:33 2009 : Error: Failed binding to proxy address * port 
 2727: Address already in use 

 and the server stopped answering requests. It did not exit, and it did
 not hang (at least it responeded to SIGTERM).  It just stopped answering.

 The server had been running for 45 hours when this happened.  I haven't
 got the faintest idea where to start looking for the bug.

I have to correct myself after looking over the logs:  The server
stopped answering authentication requsts, but it continued to answer
accounting requests.


Bjørn

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-06 Thread Alan DeKok

Bjørn Mork wrote:
 It took two more hours, then I got:
 
  Sun Dec  6 16:23:33 2009 : Proxy: Marking home server 10.10.10.132 port 1645 
 as dead.
  Sun Dec  6 16:23:33 2009 : Error: Failed binding to proxy address * port 
 2727: Address already in use 
 
 and the server stopped answering requests. It did not exit, and it did
 not hang (at least it responeded to SIGTERM).  It just stopped answering.
 
 The server had been running for 45 hours when this happened.  I haven't
 got the faintest idea where to start looking for the bug.

  It's likely in a busy loop.  I'll do some local tests and see.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-06 Thread Alan DeKok

Bjørn Mork wrote:
 Bjørn Mork bj...@mork.no writes:
 The server had been running for 45 hours when this happened.  I haven't
 got the faintest idea where to start looking for the bug.
 
 I have to correct myself after looking over the logs:  The server
 stopped answering authentication requsts, but it continued to answer
 accounting requests.

  Found, fixed, pushed to v2.1.x on github.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Pre-release of Version 2.1.8

2009-12-04 Thread Alan DeKok

  I've put a pre-release of version 2.1.8 on the web site:

http://git.freeradius.org/pre/

  Please do some sanity checks, and see if it works for you.

  This version is from the new v2.1.x branch, which is Version 2.1.7,
plus *only* bug fixes.  The stable branch is now planned to become
version 2.2.0 in January.  It will include TCP transport, among other
new features.

  If there are no major issues, we can release 2.1.8 next week.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-04 Thread Bjørn Mork

Alan DeKok al...@deployingradius.com writes:

   I've put a pre-release of version 2.1.8 on the web site:

 http://git.freeradius.org/pre/

Hmm, they were both a bit small.  I see 14 and 20 bytes. Something
probably went wrong with the packacking script?


Bjørn

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-04 Thread Bjørn Mork

Bjørn Mork bj...@mork.no writes:
 Alan DeKok al...@deployingradius.com writes:

   I've put a pre-release of version 2.1.8 on the web site:

 http://git.freeradius.org/pre/

 Hmm, they were both a bit small.  I see 14 and 20 bytes. Something
 probably went wrong with the packacking script?

No problem, I thought.  I can just go and checkout the v2.1.x branch.
But there seems to be no such branch:

bj...@canardo:/usr/local/src/git/freeradius$ git branch -v -r
  origin/HEAD  85ec4a8 Sign client certs with CA rather than server cert
  origin/aland e9afde3 Initial revision
  origin/branch_0_7_0  40391e4  Added notes for 0.7.1
  origin/branch_0_93a4bda3  Pull patch from the head.
  origin/branch_1_1205140d  Allow lines at EOF to not have LF.  Patch from 
colubris
  origin/branch_1_1_7  5f715db Make it easier to do a release
  origin/master85ec4a8 Sign client certs with CA rather than server cert
  origin/release_0_8_0 0a23493  Branch is now 0.8.1
  origin/release_1_0   3a81954 Pull from CVS head:  Fix the comments about 
MySQL case sensitive queries.
  origin/stable8c32094 Sign client certs with CA rather than server cert
bj...@canardo:/usr/local/src/git/freeradius$ 


which might explain the empty arhives as well, I guess..


Bjørn

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-04 Thread Alan DeKok

Bjørn Mork wrote:
 Alan DeKok al...@deployingradius.com writes:
 
   I've put a pre-release of version 2.1.8 on the web site:

 http://git.freeradius.org/pre/
 
 Hmm, they were both a bit small.  I see 14 and 20 bytes. Something
 probably went wrong with the packacking script?

  Yup.  Let me fix that in a bit...

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pre-release of Version 2.1.8

2009-12-04 Thread Alan DeKok

Bjørn Mork wrote:
 No problem, I thought.  I can just go and checkout the v2.1.x branch.
 But there seems to be no such branch:

  It's on github.  If there are cries of panic over 2.1.8, we'll make it
an official branch on git.freeradius.org.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

AW: Pre-release of Version 2.1.8

2009-12-04 Thread Wegener, Norbert

Building an rpm on Suse10.3 fails with:

Processing files: freeradius-server-dialupadmin-2.1.8-0
Processing files: freeradius-server-devel-2.1.8-0
Processing files: freeradius-server-debuginfo-2.1.8-0
Checking for unpackaged file(s): /usr/lib/rpm/check-files 
/var/tmp/freeradius-server-2.1.8-build
error: Installed (but unpackaged) file(s) found:
   /etc/raddb/sql/ndb/README


RPM build errors:
File listed twice: /usr/sbin/rcfreeradius
File listed twice: /usr/sbin/rcfreeradius-relay
Installed (but unpackaged) file(s) found:
   /etc/raddb/sql/ndb/README

 diff -Nru ../SOURCES/freeradius-server-2.1.8/suse/freeradius.spec 
freeradius-mod.spec
--- ../SOURCES/freeradius-server-2.1.8/suse/freeradius.spec 2009-12-04 
18:56:04.0 +0100
+++ freeradius-mod.spec 2009-12-04 20:20:58.0 +0100
@@ -304,8 +304,6 @@
 /etc/init.d/freeradius-relay
 %config /etc/pam.d/radiusd
 %config /etc/logrotate.d/radiusd
-/usr/sbin/rcfreeradius
-/usr/sbin/rcfreeradius-relay
 %dir %attr(755,radiusd,radiusd) /var/lib/radiusd
 # configs
 %dir %attr(750,-,radiusd) /etc/raddb
@@ -333,6 +331,7 @@
 %attr(640,-,radiusd) %config(noreplace) /etc/raddb/users
 %attr(640,-,radiusd) %config(noreplace) /etc/raddb/experimental.conf
 %dir %attr(750,-,radiusd) /etc/raddb/certs
+/etc/raddb/sql/ndb/README
 /etc/raddb/certs/Makefile
 /etc/raddb/certs/README
 /etc/raddb/certs/xpextensions

solves this.



With best regards,
Norbert Wegener
Siemens AG
Siemens IT Solutions and Services
SIS GO NW PSU SDC ASINS
Bruchstraße 5
45883 Gelsenkirchen, Germany
Tel.: +49 (209) 94565716
Fax: +49 (201) 8165581284
mailto:norbert.wege...@siemens.com

Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Gerhard Cromme; 
Managing Board: Peter Loescher, Chairman, President and Chief Executive 
Officer; Wolfgang Dehen, Heinrich Hiesinger, Joe Kaeser, Barbara Kux, Hermann 
Requardt, Siegfried Russwurm, Peter Y. Solmssen; Registered offices: Berlin and 
Munich, Germany; Commercial registries: Berlin Charlottenburg, HRB 12300, 
Munich, HRB 6684; WEEE-Reg.-No. DE 23691322

Von: freeradius-users-bounces+norbert.wegener=siemens@lists.freeradius.org 
[freeradius-users-bounces+norbert.wegener=siemens@lists.freeradius.org] im 
Auftrag von Alan DeKok [al...@deployingradius.com]
Gesendet: Freitag, 4. Dezember 2009 18:54
An: FreeRadius users mailing list
Betreff: Re: Pre-release of Version 2.1.8

Bjørn Mork wrote:
 Alan DeKok al...@deployingradius.com writes:

   I've put a pre-release of version 2.1.8 on the web site:

 http://git.freeradius.org/pre/

 Hmm, they were both a bit small.  I see 14 and 20 bytes. Something
 probably went wrong with the packacking script?

  Yup.  Let me fix that in a bit...

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

43 matches

Mail list logo