Re: Problems System Auth with FreeRadius (/etc/shadow)
Min,

I have installed FreeRadius from an RPM. I am running FreeRadius as user radiusd and group root.

Att,

Nataniel Klug

- Original Message -
From: "Min Qiu" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Thursday, January 26, 2006 7:16 PM
Subject: RE: Problems System Auth with FreeRadius (/etc/shadow)

> You may read the doc wrong. The group you should look for is
> "radiusd". When you create user "radiusd", the group "radiusd"
> should also be created if you use adduser command to do the job.
> You don't want user "radiusd" to belong to group "root". Do
> "chgrp radiusd /etc/shadow".
>
> Min
>
> > -Original Message-
> > From:
> > [EMAIL PROTECTED]
> > freeradius.org
> > [mailto:freeradius-users-bounces+mqiu=globalinternetworking.co
> > [EMAIL PROTECTED] On Behalf Of Nataniel Klug
> > Sent: Thursday, January 26, 2006 3:57 PM
> > To: FreeRadius users mailing list
> > Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)
> >
> > Alan,
> >
> > Now you have given me a tip... At my Fedora there is no group
> > shadow, so I put radius to run as group "root" so it could read
> > /etc/shadow only if I set +r to group at shadow files.
> >
> > Att,
> >
> > Nataniel Klug
> >
> > - Original Message -
> > From: "Alan DeKok" <[EMAIL PROTECTED]>
> > To: "FreeRadius users mailing list"
> > Sent: Thursday, January 26, 2006 3:37 PM
> > Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)
> >
> > > "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> > > > I just have installed the package from Fedora Core 3, nothing else.
> > >
> > > Then look at the configuration file. See how it's different from
> > > what is shipped with FreeRADIUS.
> > >
> > > And setting "a+rw" on /etc/passwd and /etc/shadow is probably the
> > > single worst thing you can do to your system. EVER. Rather than
> > > doing that, read raddb/radiusd.conf, it talks about issues with
> > > reading /etc/shadow, and describes suggested fixes that won't
> > > destroy your system.
> > >
> > > Honestly, I don't understand why it's so hard to read the
> > > configuration files.
> > >
> > > Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems System Auth with FreeRadius (/etc/shadow)
Alan,

The server is running as user radiusd and group root.

Att,

Nataniel Klug

- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Thursday, January 26, 2006 8:26 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

> "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> > Now you have given me a tip... At my Fedora there is no group shadow
>
> $ vi /etc/group
>
> add "shadow" ??
>
> > so I put radius to run as group "root" so it could read /etc/shadow
> > only if I set +r to group at shadow files.
>
> It's usually better to *not* run the server as root.
>
> Alan DeKok.
Re: Problems System Auth with FreeRadius (/etc/shadow)
"Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> Now you have given me a tip... At my Fedora there is no group shadow

$ vi /etc/group

add "shadow" ??

> so I put radius to run as group "root" so it could read /etc/shadow
> only if I set +r to group at shadow files.

It's usually better to *not* run the server as root.

Alan DeKok.
RE: Problems System Auth with FreeRadius (/etc/shadow)
You may read the doc wrong. The group you should look for is "radiusd". When you create user "radiusd", the group "radiusd" should also be created if you use adduser command to do the job. You don't want user "radiusd" to belong to group "root". Do "chgrp radiusd /etc/shadow".

Min

> -Original Message-
> From:
> [EMAIL PROTECTED]
> freeradius.org
> [mailto:freeradius-users-bounces+mqiu=globalinternetworking.co
> [EMAIL PROTECTED] On Behalf Of Nataniel Klug
> Sent: Thursday, January 26, 2006 3:57 PM
> To: FreeRadius users mailing list
> Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)
>
> Alan,
>
> Now you have given me a tip... At my Fedora there is no group
> shadow, so I put radius to run as group "root" so it could read
> /etc/shadow only if I set +r to group at shadow files.
>
> Att,
>
> Nataniel Klug
>
> - Original Message -
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: "FreeRadius users mailing list"
> Sent: Thursday, January 26, 2006 3:37 PM
> Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)
>
> > "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> > > I just have installed the package from Fedora Core 3, nothing else.
> >
> > Then look at the configuration file. See how it's different from
> > what is shipped with FreeRADIUS.
> >
> > And setting "a+rw" on /etc/passwd and /etc/shadow is probably the
> > single worst thing you can do to your system. EVER. Rather than
> > doing that, read raddb/radiusd.conf, it talks about issues with
> > reading /etc/shadow, and describes suggested fixes that won't
> > destroy your system.
> >
> > Honestly, I don't understand why it's so hard to read the
> > configuration files.
> >
> > Alan DeKok.
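The setup recommended in the reply above (a dedicated daemon group with read access, instead of the a+rw that the quoted message warns about) can be checked mechanically. The shell function below is an added example, not part of the thread or of FreeRADIUS; the name `audit_shadow_perms` and its parameters are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: audit a shadow-style file against the
# least-privilege setup discussed above. GNU stat (Linux) is assumed.

# audit_shadow_perms FILE GROUP [OWNER]
#   FILE   file to check (on a real host: /etc/shadow)
#   GROUP  group the RADIUS daemon runs as (the thread suggests "radiusd")
#   OWNER  expected owner, default root
# Prints one finding per line. Returns 0 when clean, 1 with findings,
# 2 when the file cannot be examined.
audit_shadow_perms() {
    asp_file=$1 asp_group=$2 asp_owner=${3:-root}
    asp_meta=$(stat -c '%a %U %G' -- "$asp_file" 2>/dev/null) || return 2
    # Split "mode owner group" into the positional parameters.
    set -- $asp_meta
    asp_mode=$((0$1)) asp_rc=0   # leading 0 makes the shell read it as octal

    if [ "$2" != "$asp_owner" ]; then
        echo "owner is $2, expected $asp_owner"; asp_rc=1
    fi
    # Any bit for "other" exposes the password hashes to every local
    # account; a+rw additionally lets any account rewrite them.
    if [ $((asp_mode & 07)) -ne 0 ]; then
        echo "world-accessible (mode $1): remove with chmod o-rwx"; asp_rc=1
    fi
    # The daemon only verifies passwords, so group write is never needed.
    if [ $((asp_mode & 020)) -ne 0 ]; then
        echo "group-writable (mode $1): remove with chmod g-w"; asp_rc=1
    fi
    if [ "$3" != "$asp_group" ]; then
        echo "group is $3, expected $asp_group: chgrp $asp_group $asp_file"
        asp_rc=1
    elif [ $((asp_mode & 040)) -eq 0 ]; then
        # Matches the symptom in the thread: the daemon cannot read the
        # hashes, so correct passwords are rejected.
        echo "group $asp_group cannot read (mode $1): add with chmod g+r"
        asp_rc=1
    fi
    return $asp_rc
}

# Constructed demo on a scratch file standing in for /etc/shadow.
demo=$(mktemp) && chmod 666 "$demo"
audit_shadow_perms "$demo" radiusd "$(stat -c %U "$demo")" || true
rm -f "$demo"
```

On a real host the call would be `audit_shadow_perms /etc/shadow radiusd`, run as root.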
Re: Problems System Auth with FreeRadius (/etc/shadow)
Alan,

Now you have given me a tip... At my Fedora there is no group shadow, so I put radius to run as group "root" so it could read /etc/shadow only if I set +r to group at shadow files.

Att,

Nataniel Klug

- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Thursday, January 26, 2006 3:37 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

> "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> > I just have installed the package from Fedora Core 3, nothing else.
>
> Then look at the configuration file. See how it's different from
> what is shipped with FreeRADIUS.
>
> And setting "a+rw" on /etc/passwd and /etc/shadow is probably the
> single worst thing you can do to your system. EVER. Rather than
> doing that, read raddb/radiusd.conf, it talks about issues with
> reading /etc/shadow, and describes suggested fixes that won't destroy your
> system.
>
> Honestly, I don't understand why it's so hard to read the
> configuration files.
>
> Alan DeKok.
Re: Problems System Auth with FreeRadius (/etc/shadow)
"Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> I just have installed the package from Fedora Core 3, nothing else.

Then look at the configuration file. See how it's different from what is shipped with FreeRADIUS.

And setting "a+rw" on /etc/passwd and /etc/shadow is probably the single worst thing you can do to your system. EVER. Rather than doing that, read raddb/radiusd.conf, it talks about issues with reading /etc/shadow, and describes suggested fixes that won't destroy your system.

Honestly, I don't understand why it's so hard to read the configuration files.

Alan DeKok.
Re: Problems System Auth with FreeRadius (/etc/shadow)
Alan,

I just have installed the package from Fedora Core 3, nothing else.

Att,

Nataniel Klug

- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Wednesday, January 25, 2006 8:58 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

> "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> > Ok, it disagrees but I am SURE that I have set the password to user nata.
> > How can this FreeRadius deny? where it is looking? Why when I install
> > Cistron Radius it works fine?
>
> Because FreeRADIUS is more configurable than Cistron, so there's
> more potential for misconfiguration.
>
> You didn't say how you configured the "unix" module. But in the
> default config, that error message occurs *only* when the password is
> incorrect.
>
> If you've edited the configuration for the "unix" module, then all
> bets are off.
>
> Alan DeKok.
Re: Problems System Auth with FreeRadius (/etc/shadow)
Mark,

I tried using just read option, did not work. I had to set rw permission in both files... But now it is working and I am very happy... hehehe... Thanks.

Att,

Nataniel Klug

- Original Message -
From: "Mark Tunnell" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Wednesday, January 25, 2006 9:54 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

> I'm glad it's working but it's not necessary to give radius write
> permissions to either of those files. All radius needs to be able to
> do is read them.
>
> Mark
>
> Nataniel Klug wrote:
> > Mark,
> >
> > It works! Thanks...
> >
> > I set a+rw permission on the files passwd and shadow.
> >
> > Att,
> >
> > Nataniel Klug
> >
> > - Original Message -
> > From: "Mark Tunnell" <[EMAIL PROTECTED]>
> > To: "FreeRadius users mailing list"
> > Sent: Wednesday, January 25, 2006 5:25 PM
> > Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)
> >
> >> I had the same issue. My problem turned out to be that radius didn't
> >> have read access to the shadow password file.
> >>
> >> Mark
> >>
> >> Alan DeKok wrote:
> >>> "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> >>>> rlm_unix: [nata]: invalid password
> >>>> modcall[authenticate]: module "unix" returns reject for request 1
> >>> ...
> >>>> I could not understand what is going on. The password is correct for this
> >>>> user.
Re: Problems System Auth with FreeRadius (/etc/shadow)
I'm glad it's working but it's not necessary to give radius write permissions to either of those files. All radius needs to be able to do is read them.

Mark

Nataniel Klug wrote:
> Mark,
>
> It works! Thanks...
>
> I set a+rw permission on the files passwd and shadow.
>
> Att,
>
> Nataniel Klug
>
> - Original Message -
> From: "Mark Tunnell" <[EMAIL PROTECTED]>
> To: "FreeRadius users mailing list"
> Sent: Wednesday, January 25, 2006 5:25 PM
> Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)
>
>> I had the same issue. My problem turned out to be that radius didn't
>> have read access to the shadow password file.
>>
>> Mark
>>
>> Alan DeKok wrote:
>>> "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
>>>> rlm_unix: [nata]: invalid password
>>>> modcall[authenticate]: module "unix" returns reject for request 1
>>> ...
>>>> I could not understand what is going on. The password is correct for this
>>>> user.
Re: Problems System Auth with FreeRadius (/etc/shadow)
"Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> Ok, it disagrees but I am SURE that I have set the password to user nata.
> How can this FreeRadius deny? where it is looking? Why when I install
> Cistron Radius it works fine?

Because FreeRADIUS is more configurable than Cistron, so there's more potential for misconfiguration.

You didn't say how you configured the "unix" module. But in the default config, that error message occurs *only* when the password is incorrect.

If you've edited the configuration for the "unix" module, then all bets are off.

Alan DeKok.
Re: Problems System Auth with FreeRadius (/etc/shadow)
Mark,

It works! Thanks...

I set a+rw permission on the files passwd and shadow.

Att,

Nataniel Klug

- Original Message -
From: "Mark Tunnell" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Wednesday, January 25, 2006 5:25 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

> I had the same issue. My problem turned out to be that radius didn't
> have read access to the shadow password file.
>
> Mark
>
> Alan DeKok wrote:
> > "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> >> rlm_unix: [nata]: invalid password
> >> modcall[authenticate]: module "unix" returns reject for request 1
> > ...
> >> I could not understand what is going on. The password is correct for this
> >> user.
Re: Problems System Auth with FreeRadius (/etc/shadow)
Alan,

Ok, it disagrees but I am SURE that I have set the password to user nata. How can this FreeRadius deny? where it is looking? Why when I install Cistron Radius it works fine?

Please, give me an answer not only what I already know.

Att,

Nataniel Klug

- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Wednesday, January 25, 2006 4:25 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

> "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> > rlm_unix: [nata]: invalid password
> > modcall[authenticate]: module "unix" returns reject for request 1
> ...
> > I could not understand what is going on. The password is correct for this
> > user.
>
> The code running on your machine disagrees.
>
> Alan DeKok.
Re: Problems System Auth with FreeRadius (/etc/shadow)
Mark,

Finally something that could be happening for sure! I will try to set up permission on this file. Thanx!

Att,

Nataniel Klug

- Original Message -
From: "Mark Tunnell" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Wednesday, January 25, 2006 5:25 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

> I had the same issue. My problem turned out to be that radius didn't
> have read access to the shadow password file.
>
> Mark
>
> Alan DeKok wrote:
> > "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> >> rlm_unix: [nata]: invalid password
> >> modcall[authenticate]: module "unix" returns reject for request 1
> > ...
> >> I could not understand what is going on. The password is correct for this
> >> user.
Re: Problems System Auth with FreeRadius (/etc/shadow)
I had the same issue. My problem turned out to be that radius didn't have read access to the shadow password file.

Mark

Alan DeKok wrote:
> "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
>> rlm_unix: [nata]: invalid password
>> modcall[authenticate]: module "unix" returns reject for request 1
> ...
>> I could not understand what is going on. The password is correct for this
>> user.
Re: Problems System Auth with FreeRadius (/etc/shadow)
"Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> rlm_unix: [nata]: invalid password
> modcall[authenticate]: module "unix" returns reject for request 1
...
> I could not understand what is going on. The password is correct for this
> user.

The code running on your machine disagrees.

Alan DeKok.
Re: Problems System Auth with FreeRadius (/etc/shadow)
Alan,

I tried it in full debug mode, returns this:

rad_recv: Access-Request packet from host 127.0.0.1:32773, id=46, length=62
    Service-Type = Login-User
    User-Name = "nata"
    User-Password = "nata0405"
    NAS-IP-Address = 200.163.208.4
    NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "nata", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 1
users: Matched DEFAULT at 152
users: Matched DEFAULT at 216
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_unix: [nata]: invalid password
modcall[authenticate]: module "unix" returns reject for request 1
modcall: group authenticate returns reject for request 1
auth: Failed to validate the user.
Login incorrect: [nata/nata0405] (from client localhost port 0)
Sending Access-Reject of id 46 to 127.0.0.1:32773
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 46 with timestamp 43d7232a
Nothing to do. Sleeping until we see a request.

I could not understand what is going on. The password is correct for this user.

Att,

Nataniel Klug

- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Tuesday, January 24, 2006 3:21 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

> "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> > [EMAIL PROTECTED] radius]# tail radius.log -n 2
> > Tue Jan 24 01:24:02 2006 : Auth: rlm_unix: [nata]: invalid password
>
> Nice. Is there any particular reason you're refusing to run the
> server in debugging mode, as suggested in the README, FAQ, and
> INSTALL?
>
> Alan DeKok.
Re: Problems System Auth with FreeRadius (/etc/shadow)
"Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] radius]# tail radius.log -n 2
> Tue Jan 24 01:24:02 2006 : Auth: rlm_unix: [nata]: invalid password

Nice. Is there any particular reason you're refusing to run the server in debugging mode, as suggested in the README, FAQ, and INSTALL?

Alan DeKok.
Problems System Auth with FreeRadius (/etc/shadow)
Hello,

I am having a big problem with FreeRadius server. It doesn't authenticate my clients using /etc/shadow and /etc/passwd. When I try to use "radlogin" or "radtest" these are the messages I get:

=== radlogin ===

[EMAIL PROTECTED] radius]# radlogin
($Id: radlogin.c,v 1.3 1997/12/29 23:07:25 lf Exp $)
- Linux 2.6.13.4 (ns2.cnett.com.br) (port 0) -
login: nata
Password:
RADIUS: Authentication failure
local: Authentication failure
[EMAIL PROTECTED] radius]# tail radius.log -n 2
Tue Jan 24 01:24:02 2006 : Auth: rlm_unix: [nata]: invalid password
Tue Jan 24 01:24:02 2006 : Auth: Login incorrect: [nata/1234] (from client localhost port 0)

=== radtest ===

[EMAIL PROTECTED] radius]# radtest nata 1234 localhost:1812 0 local
Sending Access-Request of id 126 to 127.0.0.1:1812
    User-Name = "nata"
    User-Password = "1234"
    NAS-IP-Address = ns2.cnett.com.br
    NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=126, length=20
[EMAIL PROTECTED] radius]# tail -n 2 radius.log
Tue Jan 24 01:26:41 2006 : Auth: rlm_unix: [nata]: invalid password
Tue Jan 24 01:26:41 2006 : Auth: Login incorrect: [nata/1234] (from client localhost port 0)

I tried everything I know and it is still not working. If I compile and install Cistron Radius it works just fine, but I don't want Cistron...

freeradius-1.0.1-1
Fedora Core 3 - Kernel 2.6.13.4 (compiled from source)

Waiting for help.

Att,

Nataniel Klug