Re: Loading fails without reporting an error
Lovaas,Steven wrote:
> Thanks, Adam... this got me looking at the right thing.
> I had a mismatch between the type of the home_server localhost (auth), and the attribute used in one of the realms pointing to the pool that references that home server (pool, instead of auth_pool). Changing the type of the localhost home_server allowed FR to complete loading.

If you have a simple config that can reproduce it, I'd like to fix the problem. It's likely just adding a printed error message in the home server code. But knowing exactly where to add it would be useful.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Loading fails without reporting an error
On Fri, Jul 12, 2013 at 11:19:00AM +0200, Alan DeKok wrote:
> Lovaas,Steven wrote:
> > Thanks, Adam... this got me looking at the right thing.
> > I had a mismatch between the type of the home_server localhost (auth), and the attribute used in one of the realms pointing to the pool that references that home server (pool, instead of auth_pool). Changing the type of the localhost home_server allowed FR to complete loading.
>
> If you have a simple config that can reproduce it, I'd like to fix the problem. It's likely just adding a printed error message in the home server code. But knowing exactly where to add it would be useful.

I've sent a pull request.

It's easy to trigger - take a standard 2.x config and apply the following patch to the config:

diff --git a/raddb/proxy.conf b/raddb/proxy.conf index 413fc14..6ceb5cb 100644 --- a/raddb/proxy.conf +++ b/raddb/proxy.conf @@ -613,6 +613,7 @@ realm example.com { # and acct_pool. auth_pool = my_auth_failover + acct_pool = my_auth_failover # acct_pool = acct #

There is a distinct lack of errors printed out in realms.c when it returns. I'm guessing there may be better error messages or locations to print them, but the pull request will give the right starting pointers :-)

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
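Review bot: the added "acct_pool = my_auth_failover" line in the realm example.com hunk reuses the pool already assigned to auth_pool and sits directly above the commented "# acct_pool = acct" with nothing marking it as a deliberate misconfiguration. If this change is kept anywhere as a reproduction case, put a comment on that line saying the mismatch is intentional, so it is not copied into a working proxy.conf.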
Re: Loading fails without reporting an error
On Fri, Jul 12, 2013 at 11:24:54AM +0100, Matthew Newton wrote:
> On Fri, Jul 12, 2013 at 11:19:00AM +0200, Alan DeKok wrote:
> > Lovaas,Steven wrote:
> > > I had a mismatch between the type of the home_server localhost (auth), and the attribute used in one of the realms pointing to the pool that references that home server (pool, instead of auth_pool). Changing the type of the localhost home_server allowed FR to complete loading.
> >
> > It's likely just adding a printed error message in the home server code. But knowing exactly where to add it would be useful.
>
> It's easy to trigger - take a standard 2.x config and apply the following patch to the config:

To add to that, the same config error on v3 does give an error message, but although it's technically true (a home server being defined by its name *and* type), it's not entirely helpful-

raddb/proxy.conf[593]: Unknown home_server localhost.

Don't know if there are any ways to improve that message - I guess there are a number of reasons that the home_server might not be found. The line number should point to the problem section, though.

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
RE: Loading fails without reporting an error
Certainly! Here's the complete proxy.conf, configured with the mismatch (line 6: type = auth, and line 60: pool = csu-auth) such that FR exits before completely loading in debug mode. Changing either of these to match (or just omitting that pool definition and letting that realm be local) allows FR to load completely.

Thanks for all you do to keep FreeRADIUS working,
Steve

proxy server {
    default_fallback = no
}

home_server localhost {
    type = auth
    ipaddr = 127.0.0.1
    port = 1812
    secret = thisisnotmyrealsecret
    require_message_authenticator = yes
    response_window = 20
    zombie_period = 40
    revive_interval = 120
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
    max_outstanding = 65536
}

home_server tlrs1-eduroam-us {
    type = auth+acct
    ipaddr = 64.57.22.74
    port = 1812
    secret = thisisnotmyrealsecreteither
    require_message_authenticator = yes
    response_window = 20
    zombie_period = 40
    check_interval = 30
    num_answers_to_alive = 3
}

home_server tlrs2-eduroam-us {
    type = auth+acct
    ipaddr = 64.57.22.78
    port = 1812
    secret = noristhisonemyrealsecret
    require_message_authenticator = yes
    response_window = 20
    zombie_period = 40
    check_interval = 30
    num_answers_to_alive = 3
}

home_server_pool csu-auth {
    type = fail-over
    home_server = localhost
}

home_server_pool EDUROAM {
    type = fail-over
    home_server = tlrs1-eduroam-us
    home_server = tlrs2-eduroam-us
}

realm NULL {
}

realm ~(.*\\.)*(colostate|COLOSTATE)\\.(edu|EDU)$ {
    pool = csu-auth
}

realm ~.+$ {
    pool = EDUROAM
    nostrip
}

realm LOCAL {
}

realm DEFAULT {
}
EOF

-----Original Message-----
From: freeradius-users-bounces+steven.lovaas=colostate@lists.freeradius.org [mailto:freeradius-users-bounces+steven.lovaas=colostate@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, July 12, 2013 3:19 AM
To: FreeRadius users mailing list
Subject: Re: Loading fails without reporting an error

Lovaas,Steven wrote:
> Thanks, Adam... this got me looking at the right thing.
> I had a mismatch between the type of the home_server localhost (auth), and the attribute used in one of the realms pointing to the pool that references that home server (pool, instead of auth_pool). Changing the type of the localhost home_server allowed FR to complete loading.

If you have a simple config that can reproduce it, I'd like to fix the problem. It's likely just adding a printed error message in the home server code. But knowing exactly where to add it would be useful.

Alan DeKok.
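[Added example, not part of the original thread and not FreeRADIUS code.] A small Python lint that catches the home_server type / realm pool attribute mismatch discussed above before radiusd is started. The ALLOWED table is an assumed rule drawn from the thread's description; lint_proxy_conf, upstream1 and the sample config are constructed for illustration.

```python
import re

# Assumed rule, drawn from the mismatch described in this thread (not from the
# FreeRADIUS source): home_server types that satisfy each realm attribute.
ALLOWED = {"pool": {"auth+acct"},
           "auth_pool": {"auth", "auth+acct"},
           "acct_pool": {"acct", "auth+acct"}}
BLOCK = re.compile(r"\b(home_server_pool|home_server|realm)\s+(\S+)\s*\{([^{}]*)\}")
PAIR = re.compile(r"([\w-]+)\s*=\s*(\S+)")

def lint_proxy_conf(text):
    """Return (realm, attribute, pool, home_server, type) for each mismatch."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)  # drop full-line comments
    types, pools, realms = {}, {}, []
    for kind, name, body in BLOCK.findall(text):
        pairs = PAIR.findall(body)
        if kind == "home_server":
            types[name] = dict(pairs).get("type")
        elif kind == "home_server_pool":
            pools[name] = [v for k, v in pairs if k == "home_server"]
        else:
            realms.append((name, [(k, v) for k, v in pairs if k in ALLOWED]))
    # Servers with no explicit type are skipped: defaults are not modelled here.
    return [(realm, attr, pool, srv, types[srv])
            for realm, refs in realms for attr, pool in refs
            for srv in pools.get(pool, [])
            if types.get(srv) and types[srv] not in ALLOWED[attr]]

# Constructed sample, abridged from the shape of the proxy.conf in the thread.
SAMPLE = r"""
home_server localhost {
    type = auth
}
home_server upstream1 {
    type = auth+acct
}
home_server_pool csu-auth {
    home_server = localhost
}
home_server_pool EDUROAM {
    home_server = upstream1
}
realm ~(.*\\.)*(colostate|COLOSTATE)\\.(edu|EDU)$ {
    pool = csu-auth
}
realm ~.+$ {
    pool = EDUROAM
}
"""
print(lint_proxy_conf(SAMPLE))
```

Each tuple names the realm, the attribute it used, the pool, and the home server whose type does not fit, which is the information the 2.x server did not print before exiting.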
Re: Loading fails without reporting an error
Lovaas,Steven wrote:
> Hello again,
> I've successfully gotten to the point where local authentication is working well for all modes, using multiple SSIDs through two virtual servers, so I felt confident jumping into the less familiar world of proxying. Not that the concept is hard to understand, it's just always seemed like there were many moving parts (realms and such). With the simpler realm configuration (all in proxy.conf) offered by 2.x, it seems logically laid out and should just work.
>
> But now when I load freerad in debug mode, it simply stops loading with no error, after one of my two home_server_pool stanzas. At that point, it has successfully loaded the basic proxy server, all three home_server stanzas, and the first home_server_pool. It just seems to stall.

Hmm... it looks like there's a problem with the file. It doesn't stop, it *exits*. See doc/bugs. That should help finding out where it's exiting.

Alan DeKok.
Re: Loading fails without reporting an error
On 11 Jul 2013, at 08:40, Alan DeKok al...@deployingradius.com wrote:
> Lovaas,Steven wrote:
>
> Hmm... it looks like there's a problem with the file. It doesn't stop, it *exits*. See doc/bugs. That should help finding out where it's exiting.

I think I saw this issue a week or so ago - I've not been able to reproduce this on an out-of-the-box configuration; just dropping the home_server and home_server_pool stanzas into proxy.conf on a new installation doesn't cause the issue.

It seems to occur when you have a home server configured with type = auth. Simply changing the home_server type to auth+acct makes the config parser happy again.

Debug log follows; I'm building debug symbols at the moment to see if I can get GDB to give anything more useful.

Adam Bishop
gpg: 0x6609D460
Janet, the UK's research and education network.

[root@orps2 raddb]# radiusd -X
FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on May 22 2013 at 10:50:32
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/nrps/nrps.conf
including configuration file /etc/raddb/nrps/nrps-client.conf
including configuration file /etc/raddb/nrps/nrps-server.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules-enabled/
including configuration file /etc/raddb/modules-enabled/expiration
including configuration file /etc/raddb/modules-enabled/sql_log
including configuration file /etc/raddb/modules-enabled/expr
including configuration file /etc/raddb/modules-enabled/always
including configuration file /etc/raddb/modules-enabled/mschap
including configuration file /etc/raddb/modules-enabled/attr_filter
including configuration file /etc/raddb/modules-enabled/exec
including configuration file /etc/raddb/modules-enabled/ntlm_auth
including configuration file /etc/raddb/modules-enabled/files
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/status
including configuration file /etc/raddb/sites-enabled/moonshot
including configuration file /etc/raddb/preproxy.conf
including configuration file /etc/raddb/sites-enabled/transport
including configuration file /etc/raddb/preproxy.conf
including configuration file /etc/raddb/sites-enabled/power
including configuration file /etc/raddb/sites-enabled/eduroam
including configuration file /etc/raddb/sites-enabled/ems
including configuration file /etc/raddb/preproxy.conf
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/infrastructure
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/preproxy.conf
main {
    user = radiusd
    group = radiusd
    allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
    name = radiusd
    prefix = /usr
    localstatedir = /var
    sbindir = /usr/sbin
    logdir = /var/log/radius
    run_dir = /var/run/radiusd
    libdir = /usr/lib64/freeradius
    radacctdir = /var/log/radius/radacct
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 4096
    pidfile = /var/run/radiusd/radiusd.pid
    checkrad = /usr/sbin/checkrad
    debug_level = 0
    proxy_requests = yes
 log {
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
 }
 security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
 }
}
radiusd: Loading Realms and Home Servers
 proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
 }
 home_server ms-perf0 {
    ipv6addr = 2001:630:50:d009:250:56ff:fe88:c376 IPv6 address [2001:630:50:d009:250:56ff:fe88:c376]
    port = 1812
    type = auth+acct
    secret =
    response_window = 30
    max_outstanding = 65536
    require_message_authenticator = yes
    zombie_period = 40
    status_check = status-server
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 300
    status_check_timeout = 4
 }
 home_server ms-perf1 {
    ipaddr = 193.63.63.244
RE: Loading fails without reporting an error
Thanks, Adam... this got me looking at the right thing.
I had a mismatch between the type of the home_server localhost (auth), and the attribute used in one of the realms pointing to the pool that references that home server (pool, instead of auth_pool). Changing the type of the localhost home_server allowed FR to complete loading.

Steve

-----Original Message-----
From: freeradius-users-bounces+steven.lovaas=colostate@lists.freeradius.org [mailto:freeradius-users-bounces+steven.lovaas=colostate@lists.freeradius.org] On Behalf Of Adam Bishop
Sent: Thursday, July 11, 2013 4:29 AM
To: FreeRadius users mailing list
Subject: Re: Loading fails without reporting an error

On 11 Jul 2013, at 08:40, Alan DeKok al...@deployingradius.com wrote:
> Lovaas,Steven wrote:
>
> Hmm... it looks like there's a problem with the file. It doesn't stop, it *exits*. See doc/bugs. That should help finding out where it's exiting.

I think I saw this issue a week or so ago - I've not been able to reproduce this on an out-of-the-box configuration; just dropping the home_server and home_server_pool stanzas into proxy.conf on a new installation doesn't cause the issue.

It seems to occur when you have a home server configured with type = auth. Simply changing the home_server type to auth+acct makes the config parser happy again.

Debug log follows; I'm building debug symbols at the moment to see if I can get GDB to give anything more useful.

Adam Bishop
gpg: 0x6609D460
Janet, the UK's research and education network.

[root@orps2 raddb]# radiusd -X
FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on May 22 2013 at 10:50:32
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...