Re: Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread Thomas Glanzmann
Hello Arran,

> Something was caching the pointer to request->password when it
> shouldn't have. Should be fixed now.

I pulled the fix and can no longer reproduce the issue, I tried with 100
authentications in a row. Thank you for fixing it.

Cheers,
Thomas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
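
The failure discussed in this thread, as an added example that is not FreeRADIUS code and not the actual fix: a pointer to the password pair is cached, the pair list is then rebuilt, and a type check in the spirit of _talloc_get_type_abort() flags the stale pointer, while a fresh lookup stays valid. The structures, function names and the rebuild trigger are assumptions made for illustration; the sample values come from the debug log in the thread.

```c
#include <stdio.h>
#define PAIR_LIVE  0x50414952u  /* tag on a live pair */
#define PAIR_FREED 0xDEADBEEFu  /* tag written when a pair is released */
typedef struct { const char *name; } dict_attr;            /* models DICT_ATTR */
typedef struct { unsigned tag; const dict_attr *da; char value[32]; } value_pair;
typedef struct { value_pair *vps[4]; int n; value_pair *password; } request;
static const dict_attr USER_NAME = { "User-Name" }, USER_PASSWORD = { "User-Password" };
static value_pair pool[8];  /* static arena: released slots stay readable */
static int pool_used;

static value_pair *pair_add(request *r, const dict_attr *da, const char *v) {
    if (r->n == 4 || pool_used == 8) return NULL;
    value_pair *vp = &pool[pool_used++];
    vp->tag = PAIR_LIVE; vp->da = da;
    snprintf(vp->value, sizeof vp->value, "%s", v);
    return r->vps[r->n++] = vp;
}

/* Assumed trigger: the list is rebuilt and the old pairs are released. */
static void request_rebuild(request *r) {
    int n = r->n; r->n = 0;
    for (int i = 0; i < n; i++) {
        value_pair *old = r->vps[i];
        pair_add(r, old->da, old->value);
        old->tag = PAIR_FREED; old->da = NULL;  /* r->password is not updated */
    }
}

static value_pair *pair_find(request *r, const dict_attr *da) {
    for (int i = 0; i < r->n; i++) if (r->vps[i]->da == da) return r->vps[i];
    return NULL;
}

/* Type check in the spirit of talloc_get_type_abort(): reject a released pair. */
static int pair_ok(const value_pair *vp) { return vp && vp->tag == PAIR_LIVE && vp->da; }

/* Returns 1 if the password pair is usable after the rebuild, 0 if it is stale. */
static int scenario(int relookup) {
    request r = { .n = 0 };
    pool_used = 0;
    pair_add(&r, &USER_NAME, "bla");
    r.password = pair_add(&r, &USER_PASSWORD, "fasel");  /* pointer cached here */
    request_rebuild(&r);
    if (relookup) r.password = pair_find(&r, &USER_PASSWORD);  /* look it up again */
    return pair_ok(r.password) && r.password->da == &USER_PASSWORD;
}

int main(void) { printf("cached: %d, re-looked-up: %d\n", scenario(0), scenario(1)); return 0; }
```

In the stale case the released slot has da set to NULL, which is the state the gdb session in the thread shows for auth_item->da.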


Re: Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread Arran Cudbard-Bell

On 21 Jul 2013, at 23:47, Susan Brown  wrote:

> 
> On 21 Jul 2013, at 23:17, Thomas Glanzmann  wrote:
> 
>> Hello Arran,
>> 
>>> Oh I have a pretty good idea of what's gone on. Could you git pull and
>>> rebuild. You'll probably see an abort this time round.
>> 
>> I did a 
>> 
>> git pull
>> # Wipe the working directory clean
>> git reset --hard HEAD; git clean -f -x -d
>> ./configure --prefix=/local/freeradius-head; make -j; make install
>> And yes, I see an ABORT, what is going on?
> 
> Something was caching the pointer to request->password when it shouldn't have.
> 
> Should be fixed now.

Interesting. Pretty sure I haven't changed my name to Susan Brown... hmm.

-Arran


Re: Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread Susan Brown

On 21 Jul 2013, at 23:17, Thomas Glanzmann  wrote:

> Hello Arran,
> 
>> Oh I have a pretty good idea of what's gone on. Could you git pull and
>> rebuild. You'll probably see an abort this time round.
> 
> I did a 
> 
> git pull
> # Wipe the working directory clean
> git reset --hard HEAD; git clean -f -x -d
> ./configure --prefix=/local/freeradius-head; make -j; make install
> And yes, I see an ABORT, what is going on?

Something was caching the pointer to request->password when it shouldn't have.

Should be fixed now.

Arran Cudbard-Bell 
FreeRADIUS Development Team



Re: Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread Thomas Glanzmann
Hello Arran,

> Oh I have a pretty good idea of what's gone on. Could you git pull and
> rebuild. You'll probably see an abort this time round.

I did a 

git pull
# Wipe the working directory clean
git reset --hard HEAD; git clean -f -x -d
./configure --prefix=/local/freeradius-head; make -j; make install
And yes, I see an ABORT, what is going on?

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 47420, id=99, length=43
User-Name = 'bla'
User-Password = 'fasel'
(0) # Executing section authorize from file /local/freeradius-head/etc/raddb/sites-enabled/smsotp
(0)   group authorize {
(0)  - entering group authorize {...}
(0)   update control {
(0) Auth-Type := perl
(0)   } # update control = notfound
(0) Found Auth-Type = perl
(0) # Executing group from file /local/freeradius-head/etc/raddb/sites-enabled/smsotp
(0)   group authenticate {
(0)  - entering group authenticate {...}
rlm_perl: Added pair User-Name = bla
rlm_perl: Added pair User-Password = fasel
rlm_perl: Added pair Auth-Type = perl
(0)   [perl] = reject
(0) Failed to authenticate the user.
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /local/freeradius-head/etc/raddb/sites-enabled/smsotp
(0)   group REJECT {
(0)  - entering group REJECT {...}
(0) attr_filter.access_reject : expand: "%{User-Name}" -> 'bla'
(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
(0)   [attr_filter.access_reject] = updated
(0) Finished request 0.
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed reject
Sending Access-Reject of id 99 from 0.0.0.0 port 1812 to 127.0.0.1 port 47420
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 33829, id=101, length=43
User-Name = 'bla'
User-Password = 'fasel'
(1) # Executing section authorize from file /local/freeradius-head/etc/raddb/sites-enabled/smsotp
(1)   group authorize {
(1)  - entering group authorize {...}
(1)   update control {
(1) Auth-Type := perl
(1)   } # update control = notfound
(1) Found Auth-Type = perl
(1) # Executing group from file /local/freeradius-head/etc/raddb/sites-enabled/smsotp
(1)   group authenticate {
(1)  - entering group authenticate {...}
rlm_perl: Added pair User-Name = bla
rlm_perl: Added pair User-Password = fasel
rlm_perl: Added pair Auth-Type = perl
(1)   [perl] = reject
(1) Failed to authenticate the user.

Program received signal SIGABRT, Aborted.
0xf7fdf430 in __kernel_vsyscall ()
(gdb) bt
#0  0xf7fdf430 in __kernel_vsyscall ()
#1  0xf7b92941 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0xf7b95d72 in *__GI_abort () at abort.c:92
#3  0xf7d47c83 in ?? () from /usr/lib/i386-linux-gnu/libtalloc.so.2
#4  0xf7d498cc in talloc_get_name () from /usr/lib/i386-linux-gnu/libtalloc.so.2
#5  0xf7d4bbde in _talloc_get_type_abort () from /usr/lib/i386-linux-gnu/libtalloc.so.2
#6  0x08052f97 in rad_authenticate (request=0x863eeb8) at src/main/auth.c:541
#7  0x080741f3 in request_running (request=0x863eeb8, action=1) at src/main/process.c:1185
#8  0x08073545 in request_queue_or_run (request=0x863eeb8, process=0x8074124 ) at src/main/process.c:828
#9  0x08074856 in request_receive (listener=0x8480a98, packet=0x863edb8, client=0x81e4828, fun=0x8052a0b ) at src/main/process.c:1377
#10 0x0805930c in auth_socket_recv (listener=0x8480a98) at src/main/listen.c:1449
#11 0x08079b29 in event_socket_handler (xel=0x846f4d8, fd=7, ctx=0x8480a98) at src/main/process.c:3483
#12 0xf7d7e0cd in fr_event_loop (el=0x846f4d8) at src/lib/event.c:414
#13 0x0807adb1 in radius_event_process () at src/main/process.c:4272
#14 0x0806a3a4 in main (argc=2, argv=0xcc14) at src/main/radiusd.c:475
(gdb) quit

Cheers,
Thomas


Re: Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread Thomas Glanzmann
Hello Alan,

> I believe hints is going the way of the dodo eventually - unlang can
> do the work for you eg

> if (%{User-Name} =~ "^v104([^@]+)" ) {
>   update request {
>   %{User-Name} := "%{1}@V104.GMVL.DE"
>   }
>   }

I tried:

server default {
    listen {
        type = auth
        ipaddr = *
    }

    authenticate {
        perl
    }

    authorize {
        update control {
            Auth-Type := perl
        }
        if (%{User-Name} =~ /^v104([^@]+)/ ) {
            update request {
                %{User-Name} := "%{1}@V104.GMVL.DE"
            }
        }
    }

    accounting {
        detail
    }

    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}

There was one error I could figure out: the right side of the regular
expressions has to be // and not "". I fixed that, but it does not
recognize the right-hand side "%{1}@V104.GMVL.DE". According to [1] it
should be that, if I understand it correctly.

[1] http://freeradius.org/radiusd/man/unlang.html

> that's more interesting. We run PERL with 3.x here and haven't seen such
> an issue wonder if your PERL environment is different

I'm running Debian Wheezy. libperl-dev - 5.14.2-21

> it would be sooo much better for you to be running (or ready to run!)
> 3.x at this point in time

I work on it. :-)

Cheers,
Thomas


Re: Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread Arran Cudbard-Bell

On 21 Jul 2013, at 22:33, Thomas Glanzmann  wrote:

> Hello Arran,
> 
>> Can you provide a backtrace please? I'll see if I can fix it.
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x08052f8a in rad_authenticate (request=0x863f138) at src/main/auth.c:542
> 542 (auth_item->da->attr == PW_USER_PASSWORD)) {
> (gdb) bt
> #0  0x08052f8a in rad_authenticate (request=0x863f138) at src/main/auth.c:542
> #1  0x080741d3 in request_running (request=0x863f138, action=1) at src/main/process.c:1185
> #2  0x08073525 in request_queue_or_run (request=0x863f138, process=0x8074104 ) at src/main/process.c:828
> #3  0x08074836 in request_receive (listener=0x8480c00, packet=0x863ef30, client=0x81e4828, fun=0x8052a0b ) at src/main/process.c:1377
> #4  0x080592ec in auth_socket_recv (listener=0x8480c00) at src/main/listen.c:1449
> #5  0x08079b09 in event_socket_handler (xel=0x846f640, fd=7, ctx=0x8480c00) at src/main/process.c:3483
> #6  0xf7d7e0cd in fr_event_loop (el=0x846f640) at src/lib/event.c:414
> #7  0x0807ad91 in radius_event_process () at src/main/process.c:4272
> #8  0x0806a384 in main (argc=2, argv=0xcc04) at src/main/radiusd.c:475
> (gdb) p auth_item
> $1 = (VALUE_PAIR *) 0x8482220
> (gdb) p auth_item->da
> $2 = (const DICT_ATTR *) 0x0
> 
> I was able to reproduce that on Ubuntu 12.04 (Precise Pangolin) x64 and Debian
> Wheezy 32 Bit. If you need exact instruction on how to reproduce or
> access to the system, send me a ssh key or e-mail.

Oh I have a pretty good idea of what's gone on. Could you git pull and rebuild. 
You'll probably see an abort this time round.

-Arran



Re: Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread Thomas Glanzmann
Hello Arran,

> Can you provide a backtrace please? I'll see if I can fix it.

Program received signal SIGSEGV, Segmentation fault.
0x08052f8a in rad_authenticate (request=0x863f138) at src/main/auth.c:542
542 (auth_item->da->attr == PW_USER_PASSWORD)) {
(gdb) bt
#0  0x08052f8a in rad_authenticate (request=0x863f138) at src/main/auth.c:542
#1  0x080741d3 in request_running (request=0x863f138, action=1) at src/main/process.c:1185
#2  0x08073525 in request_queue_or_run (request=0x863f138, process=0x8074104 ) at src/main/process.c:828
#3  0x08074836 in request_receive (listener=0x8480c00, packet=0x863ef30, client=0x81e4828, fun=0x8052a0b ) at src/main/process.c:1377
#4  0x080592ec in auth_socket_recv (listener=0x8480c00) at src/main/listen.c:1449
#5  0x08079b09 in event_socket_handler (xel=0x846f640, fd=7, ctx=0x8480c00) at src/main/process.c:3483
#6  0xf7d7e0cd in fr_event_loop (el=0x846f640) at src/lib/event.c:414
#7  0x0807ad91 in radius_event_process () at src/main/process.c:4272
#8  0x0806a384 in main (argc=2, argv=0xcc04) at src/main/radiusd.c:475
(gdb) p auth_item
$1 = (VALUE_PAIR *) 0x8482220
(gdb) p auth_item->da
$2 = (const DICT_ATTR *) 0x0

I was able to reproduce that on Ubuntu 12.04 (Precise Pangolin) x64 and Debian
Wheezy 32 Bit. If you need exact instruction on how to reproduce or
access to the system, send me a ssh key or e-mail.

Cheers,
Thomas


Re: Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread A . L . M . Buxey
Hi,

> While trying that I also build a 3.0 GIT HEAD and there were a few
> problems, I tripped over:
> 
> - HINTS does not work the way it did before. Especially this no
>   longer works for me:
> 
> DEFAULT User-Name =~ "^v104([^@]+)"
>  User-Name := "%{1}@V104.GMVL.DE"


I believe hints is going the way of the dodo eventually - unlang can do the
work for you eg

if (%{User-Name} =~ "^v104([^@]+)" ) {
update request {
%{User-Name} := "%{1}@V104.GMVL.DE"
}
}

or somesuch.

> Message is: (0) WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.

as already said, this is just no reject part on post-auth - this has been 
common since 2.2.x

> - freeradius gives me a segmentation fault as soon as I put 'perl' in
>   the authorize section and do one authentication request.

that's more interesting. We run PERL with 3.x here and haven't seen such an
issue wonder if your PERL environment is different

it would be sooo much better for you to be running (or ready to run!) 3.x at
this point in time

alan


Re: Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread Thomas Glanzmann
Hello Arran,

> > DEFAULT User-Name =~ "^v104([^@]+)"
> > User-Name := "%{1}@V104.GMVL.DE"

> Can you get some debug output or even just the value of the User-Name?
> It may just be the escaping is less crazy than it used to be.

username is: v104\Administrator but radius puts it internally as
v104\\Administrator.

This is how it looks like in 2.2.0:

rad_recv: Access-Request packet from host 10.104.1.0 port 54489, id=59, length=58
User-Name = "v104\\Administrator"
User-Password = "Pa$$w0rd"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[control] returns notfound
[preprocess]expand: %{User-Name} -> v104\Administrator
[preprocess]   hints: Matched DEFAULT at 1
[preprocess]expand: %{1}@V104.GMVL.DE -> administra...@v104.gmvl.de
++[preprocess] returns ok
Found Auth-Type = perl
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
rlm_perl: Added pair User-Name = administra...@v104.gmvl.de
rlm_perl: Added pair User-Password = Pa$$w0rd
rlm_perl: Added pair NAS-IP-Address = 10.104.1.0
rlm_perl: Added pair Reply-Message = Enter SMS one time password
rlm_perl: Added pair State = 72641523
rlm_perl: Added pair Response-Packet-Type = Access-Challenge
rlm_perl: Added pair Auth-Type = perl

> No. That just means you don't have a reject {} section in Post-Auth,
> it has nothing to do with the perl module.

I see, I'll try that and report back.

> Can you provide a backtrace please? I'll see if I can fix it.

I'll do that.

I found another small bug in the debian packages generated by
debian/rules binary in the 2.2.0 release:

Initscript puts pid file in /var/run/freeradius

But Freeradius wants to put it in /var/run/radius, so it does not start:

Sun Jul 21 19:36:34 2013 : Error: Failed creating PID file /var/run/radiusd/radiusd.pid: No such file or directory

Cheers,
Thomas


Re: Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread Arran Cudbard-Bell
>- HINTS does not work the way it did before. Especially this no
>  longer works for me:
> 
> DEFAULT User-Name =~ "^v104([^@]+)"
> User-Name := "%{1}@V104.GMVL.DE"

Can you get some debug output or even just the value of the User-Name? It may
just be the escaping is less crazy than it used to be.

>- rlm_perl does not seem to register itself as module correctly
>  because I get the following error message as soon as I:
> 
> ...
> authorize {
>update control {
>Auth-Type := perl
>}
> }
> ...
> 
> Message is: (0) WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.

No. That just means you don't have a reject {} section in Post-Auth, it has 
nothing to do with the perl module.

> 
> Full Log: http://pbot.rmdir.de/IRC6zW11GNEWEFpMx0a13w
> 
>- freeradius gives me a segmentation fault as soon as I put 'perl' in
>  the authorize section and do one authentication request.

Can you provide a backtrace please? I'll see if I can fix it.

-Arran