Re: Problems System Auth with FreeRadius (/etc/shadow)
Alan,

The server is running as user radiusd and group root.

Att,

Nataniel Klug

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, January 26, 2006 8:26 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

Nataniel Klug [EMAIL PROTECTED] wrote:
> Now you have given me a tip... At my Fedora there is no group shadow

  $ vi /etc/group
  add shadow

  ??

> so I put radius to run as group root so it could read /etc/shadow only if I set +r to group at shadow files.

It's usually better to *not* run the server as root.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems System Auth with FreeRadius (/etc/shadow)
Min,

I have installed FreeRadius from an RPM. I am running FreeRadius as user radiusd and group root.

Att,

Nataniel Klug

----- Original Message -----
From: Min Qiu [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, January 26, 2006 7:16 PM
Subject: RE: Problems System Auth with FreeRadius (/etc/shadow)

You may read the doc wrong. The group you should look for is radiusd. When you create user radiusd, the group radiusd should also be created if you use adduser command to do the job. You don't want user radiusd to belong to group root. Do chgrp radiusd /etc/shadow.

Min

-----Original Message-----
From: [EMAIL PROTECTED] freeradius.org [mailto:freeradius-users-bounces+mqiu=globalinternetworking.co [EMAIL PROTECTED] On Behalf Of Nataniel Klug
Sent: Thursday, January 26, 2006 3:57 PM
To: FreeRadius users mailing list
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

Alan,

Now you have given me a tip... At my Fedora there is no group shadow, so I put radius to run as group root so it could read /etc/shadow only if I set +r to group at shadow files.

Att,

Nataniel Klug

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, January 26, 2006 3:37 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

Nataniel Klug [EMAIL PROTECTED] wrote:
> I just have installed the package from Fedora Core 3, nothing else.

Then look at the configuration file. See how it's different from what is shipped with FreeRADIUS.

And setting a+rw on /etc/passwd and /etc/shadow is probably the single worst thing you can do to your system. EVER.

Rather than doing that, read raddb/radiusd.conf, it talks about issues with reading /etc/shadow, and describes suggested fixes that won't destroy your system.

Honestly, I don't understand why it's so hard to read the configuration files.

Alan DeKok.
Re: Problems System Auth with FreeRadius (/etc/shadow)
Mark,

I tried using just read option, did not work. I had to set rw permission in both files... But now it is working and I am very happy... hehehe... Thanks.

Att,

Nataniel Klug

----- Original Message -----
From: Mark Tunnell [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, January 25, 2006 9:54 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

I'm glad it's working but it's not necessary to give radius write permissions to either of those files. All radius needs to be able to do is read them.

Mark

Nataniel Klug wrote:
> Mark,
>
> It works! Thanks... I set a+rw permission on the files passwd and shadow.
>
> Att,
>
> Nataniel Klug
>
> ----- Original Message -----
> From: Mark Tunnell [EMAIL PROTECTED]
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Sent: Wednesday, January 25, 2006 5:25 PM
> Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)
>
> I had the same issue. My problem turned out to be that radius didn't have read access to the shadow password file.
>
> Mark
>
> Alan DeKok wrote:
> > Nataniel Klug [EMAIL PROTECTED] wrote:
> > > rlm_unix: [nata]: invalid password
> > > modcall[authenticate]: module unix returns reject for request 1
> > > ...
> > > I could not understand what is going on. The password is correct for this user.
Re: Problems System Auth with FreeRadius (/etc/shadow)
Alan,

I just have installed the package from Fedora Core 3, nothing else.

Att,

Nataniel Klug

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, January 25, 2006 8:58 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

Nataniel Klug [EMAIL PROTECTED] wrote:
> Ok, it disagrees but I am SURE that I have set the password to user nata. How can this FreeRadius deny? where it is looking? Why when I install Cistron Radius it works fine?

Because FreeRADIUS is more configurable than Cistron, so there's more potential for misconfiguration.

You didn't say how you configured the unix module. But in the default config, that error message occurs *only* when the password is incorrect. If you've edited the configuration for the unix module, then all bets are off.

Alan DeKok.
Re: Problems System Auth with FreeRadius (/etc/shadow)
Nataniel Klug [EMAIL PROTECTED] wrote:
> I just have installed the package from Fedora Core 3, nothing else.

Then look at the configuration file. See how it's different from what is shipped with FreeRADIUS.

And setting a+rw on /etc/passwd and /etc/shadow is probably the single worst thing you can do to your system. EVER.

Rather than doing that, read raddb/radiusd.conf, it talks about issues with reading /etc/shadow, and describes suggested fixes that won't destroy your system.

Honestly, I don't understand why it's so hard to read the configuration files.

Alan DeKok.
Re: Problems System Auth with FreeRadius (/etc/shadow)
Alan,

Now you have given me a tip... At my Fedora there is no group shadow, so I put radius to run as group root so it could read /etc/shadow only if I set +r to group at shadow files.

Att,

Nataniel Klug

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, January 26, 2006 3:37 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

Nataniel Klug [EMAIL PROTECTED] wrote:
> I just have installed the package from Fedora Core 3, nothing else.

Then look at the configuration file. See how it's different from what is shipped with FreeRADIUS.

And setting a+rw on /etc/passwd and /etc/shadow is probably the single worst thing you can do to your system. EVER.

Rather than doing that, read raddb/radiusd.conf, it talks about issues with reading /etc/shadow, and describes suggested fixes that won't destroy your system.

Honestly, I don't understand why it's so hard to read the configuration files.

Alan DeKok.
RE: Problems System Auth with FreeRadius (/etc/shadow)
You may read the doc wrong. The group you should look for is radiusd. When you create user radiusd, the group radiusd should also be created if you use adduser command to do the job. You don't want user radiusd to belong to group root. Do chgrp radiusd /etc/shadow.

Min

-----Original Message-----
From: [EMAIL PROTECTED] freeradius.org [mailto:freeradius-users-bounces+mqiu=globalinternetworking.co [EMAIL PROTECTED] On Behalf Of Nataniel Klug
Sent: Thursday, January 26, 2006 3:57 PM
To: FreeRadius users mailing list
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

Alan,

Now you have given me a tip... At my Fedora there is no group shadow, so I put radius to run as group root so it could read /etc/shadow only if I set +r to group at shadow files.

Att,

Nataniel Klug

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, January 26, 2006 3:37 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

Nataniel Klug [EMAIL PROTECTED] wrote:
> I just have installed the package from Fedora Core 3, nothing else.

Then look at the configuration file. See how it's different from what is shipped with FreeRADIUS.

And setting a+rw on /etc/passwd and /etc/shadow is probably the single worst thing you can do to your system. EVER.

Rather than doing that, read raddb/radiusd.conf, it talks about issues with reading /etc/shadow, and describes suggested fixes that won't destroy your system.

Honestly, I don't understand why it's so hard to read the configuration files.

Alan DeKok.
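Added example, not part of any message in this thread: a POSIX shell check that tells apart the permission states discussed above (a+rw, world-readable, group read for the service group only). It assumes GNU stat on Linux; check_shadow_access is a hypothetical helper name, and the demo runs on a constructed temporary file rather than the real /etc/shadow.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat (Linux).
# check_shadow_access is a hypothetical helper name.
#
# Usage: check_shadow_access FILE SERVICE_GROUP
# Prints one verdict:
#   world-writable     any local user can rewrite the hashes (the a+rw case)
#   world-readable     any local user can read the hashes
#   group-writable     members of the owning group can rewrite the hashes
#   group-read-ok      SERVICE_GROUP owns the file and has read access only
#   no-service-access  SERVICE_GROUP gets no read access through group bits
check_shadow_access() {
    csa_out=$(stat -c '%a %G' "$1") || return 2
    csa_mode=${csa_out%% *}           # octal mode as printed by stat, e.g. 640
    csa_group=${csa_out#* }           # owning group name
    csa_perm=$((0$csa_mode))          # leading 0: parse the digits as octal
    csa_world=$((csa_perm & 7))       # permission bits for "other"
    csa_grp=$(((csa_perm >> 3) & 7))  # permission bits for the owning group

    if [ $((csa_world & 2)) -ne 0 ]; then
        echo world-writable
    elif [ $((csa_world & 4)) -ne 0 ]; then
        echo world-readable
    elif [ $((csa_grp & 2)) -ne 0 ]; then
        echo group-writable
    elif [ "$csa_group" = "$2" ] && [ $((csa_grp & 4)) -ne 0 ]; then
        echo group-read-ok
    else
        echo no-service-access
    fi
}

# Demo on a constructed temporary file, never the real /etc/shadow.
demo_file=$(mktemp)
demo_group=$(stat -c '%G' "$demo_file")   # stands in for the daemon's group
for demo_mode in 666 644 660 640 600; do
    chmod "$demo_mode" "$demo_file"
    printf '%s -> %s\n' "$demo_mode" \
        "$(check_shadow_access "$demo_file" "$demo_group")"
done
rm -f "$demo_file"
```
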
Re: Problems System Auth with FreeRadius (/etc/shadow)
Nataniel Klug [EMAIL PROTECTED] wrote:
> Now you have given me a tip... At my Fedora there is no group shadow

  $ vi /etc/group
  add shadow

  ??

> so I put radius to run as group root so it could read /etc/shadow only if I set +r to group at shadow files.

It's usually better to *not* run the server as root.

Alan DeKok.
Re: Problems System Auth with FreeRadius (/etc/shadow)
Alan,

I tried it in full debug mode, returns this:

rad_recv: Access-Request packet from host 127.0.0.1:32773, id=46, length=62
    Service-Type = Login-User
    User-Name = nata
    User-Password = nata0405
    NAS-IP-Address = 200.163.208.4
    NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module preprocess returns ok for request 1
modcall[authorize]: module chap returns noop for request 1
modcall[authorize]: module mschap returns noop for request 1
rlm_realm: No '@' in User-Name = nata, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 1
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 1
users: Matched DEFAULT at 152
users: Matched DEFAULT at 216
modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type System
auth: type System
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_unix: [nata]: invalid password
modcall[authenticate]: module unix returns reject for request 1
modcall: group authenticate returns reject for request 1
auth: Failed to validate the user.
Login incorrect: [nata/nata0405] (from client localhost port 0)
Sending Access-Reject of id 46 to 127.0.0.1:32773
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 46 with timestamp 43d7232a
Nothing to do. Sleeping until we see a request.

I could not understand what is going on. The password is correct for this user.

Att,

Nataniel Klug

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, January 24, 2006 3:21 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

Nataniel Klug [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] radius]# tail radius.log -n 2
> Tue Jan 24 01:24:02 2006 : Auth: rlm_unix: [nata]: invalid password

Nice. Is there any particular reason you're refusing to run the server in debugging mode, as suggested in the README, FAQ, and INSTALL?

Alan DeKok.
Re: Problems System Auth with FreeRadius (/etc/shadow)
Nataniel Klug [EMAIL PROTECTED] wrote:
> rlm_unix: [nata]: invalid password
> modcall[authenticate]: module unix returns reject for request 1
> ...
> I could not understand what is going on. The password is correct for this user.

The code running on your machine disagrees.

Alan DeKok.
Re: Problems System Auth with FreeRadius (/etc/shadow)
I had the same issue. My problem turned out to be that radius didn't have read access to the shadow password file.

Mark

Alan DeKok wrote:
> Nataniel Klug [EMAIL PROTECTED] wrote:
> > rlm_unix: [nata]: invalid password
> > modcall[authenticate]: module unix returns reject for request 1
> > ...
> > I could not understand what is going on. The password is correct for this user.
Re: Problems System Auth with FreeRadius (/etc/shadow)
Mark,

Finally something that could be happening for sure! I will try to set up permission on this file. Thanx!

Att,

Nataniel Klug

----- Original Message -----
From: Mark Tunnell [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, January 25, 2006 5:25 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

I had the same issue. My problem turned out to be that radius didn't have read access to the shadow password file.

Mark

Alan DeKok wrote:
> Nataniel Klug [EMAIL PROTECTED] wrote:
> > rlm_unix: [nata]: invalid password
> > modcall[authenticate]: module unix returns reject for request 1
> > ...
> > I could not understand what is going on. The password is correct for this user.
Re: Problems System Auth with FreeRadius (/etc/shadow)
Alan,

Ok, it disagrees but I am SURE that I have set the password to user nata. How can this FreeRadius deny? where it is looking? Why when I install Cistron Radius it works fine?

Please, give me an answer not only what I already know.

Att,

Nataniel Klug

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, January 25, 2006 4:25 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

Nataniel Klug [EMAIL PROTECTED] wrote:
> rlm_unix: [nata]: invalid password
> modcall[authenticate]: module unix returns reject for request 1
> ...
> I could not understand what is going on. The password is correct for this user.

The code running on your machine disagrees.

Alan DeKok.
Re: Problems System Auth with FreeRadius (/etc/shadow)
Mark,

It works! Thanks... I set a+rw permission on the files passwd and shadow.

Att,

Nataniel Klug

----- Original Message -----
From: Mark Tunnell [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, January 25, 2006 5:25 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

I had the same issue. My problem turned out to be that radius didn't have read access to the shadow password file.

Mark

Alan DeKok wrote:
> Nataniel Klug [EMAIL PROTECTED] wrote:
> > rlm_unix: [nata]: invalid password
> > modcall[authenticate]: module unix returns reject for request 1
> > ...
> > I could not understand what is going on. The password is correct for this user.
Re: Problems System Auth with FreeRadius (/etc/shadow)
Nataniel Klug [EMAIL PROTECTED] wrote:
> Ok, it disagrees but I am SURE that I have set the password to user nata. How can this FreeRadius deny? where it is looking? Why when I install Cistron Radius it works fine?

Because FreeRADIUS is more configurable than Cistron, so there's more potential for misconfiguration.

You didn't say how you configured the unix module. But in the default config, that error message occurs *only* when the password is incorrect. If you've edited the configuration for the unix module, then all bets are off.

Alan DeKok.
Re: Problems System Auth with FreeRadius (/etc/shadow)
I'm glad it's working but it's not necessary to give radius write permissions to either of those files. All radius needs to be able to do is read them.

Mark

Nataniel Klug wrote:
> Mark,
>
> It works! Thanks... I set a+rw permission on the files passwd and shadow.
>
> Att,
>
> Nataniel Klug
>
> ----- Original Message -----
> From: Mark Tunnell [EMAIL PROTECTED]
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Sent: Wednesday, January 25, 2006 5:25 PM
> Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)
>
> I had the same issue. My problem turned out to be that radius didn't have read access to the shadow password file.
>
> Mark
>
> Alan DeKok wrote:
> > Nataniel Klug [EMAIL PROTECTED] wrote:
> > > rlm_unix: [nata]: invalid password
> > > modcall[authenticate]: module unix returns reject for request 1
> > > ...
> > > I could not understand what is going on. The password is correct for this user.
Re: Problems System Auth with FreeRadius (/etc/shadow)
Nataniel Klug [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] radius]# tail radius.log -n 2
> Tue Jan 24 01:24:02 2006 : Auth: rlm_unix: [nata]: invalid password

Nice. Is there any particular reason you're refusing to run the server in debugging mode, as suggested in the README, FAQ, and INSTALL?

Alan DeKok.