Optware / Optware-ng


freeradius 3.0.10-2 needs extensive tweaks to work - now stuck on radtest #125

Closed Choongkyu closed 7 years ago

Choongkyu commented 8 years ago

Hello. I tried running "radiusd -XX" as "./S55freeradius" and initially got an error which prompted me to install libpcap. I did that and in the absence of other dependencies, I ran both again with the following results:

./S55freeradius: line 5: /opt/bin/pidof: not found
admin@ASUS:/tmp/mnt/entware_etc/optware-ng.arm/etc/init.d# radiusd -XX
Thu Jun  9 16:07:59 2016 : Debug: Server was built with: 
Thu Jun  9 16:07:59 2016 : Debug:   accounting               : yes
Thu Jun  9 16:07:59 2016 : Debug:   authentication           : yes
Thu Jun  9 16:07:59 2016 : Debug:   ascend-binary-attributes : yes
Thu Jun  9 16:07:59 2016 : Debug:   coa                      : yes
Thu Jun  9 16:07:59 2016 : Debug:   control-socket           : yes
Thu Jun  9 16:07:59 2016 : Debug:   detail                   : yes
Thu Jun  9 16:07:59 2016 : Debug:   dhcp                     : yes
Thu Jun  9 16:07:59 2016 : Debug:   dynamic-clients          : yes
Thu Jun  9 16:07:59 2016 : Debug:   osfc2                    : no
Thu Jun  9 16:07:59 2016 : Debug:   proxy                    : yes
Thu Jun  9 16:07:59 2016 : Debug:   regex-pcre               : yes
Thu Jun  9 16:07:59 2016 : Debug:   regex-posix              : no
Thu Jun  9 16:07:59 2016 : Debug:   regex-posix-extended     : no
Thu Jun  9 16:07:59 2016 : Debug:   session-management       : yes
Thu Jun  9 16:07:59 2016 : Debug:   stats                    : yes
Thu Jun  9 16:07:59 2016 : Debug:   tcp                      : yes
Thu Jun  9 16:07:59 2016 : Debug:   threads                  : yes
Thu Jun  9 16:07:59 2016 : Debug:   tls                      : yes
Thu Jun  9 16:07:59 2016 : Debug:   unlang                   : yes
Thu Jun  9 16:07:59 2016 : Debug:   vmps                     : yes
Thu Jun  9 16:07:59 2016 : Debug:   developer                : no
Thu Jun  9 16:07:59 2016 : Debug: Server core libs:
Thu Jun  9 16:07:59 2016 : Debug:   freeradius-server        : 3.0.10
Thu Jun  9 16:07:59 2016 : Debug:   talloc                   : 2.0.*
Thu Jun  9 16:07:59 2016 : Debug:   ssl                      : 1.0.2f release
Thu Jun  9 16:07:59 2016 : Debug:   pcre                     : 8.36 2014-09-26
Thu Jun  9 16:07:59 2016 : Debug: Endianness:
Thu Jun  9 16:07:59 2016 : Debug:   little
Thu Jun  9 16:07:59 2016 : Debug: Compilation flags:
Thu Jun  9 16:07:59 2016 : Info: Copyright (C) 1999-2015 The FreeRADIUS server project and contributors
Thu Jun  9 16:07:59 2016 : Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Thu Jun  9 16:07:59 2016 : Info: PARTICULAR PURPOSE
Thu Jun  9 16:07:59 2016 : Info: You may redistribute copies of FreeRADIUS under the terms of the
Thu Jun  9 16:07:59 2016 : Info: GNU General Public License
Thu Jun  9 16:07:59 2016 : Info: For more information about these matters, see the file named COPYRIGHT
Thu Jun  9 16:07:59 2016 : Info: Starting - reading configuration files ...
Thu Jun  9 16:07:59 2016 : Debug: including dictionary file /opt/share/freeradius/dictionary
Thu Jun  9 16:07:59 2016 : Debug: including dictionary file /opt/share/freeradius/dictionary.dhcp
Thu Jun  9 16:07:59 2016 : Debug: including dictionary file /opt/share/freeradius/dictionary.vqp
Thu Jun  9 16:07:59 2016 : Debug: including dictionary file /opt/etc/raddb/dictionary
Thu Jun  9 16:07:59 2016 : Debug: including configuration file /opt/etc/raddb/radiusd.conf
Thu Jun  9 16:07:59 2016 : Debug: including configuration file /opt/etc/raddb/proxy.conf
Thu Jun  9 16:07:59 2016 : Debug: including configuration file /opt/etc/raddb/clients.conf
Thu Jun  9 16:07:59 2016 : Debug: including configuration file /opt/etc/raddb/snmp.conf
Thu Jun  9 16:07:59 2016 : Error: Unable to open file "/opt/etc/raddb/snmp.conf": No such file or directory
Thu Jun  9 16:07:59 2016 : Error: Errors reading or parsing /opt/etc/raddb/radiusd.conf

I managed to fix the "line 5: /opt/bin/pidof: not found" error by changing the path in the init script from "/opt/bin/pidof" to "/bin/pidof"

I also fixed the error "Error: Unable to open file "/opt/etc/raddb/snmp.conf": No such file or directory" by commenting out the "$INCLUDE ${confdir}/snmp.conf" in radiusd.conf. I had also commented out $INCLUDE ${confdir}/sql.conf

But once those are addressed, I get a bit further until I get the following error from running radiusd -XX (as well as -XC and just -X):

Thu Jun  9 16:05:16 2016 : Error: /opt/etc/raddb/radiusd.conf[273]: Configuration item "allow_core_dumps" is deprecated
radiusd: Error: Failed to parse user/group information.

And then that started a line of commenting out or flat out removing chunks of radiusd.conf that made references to deprecated commands.

Thankfully, the lines of deprecated code were limited to around 50 lines, but now I'm trying to run radtest, and I ran it as suggested by the freeradius wiki:

radtest testing password localhost 0 testing123

and the echoed prompt:

admin@ASUS:/tmp/home/root# radtest
Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]
        -d RADIUS_DIR       Set radius directory
        -t                  Set authentication method
                            type can be pap, chap, mschap, or eap-md5
        -P protocol         Select udp (default) or tcp
        -x                  Enable debug output
        -4                  Use IPv4 for the NAS address (default)
        -6                  Use IPv6 for the NAS address

Unfortunately, that yielded

admin@ASUS:/tmp/home/root# radtest testing password localhost 0 testing123
/opt/bin/radtest: line 116: hostname: not found
(0) Error parsing "stdin": Failed to get value

I was, however, able to take a stab in the dark and enter more arguments until something gave:

admin@ASUS:/tmp/home/root# radtest testing password localhost 0 testing123 0 localhost
Sent Access-Request Id 1 from 0.0.0.0:37082 to 127.0.0.1:1812 length 77
        User-Name = "testing"
        User-Password = "password"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "password"
Sent Access-Request Id 1 from 0.0.0.0:37082 to 127.0.0.1:1812 length 77
        User-Name = "testing"
        User-Password = "password"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "password"
Sent Access-Request Id 1 from 0.0.0.0:37082 to 127.0.0.1:1812 length 77
        User-Name = "testing"
        User-Password = "password"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "password"
(0) No reply from server for ID 1 socket 3

I tried reading the script /opt/bin/radtest but I only know so much bash that I wasn't able to decipher through all the if statements why I needed to add 2 more arguments with that particular syntax.

I had tried looking up the error verbatim in various combos as well as scoured the README files in each directory in /opt/etc/raddb with no answer in sight. Thank you so much for making available freeradius on optware! Please let me know if you need any other information for troubleshooting this as I'd love to get freeradius to be up and running.

alllexx88 commented 8 years ago

Hi! Thanks a lot for your effort in debugging freeradius Optware issues! I hope they should be fixed now, please run these commands to test:

rm -f /opt/etc/raddb/radiusd.conf
ipkg update
ipkg install freeradius

This is what I've done (see f89943fb41a5476a9ecbc9e3bd808ab70e4cfc77):

The problematic part of radtest that you stumbled on is this:

if [ "$7" ]
then
        nas=$7
else
        nas=`hostname`
fi

You're missing the hostname program on your firmware, hence unless you pass a 7th argument (the second 'localhost' in your second radtest invocation), this yields an empty 'nas' variable, leading to further issues. I've added a busybox-base dependency and changed hostname to /opt/bin/busybox hostname, so this should now work regardless of whether a firmware has hostname or not.

Also, I strongly advise to generate your own certificates after freeradius install, if you're planning to use it on a daily basis. Note that it'll take a very long time, so you better save /opt/etc/raddb/certs dir somewhere safe after you're done. Edit /opt/etc/raddb/certs/passwords.mk, and then run

ipkg update
ipkg install make
cd /opt/etc/raddb/certs
rm -f `ls | egrep -v '.cnf$|bootstrap|Makefile|README|xpextensions|passwords.mk'`
make
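
A pre-flight check for the certificate step above, as an added example that is not part of the original comment or the Optware package: it reads passwords.mk and reports any PASSWORD_* entry that is empty, short, or still set to a stock value, without printing the value itself. The `NAME = 'value'` line format and the stock password `whatever` are assumptions based on upstream FreeRADIUS 3.0 defaults, and `audit_passwords_mk` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the Optware package): audit passwords.mk before
# running `make` in /opt/etc/raddb/certs.
# ASSUMPTIONS: entries look like  PASSWORD_SERVER = 'value'  and the stock
# upstream password is 'whatever'. Adjust both if your file differs.

# Usage: audit_passwords_mk FILE [MIN_LENGTH]
# Prints "NAME<TAB>reason" per weak entry (never the password itself).
# Returns 0 if all entries pass, 1 if any is weak, 2 if FILE is unreadable.
audit_passwords_mk() {
    file=$1
    min_len=${2:-12}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    awk -v min="$min_len" -v q="'" '
        /^[ \t]*PASSWORD_[A-Z0-9_]+[ \t]*=/ {
            name = $0
            sub(/^[ \t]+/, "", name)
            sub(/[ \t]*=.*/, "", name)

            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t\r]+$/, "", val)
            # Strip one pair of surrounding single quotes, if present.
            if (length(val) >= 2 && substr(val, 1, 1) == q && substr(val, length(val), 1) == q)
                val = substr(val, 2, length(val) - 2)

            reason = ""
            if (val == "")               reason = "empty"
            else if (val == "whatever")  reason = "default"
            else if (length(val) < min)  reason = "short"

            if (reason != "") { printf "%s\t%s\n", name, reason; weak = 1 }
        }
        END { exit weak ? 1 : 0 }
    ' "$file"
}

# Run against a file when one is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_passwords_mk "$@"
fi
```

Run it as `sh audit.sh /opt/etc/raddb/certs/passwords.mk` after editing the file and before `make`; a non-zero exit means at least one entry still needs changing.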

Choongkyu commented 8 years ago

thanks for addressing this! It's working much better now! radtest is up and running and I can run radiusd -XX (debug mode) with no issues!

There's just one minor thing that I'm unsure about: I've been kind of puzzling over the S55freeradius file which gives me this error when running it with the "check" argument:

 Checking radiusd... /opt/etc/init.d/S55freeradius: /opt/etc/init.d/rc.func: line 115: pidof: not found
             dead. 

I personally managed to pull a replacement from here, but it's a bit too verbose for my taste and I liked the brevity of the one you supplied. Not to mention that the S55freeradius on that site relies on an /opt/bin/resolve_dhcp which I have no clue about. Hopefully, I'll be able to brush up on bash so that I can be more involved in this project, which is AWESOME! Had I known a bit more and not been so intimidated by the preponderance of $ signs, I would've dived in sooner. Anyway, I digress. Thanks again for sharing your know-how and being prompt to boot!

I'm a bit hesitant to consider this case resolved only because the radiusd -XX doesn't quite work "out of the box" which is contrary to what's advised by the devs as the expected behavior. But then again, they also mention that this one's a lot more involved with regards to incremental progressive changes by the user than your average package. Personally, I, being the novice that I am, think that this is as out-of-the-box as you can get, but you and equally seasoned folks will probably be a better judge of that.

alllexx88 commented 8 years ago

 Checking radiusd... /opt/etc/init.d/S55freeradius: /opt/etc/init.d/rc.func: line 115: pidof: not found
             dead. 

Hmm, I can't imagine how you can get this kind of output. It should work like this (as it does for me):

DiskStation> /opt/etc/init.d/S55freeradius check
FreeRADIUS is not running
DiskStation> /opt/etc/init.d/S55freeradius start
Starting FreeRADIUS:radiusd
DiskStation> /opt/etc/init.d/S55freeradius check
FreeRADIUS is running
DiskStation> /opt/etc/init.d/S55freeradius stop
Stopping FreeRADIUS
DiskStation> /opt/etc/init.d/S55freeradius check
FreeRADIUS is not running

This "Checking radiusd..." message should never be echoed; here's the relevant portion of the script:

  check)
        if [ -n "`/opt/bin/busybox pidof $NAME`" ]; then
           echo "$DESC is running"
        else
           echo "$DESC is not running"
        fi
        ;;

I'm a bit hesitant to consider this case resolved only because the radiusd -XX doesn't quite work

What exactly is wrong with radiusd -XX? You wrote earlier that "I can run radiusd -XX (debug mode) with no issues". Or do you mean the rc script issues (/opt/etc/init.d/S55freeradius)?

What's the output of cat /opt/etc/init.d/S55freeradius? It should be something like this:

DiskStation> cat /opt/etc/init.d/S55freeradius
#!/bin/sh

DESC="FreeRADIUS"
NAME=radiusd
RADIUSD=/opt/sbin/$NAME
ARGS=""

case "$1" in
  start)
        if [ -n "`/opt/bin/busybox pidof $NAME`" ]; then
            echo "$DESC is already running"
            exit 1
        fi
        if [ ! -d /opt/var/log/radius ] ;  then
            /opt/bin/busybox mkdir -p /opt/var/log/radius
        fi
        echo -n "Starting $DESC:"
        $RADIUSD $ARGS
        echo "radiusd"
        ;;
  stop)
        if [ -n "`/opt/bin/busybox pidof $NAME`" ]; then
           echo "Stopping $DESC"
           /opt/bin/busybox killall radiusd 2>/dev/null
        else
           echo "$DESC is not running"
           exit 1
        fi
        ;;
  restart)
        $0 stop
        /opt/bin/busybox sleep 3
        $0 start
        ;;
  check)
        if [ -n "`/opt/bin/busybox pidof $NAME`" ]; then
           echo "$DESC is running"
        else
           echo "$DESC is not running"
        fi
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|check}"
        exit 1
esac

exit 0

Hopefully, I'll be able to brush up on bash so that I can be more involved in this project, which is AWESOME!

I'm glad the project is of use to you :-) No worries here, providing feedback and reporting issues is important enough to make it matter. If you want to get more involved, apart from development, there're other ways, like writing howto's. The articles from http://www.nslu2-linux.org/wiki are largely outdated, so in case you're up to it, we can ask nas-admin guys to set up a wiki host. Of course, I'll be glad to help with the info you'd need for such articles. If you're not into this kind of thing, no worries either :-)

Choongkyu commented 8 years ago

hello again. I just reviewed my S55freeradius file and found the issue and fixed it by just using your script. I thought I had tested it out already but it appears I kept the one that I modded from the first install -- the issue was related to some modifications that I made to it to work with the rc.func that I had moved from a previous install of entware-ng. The install of freeradius I had when first reporting this issue didn't echo the status of the service and usage advice, much like how the current iteration of the S55 has it set up. Incidentally, the previous install of entware had this and after a bit of poking around, I found that it was the rc.func and with some minor tweaking, I got it to do what I wanted it to do.

The drawback to this is that I'm not sure if the original optware-ng install had a different rc.func or even one at all. In hindsight, I should've gitted the entire /opt/etc folder before tooling around. But for posterity, I have the following in my rc.func:

#!/bin/sh

ACTION=$1
CALLER=$2

ansi_red="\033[1;31m";
ansi_white="\033[1;37m";
ansi_green="\033[1;32m";
ansi_yellow="\033[1;33m";
ansi_blue="\033[1;34m";
ansi_bell="\007";
ansi_blink="\033[5m";
ansi_std="\033[m";
ansi_rev="\033[7m";
ansi_ul="\033[4m";

start() {
    [ "$CRITICAL" != "yes" -a "$CALLER" = "cron" ] && return 7
    [ "$ENABLED" != "yes" ] && return 8
    echo -e -n "$ansi_white Starting $DESC... "
    if [ -n "`pidof $PROC`" ]; then
        echo -e "            $ansi_yellow already running. $ansi_std"
        return 0
    fi
    $PRECMD > /dev/null 2>&1
    $PREARGS $PROC $ARGS > /dev/null 2>&1 &
    #echo $PREARGS $PROC $ARGS 
    COUNTER=0
    LIMIT=10
    while [ -z "`pidof $PROC`" -a "$COUNTER" -le "$LIMIT" ]; do
        sleep 1s;
        COUNTER=`expr $COUNTER + 1`
    done
    $POSTCMD > /dev/null 2>&1

    if [ -z "`pidof $PROC`" ]; then
        echo -e "            $ansi_red failed. $ansi_std"
        logger "Failed to start $DESC from $CALLER."
        return 255
    else
        echo -e "            $ansi_green done. $ansi_std"
        logger "Started $DESC from $CALLER."
        return 0
    fi
}

stop() {
    case "$ACTION" in
        stop | restart)
            echo -e -n "$ansi_white Shutting down $PROC... "
            killall $PROC 2>/dev/null
            COUNTER=0
            LIMIT=10
            while [ -n "`pidof $PROC`" -a "$COUNTER" -le "$LIMIT" ]; do
                sleep 1s;
                COUNTER=`expr $COUNTER + 1`
            done
            ;;
        kill)
            echo -e -n "$ansi_white Killing $PROC... "
            killall -9 $PROC 2>/dev/null
            ;;
    esac

    if [ -n "`pidof $PROC`" ]; then
        echo -e "            $ansi_red failed. $ansi_std"
        return 255
    else
        echo -e "            $ansi_green done. $ansi_std"
        return 0
    fi
}

check() {
    echo -e -n "$ansi_white Checking $DESC... "
    if [ -n "`pidof $PROC`" ]; then
        echo -e "            $ansi_green alive. $ansi_std";
        return 0
    else
        echo -e "            $ansi_red dead. $ansi_std";
        return 1
    fi
}

reconfigure() {
    SIGNAL=SIGHUP
    echo -e "$ansi_white Sending $SIGNAL to $PROC... "
    killall -$SIGNAL $PROC 2>/dev/null
}

for PROC in $PROCS; do
    case $ACTION in
        start)
            start
            ;;
        stop | kill )
            check && stop
            ;;
        restart)
            check > /dev/null && stop
            start
            ;;
        check)
            check
            ;;
        reconfigure)
            reconfigure
            ;;
        *)
            echo -e "$ansi_white Usage: $0 (start|stop|restart|check|kill|reconfigure)$ansi_std"
            exit 1
            ;;
    esac
done

#logger "Leaving ${0##*/}."

I think I had added in a PROC variable, pretty much copying and cherry-picking the bits of code that I thought were going to get me the pretty color-coded prompt. Anyway, it's fixed and it works perfectly...I say this with caution as I'm wont to make some careless move breaking the entire thing revealing just how out of my depth I am.

With regards to radius -XX, I was just mainly alluding to how the issue is resolved for me, but I'm not sure if the resolution occurs at the point that I walk away another satisfied customer or if the ipkg incorporates every single bit that was discussed so that the technically challenged like myself can simply type "ipkg install freeradius" and have it ready to run with an initial test configuration just to demonstrate that it indeed works. Or does an issue warrant closure when the open ticket has all the steps for someone who gets the current version of freeradius to be brought up to speed?

I'm sorry if this is getting to be too rambly and noisy as I'm used to IRC, where I can indulge in thinking aloud.

I'd love to try my hand with the/a wiki. After a quick glance at the conceptual description of freeradius, I realized that I'm not super theory-inclined but configuration-inclined and can give limited assistance to show how something works for me. But I'm going to guess that this is fine since I'd be contributing to it rather than finishing it? But definitely, I can reach out to nas-admin and voice interest in updating their wiki.

alllexx88 commented 8 years ago

The old rc script was indeed pretty crippled, but the new one does echo usage, and accepts start|stop|restart|check arguments. It's a kind of a compromise between simplicity and functionality. I could make it better, using start-stop-daemon and the pid file, which would be more robust, but I doubt there should be multiple radiusd processes running on a sane system, so I chose the simpler way. Also, there is no /opt/etc/rc.func in Optware-ng, and rc scripts are actually a mishmash of different approaches; however, it requires too much manpower to fix this all in one go, though I try to make them more sensible along the way (like with freeradius).

Speaking about a "proper" package, I think a good one is such that requires minimum effort to get up and running. In most cases, ipkg install <pkg> should be enough, but sometimes you do have to tweak things a bit, and there's no way around that, since the actual tweaking depends on your personal conditions/goals/preferences. And that's when a good wiki should kick in, describing how to do this and that. freeradius package, as it is now, should be OK after a clean install, all the tweaks you mentioned so far aren't needed, if you issue these commands, it should be good:

# needed to install the package provided config:
rm -f /opt/etc/raddb/radiusd.conf

ipkg update
ipkg -force-reinstall install freeradius

I'm sorry if this is getting to be too rambly and noisy as I'm used to IRC, where I can indulge in thinking aloud.

That's OK as long as it's project-related.

I'd love to try my hand with the/a wiki. After a quick glance at the conceptual description of freeradius, I realized that I'm not super theory-inclined but configuration-inclined and can give limited assistance to show how something works for me. But I'm going to guess that this is fine since I'd be contributing to it rather than finishing it? But definitely, I can reach out to nas-admin and voice interest in updating their wiki.

Being technically savvy in terms of low-level details isn't a must when speaking about being a wiki writer. Besides, if you do happen to make some mistakes (who doesn't make ones?), there're always other people to correct them. I dropped a line to @scoutcamper about the wiki :-)
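
The pid-file approach mentioned in the comment above, as an added example that is not the Optware rc script: a status check that reads a pid file, confirms the pid is alive, and confirms it still belongs to the expected program, so a stale file or a missing `pidof` cannot produce a wrong answer. `pidfile_status` and `report_status` are hypothetical names, and the pid-file path is supplied by the caller because the thread does not state where the package writes one.

```shell
#!/bin/sh
# Added example (not the Optware rc script): pid-file based status check.
# ASSUMPTION: the daemon writes its pid to a file whose path the caller
# passes in; no path here is taken from the package.

# Usage: pidfile_status PIDFILE NAME
# Returns 0 if the recorded pid is alive and belongs to NAME,
#         1 if the pid file is missing, malformed, or the pid is dead,
#         3 if the pid is alive but is some other program (stale file).
pidfile_status() {
    pidfile=$1
    name=$2
    pid=

    [ -r "$pidfile" ] || return 1
    # read fails on a file without a trailing newline but still sets pid.
    read -r pid < "$pidfile" || :
    case $pid in
        ''|0|*[!0-9]*) return 1 ;;   # empty, zero, or not a plain number
    esac

    # Signal 0 only tests for existence. Run as root so that EPERM
    # cannot make a live process look dead.
    kill -0 "$pid" 2>/dev/null || return 1

    # Guard against pid reuse where /proc is available (Linux).
    # comm is truncated to 15 characters, enough for "radiusd".
    if [ -r "/proc/$pid/comm" ]; then
        comm=
        read -r comm < "/proc/$pid/comm" || :
        [ "$comm" = "$name" ] || return 3
    fi
    return 0
}

# Shape of a check) branch built on the function above.
# Usage: report_status PIDFILE NAME
report_status() {
    st=0
    pidfile_status "$1" "$2" || st=$?
    case $st in
        0) echo "$2 is running" ;;
        3) echo "$2 is not running (stale pid file $1)" ;;
        *) echo "$2 is not running" ;;
    esac
    return "$st"
}
```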

alllexx88 commented 8 years ago

@zebralight Please register at http://www.optware-project.org/index.php?title=Main_Page, then tell me your nick, so that you can be given full admin to edit or create articles there.

Choongkyu commented 8 years ago

awesome! Thank you! I hope to get that article soon. I tried to create an account but I get this:

Fatal error: Class 'QuestyCaptcha' not found in /var/www/mediawiki-1.26.3/extensions/ConfirmEdit/includes/ConfirmEditHooks.php on line 16

I wasn't able to find any contact information for reporting this issue, but I'll get on it.

alllexx88 commented 8 years ago

@zebralight you're welcome :smiley: I had this issue too, but after one or two page reloads I was able to register. If it doesn't work, please tell me your desired login (and your email address, or, alternatively, send it to me via IRC private message on #optware channel on irc.freenode.net, nickname alllexx), and I'll ask scoutcamper to create your account -- or ask him there directly -- whichever you prefer

Choongkyu commented 8 years ago

hi alllexx88. My router died and I had to deal with a non-wrt based router until I scraped together enough cash for a new one. I had actually reinstalled optware from scratch and it looks like freeradius 3 is on a different version now (3.0.10-4). Unfortunately, I'm getting this message when trying to run "radiusd -X" immediately upon installing freeradius:

/tmp/mnt/sda2/optware-ng.arm/bin/radclient: can't load library 'libreadline.so.6'

any help would be much appreciated. Hope all's well!