So I suddenly had a new version of Freeradius (3.0.17), where support for mschap/peap0 authentication was gone... "Failed to link to module 'rlm_mschap': /usr/lib64/rlm_mschap.so: cannot open shared object file: No such file or directory" and the reason for this is that support for mschap/peap0 suddenly relies on USE flag "samba" (?!). This makes zero sense, as support for mschap/peap0 authentication has nothing to do with having samba installed on a radius server.
It has always silently relied on samba, per bug https://bugs.gentoo.org/638396. The USE flag simply removes the mysteriousness. While I'm inclined to agree with you, it does make some sense. Mschap is a Microsoft thing (https://en.wikipedia.org/wiki/MS-CHAP). Freeradius is likely relying on samba's implementation of it. I'm curious in what situation you're seeing that linking error.
In what way does /usr/lib64/rlm_mschap.so rely on samba?

$> ldd /usr/lib64/rlm_mschap.so
        linux-vdso.so.1 (0x00007ffd555b9000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f75201b4000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f752057e000)

I never, ever had samba installed on any freeradius server. The above module is for clients that use MSCHAPv2 for authentication, which indeed is a Microsoft protocol, but that is where it ends. Please read doc/modules/mschap.rst for info, and please remove the dependency for samba, as I have _zero_ interest in having Samba installed on my radius servers - I still rely on freeradius being able to authenticate EAP/PEAPv0 and EAP/TTLS with MSCHAPv2.
(In reply to Kolbjørn Barmen from comment #2)
> In what way does /usr/lib64/rlm_mschap.so rely on samba?
>
> $> ldd /usr/lib64/rlm_mschap.so
>         linux-vdso.so.1 (0x00007ffd555b9000)
>         libc.so.6 => /lib64/libc.so.6 (0x00007f75201b4000)
>         /lib64/ld-linux-x86-64.so.2 (0x00007f752057e000)
>
> I never, ever had samba installed on any freeradius server. The above module
> is for clients that use MSCHAPv2 for authentication, which indeed is a
> Microsoft protocol, but that is where it ends. Please read
> doc/modules/mschap.rst for info, and please remove the dependency for samba,
> as I have _zero_ interest in having Samba installed on my radius servers - I
> still rely on freeradius being able to authenticate EAP/PEAPv0 and EAP/TTLS
> with MSCHAPv2.

Same here. No samba, rlm_mschap.so works great, 3.0.15
(In reply to Herb Miller Jr. from comment #1)
> I'm curious in what situation you're seeing that linking error.

During startup of radiusd, as I have a configuration that relies on rlm_mschap.so.
I seem to remember it linking with samba if samba is installed, but your snippet shows clearly it doesn't if it's not. That would be a weird issue with the upstream build system, I would think. I'll dive into this Monday, 9/20.
Hi, as shared on the ML, I will take care of the freeradius packages. I will investigate this ASAP. G.
Thanks!
It's still there in 3.0.18-r1. Any progress on this please?
Sorry for the long delay.

It isn't a wrong use of the samba use flag, but there is probably an issue with how it's used, and linking to the Samba library must be disabled if the samba use flag is disabled.

See: http://lists.freeradius.org/pipermail/freeradius-devel/2019-October/013758.html

I will investigate a bit in the next weeks.
(In reply to Geaaru from comment #9)
> Sorry for so long delay.
>
> It isn't wrong use of samba use flag but there is an issue about how it's
> used probably and must be disable linking to Samba library if samba use flag
> is disable.
>
> See:
> http://lists.freeradius.org/pipermail/freeradius-devel/2019-October/013758.html
>
> I will investigate a bit in the next weeks.

Yes - as stated in the ML - link...

"In both cases, internal MSCHAP auth will work. It just affects externally authenticating against AD."

The problem we have here is that the samba use-flag is used wrongly - instead of enabling/disabling authentication against AD (a feature that Freeradius configure determines on its own, depending on whether samba is installed or not, regardless of the samba use-flag), the samba use-flag pulls in samba if set, and pointlessly deletes the unrelated MSCHAP auth module when unset.
Yeah, I know. But we also need to avoid linking of samba libraries when -samba is set but samba libraries are installed on the rootfs. It's right to drop the current removal of the mschap directory, but we need to ensure that with -samba the use flag is followed correctly, and I'm not sure that is configurable via configure. I need to investigate this a bit. If I can, for 3.0.19 I will bump the release without removing mschap, and then I will fix this issue in all ebuilds when I find a clean solution.
Created attachment 814243: patch for freeradius 3.0.25-r2 ebuild
Here's my PoC patch to fix this issue.