Есть Debian Etch. Настроил на нем комбинацию FreeNibs+FreeRadius. Установил pptpd в качестве VPN сервера. Но пользователи не авторизуются, т.е. через radtest соединение проходит успешно, а при авторизации через VPN клиенту сообщается что неверные логин и пароль. Подскажите как быть?вот логи
системный:
Apr 5 18:07:59 localhost pppd[3294]: Plugin radius.so loaded.
Apr 5 18:07:59 localhost pppd[3294]: RADIUS plugin initialized.
Apr 5 18:07:59 localhost pppd[3294]: Plugin radattr.so loaded.
Apr 5 18:07:59 localhost pppd[3294]: RADATTR plugin initialized.
Apr 5 18:07:59 localhost pppd[3294]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Apr 5 18:07:59 localhost pppd[3294]: pppd 2.4.4 started by root, uid 0
Apr 5 18:07:59 localhost pppd[3294]: Using interface ppp0
Apr 5 18:07:59 localhost pppd[3294]: Connect: ppp0 <--> /dev/pts/2
Apr 5 18:07:59 localhost pppd[3294]: rc_avpair_gen: received unknown attribute 85 of length 4: 0x0000003C
Apr 5 18:07:59 localhost pppd[3294]: Peer alex failed CHAP authentication
Apr 5 18:07:59 localhost pppd[3294]: Connection terminated.
Apr 5 18:07:59 localhost pppd[3294]: Exit.радиуса:
Sat Apr 5 18:05:12 2008 : Auth: Login OK: [alex/123456] (from client localhost port 1812)
Sat Apr 5 18:05:12 2008 : Auth: rlm_nibs (rlm_nibs_postauth): User `alex' login OK [255.255.255.255:1812]
Sat Apr 5 18:07:10 2008 : Info: Using deprecated naslist file. Support for this will go away soon.
Sat Apr 5 18:07:10 2008 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Sat Apr 5 18:07:10 2008 : Info: rlm_nibs (rlm_nibs_instantiate): Driver rlm_nibs_mysql (module rlm_nibs_mysql) loaded and linked
Sat Apr 5 18:07:10 2008 : Info: rlm_nibs (rlm_nibs_instantiate): Attempting to connect to freenibs@localhost:3306/freenibs
Sat Apr 5 18:07:10 2008 : Info: rlm_nibs_mysql: Starting connect to MySQL server for #0
Sat Apr 5 18:07:10 2008 : Info: rlm_nibs_mysql: Starting connect to MySQL server for #1
Sat Apr 5 18:07:10 2008 : Info: rlm_nibs_mysql: Starting connect to MySQL server for #2
Sat Apr 5 18:07:10 2008 : Info: rlm_nibs_mysql: Starting connect to MySQL server for #3
Sat Apr 5 18:07:10 2008 : Info: rlm_nibs_mysql: Starting connect to MySQL server for #4
Sat Apr 5 18:07:10 2008 : Info: rlm_nibs_mysql: Starting connect to MySQL server for #5
Sat Apr 5 18:07:10 2008 : Info: rlm_nibs_mysql: Starting connect to MySQL server for #6
Sat Apr 5 18:07:10 2008 : Info: rlm_nibs_mysql: Starting connect to MySQL server for #7
Sat Apr 5 18:07:10 2008 : Info: rlm_nibs_mysql: Starting connect to MySQL server for #8
Sat Apr 5 18:07:10 2008 : Info: rlm_nibs_mysql: Starting connect to MySQL server for #9
Sat Apr 5 18:07:10 2008 : Info: rlm_nibs_mysql: Starting connect to MySQL server for #10
Sat Apr 5 18:07:10 2008 : Info: rlm_nibs_mysql: Starting connect to MySQL server for #11
Sat Apr 5 18:07:10 2008 : Info: rlm_nibs_mysql: Starting connect to MySQL server for #12
Sat Apr 5 18:07:10 2008 : Info: rlm_nibs_mysql: Starting connect to MySQL server for #13
Sat Apr 5 18:07:10 2008 : Info: rlm_nibs_mysql: Starting connect to MySQL server for #14
Sat Apr 5 18:07:10 2008 : Info: rlm_nibs_mysql: Starting connect to MySQL server for #15
Sat Apr 5 18:07:10 2008 : Info: rlm_nibs (nibs_init): Initializing main structures `freenibs'
Sat Apr 5 18:07:10 2008 : Info: rlm_nibs (nibs_init): Initializing group table `packets' done. Found 1 groups
Sat Apr 5 18:07:10 2008 : Info: rlm_anibs (sql_init_prices): No prices configured
Sat Apr 5 18:07:10 2008 : Info: Ready to process requests.
Sat Apr 5 18:07:14 2008 : Auth: Login OK: [alex/123456] (from client localhost port 1812)
Sat Apr 5 18:07:14 2008 : Auth: rlm_nibs (rlm_nibs_postauth): User `alex' login OK [255.255.255.255:1812]
Sat Apr 5 18:07:42 2008 : Auth: Login OK: [alex/<no User-Password attribute>] (from client localhost port 0 cli 192.168.104.5)
Sat Apr 5 18:07:42 2008 : Auth: rlm_nibs (rlm_nibs_postauth): User `alex' login OK [127.0.0.1:0] |192.168.104.5|
Sat Apr 5 18:07:59 2008 : Auth: Login OK: [alex/<no User-Password attribute>] (from client localhost port 0 cli 192.168.104.5)
Sat Apr 5 18:07:59 2008 : Auth: rlm_nibs (rlm_nibs_postauth): User `alex' login OK [127.0.0.1:0] |192.168.104.5|
хм, логи в которых всё хорошо - ничего не могут сказать о проблеме, возможно что нужно дать конфиги.
Можно включить debug в радиусе ( -X ) и посмотреть, что происходит в момент соединения.Еще можно включить debug в /etc/ppp/options.pptpd (это пойдет в фасилити daemon), и опять же посмотреть что происходит в момент соединения.
>Apr 5 18:07:59 localhost pppd[3294]: rc_avpair_gen: received unknown attribute 85 of
>length 4: 0x0000003Cпопробуй добавить в "/etc/radiusclient/dictionary" строчку "ATTRIBUTE Acct-Interim-Interval 85 integer"
>>Apr 5 18:07:59 localhost pppd[3294]: rc_avpair_gen: received unknown attribute 85 of
>>length 4: 0x0000003C
>
>попробуй добавить в "/etc/radiusclient/dictionary" строчку "ATTRIBUTE
>Acct-Interim-Interval 85 integer"Ошибка:
Apr 5 18:07:59 localhost pppd[3294]: rc_avpair_gen: received unknown attribute 85 of length 4: 0x0000003C
из логов ушла, но авторизация по прежнему не проходит.
Появились следующие ошибки в логах:Sun Apr 6 12:28:09 2008 : Auth: rlm_nibs (rlm_nibs_authenticate): Zero length password not permitted for user `chernobaev' [127.0.0.1:0] |192.168.104.5|
Sun Apr 6 12:28:09 2008 : Auth: Login incorrect: [chernobaev/<no User-Password attribute>] (from client localhost port 0 cli 192.168.104.5)
Apr 6 12:28:09 localhost pppd[2959]: Plugin radius.so loaded.
Apr 6 12:28:09 localhost pppd[2959]: RADIUS plugin initialized.
Apr 6 12:28:09 localhost pppd[2959]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Apr 6 12:28:09 localhost pppd[2959]: pppd 2.4.4 started by root, uid 0
Apr 6 12:28:09 localhost pppd[2959]: Using interface ppp0
Apr 6 12:28:09 localhost pppd[2959]: Connect: ppp0 <--> /dev/pts/2
Apr 6 12:28:19 localhost pppd[2959]: Peer chernobaev failed CHAP authentication
Apr 6 12:28:19 localhost pppd[2959]: Connection terminated.
Apr 6 12:28:19 localhost pppd[2959]: Exit.
Выкладываю конфиги
//===========================================================================
pptpd:
#ppp /usr/sbin/pppd
speed 115200
option /etc/ppp/pptpd-optionsdebug
# stimeout 10
#noipparam
logwtmp
bcrelay eth1
localip 192.168.104.1
remoteip 192.168.20.10-23
//============================================================================
PPTPD-OPTIONS:ppptp-options:
name pptpd
plugin radius.so
plugin radattr.so
#chapms-strip-domain
#require-pap
#refuse-chap
require-mschap
require-mschap-v2
require-mppe-128
# }}}
ms-dns 192.168.104.1
#ms-dns 10.0.0.2#ms-wins 10.0.0.3
#ms-wins 10.0.0.4proxyarp
nodefaultroute
# Logging#debug
#dump
# Miscellaneouslock
# Disable BSD-Compress compression
nobsdcomp
nodeflate
novj
novjccomp
//==================================================================================
radiusd.conf:prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacctconfdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
user = freerad
group = freerad
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
shadow = /etc/shadow
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
ldap {
server = "ldap.your.domain"
# identity = "cn=admin,o=My Org,c=UA"
# password = mypass
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmapldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
}realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
checkval {
# The attribute to look for in the request
item-name = Calling-Station-Id# The attribute to look for in check items. Can be multi valued
check-name = Calling-Station-Id# The data type. Can be
# string,integer,ipaddr,date,abinary,octets
data-type = string# If set to yes and we dont find the item-name attribute in the
# request then we send back a reject
# DEFAULT is no
#notfound-reject = no
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
# NiBS Support
$INCLUDE ${confdir}/nibs.conf
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
#packet_type = Access-Accept
}
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
maximum-timeout = 0
}
}instantiate {
exec
expr
# daily
}
authorize {
preprocess
# auth_log
nibs
# attr_filter
# chap
mschap
# digest
# IPASS
# suffix
# ntdomain
# eap
# files
# sql
# etc_smbpasswd
# ldap
# daily
# checkval
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
Auth-Type NIBS {
nibs
}
}
preacct {
preprocess
acct_unique
# IPASS
# suffix
# ntdomain
# files
}accounting {
acct_unique
detail
# daily
# unix
radutmp
# sradutmp
# main_pool
# sql
nibs
# pgsql-voip
}
session {
# radutmp
# sql
# NiBS zap
nibs
}
post-auth {
# main_pool
# reply_log
# sql
nibs
# Post-Auth-Type REJECT {
# insert-module-name-here
# }}
pre-proxy {
}
post-proxy {
eap
}
>Sun Apr 6 12:28:09 2008 : Auth: rlm_nibs (rlm_nibs_authenticate): Zero length
>password not permitted for user `chernobaev' [127.0.0.1:0] |192.168.104.5|
>Sun Apr 6 12:28:09 2008 : Auth: Login incorrect: [chernobaev/<no User-Password attribute>] (from client localhost port 0 cli 192.168.104.5)Похоже что авторизация mschap не происходит, поэтому нет атрибута User-Password. Попробуй поставить mschap до nibs, а не после, в модуле authorize.
И еще все-таки стоит посмотреть дебаг-вывод.
>>Sun Apr 6 12:28:09 2008 : Auth: rlm_nibs (rlm_nibs_authenticate): Zero length
>>password not permitted for user `chernobaev' [127.0.0.1:0] |192.168.104.5|
>>Sun Apr 6 12:28:09 2008 : Auth: Login incorrect: [chernobaev/<no User-Password attribute>] (from client localhost port 0 cli 192.168.104.5)
>
>Похоже что авторизация mschap не происходит, поэтому нет атрибута User-Password. Попробуй поставить
>mschap до nibs, а не после, в модуле authorize.
>
>И еще все-таки стоит посмотреть дебаг-вывод.Извините за тупой вопрос, а где его искать этот вывод?
>Извините за тупой вопрос, а где его искать этот вывод?radiusd -X
вывод пойдет в stderrИ мне кажется, все-таки может помочь махнуть местами nibs и mschap в секции authorize, попробуйте.
>И мне кажется, все-таки может помочь махнуть местами nibs и mschap в
>секции authorize, попробуйте.Попробовал... Вот что выдал радиус при отладке:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32771, id=123, length=71
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "chernobaev"
Calling-Station-Id = "192.168.104.5"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
radius_xlat: 'chernobaev'
rlm_nibs (sql_set_user): sql_set_user escaped user --> 'chernobaev'
rlm_nibs (nibs_fill_user): begin for user `chernobaev' ------------
radius_xlat: 'SELECT user, password, crypt_method, uid, gid, deposit, credit, unix_timestamp(add_date), blocked, activated, unix_timestamp(expired), total_time, total_traffic, total_money, unix_timestamp(last_connection), framed_ip, framed_mask, callback_number FROM users WHERE user = 'chernobaev''
sql_als->sql_get_socket (nibs): Reserving sql socket id: 12
sql_als->sql_release_socket: Released sql socket id: 12
radius_xlat: 'SELECT tos, do_with_tos, direction, fixed, fixed_cost, activation_time, total_time_limit, month_time_limit, week_time_limit, day_time_limit, total_traffic_limit, month_traffic_limit, week_traffic_limit, day_traffic_limit, total_money_limit, month_money_limit, week_money_limit, day_money_limit, login_time, huntgroup_name, simultaneous_use, port_limit, session_timeout, idle_timeout, allowed_prefixes, no_pass, no_acct, allow_callback, other_params, allowed_servers FROM users WHERE user = 'chernobaev''
rlm_nibs (nibs_fill_user): ----- prof mode begin for user `chernobaev' -----
sql_als->sql_get_socket (nibs): Reserving sql socket id: 11
sql_als->sql_release_socket: Released sql socket id: 11
rlm_nibs (nibs_fill_user): ----- prof mode end for user `chernobaev' -----
rlm_nibs (nibs_fill_user): end for user `chernobaev' ------------
rlm_nibs (nibs_add_attrs): begin for user `chernobaev' ------------
rlm_nibs (nibs_add_attrs): add PW_FRAMED_IP_ADDRESS
rlm_nibs (nibs_add_attrs): add PW_FRAMED_IP_NETMASK
rlm_nibs (nibs_add_attrs): add PW_SIMULTANEOUS_USE
rlm_nibs (nibs_add_attrs): add PW_SESSION_TIMEOUT
rlm_nibs (nibs_add_attrs): add all other params
rlm_nibs (nibs_add_attrs): end for user `chernobaev' ------------
modcall[authorize]: module "nibs" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type Nibs
auth: type "NIBS"
Processing the authenticate section of radiusd.conf
modcall: entering group NIBS for request 0
radius_xlat: 'chernobaev'
rlm_nibs (sql_set_user): sql_set_user escaped user --> 'chernobaev'
radius_xlat: 'SELECT user, password, gid, crypt_method FROM users WHERE user = 'chernobaev''
sql_als->sql_get_socket (nibs): Reserving sql socket id: 10
radius_xlat: 'rlm_nibs (rlm_nibs_authenticate): Zero length password not permitted for user `chernobaev' [127.0.0.1:0]%s%s%s'
rlm_nibs (rlm_nibs_authenticate): Zero length password not permitted for user `chernobaev' [127.0.0.1:0] |192.168.104.5|
sql_als->sql_release_socket: Released sql socket id: 10
modcall[authenticate]: module "nibs" returns invalid for request 0
modcall: leaving group NIBS (returns invalid) for request 0
auth: Failed to validate the user.
Login incorrect: [chernobaev/<no User-Password attribute>] (from client localhost port 0 cli 192.168.104.5)Возникает вопрос, почему возвращается пароль нулевой длины?
>Возникает вопрос, почему возвращается пароль нулевой длины?вот поэтому:
modcall[authorize]: module "mschap" returns noop for request 0должно быть что-то вроде
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
modcall[authorize]: module "mschap" returns ok for request 0Можно попробовать добавить в секции authenticate в Auth-Type NIBS { } еще mschap перед nibs, но это грубоватый хак, даже если и заработает, что вряд ли.
Похоже, что проблема со словарями так просто не решилась, и радиус-клиент не передает радиусу атрибуты MS-CHAP.
1) Попробуйте добавить debug в options.pptpd, настроить фасилити daemon.* в syslog.conf и посмотреть на дебаг вывод pppd. Может быть там будет что-то полезное.
2) Убедитесь, что у вашего радиус-клиента есть майкрософтовский словарь, необходимый для ms-chap (dictionary.microsoft).
я давно ушел с freenibs - утечки памяти под большой нагрузкой, низкая маштабируемость, ну и кривость движка - запихивать щиталку в радиус это дыбилизм, развитие = 0. У каждого приложения должны быть свои задачи, а делать из велосипеда тактор, не наш метод. Поробуйте лучше http://abills.net.ua/wiki/doku.php
>я давно ушел с freenibs - утечки памяти под большой нагрузкой, низкая
>маштабируемость, ну и кривость движка - запихивать щиталку в радиус это
>дыбилизм, развитие = 0. У каждого приложения должны быть свои задачи,
>а делать из велосипеда тактор, не наш метод. Поробуйте лучше http://abills.net.ua/wiki/doku.php
>Если не секрет, с какой нагрузкой у вас справляется abills, и начиная с какой начинались проблемы с freenibs (и какая версия freenibs использовалась)?
>я давно ушел с freenibs - утечки памяти под большой нагрузкой, низкая
>маштабируемость, ну и кривость движка - запихивать щиталку в радиус это
>дыбилизм, развитие = 0. У каждого приложения должны быть свои задачи,
>а делать из велосипеда тактор, не наш метод. Поробуйте лучше http://abills.net.ua/wiki/doku.php
>Можно конечно долго посмеяться но у Abills та же самая ошибка - не воспринимает авторризацию по VPN. Вот вывод радиуса при авторизации:
rad_recv: Access-Request packet from host 127.0.0.1:32771, id=25, length=84
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "qwerty"
User-Password = "qwerty"
Calling-Station-Id = "192.168.2.13"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
radius_xlat: '/usr/abills/libexec/rauth.pl pre_auth'
Exec-Program: /usr/abills/libexec/rauth.pl pre_auth
Exec-Program output: Auth-Type := Accept
Exec-Program-Wait: value-pairs: Auth-Type := Accept
Exec-Program: returned: 0
modcall[authorize]: module "pre_auth" returns ok for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_realm: No '@' in User-Name = "qwerty", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
users: Matched entry DEFAULT at line 155
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
radius_xlat: '/usr/abills/libexec/rauth.pl'
Exec-Program: /usr/abills/libexec/rauth.pl
Exec-Program output: Reply-Message = "Unknow server '127.0.0.1'"
Exec-Program-Wait: value-pairs: Reply-Message = "Unknow server '127.0.0.1'"
Exec-Program: returned: 1
Found Post-Auth-Type
Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 0
radius_xlat: '/usr/abills/libexec/rauth.pl post_auth'
Exec-Program: /usr/abills/libexec/rauth.pl post_auth
Exec-Program output:
Exec-Program: returned: 0
modcall[post-auth]: module "post_auth" returns ok for request 0
modcall: leaving group REJECT (returns ok) for request 0