Re: Kerberos module config
On Tue, 2007-03-13 at 17:31 +0100, Alan DeKok wrote:
> John T. Guthrie wrote:
> > Well, when all else fails, read the documentation. I just checked the
> > wiki on the website, and it says that the answer to my question is yes.
> > However, I went ahead and wrote a patch to the radiusd.conf.in file in
> > the source code to add in some documentation for configuring Kerberos.
> > Where would be the best place to post that patch?
>
> This list is OK for small patches.
>
> Alan DeKok.
Alan,
Here is the patch that I mentioned. This is a patch against the
radiusd.conf.in file in 1.1.5.
Thanks.
--
John Guthrie
guthrie@counterexample.org
--- radiusd.conf.in.orig 2007-02-04 10:28:46.000000000 -0500
+++ radiusd.conf.in 2007-03-13 23:49:31.000000000 -0400
@@ -660,6 +660,20 @@
radwtmp = ${logdir}/radwtmp
}
+ # Kerberos 5
+ # The documentation doesn't give us much.
+ # See www.mail-archive.com/freeradius-users@lists.cistron.nl/msg21439.html
+ #
+ # You will also need to uncomment the "Auth-Type Kerberos" in the
+ # 'authenticate' section below.
+ #krb5 {
+ # keytab containing the key used by rlm_krb5
+ #keytab = /path/to/keytab
+
+ # principal that is used by rlm_krb5
+ #service_principal = radius/some.host.com
+ #}
+
# Extensible Authentication Protocol
#
# For all EAP related authentications.
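Review bot: The comment above `#keytab = /path/to/keytab` should say how the file has to be protected, since a keytab holds the long-term key for the service principal named on the next line; suggest adding that it must be readable only by the account radiusd runs as. The opening "The documentation doesn't give us much." and the bare mail-archive link will not help an administrator reading a shipped config; one sentence on what the module is for would be more durable. The empty added line inside the commented-out `krb5 { ... }` block has no `#`, so the block no longer reads as a single commented unit; a lone `#` there would keep it consistent.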
@@ -1954,6 +1968,19 @@
# ldap
# }
+ # Uncomment this if you want to use Kerberos 5 for authentication.
+ # You will also need to uncomment the 'krb5' module above.
+ # Note that use of Kerberos requires that the User-Name and
+ # User-Password attributes be set in the request packet. This means
+ # that a client that is trying to authenticate using a digest-like
+ # scheme will not be able be authenticated using this mechanism.
+ #
+ # You will need to use an Auth-Type of "Kerberos", not "krb5" to
+ # reference this in the users file.
+# Auth-Type Kerberos {
+# krb5
+# }
+
#
# Allow EAP authentication.
eap
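Review bot: In the added comment, "will not be able be authenticated using this mechanism" is missing a word ("will not be able to be authenticated"). The same paragraph would be clearer if it stated the reason behind the restriction, namely that the module needs User-Password in the request, rather than leaving "digest-like scheme" undefined. The note that the users file must reference "Kerberos", not "krb5", is useful; consider repeating it in the comment beside the `krb5 { ... }` module block as well, since that is where the name mismatch will first surprise someone.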