Kerberos (krb5) Module Overrides Other Authentication Types . . .

Mowgli Assor mowgli at net.ohio-state.edu
Fri Apr 2 00:33:36 CEST 2010


I've had the rlm_krb5 module running for a while now, with the line
in the users file :

-----
DEFAULT         Auth-Type = Kerberos
-----

I found that was the only way to get the rlm_krb5 module to
actually fire, otherwise the krb5 module would never try
to authenticate anyone.

I'm now trying to add authentication from an SQL database. So, I have
an appropriate tested setup for SQL, and the following in the radreply
table :

mysql> select * from radreply;
+----+----------+--------------+----+------------+
| id | username | attribute    | op | value      |
+----+----------+--------------+----+------------+
|  1 | mowglidb | Service-Type | := | Login-User | 
|  2 | mowglidb | Fall-Through | =  | No         | 
|  3 | mowglidb | Auth-Type    | := | Accept     | 
|  4 | mowglidb | Hint         | := | SQL        | 
+----+----------+--------------+----+------------+
4 rows in set (0.00 sec)

I've verified that both authentication types work properly, but what
happens is that the Kerberos result is the only one ever used, despite
the fact that the SQL result appears valid. So when you lookup an ID
in the SQL table which is valid, the Kerberos lookup executes, doesn't
find the ID, and sends a REJECT.

Here's partial radiusd -X output showing the results of a query . . .
-----
Ready to process requests.
rad_recv: Access-Request packet from host 128.146.XXX.XXX port 1166, id=12, length=48
        User-Name = "mowglidb"
        User-Password = "1234abcd"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/128.146.XXX.XXX/auth-detail-20100401
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/128.146.XXX.XXX/auth-detail-20100401
[auth_log]      expand: %t -> Thu Apr  1 00:38:53 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[IPASS] No '/' in User-Name = "mowglidb", looking up realm NULL
[IPASS] No such realm "NULL"
++[IPASS] returns noop
[suffix] No '@' in User-Name = "mowglidb", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 210
++[files] returns ok
[sql]   expand: %{User-Name} -> mowglidb
[sql] sql_set_user escaped user --> 'mowglidb'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FRO
M radcheck           WHERE username = 'mowglidb'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'mowglidb'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FRO
M radreply           WHERE username = 'mowglidb'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'mowglidb'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username 
= 'mowglidb'           ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup           WHERE username = 'mowglidb'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = Kerberos
+- entering group Kerberos {...}
rlm_krb5: [mowglidb] krb5_g_i_t_w_p failed: Client not found in Kerberos database
++[krb5] returns reject
Failed to authenticate the user.
Login incorrect: [mowglidb] (from client test port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> mowglidb
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 12 to 128.146.XXX.XXX port 1166
Finished request 1.
Going to the next request
-----

I've tried varying what is in the users file, but so far my only results
are either the SQL result is squashed by the Kerberos result, or the
Kerberos section never attempts a lookup.

In reading the attributes description, it implies that if I put the
"Auth-Type = Kerberos" in the check section for the DEFAULT entry,
it should only add this if there is no Auth-Type, but I'm not clear
on when the items from the radreply table are added to the reply.

Explicitly setting the Auth-Type in the SQL reply doesn't
appear to affect anything - the Kerberos DEFAULT entry seems to
simply override it.

I've tried swapping the order of the sql & files attributes in the
authenticate section, but that didn't work either :

-----
++[sql] returns ok
[files] users: Matched entry DEFAULT at line 210
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = Kerberos
+- entering group Kerberos {...}
rlm_krb5: [mowglidb] krb5_g_i_t_w_p failed: Client not found in Kerberos database
++[krb5] returns reject
Failed to authenticate the user.
Login incorrect: [mowglidb] (from client test port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
-----

And modifying the users file so that the entry reads :

-----
DEFAULT
	Auth-Type = Kerberos
-----

resulted in the krb5 module failing to fire at all, even though
the files result did match the DEFAULT rule :

-----
++[chap] returns noop
++[mschap] returns noop
[IPASS] No '/' in User-Name = "assor.3", looking up realm NULL
[IPASS] No such realm "NULL"
++[IPASS] returns noop
[suffix] No '@' in User-Name = "assor.3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 210
++[files] returns ok
[sql]   expand: %{User-Name} -> assor.3
[sql] sql_set_user escaped user --> 'assor.3'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FRO
M radcheck           WHERE username = 'assor.3'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'assor.3'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username 
= 'assor.3'           ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup           WHERE username = 'assor.3'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User assor.3 not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
-----

The users file really only has the single DEFAULT rule in it, but let me
know if seeing any of the other configuration files would help. Otherwise,
I'd appreciate any help on getting the krb5 module to work with other
authentication types.

One other thing, it might be useful to add an "extended debugging" flag
to the -X option, which shows you the reply table entries after each
module, to allow tracking what sets what values. I haven't seen that
mentioned in any documentation, but in my case that would at least allow
me to answer the question of what reply entries get set where when.

				Thanks, <Mowgli>
-- 
The Ohio State University Network Security Group   |  Mowgli Assor
---------------------------------------------------+--------------------------
E-mail : security at osu.edu                          | Network Security Engineer
   Web : http://www.infosec.ohio-state.edu         | Office : (Use E-mail)



More information about the Freeradius-Users mailing list