Kerberos (krb5) Module Overrides Other Authentication Types . . .

Alan DeKok aland at deployingradius.com
Sat Apr 3 14:30:01 CEST 2010


Mowgli Assor wrote:
> OK, but is there any way to do that without setting a DEFAULT entry? I
> really want Kerberos to be just another in the long list of things it
> tries for authentication, and when one of them succeeds, it stops and
> returns ACCEPT (unless of course Fall-Through is set, but in what
> I'm setting up it would not be).

  That's not really how authentication works.  You need to decide which
users get what kind of authentication.  Then, configure it.

  Trying multiple kinds of authentication won't work.

> It works for any valid Kerberos set. The only entry in the SQL table
> right now is the mowglidb entry, mainly for testing. But basically I
> can't seem to get it to choose Kerberos *or* SQL - if Kerberos is in
> the loop, it'll always use the Kerberos return value, so even though
> SQL authentication succeeds, the reply is REJECT.

  There is no "SQL authentication".

> -----
> [sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'mowglidb'           ORDER BY id
> rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'mowglidb'           ORDER BY id
> -----
> 
> This doesn't actually show me anything about what the reply looks like.

  Yes.  You can run the query manually (as you did) to see the reply.
There's no need to print it in debug mode.

> I can infer it searched the table, and presume it added entries, but I'd
> prefer to see what those entries (and any others that are there) are, so
> that I can figure out if among other things I've used the correct operator,
> and haven't mistyped something.

  Then edit the source code to add that functionality.

> I have Kerberos, SQL, & (for fun let's say) specifically hardcoded users
> in the /etc/raddb/users file, and I wish to have the radius server return
> ACCEPT anytime any *one* of those sources authenticates properly.
> 
> How would I accomplish this?

  With great difficulty.  The phrasing of the problem statement is wrong.

> My thinking was, that I'd have the SQL module run first, and include a
> set Auth-Type in the reply.

  As you were told, the Auth-Type does NOT go in the reply.

> Then, the check statement
> "Auth-Type = Kerberos" should NOT do Kerberos if Auth-Type is already set.
> That's clearly not working.

  Because you're not following the documentation and the messages on
this list.

  That's a big part of the problem... you need to understand how it
works before trying to configure it.  Instead, you keep trying things
you were told are wrong.

> Yet, if I put anything other than "Auth-Type = Kerberos" in the check line
> for the DEFAULT entry, the Kerberos module never attempts authentication.
> 
> My other idea, and the whole reason for the "Hint = SQL" in radreply idea
> was that I could then put a check line in the DEFAULT entry :
> 
> 	DEFAULT		"Hint != SQL"
> 		Auth-Type = Kerberos
> 
> But with that the Kerberos authentication is never attempted, regardless of
> whether the SQL module succeeds or not.

  Exactly.  You were told Auth-Type does not go in the reply.  Yet here
you do it again.

  Why?  Do you think I was joking?  Or maybe you didn't understand my reply?

> Presumably this is because as you mentioned above, the Auth-Type belongs
> only in the check section?

  Perhaps reading my messages would answer that question.

> So the question I guess is how does one integrate the Kerberos module in
> so that, like the SQL, PAP, CHAP, and other modules it's simply one of
> several authentication methods, and have the server return ACCEPT when
> any one of them succeeds?

  You don't.  You decide which users get Kerberos, and you configure that.

  Alan DeKok.
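Alan's point is that the authentication method is chosen per user by a check item, not by a reply item and not by trying modules in turn. The users-file fragment below is an added illustration, not configuration from this thread or from the FreeRADIUS project; the user names and the password value are constructed.

```text
# Added example: /etc/raddb/users fragment (FreeRADIUS users-file syntax).
# An entry is "name   check-item, check-item, ..." on its first line,
# followed by indented reply items. Auth-Type is a check item, so it goes
# on the first line, never among the reply items.
# Entries are tried top to bottom; the first match wins unless its reply
# items include Fall-Through = Yes.

# Users whose password is verified by the Kerberos KDC: force the krb5
# module. rlm_krb5 needs the cleartext User-Password, so these users must
# authenticate with PAP (not CHAP or MS-CHAP).
alice   Auth-Type := Kerberos
bob     Auth-Type := Kerberos

# A user whose password is known locally: PAP or CHAP is selected from the
# Cleartext-Password check item automatically, so no Auth-Type is needed.
# (constructed password, for illustration only)
carol   Cleartext-Password := "example-only"
        Reply-Message = "Welcome, carol"

# Anyone not listed above is left to the other authorize modules (for
# example sql, whose radcheck rows are check items in the same sense).
# Writing "Auth-Type = Kerberos" as an indented reply item, or as a radreply
# row, does not select Kerberos; that is what the thread observed.
```

The same placement rule holds for the SQL tables: an Auth-Type row belongs in radcheck with op ":=", not in radreply.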
