Kerberos (krb5) Module Overrides Other Authentication Types . . .
jdennis at redhat.com
Sat Apr 3 16:13:09 CEST 2010
On 04/03/2010 08:30 AM, Alan DeKok wrote:
> Mowgli Assor wrote:
>> OK, but is there any way to do that without setting a DEFAULT entry? I
>> really want Kerberos to be just another in the long list of things it
>> tries for authentication, and when one of them succeeds, it stops and
>> returns ACCEPT (unless of course Fall-Through is set, but in what
>> I'm setting up it would not be).
> That's not really how authentication works. You need to decide which
> users get what kind of authentication. Then, configure it.
rlm_krb5 does not have an authorize callback therefore it's can't say
"I'm available for authentication if there is a cleartext password" like
any other pap style method. Why does rlm_krb5 have behavior seemingly at
odds with the other types of modules in it's family (e.g. those which
can authenticate given a cleartext password).
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
More information about the Freeradius-Users