Auth: rlm_krb5: [test1 at CSP-BACK] krb5_rd_req() failed: Permission denied in replay cache code

g17jimmy g17jimmy at gmail.com
Wed Jun 15 16:49:47 CEST 2011


d'oh! it was SELinux. I had disabled it temporarily, but didn't set it as
disabled in /etc/selinux/config so it was blocking the authentication.


Phil Mayers wrote:
> 
> On 06/14/2011 09:44 PM, Jimmy wrote:
>> I have Kerberos 1.6 configured to use OpenLDAP 2.3.43 as a back end. I
>> am trying to configure Freeradius 2.1.7 to authenticate to Kerberos.
> 
> My advice would be to investigate having FreeRADIUS pull the user info 
> (secrets etc.) direct from LDAP. It'll save your sanity in the long run 
> (provided the secrets in LDAP are ones FreeRADIUS can make use of)
> 
> But...
> 
>>
>> I am having problems getting Freeradius to authenticate while started
>> in daemon mode. When the process is started in debug mode it seems to
>> function, but authentications while in daemon mode return the error:
>>
>>> Auth: rlm_krb5: [test1 at CSP-BACK] krb5_rd_req() failed: Permission denied
>>> in replay cache code
> 
> So, in debug mode it's fine, but in daemon mode it's giving permission 
> denied errors as above? That error sounds like it's coming out of the 
> kerberos libraries, rather than FreeRADIUS.
> 
> Try this: start it up in daemon mode, then use "strace" to record
> syscalls:
> 
> strace -o log -p <the pid>
> 
> ...do a test authentication, then hunt through the log for open() and 
> write() calls that fail i.e. return -1. That should tell you what file 
> it's trying to use as a replay cache. Then, fix the permissions so that 
> the daemon can access that file.
> 
> Also, if you're running an LSM (SELinux, AppArmor) check their logs 
> (audit.log in the case of SELinux; no idea for AppArmor) to see if it's 
> a MAC policy, rather than uid/gid-based perms, that's denying it.
> 
> Alternatively, you might be able to disable the replay cache using 
> entries in /etc/krb5.conf, but you'd have to do a bit of digging.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 


--
View this message in context: http://freeradius.1045715.n5.nabble.com/Auth-rlm-krb5-test1-CSP-BACK-krb5-rd-req-failed-Permission-denied-in-replay-cache-code-tp4489262p4491473.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
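The two checks Phil suggests (failed open()/write() calls in an strace log, then AVC denials in audit.log to tell a MAC denial from plain uid/gid permissions) as a small triage script. This is an added example, not code from the thread or from FreeRADIUS; the strace and audit.log lines are constructed, and the replay-cache path /var/tmp/rc_radiusd_0 is a hypothetical name.

```shell
#!/bin/sh
# Added example, not from the thread: triage helpers for the two checks
# suggested above. The sample strace/audit lines are constructed, and
# /var/tmp/rc_radiusd_0 is a hypothetical replay-cache path.

# Print "syscall path errno" for path-taking syscalls that returned -1.
# Assumes default strace formatting: name(args) = -1 ERRNO (message).
failed_file_syscalls() {
    grep -E '^(open|openat|creat|stat|access|mkdir|chmod|unlink)\(.*\) = -1 ' "$1" |
    sed -E 's/^([a-z]+)\([^"]*"([^"]+)".*= -1 ([A-Z]+).*$/\1 \2 \3/'
}

# Print "comm perm name tclass" for SELinux AVC denials of one process name,
# so a MAC denial is told apart from ordinary file-permission problems.
selinux_denials() {
    # $1 = audit log, $2 = process name as it appears in comm="..."
    grep -E "avc: +denied .*comm=\"$2\"" "$1" |
    sed -E 's/.*denied +\{ ([a-z_ ]+) \}.*comm="([^"]+)".*name="([^"]+)".*tclass=([a-z_]+).*/\2 \1 \3 \4/'
}

# Constructed sample data so the script runs stand-alone.
write_samples() {
    cat > "$1" <<'EOF'
open("/etc/krb5.conf", O_RDONLY) = 3
open("/var/tmp/rc_radiusd_0", O_RDWR|O_CREAT, 0600) = -1 EACCES (Permission denied)
write(3, "radius", 6) = 6
openat(AT_FDCWD, "/var/tmp/rc_radiusd_0", O_WRONLY|O_CREAT|O_TRUNC, 0600) = -1 EACCES (Permission denied)
EOF
    cat > "$2" <<'EOF'
type=AVC msg=audit(1308064123.456:789): avc:  denied  { write } for  pid=1234 comm="radiusd" name="rc_radiusd_0" dev=sda1 ino=12345 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1308064124.001:790): avc:  denied  { read } for  pid=999 comm="httpd" name="index.html" dev=sda1 ino=222 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Usage: script.sh <strace.log> <audit.log>; with no arguments the samples are used.
if [ "$#" -eq 2 ]; then
    failed_file_syscalls "$1"; selinux_denials "$2" radiusd
else
    s=$(mktemp); a=$(mktemp); write_samples "$s" "$a"
    failed_file_syscalls "$s"; selinux_denials "$a" radiusd
    rm -f "$s" "$a"
fi
```

A path that shows up in the first listing with EACCES and also in an AVC denial for radiusd points at policy (fix the file context or the boolean), whereas EACCES with no AVC line points at plain ownership or mode bits.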
