Kerberos - Radius does not get password

Khapare Joshi khapare77 at gmail.com
Tue Jan 8 11:31:55 CET 2013


Hi,

Thanks,

On Mon, Jan 7, 2013 at 5:41 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> On 07/01/13 16:49, Khapare Joshi wrote:
>
>> Hello
>>
>> I have been having the problem listed in this bug report:
>>
>> https://bugzilla.samba.org/show_bug.cgi?id=6563#c59
>>
>> I know of at least a few universities having a similar issue that ended up
>> restarting winbind, which resolved the issue. I am not sure which version
>> of samba+winbind you are using?
>>
>
> We are on RHEL5 using samba3x-3.3.8-0.52.el5_5.2. Our domain is Windows
> 2008R2, domain functional level is 2008R2 native.
>
>
I am running on:
CENTOS6
samba-winbind-3.5.10-125.el6.x86_64
samba-3.5.10-125.el6.x86_64
samba-common-3.5.10-125.el6.x86_64



>> Also, I am just thinking, is there a way to configure both kerberos
>> (which works with TTLS and PAP) and EAP-PEAP with MSCHAPv2? If it is
>> possible I can support both TTLS via kerberos and PEAP-MSCHAP with
>> Active Directory (winbind and samba). This way I can continue to support
>> older clients (XP, Win7), and for the rest that are supported I can enforce
>> the use of TTLS-PAP with kerberos. It would be great if you could direct me
>> down the right road.
>>
>
> Yes you can do this. I'm not sure what you're asking. You just configure
> each component correctly and let it work.
>
Oh, I meant to support mschap as well. At the moment in my development
environment I could not authenticate from a Windows 7 client because I can
only choose the mschap option.


> This is only very slightly tricky because rlm_krb5 doesn't contain any
> Auth-Type handling; you need to run krb5 if it's a PAP request, see below.
> But you must already be doing this if you're using Kerberos, so just...
> keep doing it.
>
>
Yes, Kerberos is working right now. What I did was:

Added to /etc/raddb/sites-enabled/inner-tunnel, right after the Auth-Type PAP block:
Auth-Type kerberos {
                krb5
}

and DEFAULT Auth-Type = kerberos in the users file.


> sites-enabled/inner-tunnel:
>
> authorize {
>   ...
>   eap
>   mschap
>   pap
>   ...
> }
>
> authenticate {
>   Auth-Type PAP {
>     krb5
>   }
>   Auth-Type MSCHAP {
>     mschap
>   }
>   eap
> }
>
> ...then configure "eap {}" appropriately for TTLS and PEAP.
>
>
To make this work, I still have to configure samba, join the radius server to
AD and so on for the AD authentication, right?

But kerberos only works with PAP; is there a security risk? What is your
view on this?


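As an added example (not Phil's or the FreeRADIUS project's own configuration, written against the 2.x raddb layout shipped with CentOS 6), these are the fragments that tie the two paths discussed above together: PAP inside EAP-TTLS goes to rlm_krb5, which needs the cleartext password to obtain a ticket from the KDC, while MSCHAPv2 inside PEAP is a challenge/response that only a holder of the NT hash can verify, so it has to go to AD through winbind's ntlm_auth. In both cases the inner exchange only ever travels inside the outer TLS tunnel. The service principal, keytab, certificate paths and ntlm_auth location are assumptions.

```conf
# --- raddb/modules/krb5: verifies the cleartext password from TTLS/PAP ---
krb5 {
        keytab = /etc/raddb/radius.keytab              # assumed path
        service_principal = radius/radius.example.com  # assumed principal
}

# --- raddb/modules/mschap: verifies MSCHAPv2 against AD via winbind ---
# Assumes the host has been joined ("net ads join"), winbind is running, and
# the radiusd user may use winbind's privileged pipe.
mschap {
        use_mppe = yes
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# --- raddb/eap.conf: both outer methods hand the inner request to inner-tunnel ---
eap {
        tls {
                private_key_file = /etc/raddb/certs/server.key   # assumed
                certificate_file = /etc/raddb/certs/server.pem   # assumed
                CA_file = /etc/raddb/certs/ca.pem                # assumed
                dh_file = /etc/raddb/certs/dh                    # assumed
        }
        ttls {
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
}

# --- raddb/sites-enabled/inner-tunnel: dispatch on what the inner request carries ---
authorize {
        mschap         # MS-CHAP attributes present -> Auth-Type MSCHAP
        eap            # EAP-Message present (PEAP's inner EAP-MSCHAPv2)
        pap            # User-Password present -> Auth-Type PAP
}
authenticate {
        Auth-Type PAP {      # cleartext password: check it against the KDC
                krb5
        }
        Auth-Type MSCHAP {   # challenge/response: needs the NT hash, so AD
                mschap
        }
        eap
}
```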