Kerberos and FR 3.0.1 (fedora)

Brendan Kearney bpk678 at gmail.com
Fri May 16 03:13:21 CEST 2014


On Thu, 2014-05-15 at 23:03 +0100, Arran Cudbard-Bell wrote:
> On 15 May 2014, at 22:26, Brendan Kearney <bpk678 at gmail.com> wrote:
> 
> > On Thu, 2014-05-15 at 11:19 +0100, Arran Cudbard-Bell wrote:
> >> On 15 May 2014, at 11:12, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
> >> 
> >>> 
> >>> On 15 May 2014, at 01:24, Brendan Kearney <bpk678 at gmail.com> wrote:
> >>> 
> >>>> i am evaluating FR 3.0.1 with kerberos/ldap for authN/authZ,
> >>>> respectively.  for some reason, the kerberos piece is not authenticating
> >>>> me.  the keytab is freshly minted and the kvno in it matches what is in
> >>>> kadmin.  the keytab is owned by radiusd:radiusd.  kinit
> >>>> -kt /etc/raddb/radius.keytab radius/test.bpk2.com results in a ticket
> >>>> being granted.  not sure what the issue is.  can anyone offer a pointer?
> >>> 
> >>> Try 3.0.3, there have been some fixes since 3.0.1.
> >> 
> >> Though you also need to make sure there's a keytab entry for your service
> >> principal.
> >> 
> >> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> >> FreeRADIUS Development Team
> >> 
> >> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
> >> 
> >> -
> >> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> > 
> > 3.0.3 is not available from the repos just yet.  when it does come down,
> > i will be updating to it.
> > 
> > the keytab is valid.  i did check it with kinit.  the keytab contains:
> > [root at test raddb]# klist -Kket radius.keytab 
> > Keytab name: FILE:radius.keytab
> > KVNO Timestamp           Principal
> > ---- ------------------- ------------------------------------------------------
> >    4 05/13/2014 21:00:49 radius/test.bpk2.com at BPK2.COM (aes256-cts-hmac-sha1-96)  (blahthisisalongstringblah)
> > 
> > the keytab is freshly minted and created out of kadmin.  is there
> > something else you think i am missing?
> > 
> 
> Using MIT Kerberos library
> rlm_krb5 (krb5): Using service principal "radius/test.bpk2.com\@bpk2.com@"
> rlm_krb5 (krb5): Using keytab "FILE:/etc/raddb/radius.keytab"
> rlm_krb5 (krb5): Initialising connection pool
>   pool {
> 
> That doesn't look like a healthy service principal string to me.
> 
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS Development Team
> 
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

i agree, but the extra @ is not coming from the keytab.

[root at test raddb]# klist -Kket radius.keytab 
Keytab name: FILE:radius.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 05/13/2014 21:00:49 radius/test.bpk2.com at BPK2.COM (aes256-cts-hmac-sha1-96)  (longStringHere...)

having checked my 2.x versions that are working, i noticed that the krb5
module file only has "radius/host.domain.tld", and not
"radius/host.domain.tld at REALM.TLD".  changing that line corrected the
issue.
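
The logged name "radius/test.bpk2.com\@bpk2.com@" is easier to understand once it is read with the quoting rules MIT krb5_unparse_name() uses: a literal '/', '@' or backslash inside a component is written with a leading backslash, and the name always ends in '@' followed by the realm. The following parser, an added example that is not code from this thread or from FreeRADIUS, implements those rules and a small diagnose() check; read this way, the logged string has the realm-qualified text inside the host component and an empty realm, so it cannot match the keytab entry radius/test.bpk2.com@BPK2.COM. How rlm_krb5 assembled that string from the configuration is not shown in the thread, so the parse only tells you what the log line denotes.

```python
"""Kerberos principal (un)parsing with MIT krb5-style quoting.

Added example; not code from the mailing-list thread or from FreeRADIUS.
Quoting follows MIT krb5_unparse_name(): '/', '@' and '\\' inside a
component are backslash-escaped, and the name ends in '@' + realm.
"""
from dataclasses import dataclass
from typing import List

# Characters krb5_unparse_name() protects with a backslash.
_QUOTE = {"/": "\\/", "@": "\\@", "\\": "\\\\",
          "\n": "\\n", "\t": "\\t", "\b": "\\b", "\0": "\\0"}
# Reverse map: the character after a backslash -> the raw character it stands for.
_UNQUOTE = {quoted[1]: raw for raw, quoted in _QUOTE.items()}


@dataclass
class Principal:
    components: List[str]
    realm: str

    def unparse(self) -> str:
        """Render like krb5_unparse_name(): quoted components, '@', quoted realm."""
        def quote(s: str) -> str:
            return "".join(_QUOTE.get(c, c) for c in s)
        return "/".join(quote(c) for c in self.components) + "@" + quote(self.realm)


def parse_principal(text: str) -> Principal:
    """Inverse of unparse(): split on unquoted '/' and '@', honouring backslashes."""
    components: List[str] = []
    current: List[str] = []
    in_realm = False
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\":
            if i + 1 >= len(text):
                raise ValueError("dangling backslash at end of principal")
            nxt = text[i + 1]
            current.append(_UNQUOTE.get(nxt, nxt))  # unknown escapes stand for themselves
            i += 2
            continue
        if in_realm and c in "/@":
            raise ValueError(f"unquoted {c!r} inside realm")
        if not in_realm and c == "/":
            components.append("".join(current))
            current = []
        elif not in_realm and c == "@":
            components.append("".join(current))
            current = []
            in_realm = True
        else:
            current.append(c)
        i += 1
    if in_realm:
        realm = "".join(current)
    else:  # no '@' at all: realm left unspecified
        components.append("".join(current))
        realm = ""
    return Principal(components, realm)


def diagnose(text: str) -> List[str]:
    """List what is wrong with a service principal string as it appears in a log."""
    p = parse_principal(text)
    problems: List[str] = []
    if p.realm == "":
        problems.append("realm is empty")
    if len(p.components) != 2:
        problems.append(f"expected service/host, got {len(p.components)} component(s)")
    for comp in p.components:
        if "@" in comp or "/" in comp:
            problems.append(f"component {comp!r} contains a quoted separator")
    return problems


if __name__ == "__main__":
    # Both strings are taken from the thread above; the second is the logged name.
    for name in ("radius/test.bpk2.com@BPK2.COM", "radius/test.bpk2.com\\@bpk2.com@"):
        p = parse_principal(name)
        print(name, "->", p.components, "realm=%r" % p.realm, diagnose(p.unparse()))
```

Running it prints the keytab-style name as two clean components with realm BPK2.COM and no problems, and the logged name as components ['radius', 'test.bpk2.com@bpk2.com'] with an empty realm, which is the mismatch the config change fixed.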
