Cannot get the return code of rlm_krb5

Thu Mar 30 16:02:15 CEST 2017

> Sent: 30 March 2017 14:18
> On Mar 30, 2017, at 4:07 AM, LAUDREN Olivier <olivier.laudren at ext.europarl.europa.eu> wrote:
> > 
> > I am using FreeRADIUS v3.0.4
> 
>   You should really upgrade.

I would love to but it will not be possible for now.

> 
> > on Red Hat Enterprise Linux Server release 7.2 (Maipo), the authenticate section is below;
> > 	authenticate {
> > 		Auth-Type Kerberos {
> > 			krb5
> > 			update control {
> > 				Reason := "%{Module-Return-Code}"
> > 			}
> > 		}
> > 	}
> > 
> > The attribute gets the correct value except (at least) for the "fail" and the "invalid" return codes.
> > According to the document;
> ...
> > The "fail" should be taken into account but it looks like the action table is as the authorize one below;
> 
>   Yes, that is used for sub-sections in authenticate, i.e. blocks wishing "Auth-Type" section.

OK.

> > I have tried to override as shown on this page with no success;
> 
>   What does that mean?

>From what I understood, setting a 'fail = 1' should change the behavior...

> > Any idea of how I could get the actual result from rlm_krb5 module?
> 
>   The result is returned and handled as with anything else.
> 
>   Alan DeKok.
> 

Thanks.
Actually, the return code will not be enough; I need to get the KRB5_REALM_UNKNOWN and KRB5_KDC_UNREACH codes from Kerberos which are going to "default:" in the switch condition of rlm_krb5.c, indeed.
I guess the only way would to be compile a custom rlm_krb5 version, am I right?
Or maybe there is special attribute I can read to get the exact code?
Thank you in advance,

> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Ce message contient des informations confidentielles à l'intention exclusive du destinataire. Il ne peut être utilisé, divulgué ou copié de quelconque façon que ce soit par une personne autre que le destinataire désigné. Si vous n'êtes pas le destinataire désigné, merci de contacter l'expéditeur et d'effacer ce message. L'expéditeur de ce message n'est pas mandaté à représenter le Parlement européen. Dès lors, ce message ne constitue pas nécessairement le point de vue officiel du Parlement européen, ni un engagement juridique opposable à ce dernier.
This message contains confidential information intended solely for the attention of the named addressee. It may not be used, disclosed or copied in any way whatsoever by anyone else than the intended addressee. If you are not the intended addressee, please contact the sender and delete this message. The sender of this message is not authorized to represent the European Parliament and therefore this message does not necessarily reflect the official position of the European Parliament and is not legally binding upon it.