Intermittent failures of mod_krb5
Brian Candler
b.candler at pobox.com
Fri Feb 23 13:51:11 CET 2018
Sorry, hit send too early by accident.
Relevant bits of config:
[radiusd.conf]
max_request_time = 10
thread pool {
    start_servers = 3
    min_spare_servers = 2
    max_spare_servers = 5
    max_requests_per_server = 0
}
[sites-available/default]
authorize {
    ...
    ldap
    ...
    # NOTE: ldap module does not set a Cleartext-Password so "pap"
    # is not enabled automatically. But we are fine to use PAP+krb5
    update control {
        Auth-Type = PAP
    }
}
authenticate {
    Auth-Type PAP {
        krb5
    }
}
[mods-available/krb5]
krb5 {
    keytab = /etc/krb5.keytab
    service_principal = 'host/ix-radius1.ad.example.net'   # different for each radius server
    pool { ... everything as defaults ... }
}
I wonder if there is some sort of leak and I should set "uses" or
"lifetime" to limit how long each krb5 instance is used for?
I also have these environment variables set in systemd:
[Service]
Environment=KRB5_CLIENT_KTNAME=/etc/radius.keytab
Environment=KRB5CCNAME=MEMORY:
Restart=always
RestartSec=5
This is so that freeradius can authenticate to the LDAP server for LDAP
queries. But I don't think the problem is to do with LDAP queries from
freeradius, since the log messages are specifically about rlm_krb5, not
rlm_ldap.
Cheers,
Brian.