On 5/6/21 11:57 AM, Pisch Tamás wrote:
Michael Ströder via Freeradius-Users <freeradius-users@lists.freeradius.org>
Because as Alan already said FreeRADIUS does not know anything about Kerberos.
FYI: SASL and GSSAPI are two authentication abstraction layers.
Mainly FreeRADIUS passes the SASL mech string as-is to libldap which invokes libsasl with the correct parameters. For SASL mech GSSAPI libsasl calls libgssapi_krb5 which calls libkrb5 which does the real work.
I feel myself lost in a jungle.
That's understandable. It also took me a while to sort out all this years ago and I'm still learning every day.
You can try to set KRB5_TRACE to let libkrb5 write debug logs.
Ok, I did it. When I use kinit, I can see messages in the log. When I start freeradius, nothing new appears in the log with tls { start_tls = no } sasl { mech = 'GSSAPI' realm = 'ad.ourdomain.hu' }
Maybe that's a dead-end. I currently don't have the time to locally test something like this. And I'm rather reluctant to recommend Kerberos anyway.
I tried with start_tls again, with require_cert<-->= 'allow' But it didn't help. I still get "Strong(er) authentication required"
With former MS AD versions it was not possible to combine SASL/GSSAPI with TLS (either StartTLS or LDAPS). Not sure about the current state. In your former message you wrote that you've added LDAP settings to ldap.conf. Don't do that. I would highly recommend to add all LDAP settings in FreeRADIUS config (file raddb/mods-available/ldap) and nowhere else. Then you have one place where to look for config errors and the relevant settings will appear in the radiusd output. Furthermore I'd even recommend to start radiusd with env var LDAPNOINIT=1 to prevent libldap to automagically read ldap.conf. Here's a example config to be used for my Æ-DIR: https://gitlab.com/ae-dir/client-examples/-/blob/master/freeradius/ldap.simp... It should not be too difficult to change the parameters for MS AD. And then starting radiusd with option -X is your friend during testing. Ciao, Michael.