Michael Ströder via Freeradius-Users <freeradius-users@lists.freeradius.org> ezt írta (időpont: 2021. máj. 6., Cs, 10:47):
You're using mixed citation from two different authors. Please cite correctly.
Ok, sorry.
On 5/6/21 10:28 AM, Pisch Tamás wrote:
Michael Ströder wrote:
People who are really eager to use Kerberos could probably just set SASL mech GSSAPI and let libkrb5 do the work. Configuration can be done outside of FreeRADIUS with some env vars:
https://web.mit.edu/kerberos/krb5-devel/doc/user/user_config/kerberos.html#e...
I've already read it. I know that I should set environmental variables. I tried KRB5_CONFIG, but krb5.conf didn't even appear in the freeradius debug output.
Because as Alan already said FreeRADIUS does not know anything about Kerberos.
FYI: SASL and GSSAPI are two authentication abstraction layers.
Mainly FreeRADIUS passes the SASL mech string as-is to libldap which invokes libsasl with the correct parameters. For SASL mech GSSAPI libsasl calls libgssapi_krb5 which calls libkrb5 which does the real work.
Great, thanks. I feel myself lost in a jungle. This is why I wrote to the list, and the read the documentation answer doesn't help me. Surely I could find these somewhere in the documentation someday, but concrete helps me a lot.
You can try to set KRB5_TRACE to let libkrb5 write debug logs.
Ok, I did it. When I use kinit, I can see messages in the log. When I start freeradius, nothing new appears in the log with tls { start_tls = no } sasl { mech = 'GSSAPI' realm = 'ad.ourdomain.hu' } I tried with start_tls again, with require_cert<-->= 'allow' But it didn't help. I still get "Strong(er) authentication required" message. Thanks, Tamás.