--On Friday, February 08, 2008 08:19:32 PM +0000 A.L.M.Buxey@lboro.ac.uk wrote:
you MAY need to set "Auth-Type = krb5" for the required user or NAS setting depending on your config!
You will almost certainly have to do something -- there is no way for the rlm_krb5 module to know that you want to use it for veryifying passwords; that's not something that can be inferred from the request. If all of your clients will be using plain passwords which you want to verify against Kerberos, and you won't be supporting EAP clients, then you can probably get away with something simple like adding the following to the users file: DEFAULT Auth-Type := krb5 Fall-Through = No Note that this violates the general advice of never setting Auth-Type, explicitly; this is necessary because rlm_krb5 does not provide any authorize handling and will not set Auth-Type automatically like many other modules do. If you are trying to support EAP or do something else complicated, then setting Auth-Type explicitly like this will probably break it, unless you are very careful to do so only under circumstances where it is the right thing to do. I'm afraid I can't provide help with that; it's rather complex and really the right thing to do is update rlm_krb5 so it works automatically like everything else. Perhaps someday I'll do that; I doubt the original author of that module cares any longer. -- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu> Carnegie Mellon University - Pittsburgh, PA