George C. Kaplan wrote:
I don't think I understand your examples. A NAS is sending a User-Name and User-Password, and somehow I have to tell radiusd, "Use Kerberos to authenticate these users." I don't see how I can do that except by setting 'Auth-Type = Kerberos' *somewhere*.
I am suggesting that in some sense (and obviously, it's only my opinion, and as I say it's only doable to an extent with newer FR versions) the following is better: authenticate { Auth-Type PAP { krb5 } } That is, that the Auth-Type be set to reflect the algorithm in the radius request, and not the backend processing that request.
Out of interest, are you finding rlm_krb5 stable? Under high concurrency?
Yes, except (and it's a big "except") for signals. I posted something about this a little while ago: when radiusd gets a HUP or TERM signal, it sometimes becomes unresponsive, using 98% CPU. A 'kill -9' is
Ah. I'll stick with LDAP to the AD controllers.