I'm trying to get FreeRadius2 to authenicate with MIT Kerberos. When radius enters kerberos, it dies with no message. Any suggestions on where to look for clues? OS: FreeBSD 9 Radius: FreeRadius 2.1.12 Kerberos: MIT Kbr5 1.9.2 I'm not seeing obvious errors in Debug output. [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = Kerberos # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group Kerberos {...} I have experience configuring FreeRadius the original but was hoping to move to 2. LB
Lisa, Search in the manual "It doesn't work." and what did you **do** ? Timmy
I'm trying to get FreeRadius2 to authenicate with MIT Kerberos. When radius enters kerberos, it dies with no message. Any suggestions on where to look for clues?
OS: FreeBSD 9 Radius: FreeRadius 2.1.12 Kerberos: MIT Kbr5 1.9.2
I'm not seeing obvious errors in Debug output.
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = Kerberos # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group Kerberos {...}
I have experience configuring FreeRadius the original but was hoping to move to 2.
LB - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
First I was able to authenticate with kinit so I'm pretty sure krb is working. Second yes I did do several things that were suggested for enabling krb and I did back up the original files and it works for the radtest if I add a user to the users file with a plain text password. Unfortunately that's not what I need. I added my client and my secret to clients.conf I added my realm to proxy.conf I added my keytab and service principle to modules/krb5 I added DEFAULT Auth-Type = Kerberos to the top of my users file I added #Kerberos Auth-Type Kerberos { krb5 } Right after the pap entry in my sites-enabled/inner-tunnel file and in my default file. I also made sure that my service key tab is readable by freeradius and root. I fear I have missed something and I'm sure it is something I did not do correctly but I'm having a hell of a time figuring out what and was hoping the debug output would help. If you know of something I missed or would like to point me to better documentation that covers getting FreeRadius 2 to work with Kerberos I'd be thrilled but so for my digging at the wiki site and various other locations has came up empty. And I already looked in the manual under "it doesn't work". I'm actually kind of concerned about it dying when I try to authenticate. Radius comes up just fine and runs an waits for request, and then dies when it goes to kerberos, that can't be good. LB On 6/8/2012 12:06 PM, Timmy wrote:
Lisa, Search in the manual "It doesn't work."
and what did you **do** ?
Timmy
I'm trying to get FreeRadius2 to authenicate with MIT Kerberos. When radius enters kerberos, it dies with no message. Any suggestions on where to look for clues?
OS: FreeBSD 9 Radius: FreeRadius 2.1.12 Kerberos: MIT Kbr5 1.9.2
I'm not seeing obvious errors in Debug output.
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = Kerberos # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group Kerberos {...}
I have experience configuring FreeRadius the original but was hoping to move to 2.
LB - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Lisa Besko IT Services Wireless Team Michigan State University 517-432-7317 besko@msu.edu
On 2012-06-09 12:00 AM, Lisa Besko wrote:
I'm trying to get FreeRadius2 to authenicate with MIT Kerberos. When radius enters kerberos, it dies with no message. Any suggestions on where to look for clues?
OS: FreeBSD 9 Radius: FreeRadius 2.1.12 Kerberos: MIT Kbr5 1.9.2
I'm not seeing obvious errors in Debug output.
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = Kerberos # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group Kerberos {...}
I have experience configuring FreeRadius the original but was hoping to move to 2.
Lisa, Here is the **Clue**: No "known good" password found for the user. It should be a Password problem. Timmy
I've seen that on my radius servers before right before it goes into krb and get's my token from our kerberos server. I'm quite sure I've missed something in the config but I'm not finding it and the doc's I've found are lacking in the krb area. Believe me asking for help here is a last resort. LB On 6/8/2012 12:13 PM, Timmy wrote:
On 2012-06-09 12:00 AM, Lisa Besko wrote:
I'm trying to get FreeRadius2 to authenicate with MIT Kerberos. When radius enters kerberos, it dies with no message. Any suggestions on where to look for clues?
OS: FreeBSD 9 Radius: FreeRadius 2.1.12 Kerberos: MIT Kbr5 1.9.2
I'm not seeing obvious errors in Debug output.
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = Kerberos # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group Kerberos {...}
I have experience configuring FreeRadius the original but was hoping to move to 2.
Lisa, Here is the **Clue**: No "known good" password found for the user.
It should be a Password problem.
On 06/08/2012 12:40 PM, Lisa Besko wrote:
I've seen that on my radius servers before right before it goes into krb and get's my token from our kerberos server.
I'm quite sure I've missed something in the config but I'm not finding it and the doc's I've found are lacking in the krb area.
Believe me asking for help here is a last resort.
If you're migrating from 1.x to 2.x you're probably using the wrong password attribute, it changed from user-password to cleartext-password. It's correct in the new 2.x configurations but if you just copied 1.x config over to 2.x you probably copied the old attribute name. FWIW the recommended procedure when migrating from 1.x to 2.x is to start with the 2.x vanilla config, put it under source code control so you manage changes in the config, then *incrementally* add your site local needs using the *2.x* methodology (i.e. virtual servers, unlang, etc.) and test every change. If something breaks along the way, don't worry, it's all under source code control so just roll the change back to a known working point. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Hello Lisa, You need to get radiusd core dump. Set 'allow_core_dumps = yes' in radiusd.conf. Run 'uname -c unlimited' before running radiusd. After you get core dump you'll need to take a stack trace from it using gdb: gdb radiusd core thread apply all bt Lisa Besko wrote:
I'm trying to get FreeRadius2 to authenicate with MIT Kerberos. When radius enters kerberos, it dies with no message. Any suggestions on where to look for clues?
OS: FreeBSD 9 Radius: FreeRadius 2.1.12 Kerberos: MIT Kbr5 1.9.2
I'm not seeing obvious errors in Debug output.
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = Kerberos # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group Kerberos {...}
I have experience configuring FreeRadius the original but was hoping to move to 2.
LB - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I'll give that a try when I get back to work. Thank you for helping. LB Sent from my iPhone On Jun 9, 2012, at 3:21 AM, Iliya Peregoudov <iperegudov@cboss.ru> wrote:
Hello Lisa,
You need to get radiusd core dump. Set 'allow_core_dumps = yes' in radiusd.conf. Run 'uname -c unlimited' before running radiusd.
After you get core dump you'll need to take a stack trace from it using gdb:
gdb radiusd core thread apply all bt
Lisa Besko wrote:
I'm trying to get FreeRadius2 to authenicate with MIT Kerberos. When radius enters kerberos, it dies with no message. Any suggestions on where to look for clues? OS: FreeBSD 9 Radius: FreeRadius 2.1.12 Kerberos: MIT Kbr5 1.9.2 I'm not seeing obvious errors in Debug output. [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = Kerberos # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group Kerberos {...} I have experience configuring FreeRadius the original but was hoping to move to 2. LB - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Just and FYI.
I moved to CentOS from FreeBSD, installed FreeRadius2 and krb5, put my
config in place and it worked just fine. I'm suspecting a library issue
on FreeBSD but just thought I would post my results incase someone else
runs into the issue of radius dying when it goes to kerberos authentication.
I wish I had time to dig in and get more information but at the moment I
just need it to work.
LB
On 6/9/2012 10:40 AM, Lisa Besko wrote:
>> Lisa Besko wrote:
>>> I'm trying to get FreeRadius2 to authenicate with MIT Kerberos. When radius enters kerberos, it dies with no message. Any suggestions on where to look for clues?
>>> OS: FreeBSD 9
>>> Radius: FreeRadius 2.1.12
>>> Kerberos: MIT Kbr5 1.9.2
>>> I'm not seeing obvious errors in Debug output.
>>> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
>>> ++[pap] returns noop
>>> Found Auth-Type = Kerberos
>>> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
>>> +- entering group Kerberos {...}
>>> I have experience configuring FreeRadius the original but was hoping to move to 2.
>>> LB
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
--
Lisa Besko
IT Services
Wireless Team
Michigan State University
participants (4)
-
Iliya Peregoudov -
John Dennis -
Lisa Besko -
Timmy