Debugmode together with Kerberos
Hi everybody, I have configured freeradius to use gssapi for authentication while searching the LDAP for users or hosts. Now I can't start the debugmode anymore. Everytime I try I'm getting: ---------- rlm_ldap (ldap): Connecting to ldaps://ldap-r01.example.net:636 ldaps://ldap-r02.example.net:636 rlm_ldap (ldap): Starting SASL mech(s): gssapi SASL/GSSAPI authentication started rlm_ldap (ldap): Bind with (anonymous) to ldaps://ldap-r01.example.net:636 ldaps://ldap-r02.example.net:636 failed: Local error rlm_ldap (ldap): Opening connection failed (0) rlm_ldap (ldap): Removing connection pool /etc/freeradius/3.0/mods-enabled/ldap[8]: Instantiation failed for module "ldap" ---------- The log from the LDAP-server is showing: ---------- Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 fd=26 ACCEPT from IP=192.168.56.47:34490 (IP=0.0.0.0:636) Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 fd=26 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384 Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 op=0 UNBIND Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 fd=26 closed ---------- Running freeradius normal I can search for a user end check authentication with username and password -------------------- root@radius-r01:~# radtest u1-verw geheim 192.168.56.47 1812 Passw0rd Sent Access-Request Id 143 from 0.0.0.0:34828 to 192.168.56.47:1812 length 77 User-Name = "u1-verw" User-Password = "geheim" NAS-IP-Address = 192.168.56.47 NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "geheim" Received Access-Accept Id 143 from 192.168.56.47:1812 to 192.168.56.47:34828 length 20 -------------------- The logfile for m my LDAP-Server is showing: ---------- Okt 29 15:30:29 ldap-r01 slapd[620]: conn=1031 op=2 BIND dn="" method=163 Okt 29 15:30:29 ldap-r01 slapd[620]: conn=1031 op=2 BIND authcid="radius/radius-r01.example.net" authzid="radius/radius-r01.example.net" Okt 29 15:30:29 ldap-r01 slapd[620]: conn=1031 op=2 BIND dn="uid=radius/radius-r01.example.net,cn=gssapi,cn=auth" mech=GSSAPI bind_ssf=56 ssf=256 Okt 29 15:30:29 ldap-r01 slapd[620]: conn=1031 op=2 RESULT tag=97 err=0 qtime=0.000006 etime=0.000187 text= Okt 29 15:30:29 ldap-r01 slapd[620]: conn=1026 op=3 BIND anonymous mech=implicit bind_ssf=0 ssf=256 Okt 29 15:30:29 ldap-r01 slapd[620]: conn=1026 op=3 BIND dn="cn=u1 Verw,ou=users,ou=Verwaltung,dc=example,dc=net" method=128 Okt 29 15:30:29 ldap-r01 slapd[620]: conn=1026 op=3 BIND dn="cn=u1 Verw,ou=users,ou=Verwaltung,dc=example,dc=net" mech=SIMPLE bind_ssf=0 ssf=256 Okt 29 15:30:29 ldap-r01 slapd[620]: conn=1026 op=3 RESULT tag=97 err=0 qtime=0.000007 etime=0.006275 text= ---------- So as you can see, authentication via Kerberos for the search and authentication of users is working. To do the next step, switch to user-authentication via certificate, I want to start the debugmode, but I could not figure out how to get the debugmode running with Kerberos authentication :-( Is there a way to get it running? Stefan
On Oct 29, 2023, at 10:36 AM, Stefan Kania <stefan@kania-online.de> wrote:
I have configured freeradius to use gssapi for authentication while searching the LDAP for users or hosts. Now I can't start the debugmode anymore. Everytime I try I'm getting: ---------- rlm_ldap (ldap): Connecting to ldaps://ldap-r01.example.net:636 ldaps://ldap-r02.example.net:636 rlm_ldap (ldap): Starting SASL mech(s): gssapi SASL/GSSAPI authentication started rlm_ldap (ldap): Bind with (anonymous) to ldaps://ldap-r01.example.net:636 ldaps://ldap-r02.example.net:636 failed: Local error
The "Local error" message is coming from libldap. So there's some libldap issue which is causing the problem. If you're using kerberos, it's likely some kerberos setup issue. i.e. kerberos is set up for the "radiusd" user, but not for the UID you're using when running the server in debug mode, So either run the server as the "radiusd" user in debug mode via su / sudo / etc., or allow that UID to use kerberos and connect to ldap.
The log from the LDAP-server is showing: ---------- Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 fd=26 ACCEPT from IP=192.168.56.47:34490 (IP=0.0.0.0:636) Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 fd=26 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384 Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 op=0 UNBIND Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 fd=26 closed
That's unhelpful.
Running freeradius normal I can search for a user end check authentication with username and password ... So as you can see, authentication via Kerberos for the search and authentication of users is working.
When running as the UID which has permission to talk to ldap.
To do the next step, switch to user-authentication via certificate, I want to start the debugmode, but I could not figure out how to get the debugmode running with Kerberos authentication :-( Is there a way to get it running?
Changing UIDs should work. Alan DeKok.
On 10/29/23 11:27 AM, Alan DeKok wrote:
On Oct 29, 2023, at 10:36 AM, Stefan Kania <stefan@kania-online.de> wrote:
I have configured freeradius to use gssapi for authentication while searching the LDAP for users or hosts. Now I can't start the debugmode anymore. Everytime I try I'm getting: ---------- rlm_ldap (ldap): Connecting to ldaps://ldap-r01.example.net:636 ldaps://ldap-r02.example.net:636 rlm_ldap (ldap): Starting SASL mech(s): gssapi SASL/GSSAPI authentication started rlm_ldap (ldap): Bind with (anonymous) to ldaps://ldap-r01.example.net:636 ldaps://ldap-r02.example.net:636 failed: Local error The "Local error" message is coming from libldap. So there's some libldap issue which is causing the problem.
If you're using kerberos, it's likely some kerberos setup issue.
i.e. kerberos is set up for the "radiusd" user, but not for the UID you're using when running the server in debug mode,
So either run the server as the "radiusd" user in debug mode via su / sudo / etc., or allow that UID to use kerberos and connect to ldap.
The log from the LDAP-server is showing: ---------- Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 fd=26 ACCEPT from IP=192.168.56.47:34490 (IP=0.0.0.0:636) Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 fd=26 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384 Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 op=0 UNBIND Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 fd=26 closed That's unhelpful.
Running freeradius normal I can search for a user end check authentication with username and password ... So as you can see, authentication via Kerberos for the search and authentication of users is working. When running as the UID which has permission to talk to ldap.
To do the next step, switch to user-authentication via certificate, I want to start the debugmode, but I could not figure out how to get the debugmode running with Kerberos authentication :-( Is there a way to get it running? Changing UIDs should work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I have a script that exports an env variable with the keytab specified and then runs raduisd -X. this necessary for radius to pick up the kerberos creds in the keytab and be able to bind to the directory. #!/bin/bash export KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab radiusd -X export KRB5_CLIENT_KTNAME= this requires that the principal in the keytab, radius/host.domain.tld@REALM, be mapped to an identity and be able to query the directory.
On 29/10/2023 21:49, Brendan Kearney wrote:
I have a script that exports an env variable with the keytab specified and then runs raduisd -X. this necessary for radius to pick up the kerberos creds in the keytab and be able to bind to the directory.
#!/bin/bash
export KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab
Could you not just set that in the ENV section of radiusd.conf? That's there to avoid scripts like this. -- Matthew
On 10/29/23 6:23 PM, Matthew Newton via Freeradius-Users wrote:
On 29/10/2023 21:49, Brendan Kearney wrote:
I have a script that exports an env variable with the keytab specified and then runs raduisd -X. this necessary for radius to pick up the kerberos creds in the keytab and be able to bind to the directory.
#!/bin/bash
export KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab
Could you not just set that in the ENV section of radiusd.conf? That's there to avoid scripts like this.
learned something new... thanks for the tip. now i dont have to modify/override the systemd init, too.
Thank's for your tips, I will tr it this evening. Am 30.10.23 um 12:51 schrieb Brendan Kearney:
On 10/29/23 6:23 PM, Matthew Newton via Freeradius-Users wrote:
On 29/10/2023 21:49, Brendan Kearney wrote:
I have a script that exports an env variable with the keytab specified and then runs raduisd -X. this necessary for radius to pick up the kerberos creds in the keytab and be able to bind to the directory.
#!/bin/bash
export KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab
Could you not just set that in the ENV section of radiusd.conf? That's there to avoid scripts like this.
learned something new... thanks for the tip. now i dont have to modify/override the systemd init, too. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan Kania Landweg 13 25693 St. Michaelisdonn Signieren jeder E-Mail hilft Spam zu reduzieren und schützt Ihre Privatsphäre. Ein kostenfreies Zertifikat erhalten Sie unter https://www.dgn.de/dgncert/index.html Download der root-Zertifikate: https://www.dgn.de/dgncert/downloads.html Neuer GPG-Key der public key befindet sich im Anhang
On Oct 30, 2023, at 2:46 PM, Stefan Kania <stefan@kania-online.de> wrote:
Am 29.10.23 um 23:23 schrieb Matthew Newton via Freeradius-Users:
Could you not just set that in the ENV section of radiusd.conf? That's there to avoid scripts like this. That work's thank you for the help
I've put an example of this environment variable into radiusd.conf, along with an explanation as to when you would use it. Alan DeKok.
participants (4)
-
Alan DeKok -
Brendan Kearney -
Matthew Newton -
Stefan Kania