Cannot get the return code of rlm_krb5
Hello, I am using FreeRADIUS v3.0.4 on Red Hat Enterprise Linux Server release 7.2 (Maipo), the authenticate section is below; authenticate { Auth-Type Kerberos { krb5 update control { Reason := "%{Module-Return-Code}" } } } The attribute gets the correct value except (at least) for the "fail" and the "invalid" return codes. According to the document; http://networkradius.com/doc/FreeRADIUS%20Technical%20Guide.pdf Table 4.3.3.2 Action table for the Authenticate section. Code Action default reject reject return fail continue ok return handled return invalid continue userlock return notfound return noop continue updated continue The "fail" should be taken into account but it looks like the action table is as the authorize one below; Code Action default noop reject return fail return ok continue handled return invalid return userlock return notfound continue noop continue updated continue I have tried to override as shown on this page with no success; https://wiki.freeradius.org/config/Fail-over Any idea of how I could get the actual result from rlm_krb5 module? Thank you in advance, Regards, Olivier LAUDREN. Ce message contient des informations confidentielles à l'intention exclusive du destinataire. Il ne peut être utilisé, divulgué ou copié de quelconque façon que ce soit par une personne autre que le destinataire désigné. Si vous n'êtes pas le destinataire désigné, merci de contacter l'expéditeur et d'effacer ce message. L'expéditeur de ce message n'est pas mandaté à représenter le Parlement européen. Dès lors, ce message ne constitue pas nécessairement le point de vue officiel du Parlement européen, ni un engagement juridique opposable à ce dernier. This message contains confidential information intended solely for the attention of the named addressee. It may not be used, disclosed or copied in any way whatsoever by anyone else than the intended addressee. If you are not the intended addressee, please contact the sender and delete this message. The sender of this message is not authorized to represent the European Parliament and therefore this message does not necessarily reflect the official position of the European Parliament and is not legally binding upon it.
On Mar 30, 2017, at 4:07 AM, LAUDREN Olivier <olivier.laudren@ext.europarl.europa.eu> wrote:
I am using FreeRADIUS v3.0.4
You should really upgrade.
on Red Hat Enterprise Linux Server release 7.2 (Maipo), the authenticate section is below; authenticate { Auth-Type Kerberos { krb5 update control { Reason := "%{Module-Return-Code}" } } }
The attribute gets the correct value except (at least) for the "fail" and the "invalid" return codes. According to the document; ... The "fail" should be taken into account but it looks like the action table is as the authorize one below;
Yes, that is used for sub-sections in authenticate, i.e. blocks wishing "Auth-Type" section.
I have tried to override as shown on this page with no success;
What does that mean?
Any idea of how I could get the actual result from rlm_krb5 module?
The result is returned and handled as with anything else. Alan DeKok.
Sent: 30 March 2017 14:18 On Mar 30, 2017, at 4:07 AM, LAUDREN Olivier <olivier.laudren@ext.europarl.europa.eu> wrote:
I am using FreeRADIUS v3.0.4
You should really upgrade.
I would love to but it will not be possible for now.
on Red Hat Enterprise Linux Server release 7.2 (Maipo), the authenticate section is below; authenticate { Auth-Type Kerberos { krb5 update control { Reason := "%{Module-Return-Code}" } } }
The attribute gets the correct value except (at least) for the "fail" and the "invalid" return codes. According to the document; ... The "fail" should be taken into account but it looks like the action table is as the authorize one below;
Yes, that is used for sub-sections in authenticate, i.e. blocks wishing "Auth-Type" section.
OK.
I have tried to override as shown on this page with no success;
What does that mean?
From what I understood, setting a 'fail = 1' should change the behavior...
Any idea of how I could get the actual result from rlm_krb5 module?
The result is returned and handled as with anything else.
Alan DeKok.
Thanks. Actually, the return code will not be enough; I need to get the KRB5_REALM_UNKNOWN and KRB5_KDC_UNREACH codes from Kerberos which are going to "default:" in the switch condition of rlm_krb5.c, indeed. I guess the only way would to be compile a custom rlm_krb5 version, am I right? Or maybe there is special attribute I can read to get the exact code? Thank you in advance,
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ce message contient des informations confidentielles à l'intention exclusive du destinataire. Il ne peut être utilisé, divulgué ou copié de quelconque façon que ce soit par une personne autre que le destinataire désigné. Si vous n'êtes pas le destinataire désigné, merci de contacter l'expéditeur et d'effacer ce message. L'expéditeur de ce message n'est pas mandaté à représenter le Parlement européen. Dès lors, ce message ne constitue pas nécessairement le point de vue officiel du Parlement européen, ni un engagement juridique opposable à ce dernier. This message contains confidential information intended solely for the attention of the named addressee. It may not be used, disclosed or copied in any way whatsoever by anyone else than the intended addressee. If you are not the intended addressee, please contact the sender and delete this message. The sender of this message is not authorized to represent the European Parliament and therefore this message does not necessarily reflect the official position of the European Parliament and is not legally binding upon it.
Thanks. Actually, the return code will not be enough; I need to get the KRB5_REALM_UNKNOWN and KRB5_KDC_UNREACH codes from Kerberos which are going to "default:" in the switch condition of rlm_krb5.c, indeed. I guess the only way would to be compile a custom rlm_krb5 version, am I right?
But, but, but... If you use custom code RedHat won't love you anymore....
Or maybe there is special attribute I can read to get the exact code? Thank you in advance
If they appear in error messages (the big red ones), you may find they're contained in the latest instance of request:Module-Failure-Message. -Arran Arran Cudbard-Bell FreeRADIUS Core Developer FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Thank you Arran, Using the Module-Failure-Message in "post-auth" section works! -----Original Message----- Sent: 30 March 2017 17:30
Thanks. Actually, the return code will not be enough; I need to get the KRB5_REALM_UNKNOWN and KRB5_KDC_UNREACH codes from Kerberos which are going to "default:" in the switch condition of rlm_krb5.c, indeed. I guess the only way would to be compile a custom rlm_krb5 version, am I right?
But, but, but... If you use custom code RedHat won't love you anymore....
Or maybe there is special attribute I can read to get the exact code? Thank you in advance
If they appear in error messages (the big red ones), you may find they're contained in the latest instance of request:Module-Failure-Message. -Arran Arran Cudbard-Bell FreeRADIUS Core Developer FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 Ce message contient des informations confidentielles à l'intention exclusive du destinataire. Il ne peut être utilisé, divulgué ou copié de quelconque façon que ce soit par une personne autre que le destinataire désigné. Si vous n'êtes pas le destinataire désigné, merci de contacter l'expéditeur et d'effacer ce message. L'expéditeur de ce message n'est pas mandaté à représenter le Parlement européen. Dès lors, ce message ne constitue pas nécessairement le point de vue officiel du Parlement européen, ni un engagement juridique opposable à ce dernier. This message contains confidential information intended solely for the attention of the named addressee. It may not be used, disclosed or copied in any way whatsoever by anyone else than the intended addressee. If you are not the intended addressee, please contact the sender and delete this message. The sender of this message is not authorized to represent the European Parliament and therefore this message does not necessarily reflect the official position of the European Parliament and is not legally binding upon it.
participants (3)
-
Alan DeKok -
Arran Cudbard-Bell -
LAUDREN Olivier