Kerberos (krb5) Module Overrides Other Authentication Types . . .

John Dennis jdennis at
Sat Apr 3 16:13:09 CEST 2010

On 04/03/2010 08:30 AM, Alan DeKok wrote:
> Mowgli Assor wrote:
>> OK, but is there any way to do that without setting a DEFAULT entry? I
>> really want Kerberos to be just another in the long list of things it
>> tries for authentication, and when one of them succeeds, it stops and
>> returns ACCEPT (unless of course Fall-Through is set, but in what
>> I'm setting up it would not be).
>    That's not really how authentication works.  You need to decide which
> users get what kind of authentication.  Then, configure it.

rlm_krb5 does not have an authorize callback, therefore it can't say
"I'm available for authentication if there is a cleartext password" like
any other pap style method. Why does rlm_krb5 have behavior seemingly at
odds with the other types of modules in its family (e.g. those which
can authenticate given a cleartext password)?

John Dennis <jdennis at>
