Auth: rlm_krb5: [test1 at CSP-BACK] krb5_rd_req() failed: Permission denied in replay cache code

Phil Mayers p.mayers at imperial.ac.uk
Wed Jun 15 09:50:30 CEST 2011


On 06/14/2011 09:44 PM, Jimmy wrote:
> I have Kerberos 1.6 configured to use OpenLDAP 2.3.43 as a back end. I
> am trying to configure Freeradius 2.1.7 to authenticate to Kerberos.

My advice would be to investigate having FreeRADIUS pull the user info 
(secrets etc.) direct from LDAP. It'll save your sanity in the long run 
(provided the secrets in LDAP are ones FreeRADIUS can make use of).

But...

>
> I am having problems getting Freeradius to authenticate while started
> in daemon mode. When the process is started in debug mode it seems to
> function, but authentications while in daemon mode return the error:
>
>> Auth: rlm_krb5: [test1 at CSP-BACK] krb5_rd_req() failed: Permission denied in replay cache code

So, in debug mode it's fine, but in daemon mode it's giving permission 
denied errors as above? That error sounds like it's coming out of the 
kerberos libraries, rather than FreeRADIUS.

Try this: start it up in daemon mode, then use "strace" to record syscalls:

strace -o log -p <the pid>

...do a test authentication, then hunt through the log for open() and 
write() calls that fail, i.e. return -1. That should tell you what file 
it's trying to use as a replay cache. Then, fix the permissions so that 
the daemon can access that file.

Also, if you're running an LSM (SELinux, AppArmor) check their logs 
(audit.log in the case of SELinux; no idea for AppArmor) to see if it's 
a MAC policy, rather than uid/gid-based perms, that's denying it.

Alternatively, you might be able to disable the replay cache using 
entries in /etc/krb5.conf, but you'd have to do a bit of digging.
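The following is an added example, not part of the original reply: a small POSIX shell script that does the "hunt through the strace log" step from the message. It embeds a few constructed strace output lines (the paths such as /var/tmp/rc_example_123 and the file descriptor numbers are made up for illustration, not taken from any real FreeRADIUS or Kerberos run), picks out file-related syscalls that returned -1, and then narrows those down to EACCES/EPERM results, which are the ones that point at a permissions or MAC-policy problem rather than, say, a simply missing file.

```shell
#!/bin/sh
# Added example (not from the original thread): locate failing file
# syscalls in an strace log, as the reply suggests for the replay-cache
# "Permission denied" error.

# Constructed sample strace output. Paths and fd numbers are made up.
STRACE_LOG=$(mktemp)
trap 'rm -f "$STRACE_LOG"' EXIT
cat > "$STRACE_LOG" <<'EOF'
open("/etc/krb5.conf", O_RDONLY) = 3
read(3, "[libdefaults]\n", 4096) = 14
openat(AT_FDCWD, "/var/tmp/rc_example_123", O_RDWR|O_CREAT, 0600) = -1 EACCES (Permission denied)
write(5, "RADIUS\0", 7) = 7
write(6, "cache", 5) = -1 EBADF (Bad file descriptor)
stat("/tmp/krb5cc_example", 0x7ffd00000000) = -1 ENOENT (No such file or directory)
EOF

# Print "syscall errno target" for open/openat/stat/access/write calls
# that returned -1. For write() the target is the fd, since the path is
# not on the line; for the others it is the quoted path argument.
failed_file_syscalls() {
    awk '
    / = -1 / && /^(open|openat|stat|access|write)\(/ {
        call = $0; sub(/\(.*/, "", call)
        errno = $0; sub(/.*= -1 /, "", errno); sub(/ .*/, "", errno)
        if (call == "write") {
            fd = $0; sub(/^write\(/, "", fd); sub(/,.*/, "", fd)
            target = "fd=" fd
        } else {
            target = $0
            sub(/^[a-z]+\([^"]*"/, "", target); sub(/".*/, "", target)
        }
        print call, errno, target
    }' "$1"
}

# Keep only EACCES/EPERM failures: these are the candidates for a
# uid/gid permission problem or an LSM (SELinux/AppArmor) denial.
permission_denied_paths() {
    failed_file_syscalls "$1" | awk '$2 == "EACCES" || $2 == "EPERM" { print $3 }'
}

# Line count helper so tests do not depend on wc's output padding.
count_lines() {
    awk 'END { print NR }'
}

echo "All failing file syscalls:"
failed_file_syscalls "$STRACE_LOG"
echo
echo "Paths denied on permission grounds (check ownership/mode and audit.log next):"
permission_denied_paths "$STRACE_LOG"
```

On a real system you would point the script at the file written by `strace -o log -p <pid>` instead of the embedded sample; the path it prints is the one to inspect with `ls -l` and, if the mode and owner look right for the radiusd user, to search for in the SELinux audit log.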
