FreeRadius2 & Krb

Lisa Besko besko at msu.edu
Fri Jun 8 18:44:18 CEST 2012


First I was able to authenticate with kinit so I'm pretty sure krb is 
working.

Second yes I did do several things that were suggested for enabling krb 
and I did back up the original files and it works for the radtest if I 
add a user to the users file with a plain text password.  Unfortunately 
that's not what I need.

I added my client and my secret to clients.conf
I added my realm to proxy.conf
I added my keytab and service principal to modules/krb5
I added
	DEFAULT Auth-Type = Kerberos
	to the top of my users file
I added
	
#Kerberos
         Auth-Type Kerberos {
           krb5
         }

Right after the pap entry in my sites-enabled/inner-tunnel file and in 
my default file.

I also made sure that my service key tab is readable by freeradius and root.

I fear I have missed something and I'm sure it is something I did not do 
correctly but I'm having a hell of a time figuring out what and was 
hoping the debug output would help.  If you know of something I missed 
or would like to point me to better documentation that covers getting 
FreeRadius 2 to work with Kerberos I'd be thrilled but so far my digging 
at the wiki site and various other locations has come up empty.

And I already looked in the manual under "it doesn't work".  I'm 
actually kind of concerned about it dying when I try to authenticate. 
Radius comes up just fine and runs and waits for requests, and then dies 
when it goes to kerberos, that can't be good.

LB

On 6/8/2012 12:06 PM, Timmy wrote:
> Lisa,
> Search in the manual "It doesn't work."
>
> and what did you **do** ?
>
> Timmy
>
>> I'm trying to get FreeRadius2 to authenticate with MIT Kerberos. When
>> radius enters kerberos, it dies with no message. Any suggestions on
>> where to look for clues?
>>
>> OS: FreeBSD 9
>> Radius: FreeRadius 2.1.12
>> Kerberos: MIT Krb5 1.9.2
>>
>> I'm not seeing obvious errors in Debug output.
>>
>> [pap] WARNING! No "known good" password found for the user.
>> Authentication may fail because of this.
>> ++[pap] returns noop
>> Found Auth-Type = Kerberos
>> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
>> +- entering group Kerberos {...}
>>
>>
>> I have experience configuring FreeRadius the original but was hoping
>> to move to 2.
>>
>> LB
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html

-- 
Lisa Besko
IT Services
Wireless Team
Michigan State University
517-432-7317
besko at msu.edu

