Kerberos - Radius does not get password
Phil Mayers
p.mayers at imperial.ac.uk
Mon Jan 7 18:41:29 CET 2013
On 07/01/13 16:49, Khapare Joshi wrote:
> Hello
>
> I have been having a problem as listed in this bug list:
>
> https://bugzilla.samba.org/show_bug.cgi?id=6563#c59
>
> I know at least a few universities having a similar issue and ended up with
> restarting winbind - that resolves the issue. I am not sure which version
> of samba+winbind you are using?
We are on RHEL5 using samba3x-3.3.8-0.52.el5_5.2. Our domain is Windows
2008R2, domain functional level is 2008R2 native.
>
> Also, I am just thinking, is there a way to configure both Kerberos
> (which works TTLS with PAP) and EAP-PEAP with MSCHAPv2? If it is
> possible I can support both TTLS via Kerberos and PEAP-MSCHAP with
> Active Directory (winbind and samba). This way I can continue to support
> older $$$client xp, win7 and for rest those are supported I can enforce
> to use TTLS-PAP with Kerberos. It would be great if you direct me in
> right road.
Yes you can do this. I'm not sure what you're asking. You just configure
each component correctly and let it work.

This is only very slightly tricky because rlm_krb5 doesn't contain any
Auth-Type handling; you need to run krb5 if it's a PAP request, see
below. But you must already be doing this if you're using Kerberos, so
just... keep doing it.

sites-enabled/inner-tunnel:

    authorize {
        ...
        eap
        mschap
        pap
        ...
    }

    authenticate {
        Auth-Type PAP {
            krb5
        }
        Auth-Type MSCHAP {
            mschap
        }
        eap
    }

...then configure "eap {}" appropriately for TTLS and PEAP.
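
Added example, not part of the original message: one way the "eap {}" module could be set up so that both EAP-TTLS and PEAP hand their inner requests to the inner-tunnel virtual server shown above. It assumes the FreeRADIUS 2.x eap.conf layout, and the certificate file names are placeholders.

```conf
# Added example (not from the original post); FreeRADIUS 2.x syntax assumed.
eap {
    # Outer type offered first; a client may NAK and ask for TTLS instead.
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no

    # Server certificate used for the TTLS and PEAP outer tunnels.
    # File names are placeholders for the site's own certificate files.
    tls {
        certdir = ${confdir}/certs
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        CA_file = ${certdir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
    }

    # EAP-TTLS: an inner PAP request is sent to inner-tunnel, where
    # "pap" in authorize selects Auth-Type PAP and authenticate runs krb5.
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }

    # PEAP: the inner EAP-MSCHAPv2 conversation is also sent to
    # inner-tunnel, where the eap and mschap entries handle it.
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }

    # Enables EAP-MSCHAPv2 as an inner method.
    mschapv2 {
    }
}
```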