Kerberos and FR 3.0.1 (fedora)

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri May 16 00:03:37 CEST 2014


On 15 May 2014, at 22:26, Brendan Kearney <bpk678 at gmail.com> wrote:

> On Thu, 2014-05-15 at 11:19 +0100, Arran Cudbard-Bell wrote:
>> On 15 May 2014, at 11:12, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>> 
>>> 
>>> On 15 May 2014, at 01:24, Brendan Kearney <bpk678 at gmail.com> wrote:
>>> 
>>>> i am evaluating FR 3.0.1 with kerberos/ldap for authN/authZ,
>>>> respectively.  for some reason, the kerberos piece is not authenticating
>>>> me.  the keytab is freshly minted and the kvno in it matches what is in
>>>> kadmin.  the keytab is owned by radiusd:radiusd.  kinit
>>>> -kt /etc/raddb/radius.keytab radius/test.bpk2.com results in a ticket
>>>> being granted.  not sure what the issue is.  can anyone offer a pointer?
>>> 
>>> Try 3.0.3, there have been some fixes since 3.0.1.
>> 
>> Though you also need to make sure there's a keytab entry for your service
>> principal.
>> 
>> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
>> FreeRADIUS Development Team
>> 
>> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>> 
> 
> 3.0.3 is not available from the repos just yet.  when it does come down,
> i will be updating to it.
> 
> the keytab is valid.  i did check it with kinit.  the keytab contains:
> [root at test raddb]# klist -Kket radius.keytab 
> Keytab name: FILE:radius.keytab
> KVNO Timestamp           Principal
> ---- -------------------
> ------------------------------------------------------
>   4 05/13/2014 21:00:49 radius/test.bpk2.com at BPK2.COM
> (aes256-cts-hmac-sha1-96)  (blahthisisalongstringblah)
> 
> the keytab is freshly minted and created out of kadmin.  is there
> something else you think i am missing?
> 

Using MIT Kerberos library
rlm_krb5 (krb5): Using service principal "radius/test.bpk2.com
\@bpk2.com@"
rlm_krb5 (krb5): Using keytab "FILE:/etc/raddb/radius.keytab"
rlm_krb5 (krb5): Initialising connection pool
  pool {

That doesn't look like a healthy service principal string to me.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
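An added check, not part of this thread or of FreeRADIUS, that parses a principal string the way MIT krb5 does (backslash escapes the next character) and compares it with the keytab entry from the klist output above; with the debug line's principal it reports the missing realm and the mismatch against the keytab, and a lowercase realm is flagged because realm names are case-sensitive. The keytab list is constructed from the thread's klist output, with the archive's " at " restored to "@".

```python
# Added example (not FreeRADIUS code): parse MIT-style Kerberos principal
# strings and check an rlm_krb5 service_principal against the keytab entries.
# Sample strings come from this thread: the rlm_krb5 debug line's principal
# and the klist entry (with the archive's " at " restored to "@").

KEYTAB_PRINCIPALS = ["radius/test.bpk2.com@BPK2.COM"]  # constructed from klist


def parse_principal(text):
    """Return (components, realm); realm is None when no unescaped '@' appears.

    A backslash escapes the next character, so '\\@' is a literal '@' inside
    a component rather than the realm separator (MIT krb5 parsing rules).
    """
    components, cur, realm, in_realm, i = [], [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):          # escaped character
            (realm if in_realm else cur).append(text[i + 1])
            i += 2
            continue
        if not in_realm and ch == "/":               # component separator
            components.append("".join(cur)); cur = []
        elif not in_realm and ch == "@":             # start of realm
            components.append("".join(cur)); cur = []; in_realm = True
        else:
            (realm if in_realm else cur).append(ch)
        i += 1
    if not in_realm:
        return components + ["".join(cur)], None
    return components, "".join(realm)


def check_service_principal(configured, keytab=KEYTAB_PRINCIPALS):
    """Return a list of defects; an empty list means the string looks sane."""
    comps, realm = parse_principal(configured)
    problems = []
    if not realm:
        problems.append("no realm after '@' (components %r)" % (comps,))
    elif "@" in realm:
        problems.append("stray '@' inside realm %r" % realm)
    if "" in comps:
        problems.append("empty component in %r" % (comps,))
    kt_realms = [r for c, r in map(parse_principal, keytab) if c == comps]
    if not kt_realms:
        problems.append("no keytab entry named %s" % "/".join(comps))
    elif realm and realm not in kt_realms:
        hint = " (case differs)" if realm.upper() in map(str.upper, kt_realms) else ""
        problems.append("realm %r not among keytab realms %r%s" % (realm, kt_realms, hint))
    return problems
```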
