Brian Candler b.candler at
Wed Oct 19 12:57:51 CEST 2016

On 18/10/2016 15:55, Brian Candler wrote:
> So the way I got it to work was to set the environment variable in 
> /etc/default/freeradius [for Ubuntu, when running as a service], or 
> directly when running from the command line:
> KRB5CCNAME=... freeradius -X 

As an aside, I wonder if someone can answer this question. Can 
freeradius itself fetch and refresh its own kerberos tickets using a 
keytab? Or does this have to be done externally?

The way I have it working right now is to use an hourly crontab to fetch 

===>  /etc/cron.hourly/freeradius-krb5 <===
kinit -t /root/radiusd.keytab -k radius/ -c 
chown freerad:freerad /var/tmp/radius.krb5

Then I start freeradius pointing to the ticket *cache* file:

# KRB5CCNAME=/var/tmp/radius.krb5 freeradius -X

And this works. However, the documentation for the ldap module says:

         #  At a minimum you probably want to set KRB5_CLIENT_KTNAME.

This implies that maybe I just have to refer to the keytab, and 
freeradius/sasl will fetch its own tickets as required. But I've not 
been able to get this to work:

# KRB5_CLIENT_KTNAME=/root/radiusd.keytab freeradius -X


rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending 
slots used
rlm_ldap (ldap): Connecting to ldap://
rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
SASL/GSSAPI authentication started
rlm_ldap (ldap): Bind with (anonymous) to 
ldap:// failed: Local error
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/etc/freeradius/mods-enabled/ldap[1]: Instantiation failed for module "ldap"

Same result with KRB5_KTNAME.

It seems that at very least I would need to specify (somewhere) which 
principal name to use (i.e. the '-k' argument to kinit in my cronjob). 
But I can't find an environment variable for this:

Nor any setting in the rlm_ldap config. I see that the sasl.c code can 
use this->identity (and also this->password), but I imagine these are 
for simple binds, and the config says *not* to use them for Kerberos:

         #  Administrator account for searching and possibly modifying.
         #  If using SASL + KRB5 these should be commented out.
#       identity = 'cn=admin,dc=example,dc=org'
#       password = mypass

So in summary, my questions are:

1. Is there a way to use just the keytab, rather than 
externally-generated tickets?

2. Under what circumstances would you ever use KRB5_CLIENT_KTNAME as 
recommended in the sample config?

Specifically, this works (using a ticket cache):
KRB5CCNAME=/var/tmp/radius.krb5 freeradius -X

But these doesn't, whether I point to ticket cache or the keytab:
KRB5_CLIENT_KTNAME=/var/tmp/radius.krb5 freeradius -X
KRB5_CLIENT_KTNAME=/root/radiusd.keytab freeradius -X



More information about the Freeradius-Users mailing list