SASL AuthN to LDAP
Isaac Boukris
iboukris at gmail.com
Wed Oct 19 16:39:49 CEST 2016
On Wed, Oct 19, 2016 at 5:12 PM, Brian Candler <b.candler at pobox.com> wrote:
> However if I "kinit admin" so that I have an existing Kerberos ticket, and
> then start radiusd, it uses the existing ticket. And this means that user
> lookups fail:
...
> The solution is to override the credentials cache type:
>
> KRB5CCNAME=MEMORY: KRB5_CLIENT_KTNAME=/etc/radiusd.keytab radiusd -X
Note, when using KRB5_CLIENT_KTNAME you should never acquire with
'kinit' (not even 'kinit -k').
Otherwise even if the credentials were acquired for the same
principal, the ticket won't get renewed when it expires.
So having a distinct ccache is a good idea indeed.
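As an added illustration of the advice above (not code from the thread or from FreeRADIUS), a small launcher that starts the daemon with its own MEMORY: cache plus the client keytab, and refuses to inherit a file-based cache that a user's kinit may have populated. The paths, the DAEMON/KEYTAB variables and the helper names are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper: give the daemon a private, per-process Kerberos
# credential cache so it never reuses an interactive user's kinit tickets and
# always acquires (and re-acquires) them from its client keytab.

# Assumed defaults; override per host.
KEYTAB=${KEYTAB:-/etc/radiusd.keytab}
DAEMON=${DAEMON:-radiusd}

# Return 0 when the ccache spec names a private in-memory cache (MEMORY:name).
# FILE:, DIR:, KEYRING: or an empty value are treated as shareable/unsafe here.
ccache_is_private() {
    case "$1" in
        MEMORY:*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Return 0 when a keytab path is given and the file is readable.
keytab_usable() {
    [ -n "$1" ] && [ -r "$1" ]
}

# Run the daemon in an isolated Kerberos environment; extra arguments
# (e.g. -X for debug mode) are passed through to the daemon.
run_with_private_ccache() {
    ccache="MEMORY:$DAEMON-$$"
    if ! keytab_usable "$KEYTAB"; then
        echo "keytab $KEYTAB is missing or unreadable" >&2
        return 2
    fi
    # An inherited non-MEMORY cache almost certainly came from kinit; if the
    # daemon used it, the ticket would not be renewed from the keytab on expiry.
    if [ -n "$KRB5CCNAME" ] && ! ccache_is_private "$KRB5CCNAME"; then
        echo "KRB5CCNAME=$KRB5CCNAME looks like a user cache; refusing" >&2
        return 3
    fi
    # MEMORY: caches are per-process, so the daemon starts empty and libkrb5
    # fills the cache from KRB5_CLIENT_KTNAME, refreshing it when the TGT expires.
    KRB5CCNAME="$ccache" KRB5_CLIENT_KTNAME="$KEYTAB" exec "$DAEMON" "$@"
}
```

Invoke as `run_with_private_ccache -X` from a script that sources this file, or call it at the bottom of the file itself.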