Isaac Boukris iboukris at
Wed Oct 19 16:39:49 CEST 2016

On Wed, Oct 19, 2016 at 5:12 PM, Brian Candler <b.candler at> wrote:
> However if I "kinit admin" so that I have an existing Kerberos ticket, and
> then start radiusd, it uses the existing ticket. And this means that user
> lookups fail:
> The solution is to override the credentials cache type:
> KRB5CCNAME=MEMORY: KRB5_CLIENT_KTNAME=/etc/radiusd.keytab radiusd -X

Note, when using KRB5_CLIENT_KTNAME you should never acquire with
'kinit' (not even 'kinit -k).
Otherwise even if the credentials were acquired for the same
principal, the ticket won't get renewed when it expires.
So having a distinct ccache is a good idea indeed.

More information about the Freeradius-Users mailing list