Cannot get the return code of rlm_krb5

LAUDREN Olivier olivier.laudren at ext.europarl.europa.eu
Thu Mar 30 10:07:20 CEST 2017 

Hello,

I am using FreeRADIUS v3.0.4 on Red Hat Enterprise Linux Server release 7.2 (Maipo), the authenticate section is below;
	authenticate {
		Auth-Type Kerberos {
			krb5
			update control {
				Reason := "%{Module-Return-Code}"
			}
		}
	}

The attribute gets the correct value except (at least) for the "fail" and the "invalid" return codes.
According to the document;
	http://networkradius.com/doc/FreeRADIUS%20Technical%20Guide.pdf
	Table 4.3.3.2 Action table for the Authenticate section.
		Code		Action
		default		reject
		reject		return
		fail		continue
		ok		return
		handled	return
		invalid		continue
		userlock	return
		notfound	return
		noop		continue
		updated	continue
The "fail" should be taken into account but it looks like the action table is as the authorize one below;
		Code		Action
		default		noop
		reject		return
		fail		return
		ok		continue
		handled	return
		invalid		return
		userlock	return
		notfound	continue
		noop		continue
		updated	continue
I have tried to override as shown on this page with no success;
	https://wiki.freeradius.org/config/Fail-over


Any idea of how I could get the actual result from rlm_krb5 module?
Thank you in advance,

Regards,

Olivier LAUDREN.





Ce message contient des informations confidentielles à l'intention exclusive du destinataire. Il ne peut être utilisé, divulgué ou copié de quelconque façon que ce soit par une personne autre que le destinataire désigné. Si vous n'êtes pas le destinataire désigné, merci de contacter l'expéditeur et d'effacer ce message. L'expéditeur de ce message n'est pas mandaté à représenter le Parlement européen. Dès lors, ce message ne constitue pas nécessairement le point de vue officiel du Parlement européen, ni un engagement juridique opposable à ce dernier.
This message contains confidential information intended solely for the attention of the named addressee. It may not be used, disclosed or copied in any way whatsoever by anyone else than the intended addressee. If you are not the intended addressee, please contact the sender and delete this message. The sender of this message is not authorized to represent the European Parliament and therefore this message does not necessarily reflect the official position of the European Parliament and is not legally binding upon it.

More information about the Freeradius-Users mailing list