Freeradius, Kerberos and Openldap GSSAPI-SASL service principal issue

Dario García Díaz-Miguel dgdiaz at gmv.com
Fri Sep 18 11:53:43 CEST 2020 

Hi there,

I'm writing to this mailing list looking for some help in order to configure Freeradius on a Kerberos and OpenLDAP GSSAPI-SASL infrastructure.
We have everything working flawlessly. Freeradius service and server is working fine with krb5 and ldap modules enabled. The problem is when we need to start the freeradius service.
The service only starts if you manually issue a ticket for the service kerberos principal or the host principal.
This is such a strange behavior I can't understand.

Krb5 module:
krb5 {
                keytab = /etc/radius.keytab
                service_principal = radius/ex.ample.com
                pool {
                               start = ${thread[pool].start_servers}
                               min = ${thread[pool].min_spare_servers}
                               max = ${thread[pool].max_servers}
                               spare = ${thread[pool].max_spare_servers}
                               uses = 0
                               lifetime = 0
                               idle_timeout = 0
}
}

The keytab /etc/radius.keytab contains the keys for the service principal radius/ex.ample.com.
The service should be able to access to the keytab to asks automatically for a ticket for radius/ex.ample.com. But it doesn't. Instead, the service fails until we issue for a new ticket:

kinit -k -t /etc/radius.keytab radius/ex.ample.com

The ownership of this keytab is radiusd:radiusd and it has  reading permissions 440. But I've also tried with 777 with no luck

The reason because it does not understand is that ldap has anon bind disallowed and the freeradius service tries an anonymous bind.
I know that according to the rules I should have posted the full output debug log but I'm afraid that since it's a totally isolated environment, I can't extract the whole log.
Error: rlm_ldap (ldap): Bind with (anonymous) to ldap://ex.ample.com:389 failed: Local error
Error: rlm_ldap (ldap): Opening connection failed (0)
Error: rlm_ldap (ldap): Error: /etc/raddb/mods-enabled/ldap [8]: Instantiation failed for module "ldap"

This is how the ldap module SASL section looks:

sasl {
                mech = 'GSSAPI'
                realm ='EX.AMPLE.COM'
}

The most weird behavior is that If we issue a host ticket (kinit -k) it starts and bind correctly using the host/ex.ample.com service principal. No matter that the service principal configured on krb5 module is radius/ex.ample.com

Any ideas about how to proceed and the reasons why this happens?

We are running the 3.0.15-2.11.2 freeradius version on SuSE12 SP3.

Thank you so much.
Kind Regards.


Dario Garcia
Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division
GMV
C\ de Isaac Newton, 11
28760, Tres Cantos, Madrid
España
+34 918 07 21 00
+34 918 07 21 99
www.gmv.com











P Please consider the environment before printing this e-mail.

More information about the Freeradius-Users mailing list