Freeradius, Kerberos and Openldap GSSAPI-SASL service principal issue

L.P.H. van Belle belle at bazuin.nl
Fri Sep 18 12:29:22 CEST 2020


Hai Marco, 

As far as I know .. 
Error: rlm_ldap (ldap): Bind with (anonymous) to ldap://ex.ample.com:389 failed: Local error 
That's the problem: you're not allowed to bind anonymously to the AD. 
Use ldaps and use a valid user from AD. 

Add the SPN/UPN to the keytab file; I see you already did that, but is it also known in the AD? 

If not, use: ( on a member server ) 

net ads keytab add_update_ads radius/$(hostname -f) -U Administrator

Greetz, 

Louis  
;-) 


> -----Original message-----
> From: Freeradius-Users 
> [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freeradius.org] On behalf of Dario García Díaz-Miguel
> Sent: Friday 18 September 2020 11:54
> To: freeradius-users at lists.freeradius.org
> Subject: Freeradius, Kerberos and Openldap GSSAPI-SASL service principal issue
> 
> Hi there,
> 
> I'm writing to this mailing list looking for some help in 
> order to configure Freeradius on a Kerberos and OpenLDAP 
> GSSAPI-SASL infrastructure.
> We have everything working flawlessly. The Freeradius service and 
> server are working fine with the krb5 and ldap modules enabled. 
> The problem is when we need to start the freeradius service.
> The service only starts if you manually issue a ticket for 
> the service Kerberos principal or the host principal.
> This is such a strange behavior that I can't understand it.
> 
> Krb5 module:
> krb5 {
>     keytab = /etc/radius.keytab
>     service_principal = radius/ex.ample.com
>     pool {
>         start = ${thread[pool].start_servers}
>         min = ${thread[pool].min_spare_servers}
>         max = ${thread[pool].max_servers}
>         spare = ${thread[pool].max_spare_servers}
>         uses = 0
>         lifetime = 0
>         idle_timeout = 0
>     }
> }
> 
> The keytab /etc/radius.keytab contains the keys for the 
> service principal radius/ex.ample.com.
> The service should be able to access the keytab to ask 
> automatically for a ticket for radius/ex.ample.com. But it 
> doesn't. Instead, the service fails until we issue a new ticket:
> 
> kinit -k -t /etc/radius.keytab radius/ex.ample.com
> 
> The ownership of this keytab is radiusd:radiusd and it has 
> read permissions 440. But I've also tried with 777 with no luck.
> 
> The reason, which I do not understand, is that ldap has 
> anonymous bind disallowed and the freeradius service tries an 
> anonymous bind.
> I know that according to the rules I should have posted the 
> full debug log output, but I'm afraid that since it's a 
> totally isolated environment, I can't extract the whole log.
> Error: rlm_ldap (ldap): Bind with (anonymous) to 
> ldap://ex.ample.com:389 failed: Local error
> Error: rlm_ldap (ldap): Opening connection failed (0)
> Error: rlm_ldap (ldap): Error: /etc/raddb/mods-enabled/ldap 
> [8]: Instantiation failed for module "ldap"
> 
> This is how the ldap module SASL section looks:
> 
> sasl {
>     mech = 'GSSAPI'
>     realm = 'EX.AMPLE.COM'
> }
> 
> The weirdest behavior is that if we issue a host ticket 
> (kinit -k) it starts and binds correctly using the 
> host/ex.ample.com service principal, no matter that the 
> service principal configured in the krb5 module is radius/ex.ample.com.
> 
> Any ideas about how to proceed and the reasons why this happens?
> 
> We are running freeradius version 3.0.15-2.11.2 on SuSE12 SP3.
> 
> Thank you so much.
> Kind Regards.
> 
> 
> Dario Garcia
> Díaz-Miguel
> GGCS-SES Unit
> GGCS SKMF Infrastructure Division
> GMV
> C\ de Isaac Newton, 11
> 28760, Tres Cantos, Madrid
> España
> +34 918 07 21 00
> +34 918 07 21 99
> www.gmv.com
> 
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> 

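An added diagnostic for the failure discussed in this thread (example code, not from the list, from FreeRADIUS or from either poster): rlm_ldap's SASL GSSAPI bind uses whatever Kerberos credential cache libkrb5 finds, so the bind silently runs as host/ex.ample.com when that is what the cache holds, and fails when there is no cache at all. The helpers parse klist output, so the checks run offline against constructed samples; the principal names and the /etc/radius.keytab path are taken from the thread, the sample listings are constructed.

```shell
#!/bin/sh
# Added example: sanity-check the identity a GSSAPI LDAP bind would actually use.
# Not part of the mailing-list thread; klist output formats are MIT krb5's.

# Exit 0 when the keytab listing on stdin (klist -k format: "KVNO Principal")
# contains the principal given as $1, exit 1 otherwise.
keytab_has_principal() {
    awk -v p="$1" '$2 == p { found = 1 } END { exit(found ? 0 : 1) }'
}

# Print the "Default principal" from a ticket-cache listing (klist) read on stdin.
cache_principal() {
    sed -n 's/^Default principal: //p'
}

# Verdict on which identity the bind would use.
# $1 = principal the admin expects (krb5 service_principal), $2 = principal in the cache.
bind_identity_check() {
    expected="$1"; actual="$2"
    if [ -z "$actual" ]; then
        echo "NO_CACHE: no ticket cache found; the bind fails until credentials for $expected exist"
    elif [ "$actual" != "$expected" ]; then
        echo "MISMATCH: cache holds $actual, so the bind would run as that principal, not $expected"
    else
        echo "OK: the bind would use $expected"
    fi
}

# Constructed sample listings mirroring the thread (not real output from the poster's host).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/radius.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 radius/ex.ample.com@EX.AMPLE.COM
   3 radius/ex.ample.com@EX.AMPLE.COM'
SAMPLE_HOST_CACHE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/ex.ample.com@EX.AMPLE.COM'

# Live run, only where the Kerberos tools exist; run it as the radiusd user so the
# cache and keytab permissions seen are the ones the daemon gets.
if command -v klist >/dev/null 2>&1; then
    if klist -k /etc/radius.keytab 2>/dev/null | keytab_has_principal radius/ex.ample.com@EX.AMPLE.COM; then
        echo "keytab: radius/ex.ample.com present"
    else
        echo "keytab: radius/ex.ample.com MISSING"
    fi
    bind_identity_check radius/ex.ample.com@EX.AMPLE.COM "$(klist 2>/dev/null | cache_principal)"
fi
```

Running it as radiusd after `kinit -k` reproduces the MISMATCH verdict the poster observed; running it with no cache shows why the daemon cannot bind at all.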