Freeradius, Kerberos and Openldap GSSAPI-SASL service principal issue
L.P.H. van Belle
belle at bazuin.nl
Fri Sep 18 12:29:22 CEST 2020
Hi Marco,
As far as I know ...
Error: rlm_ldap (ldap): Bind with (anonymous) to ldap://ex.ample.com:389 failed: Local error
That's the problem: you're not allowed to bind anonymously to the AD.
Use ldaps and use a valid user from AD.
Add the SPN/UPN to the keytab file. I see you already did that, but is it also known in the AD?
If not, use (on a member server):
net ads keytab add_update_ads radius/$(hostname -f) -U Administrator
Greetz,
Louis
;-)
> -----Original Message-----
> From: Freeradius-Users
> [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freeradius.org] On behalf of Dario García Díaz-Miguel
> Sent: Friday, 18 September 2020 11:54
> To: freeradius-users at lists.freeradius.org
> Subject: Freeradius, Kerberos and Openldap GSSAPI-SASL service principal issue
>
> Hi there,
>
> I'm writing to this mailing list looking for some help in
> order to configure Freeradius on a Kerberos and OpenLDAP
> GSSAPI-SASL infrastructure.
> We have everything working flawlessly. The Freeradius service and
> server are working fine with the krb5 and ldap modules enabled.
> The problem is when we need to start the freeradius service.
> The service only starts if you manually issue a ticket for
> the service kerberos principal or the host principal.
> This is such a strange behavior that I can't understand it.
>
> Krb5 module:
>
> krb5 {
>     keytab = /etc/radius.keytab
>     service_principal = radius/ex.ample.com
>     pool {
>         start = ${thread[pool].start_servers}
>         min = ${thread[pool].min_spare_servers}
>         max = ${thread[pool].max_servers}
>         spare = ${thread[pool].max_spare_servers}
>         uses = 0
>         lifetime = 0
>         idle_timeout = 0
>     }
> }
>
> The keytab /etc/radius.keytab contains the keys for the
> service principal radius/ex.ample.com.
> The service should be able to access the keytab to ask
> automatically for a ticket for radius/ex.ample.com. But it
> doesn't. Instead, the service fails until we issue a new ticket:
>
> kinit -k -t /etc/radius.keytab radius/ex.ample.com
>
> The ownership of this keytab is radiusd:radiusd and it has
> read permissions 440. But I've also tried with 777 with no luck.
>
> The reason, which I don't understand, is that ldap has
> anonymous bind disallowed and the freeradius service tries an
> anonymous bind.
> I know that according to the rules I should have posted the
> full output debug log but I'm afraid that since it's a
> totally isolated environment, I can't extract the whole log.
> Error: rlm_ldap (ldap): Bind with (anonymous) to ldap://ex.ample.com:389 failed: Local error
> Error: rlm_ldap (ldap): Opening connection failed (0)
> Error: rlm_ldap (ldap): Error: /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
>
> This is how the ldap module SASL section looks:
>
> sasl {
>     mech = 'GSSAPI'
>     realm = 'EX.AMPLE.COM'
> }
>
> The weirdest behavior is that if we issue a host ticket
> (kinit -k) it starts and binds correctly using the
> host/ex.ample.com service principal, no matter that the
> service principal configured in the krb5 module is radius/ex.ample.com.
>
> Any ideas about how to proceed and the reasons why this happens?
>
> We are running freeradius version 3.0.15-2.11.2 on SuSE12 SP3.
>
> Thank you so much.
> Kind Regards.
>
>
> Dario Garcia Díaz-Miguel
> GGCS-SES Unit
> GGCS SKMF Infrastructure Division
> GMV
> C/ de Isaac Newton, 11
> 28760, Tres Cantos, Madrid
> España
> +34 918 07 21 00
> +34 918 07 21 99
> www.gmv.com
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
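The thread turns on two separate things: whether the keytab really holds radius/ex.ample.com, and which principal (if any) the radiusd process has in its credential cache when rlm_ldap attempts the GSSAPI bind. The following diagnostic script is an added example, not code from the thread or from FreeRADIUS; it parses `klist` output so it can also be exercised offline on constructed sample listings, and it assumes the keytab path and principal names used in the thread (override with the KEYTAB and PRINCIPAL variables).

```shell
#!/bin/sh
# Added diagnostic helper, not code from the thread. It checks the two things
# the GSSAPI bind in rlm_ldap depends on: the keytab holds the service
# principal, and a credential cache (or client keytab) is available to the
# radiusd process. Paths and principals are those used in the thread and
# are placeholders for your own values.
KEYTAB="${KEYTAB:-/etc/radius.keytab}"
PRINCIPAL="${PRINCIPAL:-radius/ex.ample.com@EX.AMPLE.COM}"

# keytab_has_principal LISTING PRINCIPAL
# LISTING is the text printed by `klist -k -t "$KEYTAB"`; succeeds when an
# entry row (first column is the numeric KVNO) names PRINCIPAL exactly.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $NF == p { found = 1 }
        END { exit found ? 0 : 1 }'
}

# ccache_default_principal LISTING
# LISTING is the text printed by `klist`; prints the "Default principal"
# value, i.e. the identity the GSSAPI bind would authenticate as.
ccache_default_principal() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: //p'
}

# run_checks: runs the real klist on this host. With no cache present, the
# MIT client-keytab mechanism (KRB5_CLIENT_KTNAME, krb5 >= 1.11) lets the
# GSSAPI library obtain a TGT from the keytab without a manual kinit.
run_checks() {
    command -v klist >/dev/null 2>&1 || { echo "klist not found"; return 2; }
    if keytab_has_principal "$(klist -k -t "$KEYTAB" 2>/dev/null)" "$PRINCIPAL"; then
        echo "ok: $KEYTAB contains $PRINCIPAL"
    else
        echo "missing: $PRINCIPAL not in $KEYTAB"; return 1
    fi
    who="$(ccache_default_principal "$(klist 2>/dev/null)")"
    if [ -z "$who" ]; then
        echo "no credential cache; set KRB5_CLIENT_KTNAME=$KEYTAB for radiusd"
    elif [ "$who" != "$PRINCIPAL" ]; then
        echo "cache holds $who, not $PRINCIPAL (the bind would use $who)"
    else
        echo "ok: cache holds $PRINCIPAL"
    fi
}

# Constructed sample output (not captured from a real host) for offline use.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/radius.keytab
KVNO Timestamp           Principal
---- ------------------- --------------------------------
   2 09/18/2020 10:00:00 radius/ex.ample.com@EX.AMPLE.COM'
SAMPLE_CCACHE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/ex.ample.com@EX.AMPLE.COM'

if [ "${1:-}" = "live" ]; then run_checks; fi
```

Run it as `sh check_gssapi.sh live` as the radiusd user to see what the service itself would find; a cache holding host/ex.ample.com explains why the bind "works" after a plain `kinit -k`.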