Active Directory authenticated VPN
Michael Ströder
michael at stroeder.com
Thu May 6 10:46:55 CEST 2021
You're using mixed citation from two different authors. Please cite
correctly.
On 5/6/21 10:28 AM, Pisch Tamás wrote:
> Michael Ströder wrote:
>> People who are really eager to use Kerberos could probably just set SASL
>> mech GSSAPI and let libkrb5 do the work.
>> Configuration can be done outside of FreeRADIUS with some env vars:
>>
>> https://web.mit.edu/kerberos/krb5-devel/doc/user/user_config/kerberos.html#environment-variables
>
> I've already read it. I know that I should set environmental variables. I
> tried KRB5_CONFIG, but krb5.conf didn't even appear in the freeradius debug
> output.
Because as Alan already said FreeRADIUS does not know anything about
Kerberos.
FYI: SASL and GSSAPI are two authentication abstraction layers.
Mainly FreeRADIUS passes the SASL mech string as-is to libldap which
invokes libsasl with the correct parameters. For SASL mech GSSAPI
libsasl calls libgssapi_krb5 which calls libkrb5 which does the real work.
You can try to set KRB5_TRACE to let libkrb5 write debug logs.
Ciao, Michael.
More information about the Freeradius-Users
mailing list