Active Directory authenticated VPN
pischta at gmail.com
Thu May 6 11:57:53 CEST 2021
Michael Ströder via Freeradius-Users <freeradius-users at lists.freeradius.org>
wrote (on Thu, May 6, 2021, 10:47):
> You're using mixed citation from two different authors. Please cite
> On 5/6/21 10:28 AM, Pisch Tamás wrote:
> > Michael Ströder wrote:
> >> People who are really eager to use Kerberos could probably just set SASL
> >> mech GSSAPI and let libkrb5 do the work.
> >> Configuration can be done outside of FreeRADIUS with some env vars:
> > I've already read it. I know that I should set environmental variables. I
> > tried KRB5_CONFIG, but krb5.conf didn't even appear in the freeradius
> > output.
> Because as Alan already said FreeRADIUS does not know anything about
> FYI: SASL and GSSAPI are two authentication abstraction layers.
> Mainly FreeRADIUS passes the SASL mech string as-is to libldap which
> invokes libsasl with the correct parameters. For SASL mech GSSAPI
> libsasl calls libgssapi_krb5 which calls libkrb5 which does the real work.
Great, thanks. I feel lost in a jungle. This is why I wrote to the
list, and the "read the documentation" answer doesn't help me. Surely I could
find these somewhere in the documentation someday, but concrete helps me a
> You can try to set KRB5_TRACE to let libkrb5 write debug logs.
Ok, I did it. When I use kinit, I can see messages in the log. When I start
freeradius, nothing new appears in the log with
start_tls = no
mech = 'GSSAPI'
realm = 'ad.ourdomain.hu'
I tried with start_tls again, with
But it didn't help. I still get "Strong(er) authentication required"
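
Added example, not part of the thread: a shell check of whether the libkrb5 variables discussed above (KRB5_CONFIG, KRB5_TRACE) are present in the environment of the running freeradius process, which is where libkrb5 looks them up, rather than in the shell where kinit was run. It assumes Linux /proc; the function names krb5_env_get and krb5_env_report are made up for this example.

```shell
#!/bin/sh
# Added example: list the Kerberos-related environment variables a running
# process was started with, read from its /proc/<pid>/environ (Linux).

# Environment variables read by MIT libkrb5.
KRB5_VARS="KRB5_CONFIG KRB5_TRACE KRB5CCNAME KRB5_CLIENT_KTNAME KRB5_KTNAME"

# krb5_env_get FILE NAME
# FILE is in environ format (NUL-separated NAME=VALUE entries).
# Prints NAME's value; returns 1 if NAME is not set in FILE.
krb5_env_get() {
    entry=$(tr '\0' '\n' < "$1" | grep "^$2=" | head -n 1 || true)
    [ -n "$entry" ] || return 1
    printf '%s\n' "${entry#*=}"
}

# krb5_env_report FILE
# Prints one line per variable in KRB5_VARS: "NAME=VALUE" or "NAME (unset)".
krb5_env_report() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    for name in $KRB5_VARS; do
        if value=$(krb5_env_get "$1" "$name"); then
            echo "$name=$value"
        else
            echo "$name (unset)"
        fi
    done
}

# Script usage: sh krb5env.sh <pid of the freeradius process>
if [ "$#" -ge 1 ]; then
    krb5_env_report "/proc/$1/environ"
fi
```

Reading another user's /proc/<pid>/environ requires root, and the file shows the environment the process was started with.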