Debugmode together with Kerberos

Alan DeKok aland at deployingradius.com
Sun Oct 29 15:27:14 UTC 2023


On Oct 29, 2023, at 10:36 AM, Stefan Kania <stefan at kania-online.de> wrote:
> I have configured freeradius to use gssapi for authentication while searching the LDAP for users or hosts. Now I can't start the debug mode anymore. Every time I try I'm getting:
> ----------
> rlm_ldap (ldap): Connecting to ldaps://ldap-r01.example.net:636 ldaps://ldap-r02.example.net:636
> rlm_ldap (ldap): Starting SASL mech(s): gssapi
> SASL/GSSAPI authentication started
> rlm_ldap (ldap): Bind with (anonymous) to ldaps://ldap-r01.example.net:636 ldaps://ldap-r02.example.net:636 failed: Local error

  The "Local error" message is coming from libldap.  So there's some libldap issue which is causing the problem.

  If you're using kerberos, it's likely some kerberos setup issue.

  i.e., kerberos is set up for the "radiusd" user, but not for the UID you're using when running the server in debug mode.

  So either run the server as the "radiusd" user in debug mode via su / sudo / etc., or allow that UID to use kerberos and connect to ldap.

> The log from the LDAP-server is showing:
> ----------
> Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 fd=26 ACCEPT from IP=192.168.56.47:34490 (IP=0.0.0.0:636)
> Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 fd=26 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
> Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 op=0 UNBIND
> Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 fd=26 closed

 That's unhelpful.

> Running freeradius normally I can search for a user and check authentication with username and password
> ...
> So as you can see, authentication via Kerberos for the search and authentication of users is working.

  When running as the UID which has permission to talk to ldap.

> To do the next step, switch to user-authentication via certificate, I want to start the debug mode, but I could not figure out how to get the debug mode running with Kerberos authentication :-(
> Is there a way to get it running?

  Changing UIDs should work.

  Alan DeKok.
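The fix suggested in the reply above, as an added example that is not part of the thread and not FreeRADIUS project code. It assumes the daemon runs as the user "radiusd", that the binary is called "radiusd", and that the service principal's keytab lives at /etc/raddb/radius.keytab; all three are assumptions and are overridable through environment variables. The script works out which Kerberos credential cache the debugging UID would use, compares it with the daemon user's cache, and when they differ starts `radiusd -X` under the daemon user via sudo so the GSSAPI bind in rlm_ldap finds the same credentials the service uses.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the FreeRADIUS project.
# Runs radiusd in debug mode under the UID the daemon normally uses, so the
# GSSAPI bind in rlm_ldap finds that user's Kerberos credentials.
# Assumptions (override via environment): daemon user "radiusd", binary
# "radiusd", keytab /etc/raddb/radius.keytab, principal taken from the keytab.
RADIUS_USER="${RADIUS_USER:-radiusd}"
RADIUS_BIN="${RADIUS_BIN:-radiusd}"
RADIUS_KEYTAB="${RADIUS_KEYTAB:-/etc/raddb/radius.keytab}"
RADIUS_PRINCIPAL="${RADIUS_PRINCIPAL:-}"   # empty: let kinit pick its default

# MIT Kerberos' build default credential cache is FILE:/tmp/krb5cc_<uid>
# unless KRB5CCNAME overrides it (default_ccache_name in krb5.conf can also
# change it; KEYRING: and KCM: caches are per-UID as well, so the rule that
# another UID gets another cache still holds).
ccache_for_uid() {
    # $1 = numeric uid, $2 = value of KRB5CCNAME ("" when unset)
    if [ -n "$2" ]; then
        printf '%s\n' "$2"
    else
        printf 'FILE:/tmp/krb5cc_%s\n' "$1"
    fi
}

# Returns 0 when the debugging user and the daemon user resolve to the same
# cache, 1 otherwise (the situation in the thread: an admin's or root's cache
# versus the radiusd user's cache).
same_ccache_as_daemon() {
    # $1 = uid of debugging user, $2 = its KRB5CCNAME,
    # $3 = uid of daemon user,    $4 = its KRB5CCNAME
    [ "$(ccache_for_uid "$1" "$2")" = "$(ccache_for_uid "$3" "$4")" ]
}

main() {
    me="$(id -u)"
    daemon_uid="$(id -u "$RADIUS_USER")" || {
        echo "no such user: $RADIUS_USER" >&2
        exit 1
    }

    # Already the daemon user (or pointed at its cache): just start debug mode.
    if same_ccache_as_daemon "$me" "${KRB5CCNAME:-}" "$daemon_uid" ""; then
        exec "$RADIUS_BIN" -X
    fi

    echo "debug session would use $(ccache_for_uid "$me" "${KRB5CCNAME:-}")," \
         "daemon uses $(ccache_for_uid "$daemon_uid" "")" >&2

    # Option 1 from the reply: run the server as the daemon user. sudo's
    # default env_reset drops KRB5CCNAME from the admin shell and -H sets HOME
    # to the daemon user's, so libkrb5 resolves the daemon user's own cache.
    # klist -s exits non-zero when that cache holds no valid ticket; in that
    # case obtain one from the keytab first, also as the daemon user.
    if ! sudo -u "$RADIUS_USER" -H klist -s 2>/dev/null; then
        sudo -u "$RADIUS_USER" -H kinit -k -t "$RADIUS_KEYTAB" \
            ${RADIUS_PRINCIPAL:+"$RADIUS_PRINCIPAL"} || exit 1
    fi
    exec sudo -u "$RADIUS_USER" -H "$RADIUS_BIN" -X
}

case "${1:-}" in
    start) main ;;
    *) echo "usage: $0 start" >&2 ;;
esac
```

Run it as `sh radiusd-debug.sh start` from the admin account. On Debian and Ubuntu the package names the binary `freeradius` and the user `freerad`, so set `RADIUS_BIN` and `RADIUS_USER` accordingly. The second option in the reply, giving the admin UID its own credentials, is just `kinit -k -t <keytab> <principal>` in the admin shell before `radiusd -X`, but that leaves a copy of the service credentials in a second cache, which is why running as the daemon user is the cleaner choice.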
