Debugmode together with Kerberos

Brendan Kearney bpk678 at gmail.com
Sun Oct 29 21:49:49 UTC 2023


On 10/29/23 11:27 AM, Alan DeKok wrote:
> On Oct 29, 2023, at 10:36 AM, Stefan Kania <stefan at kania-online.de> wrote:
>> I have configured freeradius to use gssapi for authentication while searching the LDAP for users or hosts. Now I can't start the debugmode anymore. Everytime I try I'm getting:
>> ----------
>> rlm_ldap (ldap): Connecting to ldaps://ldap-r01.example.net:636 ldaps://ldap-r02.example.net:636
>> rlm_ldap (ldap): Starting SASL mech(s): gssapi
>> SASL/GSSAPI authentication started
>> rlm_ldap (ldap): Bind with (anonymous) to ldaps://ldap-r01.example.net:636 ldaps://ldap-r02.example.net:636 failed: Local error
>    The "Local error" message is coming from libldap.  So there's some libldap issue which is causing the problem.
>
>    If you're using kerberos, it's likely some kerberos setup issue.
>
>    i.e. kerberos is set up for the "radiusd" user, but not for the UID you're using when running the server in debug mode,
>
>    So either run the server as the "radiusd" user in debug mode via su / sudo / etc., or allow that UID to use kerberos and connect to ldap.
>
>> The log from the LDAP-server is showing:
>> ----------
>> Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 fd=26 ACCEPT from IP=192.168.56.47:34490 (IP=0.0.0.0:636)
>> Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 fd=26 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
>> Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 op=0 UNBIND
>> Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 fd=26 closed
>   That's unhelpful.
>
>> Running freeradius normal I can search for a user end check authentication with username and password
>> ...
>> So as you can see, authentication via Kerberos for the search and authentication of users is working.
>    When running as the UID which has permission to talk to ldap.
>
>> To do the next step, switch to user-authentication via certificate, I want to start the debugmode, but I could not figure out how to get the debugmode running with Kerberos authentication :-(
>> Is there a way to get it running?
>    Changing UIDs should work.
>
>    Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

I have a script that exports an env variable with the keytab specified 
and then runs radiusd -X.  This is necessary for radius to pick up the 
kerberos creds in the keytab and be able to bind to the directory.

#!/bin/bash

# Point the Kerberos client library at the service keytab so the GSSAPI
# bind has credentials even though the calling UID has no ticket cache.
export KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab
radiusd -X
# Clear the variable again once the debug session ends.
export KRB5_CLIENT_KTNAME=

this requires that the principal in the keytab, 
radius/host.domain.tld@REALM, be mapped to an identity and be able to 
query the directory.
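An added example, not Brendan's script and not part of FreeRADIUS: a wrapper that checks the keytab is present and readable by the UID you are running as before launching radiusd -X, since that readability is exactly what differs between the radiusd user and an admin shell and is what surfaces as libldap's "Local error". The keytab path, the RADIUS_USER variable and the `--run` flag are assumptions; `klist -k` and `kinit -kt` are MIT Kerberos commands.

```bash
#!/bin/bash
# Example wrapper for starting radiusd in debug mode with a GSSAPI keytab.
# Assumed defaults: keytab path and service user are placeholders.
KEYTAB="${KEYTAB:-/etc/raddb/radius.keytab}"
RADIUS_USER="${RADIUS_USER:-radiusd}"

# keytab_check FILE: returns 0 if FILE is a regular file readable by the
# current UID, otherwise reports why and returns 1. A keytab owned by the
# radiusd user with mode 0600 fails here for any other UID, which is the
# usual cause of a GSSAPI bind failing only in debug mode.
keytab_check() {
    kt="$1"
    if [ ! -f "$kt" ]; then
        echo "keytab $kt does not exist" >&2
        return 1
    fi
    if [ ! -r "$kt" ]; then
        echo "keytab $kt is not readable by uid $(id -u)" >&2
        return 1
    fi
    return 0
}

# keytab_principal FILE: prints the first principal stored in FILE.
# Assumes MIT klist output: two header lines, a separator, then one entry per
# line with the principal in the last column.
keytab_principal() {
    command -v klist >/dev/null 2>&1 || return 1
    klist -k "$1" 2>/dev/null | awk 'NR>3 { print $NF; exit }'
}

# run_debug: verify the keytab, optionally prove it works against the KDC
# with kinit, then exec radiusd -X with KRB5_CLIENT_KTNAME exported.
run_debug() {
    keytab_check "$KEYTAB" || return 1
    export KRB5_CLIENT_KTNAME="$KEYTAB"
    if p=$(keytab_principal "$KEYTAB") && [ -n "$p" ]; then
        # A failure here means the keytab or KDC is the problem, not libldap.
        kinit -kt "$KEYTAB" "$p" || { echo "kinit as $p failed" >&2; return 1; }
    fi
    echo "starting radiusd -X as uid $(id -u) with keytab $KEYTAB" >&2
    exec radiusd -X
}

# Only start the server when invoked with --run, so the functions above can
# be sourced and tested without launching anything.
if [ "${1:-}" = "--run" ]; then
    run_debug
fi
```

If you follow Alan's advice and switch to the radiusd user with sudo, remember that sudo's default env_reset drops KRB5_CLIENT_KTNAME; either set it inside the command you hand to sudo or allow it through env_keep. The wrapper is invoked as `./radius-debug.sh --run`.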
