Hello again,

Thanks again to the folks who helped me get kerberos compiled in my
freeradius. Unfortunately, the fun didn't stop there...

I've been trying to find some information on how I need to configure the
server to authenticate with kerberos. I found a few others asking the
question, and I found Alan's answer that "DEFAULT Auth-Type = Kerberos"
should do it. So, in my /usr/local/etc/raddb/users file, I have:

DEFAULT Auth-Type = Kerberos
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Routing = Broadcast-Listen,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP

Unfortunately, this doesn't appear to work for me (I'm not sure if it's
'Auth-Type = ' or 'Auth-Type := ', I've tried both). I've uncommented
some lines in radiusd.conf that startup choked on (specifically
/etc/shadow being commented out under the 'unix' module part), but other
than that I've left it untouched. I noticed that there doesn't seem to be
any entry in it for rlm_krb5. Does there need to be something in there?

Also, in one of the mails Alan answered he mentioned that the kerberos
daemon does all the work. Does this mean that the kerberos server must be
running on the same machine as the radius server? There is a main campus
kerberos server and I'm trying to run the radius server on my workstation,
so unfortunately I won't be able to run the kerberos server on my machine,
unless I can tell the server to pass on authentication to the real kerb
server.

Unfortunately, when we try to authenticate, nothing is coming up in
radius.log, so I can't find out anything there. Doing a tcpdump on the
radius server, I get:

    15:16:44.747466 $SOMEIPADDRESS.1059 > hythloth.netcom.duke.edu.datametrics:
        rad-access-req 71 [id 67] Attr[ User{username} Pass [|radius]
    15:16:48.741356 $SOMEIPADDRESS.1059 > hythloth.netcom.duke.edu.datametrics:
        rad-access-req 71 [id 67] Attr[ User{username} Pass [|radius]
    15:16:48.741556 hythloth.netcom.duke.edu.datametrics > $SOMEIPADDRESS.1059:
        rad-access-reject 20 [id 67] (DF)

This is the latest stable version (0.7.1) of freeradius and Red Hat 8.0.
I've tried to find the answer and have had little luck, so any help that
someone in a similar predicament (or those fortunate enough not to be but
know the answers) can give me will be greatly appreciated.

Many Thanks!
Brian Johnson
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html