On Thu, 7 Nov 2002, Allister Maguire wrote:
> Hello,
>
> This is what you need in radius.conf:

Thanks Allister! I added the bits you mentioned in radiusd.conf and it
made things happen differently. Unfortunately it's still not working, but
we're getting closer :)

After including the relevant parts for krb5 in radiusd.conf, I got this
from the server (-xx):

<snip>
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded Kerberos
rlm_krb5: krb5_init ok
Module: Instantiated krb5 (krb5)
Module: Loaded PAP
<snip>
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
Thread 1 waiting to be assigned a request
Thread 2 waiting to be assigned a request
Thread 3 waiting to be assigned a request
Thread 4 waiting to be assigned a request
Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 152.16.0.183:1031, id=234, length=58
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
User-Name = "mbjohn"
User-Password = "[password]"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "mschap" returns notfound
rlm_realm: No '@' in User-Name = "mbjohn", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 4
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Kerberos
auth: type "Kerberos"
modcall: entering group authenticate
rlm_krb5: krb5 server princ name: hythloth.netcom.duke.edu
rlm_krb5: verify_krb_v5_tgt: host key not found : No such file or directory
rad_recv: Access-Request packet from host 152.16.0.183:1031, id=234, length=58
Discarding new request from client brianhome:1031 - ID: 234 due to live request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 152.16.0.183:1031, id=234, length=58
Discarding new request from client brianhome:1031 - ID: 234 due to live request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
So I'm now no longer seeing a Reject packet, but I'm not getting
authenticated either. What I did notice in the debugging information was:
rlm_krb5: krb5 server princ name: hythloth.netcom.duke.edu
rlm_krb5: verify_krb_v5_tgt: host key not found : No such file or directory
Just a quick note: I have /etc/krb* files in place and AFAICT configured
correctly for my environment....
hythloth is the machine the radius server is on (my workstation), so the
kerberos server is located elsewhere. Is it looking at my machine for the
kerberos server?
On the client, I just keep getting 'Sending Access-Request...' 'Re-sending
Access-Request...' messages, so there's nothing new there....
Thanks again for all the help.
Brian
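
The pattern in the debug output above (a request enters the authenticate group, a module logs an error, no reply is sent, and the client's retransmits are discarded) can be picked out mechanically. The following is an added example, not part of the original message or of FreeRADIUS; the names `triage` and `stalled` are hypothetical, and the format of a reply line is an assumption since none appears in the quoted log.

```python
import re

# Constructed sample: condensed from the -xx output quoted above, wrapped lines rejoined.
SAMPLE = """\
rad_recv: Access-Request packet from host 152.16.0.183:1031, id=234, length=58
auth: type "Kerberos"
modcall: entering group authenticate
rlm_krb5: krb5 server princ name: hythloth.netcom.duke.edu
rlm_krb5: verify_krb_v5_tgt: host key not found : No such file or directory
rad_recv: Access-Request packet from host 152.16.0.183:1031, id=234, length=58
Discarding new request from client brianhome:1031 - ID: 234 due to live request 0
rad_recv: Access-Request packet from host 152.16.0.183:1031, id=234, length=58
Discarding new request from client brianhome:1031 - ID: 234 due to live request 0
"""

RECV = re.compile(r"rad_recv: \S+ packet from host (\S+), id=(\d+)")
DISCARD = re.compile(r"Discarding new request from client \S+ - ID: (\d+) due to live request")
# Assumption: a reply is logged as "Sending Access-Reject of id 234 ..." (not shown on the page).
REPLY = re.compile(r"Sending (Access-\w+) of id (\d+)")
MODERR = re.compile(r"(rlm_\w+): .*(?:not found|No such|fail|error)", re.I)

def triage(log):
    """Summarise each request id: auth type, module errors, retransmits, reply."""
    reqs, cur = {}, None
    for line in map(str.strip, log.splitlines()):
        if m := DISCARD.match(line):
            if m.group(1) in reqs:
                reqs[m.group(1)]["retransmits"] += 1
        elif m := RECV.match(line):
            # A retransmit reuses the id; open a new record only once the old one was answered.
            if m.group(2) not in reqs or reqs[m.group(2)]["reply"]:
                reqs[m.group(2)] = {"client": m.group(1), "auth_type": None, "phase": None,
                                    "errors": [], "retransmits": 0, "reply": None}
            cur = reqs[m.group(2)]
        elif (m := REPLY.match(line)) and m.group(2) in reqs:
            reqs[m.group(2)]["reply"] = m.group(1)
        elif cur is not None:
            if line.startswith("modcall: entering group "):
                cur["phase"] = line.rsplit(" ", 1)[1]
            elif line.startswith("auth: type "):
                cur["auth_type"] = line.split('"')[1]
            elif cur["phase"] == "authenticate" and MODERR.match(line):
                cur["errors"].append(line)
    return reqs

def stalled(reqs):
    """Ids that reached authenticate, were retransmitted, and never got a reply."""
    return [i for i, r in reqs.items()
            if r["phase"] == "authenticate" and r["retransmits"] and not r["reply"]]
```

The parser attributes module lines to the most recently received request, so it suits single-client debug runs like the one above rather than interleaved multi-threaded logs.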