On Thu, Nov 07, 2002 at 11:47:03AM -0500, Brian Johnson wrote:
> auth: type "Kerberos"
> modcall: entering group authenticate
> rlm_krb5: krb5 server princ name: hythloth.netcom.duke.edu
> rlm_krb5: verify_krb_v5_tgt: host key not found : No such file or directory

> So I'm now no longer seeing a Reject packet, but I'm not getting
> authenticated either. What I did notice in the debugging information was:
> rlm_krb5: krb5 server princ name: hythloth.netcom.duke.edu
> rlm_krb5: verify_krb_v5_tgt: host key not found : No such file or directory

> Just a quick note: I have /etc/krb* files in place and AFAICT configured
> correctly for my environment....

> hythloth is the machine the radius server is on (my workstation), so the
> kerberos server is located elsewhere. Is it looking at my machine for the
> kerberos server?

The Kerberos module was recently fixed to require a Kerberos host principal on the RADIUS server to ensure that responses from the KDC are properly verified. It seems freeradius is not finding your host key.

You say that you have /etc/krb* files in place. Is /etc/krb5.keytab among these files? Is /etc/krb5.keytab set up with a service principal called host/hythloth.netcom.duke.edu? If not, you should consult your Kerberos administrator about getting this set up. If you are the Kerberos admin, you should consult the documentation for your version of Kerberos. :)

Normally, /etc/krb5.keytab is only readable by root, which is highly advisable. This means that your radius server must also run as root to read the keytab. I have an uncommitted (AFAIK) patch that will let freeradius look in an arbitrary keytab for an arbitrary service principal, removing this restriction. On our systems, we're using service principals named radius/<fqdn>, which is working well.

-- 
Steve Langasek
postmodern programmer
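The reply boils down to two things a RADIUS admin can verify before blaming rlm_krb5: the keytab exists and is readable only by root, and it holds an entry for the expected service principal (host/<fqdn>, or radius/<fqdn> with the patch mentioned). The script below is an added example, not code from the thread or from FreeRADIUS; it wraps those two checks as POSIX shell functions. The realm NETCOM.DUKE.EDU in the sample `klist -k` output is a constructed value for offline testing of the parser, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the original thread): pre-flight checks for the keytab
# that rlm_krb5 needs. Run as:  check_keytab /etc/krb5.keytab host/hythloth.netcom.duke.edu

# keytab_has_principal KLIST_OUTPUT PRINCIPAL
# Parses the text produced by `klist -k [-t] <keytab>` ($1) and succeeds if an
# entry whose principal starts with PRINCIPAL@ (any realm) is listed. The
# principal is always the last field, with or without the -t timestamp column.
keytab_has_principal() {
  printf '%s\n' "$1" | awk -v p="$2" '
    NF >= 2 && index($NF, p "@") == 1 { found = 1 }
    END { exit found ? 0 : 1 }'
}

# keytab_is_private FILE
# Succeeds if FILE is a regular file with no group or world permission bits,
# i.e. the root-only mode the reply recommends (the daemon must then run as
# root, or use a separate keytab owned by its own account).
keytab_is_private() {
  [ -f "$1" ] || return 1
  case "$(ls -ld "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *)      return 1 ;;
  esac
}

# check_keytab [FILE] [PRINCIPAL]
# Runs both checks against a real keytab; defaults to /etc/krb5.keytab and
# host/<this host's fqdn>. Returns 0 on success, 1 on failure, 2 if klist is absent.
check_keytab() {
  keytab=${1:-/etc/krb5.keytab}
  princ=${2:-host/$(hostname -f 2>/dev/null || hostname)}
  if ! keytab_is_private "$keytab"; then
    echo "FAIL: $keytab is missing or readable by group/other"
    return 1
  fi
  if ! command -v klist >/dev/null 2>&1; then
    echo "SKIP: klist not installed; cannot list $keytab"
    return 2
  fi
  out=$(klist -k "$keytab" 2>&1) || { echo "FAIL: klist could not read $keytab: $out"; return 1; }
  if keytab_has_principal "$out" "$princ"; then
    echo "OK: $keytab is root-only and contains $princ"
  else
    echo "FAIL: $keytab has no entry for $princ (rlm_krb5 will report 'host key not found')"
    return 1
  fi
}

# Constructed sample of `klist -k` output so the parser can be exercised offline.
# The realm is an assumption for the example only.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/hythloth.netcom.duke.edu@NETCOM.DUKE.EDU
   2 radius/hythloth.netcom.duke.edu@NETCOM.DUKE.EDU'
```

The permission check reads the mode string from `ls -ld` rather than `stat`, because `stat`'s flags differ between GNU and BSD userlands; the keytab parser reads `klist` output rather than the binary keytab format, which is version-dependent.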
