On Thu, 7 Nov 2002, Steve Langasek wrote:

> The Kerberos module was recently fixed to require a Kerberos host
> principal on the RADIUS server to ensure that responses from the KDC are
> properly verified. It seems freeradius is not finding your host key.
>
> You say that you have /etc/krb* files in place. Is /etc/krb5.keytab
> among these files? Is /etc/krb5.keytab set up with a service principal
> called host/hythloth.netcom.duke.edu? If you do not, you should consult
> your Kerberos administrator about getting this set up. If you are the
> Kerberos admin, you should consult the documentation for your version of
> Kerberos. :)

It appears I misspoke :) /etc/krb5.keytab is unfortunately non-existent. Thanks for the pointer, Steve. I'll get in touch with the kind Kerberos folks for the University and remedy it ASAP.

> Normally, /etc/krb5.keytab is only readable by root, which is highly
> advisable. This means that your radius server must also run as root to
> read the keytab. I have an uncommitted (AFAIK) patch that will let
> freeradius look in an arbitrary keytab for an arbitrary service
> principal, removing this restriction. On our systems, we're using
> service principals named radius/<fqdn>, which is working well.

Thanks also for this hint. We'll be running radiusd as root, so I think this shouldn't be a problem, but it's definitely good to know!

Looks like I get to go bug some Kerberos folks now and give you peoples a break.

Thank you Steve, Alan, and Allister for all of your help! You've been great!

Brian
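
The checks discussed in this thread (the keytab exists, is not readable beyond its owner, and holds the expected host or service principal), as an added example that is not part of the original messages or of FreeRADIUS. It reads the MIT keytab file format version 0x0502 directly; the principal and realm names are constructed placeholders, and `sample_entry` exists only to build test data.

```python
import os, stat, struct

def keytab_principals(data):
    """Return the principal names stored in an MIT keytab (format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, names = 2, set()
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # hole left by a deleted entry
            pos += -size
            continue
        entry, off, parts = data[pos:pos + size], 0, []
        pos += size
        (ncomp,) = struct.unpack_from(">H", entry, off)
        off += 2
        for _ in range(ncomp + 1):         # realm first, then name components
            (n,) = struct.unpack_from(">H", entry, off)
            parts.append(entry[off + 2:off + 2 + n].decode())
            off += 2 + n
        names.add("/".join(parts[1:]) + "@" + parts[0])
    return names

def check_keytab(path, wanted):
    """Return a list of problems; an empty list means the keytab looks usable."""
    if not os.path.exists(path):
        return [f"{path} does not exist"]
    problems = []
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append(f"{path} is accessible to group or other")
    with open(path, "rb") as fh:
        if wanted not in keytab_principals(fh.read()):
            problems.append(f"no key for {wanted}")
    return problems

def sample_entry(realm, *components):
    """Constructed test entry: all-zero 16-byte key, enctype 17, kvno 1."""
    def counted(b):
        return struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(components)) + counted(realm.encode())
    body += b"".join(counted(c.encode()) for c in components)
    body += struct.pack(">IIB", 1, 0, 1)   # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", 17) + counted(b"\x00" * 16)
    return struct.pack(">i", len(body)) + body

if __name__ == "__main__":
    # Placeholder principal; substitute the name your RADIUS server expects.
    print(check_keytab("/etc/krb5.keytab", "host/radius.example.org@EXAMPLE.ORG"))
```

Run it as root, since a correctly protected keytab cannot be opened by other users.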
