STOP USING MY NAME! ;) JK
Brian J. > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:freeradius-users-admin@;lists.cistron.nl] On Behalf Of > Brian Johnson > Sent: Thursday, November 07, 2002 1:12 PM > To: [EMAIL PROTECTED] > Subject: Re: more Kerberos fun > > > On Thu, 7 Nov 2002, Steve Langasek wrote: > > > The Kerberos module was recently fixed to require a Kerberos host > > principal on the RADIUS server to ensure that responses > from the KDC are > > properly verified. It seems freeradius is not finding your > host key. > > > > You say that you have /etc/krb* files in place. Is /etc/krb5.keytab > > among these files? Is /etc/krb5.keytab set up with a > service principal > > called host/hythloth.netcom.duke.edu? If you do not, you > should consult > > your Kerberos administrator about getting this set up. If > you are the > > Kerberos admin, you should consult the documentation for > your version of > > Kerberos. :) > > It appears I mispoke :) /etc/krb5.keytab is unfortunately > non-existant. Thanks for the pointer, Steve. I'll get in > touch with the > kind Kerberos folks for the University and remedy it ASAP. > > > > > Normally, /etc/krb5.keytab is only readable by root, which is highly > > advisable. This means that your radius server must also > run as root to > > read the keytab. I have an uncommitted (AFAIK) patch that will let > > freeradius look in an arbitrary keytab for an arbitrary service > > principal, removing this restriction. On our systems, we're using > > service principals named radius/<fqdn>, which is working well. > > Thanks also for this hint. We'll be running radiusd as root, > so I think > this shouldn't be a problem, but it's definitely good to know! > > Looks like I get to go bug some Kerberos folks now and give > you peoples a > break. Thank you Steve, Alan, and Allister for all of your > help! You've > been great! > > Brian > > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
