D'oh! It was SELinux. I had disabled it temporarily, but didn't set it as disabled in /etc/selinux/config, so it was blocking the authentication.
Phil Mayers wrote:
> On 06/14/2011 09:44 PM, Jimmy wrote:
>> I have Kerberos 1.6 configured to use OpenLDAP 2.3.43 as a back end. I
>> am trying to configure FreeRADIUS 2.1.7 to authenticate to Kerberos.
>
> My advice would be to investigate having FreeRADIUS pull the user info
> (secrets etc.) direct from LDAP. It'll save your sanity in the long run
> (provided the secrets in LDAP are ones FreeRADIUS can make use of).
>
> But...
>
>> I am having problems getting FreeRADIUS to authenticate while started
>> in daemon mode. When the process is started in debug mode it seems to
>> function, but authentications while in daemon mode return the error:
>>
>>> Auth: rlm_krb5: [test1@CSP-BACK] krb5_rd_req() failed: Permission denied
>>> in replay cache code
>
> So, in debug mode it's fine, but in daemon mode it's giving permission
> denied errors as above? That error sounds like it's coming out of the
> Kerberos libraries, rather than FreeRADIUS.
>
> Try this: start it up in daemon mode, then use "strace" to record
> syscalls:
>
> strace -o log -p <the pid>
>
> ...do a test authentication, then hunt through the log for open() and
> write() calls that fail, i.e. return -1. That should tell you what file
> it's trying to use as a replay cache. Then fix the permissions so that
> the daemon can access that file.
>
> Also, if you're running an LSM (SELinux, AppArmor), check their logs
> (audit.log in the case of SELinux; no idea for AppArmor) to see if it's
> a MAC policy, rather than uid/gid-based perms, that's denying it.
>
> Alternatively, you might be able to disable the replay cache using
> entries in /etc/krb5.conf, but you'd have to do a bit of digging.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Auth-rlm-krb5-test1-CSP-BACK-krb5-rd-req-failed-Permission-denied-in-replay-cache-code-tp4489262p4491473.html
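The triage Phil describes (strace for failing open() calls, then audit.log to tell a MAC denial from plain uid/gid permissions, then the persistent SELinux mode that bit Jimmy) as a small POSIX sh script. This is an added example, not code from the thread or from FreeRADIUS. The strace excerpt, the audit.log records and the /etc/selinux/config contents are constructed samples; the replay cache path /var/tmp/radius_95, the uid 95, the radiusd_t/tmp_t labels and the pids are hypothetical and will differ on a real host.

```shell
#!/bin/sh
# Added example, not from the thread. All log excerpts below are constructed;
# /var/tmp/radius_95, uid 95, the SELinux labels and the pids are hypothetical.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed excerpt in the shape "strace -o log -p <pid>" writes.
cat > "$WORK/strace.log" <<'EOF'
stat("/etc/krb5.conf", {st_mode=S_IFREG|0644, st_size=658, ...}) = 0
open("/etc/krb5.keytab", O_RDONLY) = 9
open("/var/tmp/radius_95", O_RDWR|O_CREAT, 0600) = -1 EACCES (Permission denied)
write(2, "krb5_rd_req() failed: Permission denied in replay cache code", 60) = 60
EOF

# Constructed /var/log/audit/audit.log excerpt: one AVC for radiusd, one unrelated.
cat > "$WORK/audit.log" <<'EOF'
type=AVC msg=audit(1308080640.120:221): avc:  denied  { write } for  pid=2140 comm="radiusd" name="radius_95" dev=dm-0 ino=131077 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1308080641.301:222): avc:  denied  { read } for  pid=2301 comm="httpd" name="index.html" dev=dm-0 ino=1337 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
EOF

# Constructed /etc/selinux/config: this is what survives a reboot,
# regardless of any "setenforce 0" typed earlier.
cat > "$WORK/selinux.config" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

# Paths of open()/openat() calls that returned -1: the file the daemon
# could not use (here, the replay cache).
failed_opens() {
    grep -E '^open(at)?\(.*\) = -1 E' "$1" | sed -E 's/^[^"]*"([^"]*)".*/\1/'
}

# AVC denials for one process name: "<perm> <object name> <target label>".
# Usage: avc_denials <comm> <audit.log>
avc_denials() {
    grep 'avc:  denied' "$2" | grep "comm=\"$1\"" \
        | sed -E 's/.*denied  [{] ([a-z_ ]+) [}].* name="([^"]*)".* tcontext=([^ ]+) .*/\1 \2 \3/'
}

# Boot-time SELinux mode from the config file (getenforce shows the live mode).
selinux_boot_mode() {
    sed -nE 's/^SELINUX=([a-z]+).*/\1/p' "$1"
}

# Decide whether the failing file is blocked by MAC policy (an AVC names the
# same object) or by ordinary DAC permissions (EACCES but no AVC).
# Usage: classify_denial <strace.log> <audit.log> <comm>
classify_denial() {
    path=$(failed_opens "$1" | head -n 1)
    [ -z "$path" ] && { echo none; return 0; }
    base=$(basename "$path")
    if avc_denials "$3" "$2" | grep -q " $base "; then
        echo "mac:$path"
    else
        echo "dac:$path"
    fi
}

echo "failed opens:"; failed_opens "$WORK/strace.log"
echo "AVC denials for radiusd:"; avc_denials radiusd "$WORK/audit.log"
echo "SELinux mode at boot: $(selinux_boot_mode "$WORK/selinux.config")"
echo "verdict: $(classify_denial "$WORK/strace.log" "$WORK/audit.log" radiusd)"
```

On a live host, `ausearch -m avc -c radiusd` pulls just the relevant records instead of grepping audit.log by hand. If the verdict is "mac:", the durable fix is to let the daemon's domain write its replay cache (relabel the cache location, or build a local policy module from the recorded denial) rather than setting SELINUX=disabled; if it is "dac:", chown/chmod of that one file is enough.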

