Re: Auth-Type krb5 not recognized by v2.1.12
On Wed, Mar 27, 2013 at 07:06:09PM +0100, Jaap Winius wrote:
> >That's interesting, but without a copy of the debug output from
> >radiusd -X, nobody will know where to start.
>
> I included what I thought was the most relevant output from
> 'freeradius -X', because the entire exchanges were about 12 times
> longer. But, if you think it would make a difference, I'll be sure
> to include all of it next time.

Lots of people do that, and mean well. Most of them are subsequently
asked to post the rest of the debug output. It often contains things
that you don't realise are important.

In your case, I wonder if either the order of module instantiation
has meant that files is being loaded before kerberos, or something
in a dictionary has changed. It's hard to tell without other
information. I wouldn't expect this to break between 2.1.10 and
2.1.12.

> >You could also put the following in your inner-tunnel, rather than
> >the line in your users file, which is probably the tidier way:
> >
> >update control {
> >  Auth-Type := krb5
> >}
>
> That's it -- it works!!

Cool.

> I no longer have "DEFAULT Auth-Type = krb5"

Possibly using

DEFAULT Auth-Type := krb5

may have fixed it, too. Auth-Type might have been being set by
something else beforehand, and needed the := to force it. But unlang
is probably tidier than files here.

Matthew

--
Matthew Newton, Ph.D.
Systems Specialist, Infrastructure Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253,

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Auth-Type krb5 not recognized by v2.1.12
Quoting Matthew Newton :

> For what it's worth, rolling your own FreeRADIUS packages for Debian
> is trivial.
>
> http://wiki.freeradius.org/building/Build#Building-Debian-packages

Right you are! Very good indeed. Sure beats installing directly from
source. Now I've got the latest version and it's a Debian package! :-)

> That's interesting, but without a copy of the debug output from
> radiusd -X, nobody will know where to start.

I included what I thought was the most relevant output from
'freeradius -X', because the entire exchanges were about 12 times
longer. But, if you think it would make a difference, I'll be sure
to include all of it next time.

> You could also put the following in your inner-tunnel, rather than
> the line in your users file, which is probably the tidier way:
>
> update control {
>   Auth-Type := krb5
> }

That's it -- it works!! I no longer have "DEFAULT Auth-Type = krb5" in
the users file, and instead added the above lines to the 'authorize'
section of ./sites-enabled/inner-tunnel. So, that seems to be the
solution. However, if anyone has any more questions, I'll be happy to
answer.

Thanks so much!

Cheers,

Jaap
Re: Auth-Type krb5 not recognized by v2.1.12
Quoting Iliya Peregoudov :

> From http://wiki.freeradius.org/modules/Rlm_krb5:
>
> "Make sure the keytab is readable by the user that is used to run
> radiusd..."
>
> On 27.03.2013 7:09, Jaap Winius wrote:
> > rlm_krb5: verify_krb_v5_tgt: host key not found : Permission denied

You're right about that! My mistake. The Freeradius keytab had
permissions 600, but with owner/group root.freerad. I've now changed
its permissions to 640 with owner/group freerad.freerad and that error
has now disappeared. Yet, strangely it seems to make no difference to
the final outcome with either 2.1.10 or 2.1.12. That must be because
Freeradius was/is actually reading the keytab as root.

Cheers,

Jaap
Re: Auth-Type krb5 not recognized by v2.1.12
On 27/03/13 13:55, Jaap Winius wrote:
> Quoting Alan Buxey :
>
> > ... I wonder if your server has been built with kerberos support?
>
> Indeed it has. The machine in question not only runs Freeradius, but
> also the Kerberos KDC, kadmin server and Kerberos client software.
> That all works, and it still works with Freeradius as long as I use
> 2.1.10 instead of 2.1.12.

That's not what Alan meant. Perhaps the FreeRADIUS rlm_krb5 didn't
build properly?

Anyway - rlm_krb5 doesn't register "krb5" or any other value as a
valid Auth-Type. You need:

authenticate {
  Auth-Type krb5 {
    krb5
  }
}

...for this:

DEFAULT Auth-Type := krb5

...to work. Do you have it? Are you sure the rlm_krb5 is building and
loading properly?
Re: Auth-Type krb5 not recognized by v2.1.12
Quoting Alan Buxey :

> ... I wonder if your server has been built with kerberos support?

Indeed it has. The machine in question not only runs Freeradius, but
also the Kerberos KDC, kadmin server and Kerberos client software.
That all works, and it still works with Freeradius as long as I use
2.1.10 instead of 2.1.12.

Cheers,

Jaap
Re: Auth-Type krb5 not recognized by v2.1.12
On Wed, Mar 27, 2013 at 04:09:09AM +0100, Jaap Winius wrote:
> Quoting Phil Mayers :
>
> >... you should be using 2.2.0 or 2.2.1 when it's released, as the
> >2.1.10/11/12 releases have a known security issue.
>
> I'll be sure to install 2.2.x as soon as a Debian package becomes
> available for it, but for now I'm going to stick with 2.1.x.

For what it's worth, rolling your own FreeRADIUS packages for Debian
is trivial.

http://wiki.freeradius.org/building/Build#Building-Debian-packages

> After upgrading to 2.1.12, what kills my setup is that Freeradius
> will no longer start up if I leave 'DEFAULT Auth-Type = krb5'
> enabled in the users file.

That's interesting, but without a copy of the debug output from
radiusd -X, nobody will know where to start.

You could also put the following in your inner-tunnel, rather than
the line in your users file, which is probably the tidier way:

update control {
  Auth-Type := krb5
}

but both should work. We need full debug output.

> But if I disable it, I get exactly the same failure output as I
> do from 2.1.10 when I disable that line in the users file.

Understandable; that's not the issue here.

Cheers,

Matthew

--
Matthew Newton, Ph.D.
Systems Specialist, Infrastructure Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253,
Re: Auth-Type krb5 not recognized by v2.1.12
From http://wiki.freeradius.org/modules/Rlm_krb5:

"Make sure the keytab is readable by the user that is used to run
radiusd..."

On 27.03.2013 7:09, Jaap Winius wrote:
> rlm_krb5: verify_krb_v5_tgt: host key not found : Permission denied
Re: Auth-Type krb5 not recognized by v2.1.12
What you are doing is actually okay (it's one of those exceptions
where Auth-Type needs to be present, as the server has no idea to use
krb5).

I wonder if your server has been built with kerberos support?

alan

--
This smartphone uses free WiFi around the world with eduroam, now
that's what I call smart.
Re: Auth-Type krb5 not recognized by v2.1.12
Quoting Phil Mayers :

> ... you should be using 2.2.0 or 2.2.1 when it's released, as the
> 2.1.10/11/12 releases have a known security issue.

I'll be sure to install 2.2.x as soon as a Debian package becomes
available for it, but for now I'm going to stick with 2.1.x.

> I see from the (limited) debug output you've given that you're
> forcing Auth-Type in a "users" file. This is usually a mistake, and
> can cause confusing errors.

If I leave it out, 2.1.10 doesn't work for me.

What follows is a description of how I modified my Freeradius server's
default configuration in order to get it working for me on Debian
squeeze with Kerberos support. After installing the freeradius and
freeradius-krb5 packages along with some dependencies, this is what I
did:

1.) Added to the end of /etc/freeradius/clients.conf:

    client 192.168.2.2 {
      secret=
      shortname =
    }

2.) Modified attribute in /etc/freeradius/eap.conf, section 'eap':

    default_eap_type = ttls

    Modified attribute in subsection 'tls':

    private_key_password =

3.) Added this line to the end of /etc/freeradius/users:

    DEFAULT Auth-Type = krb5

4.) Changed these two lines in /etc/freeradius/modules/krb5:

    keytab = /etc/freeradius/freeradius.keytab
    service_principal = radius/

5.) In /etc/freeradius/sites-enabled/inner-tunnel, added an extra line
    with 'krb5' below the line 'pam' (which is commented out) in
    section 'authenticate'.

6.) Installed and configured a Kerberos client on the Freeradius host.
    Of course, this included using kadmin to create a host principal,
    host/, as well as a matching keytab (/etc/krb5.keytab) on the
    Freeradius host.

7.) Used the kadmin console again on the Freeradius host to create a
    radius service principal: radius/

8.) Created a keytab for the radius service principal:
    /etc/freeradius/freeradius.keytab

9.) Generated a set of self-signed certificates that I copied to the
    /etc/freeradius/certs directory.
When all of this works, 'freeradius -X' shows the following output:

=== Begin 2.1.10 success ===

[eap] EAP packet type response id 6 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
        User-Name = "jwinius"
        User-Password = ""
        FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
        User-Name = "jwinius"
        User-Password = ""
        FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "jwinius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 207
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = krb5
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
rlm_krb5: verify_krb_v5_tgt: host key not found : Permission denied
++[krb5] returns ok
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[ttls] Got tunneled reply code 2
[ttls] Got tunneled Access-Accept
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 0 to 192.168.2.2 port 1025
        MS-MPPE-Recv-Key = 0xab083ff864d0156503438d3bac157120ac64723522901d27a41564a100bb42a8
        MS-MPPE-Send-Key = 0xb31e8a4a4cfe891d652a209aa8e14e5eaa460d3becda0c6cb7d23f5e181c159c
        EAP-Message = 0x03060004
        Message-Authenticator = 0x
        User-Name = "jwinius"

=== End 2.1.10 success ===

On the other hand, it doesn't work if I remove the 'DEFAULT Auth-Type
= krb5' in the users file. Without that line I get this result:

=== Begin 2.1.10 fail ===

[eap] EAP packet type response id 6 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[tt
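For reference, here is the combination the thread converges on (Jaap's step 4 and 5 config, Matthew's "update control" in the inner-tunnel authorize section, and Phil's point that rlm_krb5 needs an explicit "Auth-Type krb5" subsection in authenticate) written out as one FreeRADIUS 2.x configuration. This is an added example, not a file from the thread or from the FreeRADIUS project; the principal name radius/radius.example.com and the surrounding module list are assumptions, and the two paths match the Debian layout Jaap describes.

```unlang
# /etc/freeradius/modules/krb5  (assumed path, as in step 4 above)
krb5 {
	# The keytab must be readable by the user radiusd runs as (freerad on
	# Debian); otherwise rlm_krb5 logs
	# "verify_krb_v5_tgt: host key not found : Permission denied".
	# Something like mode 0640, owner freerad, group freerad.
	keytab = /etc/freeradius/freeradius.keytab

	# Assumed principal; the thread elides the host part.
	service_principal = radius/radius.example.com
}

# /etc/freeradius/sites-enabled/inner-tunnel  (only the relevant parts)
server inner-tunnel {
	authorize {
		chap
		mschap
		suffix
		eap
		files
		expiration
		logintime

		# Replaces "DEFAULT Auth-Type = krb5" in the users file.
		# ":=" always sets the attribute. With "=" a users entry only
		# adds Auth-Type when nothing earlier in authorize has already
		# put one in the control list, which is why a plain "=" can
		# silently lose to another module.
		update control {
			Auth-Type := krb5
		}

		# pap returns noop here because Auth-Type is already set.
		pap
	}

	authenticate {
		Auth-Type PAP {
			pap
		}

		# rlm_krb5 does not register "krb5" as an Auth-Type on its own.
		# Without this subsection "Auth-Type := krb5" names a group
		# that does not exist, and the server has nothing to run.
		Auth-Type krb5 {
			krb5
		}

		eap
	}
}
```

With this in place, "freeradius -X" for a TTLS/PAP inner request should show "Found Auth-Type = krb5", then "entering group authenticate {...}" and "++[krb5] returns ok" inside "server inner-tunnel { ... }", as in the 2.1.10 success trace above but without the Permission denied line.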
Re: Auth-Type krb5 not recognized by v2.1.12
On 03/25/2013 11:42 PM, Jaap Winius wrote:
> Is this new behavior intentional, or is it simply a bug? In either
> case, is there a workaround or a code fix for this, or should I
> continue to use 2.1.10?

Actually neither - you should be using 2.2.0 or 2.2.1 when it's
released, as the 2.1.10/11/12 releases have a known security issue.

As to the Auth-Type, it is likely a misconfiguration that either
accidentally worked in older versions of the server and doesn't any
more, or broke when you upgraded and the package overwrote something.

I see from the (limited) debug output you've given that you're forcing
Auth-Type in a "users" file. This is usually a mistake, and can cause
confusing errors.

But in any event, to debug the problem please run:

radiusd -X | tee log

...and examine the output. If the cause isn't clear post the debug
output here, and people will be able to comment. At the moment,
there's too little info.