Re: Auth-Type krb5 not recognized by v2.1.12

2013-03-27 Thread Matthew Newton
On Wed, Mar 27, 2013 at 07:06:09PM +0100, Jaap Winius wrote:
> >That's interesting, but without a copy of the debug output from
> >radiusd -X, nobody will know where to start.
> 
> I included what I thought was the most relevant output from
> 'freeradius -X', because the entire exchanges were about 12 times
> longer. But, if you think it would make a difference, I'll be sure
> to include all of it next time.

Lots of people do that, and mean well. Most of them are
subsequently asked to post the rest of the debug output. It often
contains things that you don't realise are important.

In your case, I wonder if either the order of module instantiation
has meant that files is being loaded before kerberos, or something
in a dictionary has changed. It's hard to tell without other
information. I wouldn't expect this to break between 2.1.10 and
2.1.12.

> 
> >You could also put the following in your inner-tunnel, rather than
> >the line in your users file, which is probably the tidier way:
> >
> >update control {
> >  Auth-Type := krb5
> >}
> 
> That's it -- it works!!

Cool.

> I no longer have "DEFAULT Auth-Type = krb5"

Possibly using

DEFAULT Auth-Type := krb5

may have fixed it, too. Auth-Type might have been being set by
something else beforehand, and needed the := to force it.

But unlang is probably tidier than files here.

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Auth-Type krb5 not recognized by v2.1.12

2013-03-27 Thread Jaap Winius

Quoting Matthew Newton :

> For what it's worth, rolling your own FreeRADIUS packages for
> Debian is trivial.
>
> http://wiki.freeradius.org/building/Build#Building-Debian-packages

Right you are! Very good indeed. Sure beats installing directly from
source. Now I've got the latest version and it's a Debian package! :-)

> That's interesting, but without a copy of the debug output from
> radiusd -X, nobody will know where to start.

I included what I thought was the most relevant output from
'freeradius -X', because the entire exchanges were about 12 times
longer. But, if you think it would make a difference, I'll be sure to
include all of it next time.

> You could also put the following in your inner-tunnel, rather than
> the line in your users file, which is probably the tidier way:
>
> update control {
>   Auth-Type := krb5
> }

That's it -- it works!! I no longer have "DEFAULT Auth-Type = krb5" in
the users file, and instead added the above lines to the 'authorize'
section of ./sites-enabled/inner-tunnel. So, that seems to be the
solution. However, if anyone has any more questions, I'll be happy to
answer.


Thanks so much!

Cheers,

Jaap


Re: Auth-Type krb5 not recognized by v2.1.12

2013-03-27 Thread Jaap Winius

Quoting Iliya Peregoudov :

> From http://wiki.freeradius.org/modules/Rlm_krb5:
>
> "Make sure the keytab is readable by the user that is used to run radiusd..."
>
> On 27.03.2013 7:09, Jaap Winius wrote:
>
> > rlm_krb5: verify_krb_v5_tgt: host key not found : Permission denied

You're right about that! My mistake. The Freeradius keytab had
permissions 600, but with owner/group root.freerad. I've now changed
its permissions to 640 with owner/group freerad.freerad and that error
has now disappeared. Yet, strangely it seems to make no difference to
the final outcome with either 2.1.10 or 2.1.12. That must be because
Freeradius was/is actually reading the keytab as root.


Cheers,

Jaap


Re: Auth-Type krb5 not recognized by v2.1.12

2013-03-27 Thread Phil Mayers

On 27/03/13 13:55, Jaap Winius wrote:

> Quoting Alan Buxey :
>
> > ... I wonder if your server has been built with kerberos support?
>
> Indeed it has. The machine in question not only runs Freeradius, but
> also the Kerberos KDC, kadmin server and Kerberos client software. That
> all works, and it still works with Freeradius as long as I use 2.1.10
> instead of 2.1.12.


That's not what Alan meant.

Perhaps the FreeRADIUS rlm_krb5 didn't build properly?

Anyway - rlm_krb5 doesn't register "krb5" or any other value as a valid 
Auth-Type.


You need:

authenticate {
  Auth-Type krb5 {
    krb5
  }
}

...for this:

DEFAULT Auth-Type := krb5

...to work. Do you have it? Are you sure the rlm_krb5 is building and 
loading properly?



Re: Auth-Type krb5 not recognized by v2.1.12

2013-03-27 Thread Jaap Winius

Quoting Alan Buxey :

> ... I wonder if your server has been built with kerberos support?

Indeed it has. The machine in question not only runs Freeradius, but
also the Kerberos KDC, kadmin server and Kerberos client software.
That all works, and it still works with Freeradius as long as I use
2.1.10 instead of 2.1.12.


Cheers,

Jaap


Re: Auth-Type krb5 not recognized by v2.1.12

2013-03-27 Thread Matthew Newton
On Wed, Mar 27, 2013 at 04:09:09AM +0100, Jaap Winius wrote:
> Quoting Phil Mayers :
> 
> >... you should be using 2.2.0 or 2.2.1 when it's released, as the
> >2.1.10/11/12 releases have a known security issue.
> 
> I'll be sure to install 2.2.x as soon as a Debian package becomes
> available for it, but for now I'm going to stick with 2.1.x.

For what it's worth, rolling your own FreeRADIUS packages for
Debian is trivial.

http://wiki.freeradius.org/building/Build#Building-Debian-packages


> After upgrading to 2.1.12, what kills my setup is that Freeradius
> will no longer start up if I leave 'DEFAULT Auth-Type = krb5'
> enabled in the users file.

That's interesting, but without a copy of the debug output from
radiusd -X, nobody will know where to start.


You could also put the following in your inner-tunnel, rather than
the line in your users file, which is probably the tidier way:

update control {
  Auth-Type := krb5
}

but both should work. We need full debug output.


> But if I disable it, I get exactly the same failure output as I
> do from 2.1.10 when I disable that line in the users file.

Understandable; that's not the issue here.

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 
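Phil's authenticate block and Matthew's update control suggestion are the two halves of the fix; put together, the relevant parts of the inner-tunnel virtual server and the krb5 module look like this. This is an added illustration assembled from the thread, not configuration from the thread itself or from the FreeRADIUS project; the service principal name is a placeholder, the keytab path is the one from Jaap's step 4, and the module order follows the 2.x debug output above.

```unlang
# /etc/freeradius/sites-enabled/inner-tunnel (FreeRADIUS 2.x, relevant parts only)
server inner-tunnel {
    authorize {
        chap
        mschap
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        # For an inner EAP method, eap returns ok and the section stops here;
        # for TTLS/PAP there is no inner EAP-Message, so it returns noop.
        eap {
            ok = return
        }
        files

        # Replaces "DEFAULT Auth-Type = krb5" in the users file.
        # ":=" overwrites any Auth-Type already set earlier in this section,
        # which a plain "=" would not do.
        update control {
            Auth-Type := krb5
        }

        expiration
        logintime
        pap
    }

    authenticate {
        # rlm_krb5 registers no Auth-Type of its own; this block is what makes
        # the value "krb5" a valid Auth-Type, so it must exist for the
        # "Auth-Type := krb5" above to run anything.
        Auth-Type krb5 {
            krb5
        }
        eap
    }
}

# /etc/freeradius/modules/krb5
krb5 {
    # Must be readable by the account radiusd runs as (freerad on Debian),
    # e.g. owner freerad:freerad, mode 640, so it does not depend on root.
    keytab = /etc/freeradius/freeradius.keytab
    # Placeholder: use the radius/<host> principal created with kadmin.
    service_principal = radius/radius.example.org
}
```

Run `freeradius -X` (or `radiusd -X`) after the change and check for "Found Auth-Type = krb5" followed by `++[krb5] returns ok` with no "Permission denied" from verify_krb_v5_tgt.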


Re: Auth-Type krb5 not recognized by v2.1.12

2013-03-27 Thread Iliya Peregoudov

From http://wiki.freeradius.org/modules/Rlm_krb5:

"Make sure the keytab is readable by the user that is used to run 
radiusd..."


On 27.03.2013 7:09, Jaap Winius wrote:

> rlm_krb5: verify_krb_v5_tgt: host key not found : Permission denied



Re: Auth-Type krb5 not recognized by v2.1.12

2013-03-27 Thread Alan Buxey
What you are doing is actually okay (it's one of those exceptions where 
auth-type needs to be present as the server has no idea to use krb5). I wonder 
if your server has been built with kerberos support?

alan

--
This smartphone uses free WiFi around the world with eduroam, now that's what I 
call smart.


Re: Auth-Type krb5 not recognized by v2.1.12

2013-03-26 Thread Jaap Winius

Quoting Phil Mayers :

> ... you should be using 2.2.0 or 2.2.1 when it's released, as the
> 2.1.10/11/12 releases have a known security issue.

I'll be sure to install 2.2.x as soon as a Debian package becomes
available for it, but for now I'm going to stick with 2.1.x.

> I see from the (limited) debug output you've given that you're
> forcing Auth-Type in a "users" file. This is usually a mistake, and
> can cause confusing errors.

If I leave it out, 2.1.10 doesn't work for me.

What follows is a description of how I modified my Freeradius server's  
default configuration in order to get it working for me on Debian  
squeeze with Kerberos support. After installing the freeradius and  
freeradius-krb5 packages along with some dependencies, this is what I  
did:


1.) Added to the end of /etc/freeradius/clients.conf:

  client 192.168.2.2 {
  secret= 
  shortname = 
  }

2.) Modified attribute in /etc/freeradius/eap.conf, section 'eap':

  default_eap_type = ttls

Modified attribute in subsection 'tls':

  private_key_password = 

3.) Added this line to the end of /etc/freeradius/users:

  DEFAULT Auth-Type = krb5

4.) Changed these two lines in /etc/freeradius/modules/krb5:

  keytab = /etc/freeradius/freeradius.keytab
  service_principal = radius/

5.) In /etc/freeradius/sites-enabled/inner-tunnel, added an extra line  
with 'krb5' below the line 'pam' (which is commented out) in section  
'authenticate'.


6.) Installed and configured a Kerberos client on the Freeradius host.  
Of course, this included using kadmin to create a host principal,  
host/, as well as a matching keytab (/etc/krb5.keytab) on  
the Freeradius host.


7.) Used the kadmin console again on the Freeradius host to create a  
radius service principal: radius/


8.) Created a keytab for the radius service principal:  
/etc/freeradius/freeradius.keytab


9.) Generated a set of self-signed certificates that I copied to the  
/etc/freeradius/certs directory.


When all of this works, 'freeradius -X' shows the following output:

=== Begin 2.1.10 success ===

[eap] EAP packet type response id 6 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
User-Name = "jwinius"
User-Password = ""
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
User-Name = "jwinius"
User-Password = ""
FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "jwinius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 207
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = krb5
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
rlm_krb5: verify_krb_v5_tgt: host key not found : Permission denied
++[krb5] returns ok
  WARNING: Empty post-auth section.  Using default return values.
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[ttls] Got tunneled reply code 2
[ttls] Got tunneled Access-Accept
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 0 to 192.168.2.2 port 1025
MS-MPPE-Recv-Key = 0xab083ff864d0156503438d3bac157120ac64723522901d27a41564a100bb42a8
MS-MPPE-Send-Key = 0xb31e8a4a4cfe891d652a209aa8e14e5eaa460d3becda0c6cb7d23f5e181c159c

EAP-Message = 0x03060004
Message-Authenticator = 0x
User-Name = "jwinius"

=== End 2.1.10 success ===

On the other hand, it doesn't work if I remove the 'DEFAULT Auth-Type  
= krb5' in the users file. Without that line I get this result:


=== Begin 2.1.10 fail ===

[eap] EAP packet type response id 6 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[tt

Re: Auth-Type krb5 not recognized by v2.1.12

2013-03-26 Thread Phil Mayers

On 03/25/2013 11:42 PM, Jaap Winius wrote:

> Is this new behavior intentional, or is it simply a bug? In either case,
> is there a workaround or a code fix for this, or should I continue to
> use 2.1.10?


Actually neither - you should be using 2.2.0 or 2.2.1 when it's released, 
as the 2.1.10/11/12 releases have a known security issue.


As to the Auth-Type, it is likely a misconfiguration that either 
accidentally worked in older versions of the server and doesn't any 
more, or broke when you upgraded and the package overwrote something.


I see from the (limited) debug output you've given that you're forcing 
Auth-Type in a "users" file. This is usually a mistake, and can cause 
confusing errors.


But in any event, to debug the problem please run:

radiusd -X | tee log

...and examine the output. If the cause isn't clear post the debug 
output here, and people will be able to comment. At the moment, there's 
too little info.
