Matt Garretson <[EMAIL PROTECTED]> wrote: > My problem is for cases when a user is to be authenticated by > rlm_krb5 as determined by huntgroup, but also happens to exist in > the passwd file. In this case, the user's password is checked > against the passwd file entry before rlm_krb gets called. This > behavior is not what i was hoping for.
Yes, it's a bug. The server currently looks for a plain-text, or crypt'd password found from a DB. If it sees that, and a PAP password in the request, it does the authentication itself, and ignores any Auth-Type. It's fixed in the CVS head. You can fix this in src/main/auth.c in an older version, by checking out the latest CVS snapshot, and then doing: $ cvs diff -u -r1.130 -r1.131 src/main/auth.c That will spit out a patch which may be applied to an older version of the server. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html