radius & kerberos interaction

Fri, 06 Feb 2004 10:28:17 -0800

I've managed to successfully compile and install freeradius v 0.9.3
on a redhat v. 7.1 machine. ( Thanks for all the help on that ) I also have kerberos 5 verificaiton running. The configuration and compilation of freeradius appeared to go without a hitch but when I actually try to authenticate a user against the server ( running in debug mode ) I get the followging
messages output :

rad_recv: Access-Request packet from host ***.***.***.***:1645, id=0, length=46
User-Name = ********"
User-Password = "***********"
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/var/log/radius/radacct/129.186.250.32/auth-detail-20040206'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/***.***.***.***/auth-detail-20040206
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "eap" returns noop for request 0
rlm_realm: No '@' in User-Name = "********", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
users: Matched DEFAULT at 8
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type Kerberos
auth: type "Kerberos"
modcall: entering group authenticate for request 0
rlm_krb5: krb5 server princ name: XXX.XXX.XXX.XXX
rlm_krb5: verify_krb_v5_tgt: host key not found : Key table entry not found

My search path for the user running radiusd includes /etc where
the krb5.conf and krb5.keytab files are found. So, my first question is, is there some --with arugment I need to specify at configuration time that will instruct the rlm_krb5 modules where to look for the keytab file ? My second question involves how to specify the server princ name (X'd out for security reasons ). Currently it is displaying the name of the server that radiusd is running on, but shouldn't it be displaying the actual kerberos ticket granting server name instead & how does one specify that ?
Dave Schrader

--
Chaos reigns within.
Reflect, repent and reboot.
Order shall return.


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to