Alan,

Thanks for your quick response. I put several more hours of testing in after I made this posting and determined it is almost certainly not a radius issue, but probably a PAM or Kerberos issue, so I am starting to dig deeper in those areas. The LDAP information is interesting and may prove to be the option I need to take if I can't get the Kerberos working soon.

Thanks for your assistance.

--Bill

On Sun, May 09, 2004 at 08:34:48AM -0400, Alan DeKok wrote:
> Bill Shaver <[EMAIL PROTECTED]> wrote:
> > I need to add at least one more Kerberos realm (read MS Windows forest/AD)
> > back-end authentication store. (These MS Windows forests do not trust
> > each other.) On the radius server (computer), I can manually perform kinit
> > requests against each krb5 realm just fine. My problem is how do I get
> > freeradius (or PAM) to take the authentication request and direct it to
> > the correct Kerberos server/realm. It seems this should not be that hard,
> > I am probably missing something very basic.
>
> That would depend on pam_krb5. If it doesn't describe how to do
> this, it probably can't.
>
> > -- I have looked into the rlm_krb, but have gotten nowhere (I can't
> > find it in the RPMs, and I can't get it to compile).
>
> If it's not in the RPM's, it's probably because the Kerberos on RH
> is different than the one in the module.
>
> You might try the latest CVS snapshot. The kerberos module may have
> been updated.
>
> > -- I have looked at (although not experimented with) LDAP authentication,
> > but it looks like I would have the same problem.
>
> I'm not sure why. You can have multiple instances of the LDAP
> module, each pointing to a different back-end.