George C. Kaplan wrote:
> I don't think I understand your examples. A NAS is sending a User-Name
> and User-Password, and somehow I have to tell radiusd, "Use Kerberos to
> authenticate these users." I don't see how I can do that except by
> setting 'Auth-Type = Kerberos' *somewhere*.

I am suggesting that in some sense (and obviously, it's only my opinion,
and as I say it's only doable to an extent with newer FR versions) the
following is better:

    authenticate {
        Auth-Type PAP {
            krb5
        }
    }

That is, that the Auth-Type be set to reflect the algorithm in the
radius request, and not the backend processing that request.

>> Out of interest, are you finding rlm_krb5 stable? Under high concurrency?
>
> Yes, except (and it's a big "except") for signals. I posted something
> about this a little while ago: when radiusd gets a HUP or TERM signal,
> it sometimes becomes unresponsive, using 98% CPU. A 'kill -9' is

Ah. I'll stick with LDAP to the AD controllers.