On Tue, 2007-03-13 at 17:31 +0100, Alan DeKok wrote: > John T. Guthrie wrote: > > Well, when all else fails, read the documentation. I just checked the > > wiki on the website, and it says that the answer to my question is yes. > > However, I went ahead and wrote a patch to the radiusd.conf.in file in > > the source code to add in ome documentation for configuring Kerberos. > > Where would be the best place to post that patch. > > This list is OK for small patches. > > Alan DeKok.
Alan, Here is the patch that I mentioned. This is a patch against the radiusd.conf.in file in 1.1.5. Thanks. -- John Guthrie [EMAIL PROTECTED]
--- radiusd.conf.in.orig 2007-02-04 10:28:46.000000000 -0500 +++ radiusd.conf.in 2007-03-13 23:49:31.000000000 -0400 @@ -660,6 +660,20 @@ radwtmp = ${logdir}/radwtmp } + # Kerberos 5 + # The documentation doesn't give us much. + # See www.mail-archive.com/freeradius-users@lists.cistron.nl/msg21439.html + # + # You will also need to uncomment the "Auth-Type Kerberos" in the + # 'authenticate' section below. + #krb5 { + # keytab containing the key used by rlm_krb5 + #keytab = /path/to/keytab + + # principal that is used by rlm_krb5 + #service_principal = radius/some.host.com + #} + # Extensible Authentication Protocol # # For all EAP related authentications. @@ -1954,6 +1968,19 @@ # ldap # } + # Uncomment this if you want to use Kerberos 5 for authentication. + # You will also need to uncomment the 'krb5' module above. + # Note that use of Kerberos requires that the User-Name and + # User-Password attributes be set in the request packet. This means + # that a client that is trying to authenticate using a digest-like + # scheme will not be able be authenticated using this mechanism. + # + # You will need to use an Auth-Type of "Kerberos", not "krb5" to + # reference this in the users file. +# Auth-Type Kerberos { +# krb5 +# } + # # Allow EAP authentication. eap
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html