I've had the rlm_krb5 module running for a while now, with the line in the users file:

-----
DEFAULT Auth-Type = Kerberos
-----

I found that was the only way to get the rlm_krb5 module to actually fire, otherwise the krb5 module would never try to authenticate anyone.

I'm now trying to add authentication from an SQL database. So, I have an appropriate tested setup for SQL, and the following in the radreply table:

mysql> select * from radreply;
+----+----------+--------------+----+------------+
| id | username | attribute    | op | value      |
+----+----------+--------------+----+------------+
|  1 | mowglidb | Service-Type | := | Login-User |
|  2 | mowglidb | Fall-Through | =  | No         |
|  3 | mowglidb | Auth-Type    | := | Accept     |
|  4 | mowglidb | Hint         | := | SQL        |
+----+----------+--------------+----+------------+
4 rows in set (0.00 sec)

I've verified that both authentication types work properly, but what happens is that the Kerberos result is the only one ever used, despite the fact that the SQL result appears valid. So when you look up an ID in the SQL table which is valid, the Kerberos lookup executes, doesn't find the ID, and sends a REJECT. Here's partial radiusd -X output showing the results of a query . . .

-----
Ready to process requests.
rad_recv: Access-Request packet from host 128.146.XXX.XXX port 1166, id=12, length=48
        User-Name = "mowglidb"
        User-Password = "1234abcd"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/128.146.XXX.XXX/auth-detail-20100401
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/128.146.XXX.XXX/auth-detail-20100401
[auth_log]      expand: %t -> Thu Apr  1 00:38:53 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[IPASS] No '/' in User-Name = "mowglidb", looking up realm NULL
[IPASS] No such realm "NULL"
++[IPASS] returns noop
[suffix] No '@' in User-Name = "mowglidb", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 210
++[files] returns ok
[sql]   expand: %{User-Name} -> mowglidb
[sql] sql_set_user escaped user --> 'mowglidb'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'mowglidb' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'mowglidb' ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'mowglidb' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'mowglidb' ORDER BY id
[sql]   expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'mowglidb' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'mowglidb' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = Kerberos
+- entering group Kerberos {...}
rlm_krb5: [mowglidb] krb5_g_i_t_w_p failed: Client not found in Kerberos database
++[krb5] returns reject
Failed to authenticate the user.
Login incorrect: [mowglidb] (from client test port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> mowglidb
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 12 to 128.146.XXX.XXX port 1166
Finished request 1.
Going to the next request
-----

I've tried varying what is in the users file, but so far my only results are either the SQL result is squashed by the Kerberos result, or the Kerberos section never attempts a lookup. In reading the attributes description, it implies that if I put the "Auth-Type = Kerberos" in the check section for the DEFAULT entry, it should only add this if there is no Auth-Type, but I'm not clear on when the items from the radreply table are added to the reply. Explicitly setting the Auth-Type in the SQL reply doesn't appear to affect anything; the Kerberos DEFAULT entry seems to simply override it.

I've tried swapping the order of the sql & files attributes in the authenticate section, but that didn't work either:

-----
++[sql] returns ok
[files] users: Matched entry DEFAULT at line 210
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = Kerberos
+- entering group Kerberos {...}
rlm_krb5: [mowglidb] krb5_g_i_t_w_p failed: Client not found in Kerberos database
++[krb5] returns reject
Failed to authenticate the user.
Login incorrect: [mowglidb] (from client test port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
-----

And modifying the users file so that the entry reads:

-----
DEFAULT Auth-Type = Kerberos
-----

resulted in the krb5 module failing to fire at all, even though the files result did match the DEFAULT rule:

-----
++[chap] returns noop
++[mschap] returns noop
[IPASS] No '/' in User-Name = "assor.3", looking up realm NULL
[IPASS] No such realm "NULL"
++[IPASS] returns noop
[suffix] No '@' in User-Name = "assor.3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 210
++[files] returns ok
[sql]   expand: %{User-Name} -> assor.3
[sql] sql_set_user escaped user --> 'assor.3'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'assor.3' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'assor.3' ORDER BY id
[sql]   expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'assor.3' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'assor.3' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User assor.3 not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
-----

The users file really only has the single DEFAULT rule in it, but let me know if seeing any of the other configuration files would help. Otherwise, I'd appreciate any help on getting the krb5 module to work with other authentication types.

One other thing: it might be useful to add an "extended debugging" flag to the -X option, which shows you the reply table entries after each module, to allow tracking what sets what values. I haven't seen that mentioned in any documentation, but in my case that would at least allow me to answer the question of what reply entries get set where and when.

Thanks,
<Mowgli>

-- 
The Ohio State University Network Security Group | Mowgli Assor
---------------------------------------------------+--------------------------
E-mail : secur...@osu.edu                          | Network Security Engineer
Web    : http://www.infosec.ohio-state.edu         | Office : (Use E-mail)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
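The post above turns on where Auth-Type comes from: the users file DEFAULT line is a check item, while rows in radreply become reply items. The following is an added illustration, not code from the post or from FreeRADIUS itself: a small Python model of the operator semantics documented in users(5) (`=` sets only if absent, `:=` replaces or adds, `+=` always adds), applied to the module order and radreply rows shown in the post. The radcheck row is an assumption, since the post never lists that table, and all function and constant names are the example's own.

```python
"""Toy model of FreeRADIUS 2.x check-item vs. reply-item merging.

Added illustration, not code from the mailing-list post or from FreeRADIUS.
It models the users(5) operator semantics: '=' sets an item only when none of
that name is present, ':=' replaces any existing item (or adds one), '+='
always adds. Module order and the radreply rows are the ones shown in the
post; the radcheck row is an assumption, since the post never lists it.
"""


def apply_item(target, attribute, op, value):
    """Merge one (attribute, op, value) item into a list of (attribute, value) pairs."""
    present = [i for i, (name, _) in enumerate(target) if name == attribute]
    if op == "=":
        if not present:                      # only if nothing of that name exists
            target.append((attribute, value))
    elif op == ":=":
        for i in reversed(present):          # replace: drop every existing copy
            del target[i]
        target.append((attribute, value))
    elif op == "+=":
        target.append((attribute, value))    # always add another copy
    else:
        raise ValueError(f"comparison operator {op!r} is not modelled here")


def run_authorize(modules):
    """Run the authorize modules in order; returns (control_list, reply_list).

    Each module is (name, check_items, reply_items). Check items land in the
    control list, which is where Auth-Type is read from; reply items go to the
    Access-Accept reply list and are never consulted when picking Auth-Type.
    """
    control, reply = [], []
    for _name, check_items, reply_items in modules:
        for attribute, op, value in check_items:
            apply_item(control, attribute, op, value)
        for attribute, op, value in reply_items:
            apply_item(reply, attribute, op, value)
    return control, reply


def auth_type(control):
    """The authenticate section selects its method from the control list only."""
    return dict(control).get("Auth-Type")


# users file entry from the post: "DEFAULT  Auth-Type = Kerberos" (a check item)
FILES = ("files", [("Auth-Type", "=", "Kerberos")], [])

# radreply rows for mowglidb exactly as listed in the post
RADREPLY = [
    ("Service-Type", ":=", "Login-User"),
    ("Fall-Through", "=", "No"),
    ("Auth-Type", ":=", "Accept"),
    ("Hint", ":=", "SQL"),
]

# ASSUMPTION: the post does not show radcheck; a plain password row is assumed
RADCHECK_ASSUMED = [("Cleartext-Password", ":=", "1234abcd")]


def scenario_as_posted(sql_first=False):
    """Auth-Type := Accept sits in radreply, as in the post."""
    sql = ("sql", RADCHECK_ASSUMED, RADREPLY)
    return run_authorize([sql, FILES] if sql_first else [FILES, sql])


def scenario_auth_type_in_radcheck(sql_first=False):
    """The same row moved to radcheck, so it becomes a check (control) item."""
    reply_rows = [row for row in RADREPLY if row[0] != "Auth-Type"]
    sql = ("sql", RADCHECK_ASSUMED + [("Auth-Type", ":=", "Accept")], reply_rows)
    return run_authorize([sql, FILES] if sql_first else [FILES, sql])


if __name__ == "__main__":
    for label, fn in [("as posted", scenario_as_posted),
                      ("Auth-Type in radcheck", scenario_auth_type_in_radcheck)]:
        for sql_first in (False, True):
            control, reply = fn(sql_first)
            order = "sql, files" if sql_first else "files, sql"
            print(f"{label:22} ({order}): Auth-Type = {auth_type(control)}; "
                  f"reply list = {reply}")
```

Running it shows that in both module orders the control list keeps Auth-Type = Kerberos while the Accept row only ever reaches the reply list, which matches the debug output ("Found Auth-Type = Kerberos" after "[files] users: Matched entry DEFAULT"); it also shows what changes when the row lives in radcheck instead. Two points a practitioner would want to keep in view: an `Auth-Type := Accept` control item makes the server skip password verification for that user entirely, and the stock pap module only sets Auth-Type when none is present yet ("[pap] Found existing Auth-Type, not changing it." in the log), so a DEFAULT Kerberos entry that runs earlier in authorize always takes precedence over it.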