On 06/14/2011 09:44 PM, Jimmy wrote:
I have Kerberos 1.6 configured to use OpenLDAP 2.3.43 as a back end. I
am trying to configure Freeradius 2.1.7 to authenticate to Kerberos.

My advice would be to investigate having FreeRADIUS pull the user info (secrets etc.) directly from LDAP. It'll save your sanity in the long run (provided the secrets in LDAP are ones FreeRADIUS can make use of).

But...


I am having problems getting Freeradius to authenticate while started
in daemon mode. When the process is started in debug mode it seems to
function, but authentications while in daemon mode return the error:

Auth: rlm_krb5: [test1@CSP-BACK] krb5_rd_req() failed: Permission denied in 
replay cache code

So, in debug mode it's fine, but in daemon mode it's giving permission denied errors as above? That error sounds like it's coming out of the Kerberos libraries, rather than FreeRADIUS.

Try this: start it up in daemon mode, then use "strace" to record syscalls:

strace -o log -p <the pid>

...do a test authentication, then hunt through the log for open() and write() calls that fail, i.e. return -1. That should tell you what file it's trying to use as a replay cache. Then, fix the permissions so that the daemon can access that file.

Also, if you're running an LSM (SELinux, AppArmor) check their logs (audit.log in the case of SELinux; no idea for AppArmor) to see if it's a MAC policy, rather than uid/gid-based perms, that's denying it.

Alternatively, you might be able to disable the replay cache using entries in /etc/krb5.conf, but you'd have to do a bit of digging.
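As an added example (not from the thread or from FreeRADIUS), a small POSIX shell filter for the "hunt through the strace log" step: it pulls out the open()/write() calls that returned -1 and lists the paths denied with EACCES, which are the candidates for a permissions fix. The strace lines, the cache path and the file descriptors in the sample are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of what "strace -o log -p <pid>" might record while a
# daemon fails to use its replay cache. The path rc_example_service_0 is made up.
STRACE_SAMPLE='open("/etc/krb5.conf", O_RDONLY) = 5
read(5, "[libdefaults]\n", 4096) = 14
open("/var/tmp/rc_example_service_0", O_RDWR|O_CREAT, 0600) = -1 EACCES (Permission denied)
open("/var/tmp/rc_example_service_0", O_RDONLY) = -1 EACCES (Permission denied)
write(6, "...", 128) = 128
write(7, "...", 64) = -1 EBADF (Bad file descriptor)'

# failed_file_syscalls < strace.log
# Prints one line per open()/openat()/write() call that returned -1:
#   <syscall> <errno> <first quoted argument, quotes stripped>
# For open() the quoted argument is the path; repeated retries collapse to one line.
failed_file_syscalls() {
    grep -E '^(open|openat|write)\(.*\) = -1 ' |
    sed -E 's/^([a-z]+)\((.*)\) = -1 ([A-Z]+) .*/\1 \3 \2/' |
    awk '{
        if (match($0, /"[^"]*"/)) arg = substr($0, RSTART + 1, RLENGTH - 2); else arg = "?";
        print $1, $2, arg
    }' | sort -u
}

# denied_paths < strace.log
# Only the distinct paths that open()/openat() could not access for permission
# reasons: check ownership, mode and any LSM label on each of these.
denied_paths() {
    failed_file_syscalls |
    awk '$1 ~ /^open/ && $2 == "EACCES" { sub(/^[^ ]+ [^ ]+ /, ""); print }' | sort -u
}

# Demonstration on the constructed sample; with a real log use
#   denied_paths < log
printf '%s\n' "$STRACE_SAMPLE" | failed_file_syscalls
printf '%s\n' "$STRACE_SAMPLE" | denied_paths
```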
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html