[RADIATOR] krb5 authentication
James
jtp at nc.rr.com
Wed Feb 16 20:13:00 CST 2011
Folks,
Would like some help setting up krb5 authentication, if possible. I'm
working from the base krb5.conf file found in the goodies directory.
Log says the following:
Wed Feb 16 12:03:27 2011: DEBUG: Handling request with Handler 'Client-Identifier=test-radius', Identifier ''
Wed Feb 16 12:03:27 2011: DEBUG: Rewrote user name to testuser
Wed Feb 16 12:03:27 2011: DEBUG: Handling with Radius::AuthKRB5: AD
Wed Feb 16 12:03:27 2011: DEBUG: Radius::AuthKRB5 looks for match with testuser [testuser]
Wed Feb 16 12:03:27 2011: DEBUG: Building Kerberos principal: testuser at AD.DOMAIN.COM
Wed Feb 16 12:03:27 2011: DEBUG: Radius::AuthKRB5 REJECT: Kinit failed: Client not found in Kerberos database: testuser [testuser]
Wed Feb 16 12:03:27 2011: DEBUG: AuthBy KRB5 result: REJECT, Kinit failed: Client not found in Kerberos database
Wed Feb 16 12:03:27 2011: INFO: Access rejected for testuser: Kinit failed: Client not found in Kerberos database
Wed Feb 16 12:03:27 2011: DEBUG: Packet dump:
<snip>
Here's a snippet of the /etc/krb5.conf configuration (not sure if this
is sourced, read, etc.):
[realms]
    AD.DOMAIN.COM = {
        kdc = server1.domain.com:88
        kdc = server2.domain.com:88
        kdc = server3.domain.com:88
        default_domain = domain.com
    }
And the Radiator configs:
Trace 4
Foreground
LogStdout
AuthPort 1645
AcctPort 1646
PidFile %L/infoblox.pid
LogFile %L/%d.%v.%Y/infoblox.log <-- use logfile directive below instead
FarmSize 15

<Client DEFAULT>
    Identifier test-radius
    Secret test12345
    DupInterval 0
    NoIgnoreDuplicates Accounting-Request
    PacketTrace
</Client>

<SessionDatabase NULL>
    Identifier sessionDB
</SessionDatabase>

<AuthBy KRB5>
    Identifier AD
    IgnoreAccounting
    KrbRealm AD.DOMAIN.COM
</AuthBy>

<AuthLog FILE>
    Identifier authLogger
    Filename %L/%d.%v.%Y/test-radius.auth
    LogSuccess 1
    LogFailure 1
</AuthLog>

<Handler Client-Identifier=test-radius>
    AuthBy AD
    RewriteUsername s/^([^@]+).*/$1/
    SessionDatabase sessionDB
</Handler>
Thoughts on what's going on would be appreciated.
Thanks!
-james