I'm setting up radius 3.x on RHEL7 using rlm_krb5, but I seem to be having trouble with the keytab.
Is there perhaps a configuration step involving the pool? Does the keytab need to be created in a specific way?
I have:
RHEL6
RHEL7
Debug output:
>radiusd -X
FreeRADIUS Version 3.0.13
...
# Loaded module rlm_krb5
# Loading module "krb5" from file /etc/raddb/mods-enabled/krb5
krb5 {
keytab = "/etc/raddb/kerb/radius.keytab"
service_principal = "radius/myhost.mydomain"
}
...
Using MIT Kerberos library
rlm_krb5 (krb5): Using service principal "radius/myhost.mydomain@MYDOMAIN"
rlm_krb5 (krb5): Using keytab "FILE:/etc/raddb/kerb/radius.keytab"
rlm_krb5 (krb5): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 0
retry_delay = 1
spread = no
}
rlm_krb5 (krb5): Opening additional connection (0), 1 of 32 pending slots used
rlm_krb5 (krb5): Opening additional connection (1), 1 of 31 pending slots used
rlm_krb5 (krb5): Opening additional connection (2), 1 of 30 pending slots used
rlm_krb5 (krb5): Opening additional connection (3), 1 of 29 pending slots used
rlm_krb5 (krb5): Opening additional connection (4), 1 of 28 pending slots used
...
Ready to process requests
(0) Received Access-Request Id 205 from MYIP1:60506 to MYIP2:1812 length 78
...
(0) Found Auth-Type = Kerberos
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Auth-Type Kerberos {
rlm_krb5 (krb5): Reserved connection (0)
(0) krb5: Using client principal "myuser@MYDOMAIN"
(0) krb5: Retrieving and decrypting TGT
(0) krb5: Attempting to authenticate against service principal
(0) krb5: ERROR: Error verifying credentials (-1765328339): No key table entry found for radius/myhost.mydomain@MYDOMAIN
rlm_krb5 (krb5): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_krb5 (krb5): Opening additional connection (5), 1 of 27 pending slots used
(0) [krb5] = fail
(0) } # Auth-Type Kerberos = fail
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
...
Ready to process requests
^C
service_principal = radius/myhost.mydomain@MYDOMAIN
(0) krb5: ERROR: Error verifying credentials (-1765328203): No key table entry found for radius/myhost.mydomain\@mydomain@MYDOMAIN
service_principal = wrong_name_of_principle
(0) krb5: ERROR: Error verifying credentials (-1765328203): No key table entry found for wrong_name_of_principle/myhost.mydomain@MYDOMAIN
service_principal = radius
(0) krb5: ERROR: Error verifying credentials (-1765328339): No key table entry found for radius/myhost.mydomain@MYDOMAIN
(0) krb5: ERROR: Error verifying credentials (-1765328203): No key table entry found for radius/myhost.mydomain@MYDOMAIN
kinit -V -k -t ./radius.keytab radius/myhost.mydomain
Using default cache: /tmp/krb_mycache
Using principal: radius/myhost.mydomain@MYDOMAIN
Using keytab: ./radius.keytab
Authenticated to Kerberos v5
klist -k ./radius.keytab
Keytab name: FILE:./radius.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 radius/myhost.mydomain@MYDOMAIN
The fail status indicates a problem connecting to the KDC. rlm_krb5:
fail    The module was unable to connect to the Kerberos DC.
Appendix - Kerberos (krb5) Error Messages Kerberos v5 Status Codes
-1765328339 KRB5KRB_AP_ERR_NOKEY Service key not available
Kerberos Error Messages and Troubleshooting
Service key not available
Cause: The service ticket in the credentials cache may be incorrect.
Solution: Destroy current credential cache and rerun kinit before trying to use this service.
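As an added check (not part of the original post), the script below predicts the principal name rlm_krb5 will search the keytab for and verifies that `klist -k` output actually lists it. The realm-appending behaviour is inferred from the debug lines above, where giving the realm explicitly produced the escaped `\@` form; the keytab path and names are the post's own, and the embedded `klist` sample is constructed.

```python
"""Verify that a keytab holds the principal rlm_krb5 will look up."""
from __future__ import annotations

import re
import subprocess

# One `klist -k` / `klist -k -e` entry: "<kvno> <principal> [(enctype)]".
# (Output produced with `-t` has an extra timestamp column and is not parsed.)
_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\((.+)\))?\s*$")

# Constructed sample mirroring the `klist -k ./radius.keytab` output in the post.
SAMPLE_KLIST = """Keytab name: FILE:./radius.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 radius/myhost.mydomain@MYDOMAIN
"""


def expected_principal(service_principal: str, realm: str) -> str:
    """Name the module searches for: it appends the default realm itself, so a
    service_principal that already carries "@REALM" becomes "x\\@REALM@REALM",
    the same escaped form that appeared in the failing debug output."""
    return service_principal.replace("@", "\\@") + "@" + realm


def parse_klist(output: str) -> dict[str, list[tuple[int, str | None]]]:
    """Map each principal in `klist -k` output to its (kvno, enctype) entries."""
    entries: dict[str, list[tuple[int, str | None]]] = {}
    for line in output.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries.setdefault(m.group(2), []).append((int(m.group(1)), m.group(3)))
    return entries


def check_keytab(klist_output: str, service_principal: str, realm: str) -> list[str]:
    """Return findings; an empty list means the keytab has the wanted entry."""
    wanted = expected_principal(service_principal, realm)
    entries = parse_klist(klist_output)
    if wanted in entries:
        return []
    have = ", ".join(sorted(entries)) or "no principals at all"
    return [f"keytab has no entry for {wanted} (it holds: {have})"]


if __name__ == "__main__":
    # Live use against the keytab from the post's krb5 module configuration.
    out = subprocess.run(["klist", "-k", "-e", "/etc/raddb/kerb/radius.keytab"],
                         capture_output=True, text=True, check=True).stdout
    for finding in check_keytab(out, "radius/myhost.mydomain", "MYDOMAIN") or ["OK"]:
        print(finding)
```

Run it as the user radiusd runs under, so that a keytab the service cannot read fails here rather than only in the module.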