FreeRADIUS and Kerberos

When I use freeradius-1.1.3-1.2.el5 on SL5(RHEL5) to authenticate with Kerberos, it always displayed “Segmentation fault”. The error messages like below:

modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type Kerberos
auth: type “Kerberos”
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
Segmentation fault

I searched google for while. It turned out nothing. Those results are helpless for me. Finally, I gave up. Then, I went to the FreeRADIUS web site to look for answers. I downloaded FreeRADIUS version 2.1.4 to build it on SL5(RHEL5). Wow~ It works!! I would like to share with you how to build FreeRADIUS 2.1.4 on SL5(RHEL5).

Step 1 : Download freeradius-server-2.1.4.tar.gz. Please visit http://freeradius.org/download.html to download the latest version. Normally, I put the file at /usr/local/src directory.

Step 2 : Extract the freeradius-server-2.1.4.tar.gz file.

# tar zxvf freeradius-server-2.1.4.tar.gz

Step 3: Build the freeradius-server rpm. Copy the freeradius-server-2.1.4.tar.gz file at /usr/src/redhat/SOURCES/ directory.

# cp freeradius-server-2.1.4.tar.gz /usr/src/redhat/SOURCES/

Change directory into “freeradius-server-2.1.4/redhat/” :

# cd freeradius-server-2.1.4/redhat/

Start to build the freeradius rpm :

# rpmbuild -bb freeradius.spec

If you see the messages like below, just install the libtool-ltdl-devel packages.

error: Failed build dependencies:
libtool-ltdl-devel is needed by freeradius-server-2.1.4-0.x86_64

Follow command to install libtool-ltdl-devel :

# yum install libtool-ltdl-devel

After installed libtool-ltdl-devel packages, please rebuild the freeradius rpm. It will take couple of mins.

Step 4 : Installing freeradius-server-2.1.4-0.x86_64.rpm. Switch directoy into “/usr/src/redhat/RPMS/x86_64”. Using following command to install freeradius-server rpm.

# rpm -ivh freeradius-server-2.1.4-0.x86_64.rpm

Step 5 : configure your FreeRADIUS to authenticate with Kerberos. You’ll need to have a radius/hostname.domain key in your keytab. In my case, I have radius/host1.liho.tw key in /etc/krb5.keytab file. So, following are my configuration.

# vi /etc/raddb/modules/krb5

krb5 {
keytab = /etc/krb5.keytab
service_principal = radius/host1.liho.tw
}

# vi /etc/raddb/users

DEFAULT Auth-Type = Kerberos

# vi /etc/raddb/proxy.conf

realm LOCAL {
# If we do not specify a server pool, the realm is LOCAL, and
# requests are not proxied to it.
}

realm LIHO.TW {
authhost = host1.liho.tw:1812
accthost = host1.liho.tw:1813
secret = testing123
}

Step 6 : Starting FreeRADIUS services by following command :

# service radiusd start

If you want to start the FreeRADIUS services when you turn on the server, you need to use following command :

# chkconfig radiusd on

Step 7 : Testing your FreeRADIUS authenticating with Kerberos. Please replace the “USERNAME” to your username and the “PASSWORD” to your password. Because, I configured the LIHO.TW realm with “testing123” secret at /etc/raddb/proxy.conf file. So, the following command I use “testing123”. You should create your own secret.

# radtest USERNAME PASSWORD localhost 0 testing123

Sending Access-Request of id 170 to 127.0.0.1 port 1812
User-Name = “USERNAME”
User-Password = “PASSWORD”
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=170, length=20

If you see “Access-Accept packet” message, congregation! your configuration of FreeRADIUS and Kerberos without having any problem. If you see “(Shared secret is incorrect.)”, please check /etc/raddb/proxy.conf file to find out your secret. If you see “Access-Reject”, it means you input the wrong password or your configuration is incorrect. You can stop your freeradius services. Using “radiusd -X” command to see more debug messages.