Ascend Archive

Re: (ASCEND) Ascend Access Control RADIUS <--> Kerberos



> I tried this and was not illuminated. Maybe you can read more from
> the debug output than I can. This is my first bash at radius.

Well, we can try to guess a little.  From what Matt Holdrege and others
have said, Access Control is based on a new version of Merit RADIUS.
If you check the last public version of Merit RADIUS (2.23c), you can see
the Kerberos support in rad.kerberos.c and krb_get_in_tkt.c.  You have to
get the afs_stringtokey.c source from somewhere else.

The radius.debug line that seems to be reporting the problem is:

> krb_pass: principle (crawdad) in realm (FNAL.GOV) has bad pw

This is probably a new, more detailed error message from the rad.kerberos.c:

        if (strcmp (authreq->direct_aatv->id, "AKERB") == 0)
        {
                krbval = krb_get_in_tkt (userid, "", realm, "krbtgt", realm,
                                        DEFAULT_TKT_LIFE, afs_passwd_to_key,
                                        NULL, passwd);
        }
        ...
        switch (krbval)
        {
        ...
            case INTK_BADPW:    /* Tell client to give up on bad pw */
                krbreturn = EV_NAK;
                break;
        }
        ...

krb_get_in_tkt returns INTK_BADPW "to indicate bad password (if decrypted
ticket didn't make sense)" (see krb_get_in_tkt.c).  In your last message,
you said "a non-error KDC reply come back"; this means that for some reason
after using decrypt_tkt, the attempt to extract information from the
ticket failed.  It is going to be mighty tough to figure out the problem
since the data is encrypted and Merit RADIUS is pretty careful to destroy
the secret information as soon as possible to help reduce the risks of
someone stealing it from a core file or running image.

++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>
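As an added illustration, not Merit RADIUS or Ascend code, here is a toy C model of the path discussed in the message above: a "non-error" KDC reply whose ticket only the right password-derived key can unseal, the client-side sanity check that yields INTK_BADPW, the mapping to EV_NAK in the RADIUS dispatcher, and the early scrub of the password buffer. The string-to-key routine, XOR "cipher", ticket layout and the numeric value of INTK_BADPW are all constructed for this example and do not reflect the real Kerberos v4 or AFS code.

```c
#include <stdint.h>
#include <string.h>

/* Constructed values: INTK_BADPW's real number is not on the page. */
enum { INTK_OK = 0, INTK_BADPW = 62 };
enum { EV_ACK = 1, EV_NAK = 2 };
#define TKT_LEN 16
static const uint8_t TKT_MAGIC[4] = { 'K', 'R', 'B', '4' };

/* Toy string-to-key standing in for afs_passwd_to_key (NOT real DES). */
static uint64_t toy_string_to_key(const char *pw) {
    uint64_t k = 1469598103934665603ULL;            /* FNV-1a basis */
    for (; *pw; pw++) { k ^= (uint8_t)*pw; k *= 1099511628211ULL; }
    return k;
}

/* Toy symmetric XOR keystream; encrypt and decrypt are the same call. */
static void toy_crypt(uint8_t tkt[TKT_LEN], uint64_t key) {
    for (int i = 0; i < TKT_LEN; i++)
        tkt[i] ^= (uint8_t)(key >> ((i % 8) * 8)) ^ (uint8_t)(i * 37);
}

/* Constructed "non-error KDC reply": a well-formed ticket sealed under the
 * user's real key. The KDC never checks the password itself; only the
 * client learns it holds the wrong key, by decrypting to garbage. */
static void build_kdc_reply(uint8_t out[TKT_LEN], const char *real_pw) {
    memset(out, 0, TKT_LEN);
    memcpy(out, TKT_MAGIC, 4);
    out[4] = TKT_LEN;                           /* sanity field */
    toy_crypt(out, toy_string_to_key(real_pw));
}

/* Model of krb_get_in_tkt: INTK_BADPW when the decrypted ticket
 * "didn't make sense" (magic or length field wrong). */
static int toy_get_in_tkt(uint8_t reply[TKT_LEN], const char *passwd) {
    toy_crypt(reply, toy_string_to_key(passwd));
    if (memcmp(reply, TKT_MAGIC, 4) != 0 || reply[4] != TKT_LEN)
        return INTK_BADPW;
    return INTK_OK;
}

/* Model of the rad.kerberos.c switch: map the Kerberos result to the
 * RADIUS verdict and wipe the password buffer as soon as it is used. */
int krb_pass_verdict(const char *real_pw, char *passwd) {
    uint8_t reply[TKT_LEN];
    build_kdc_reply(reply, real_pw);
    int krbval = toy_get_in_tkt(reply, passwd);
    for (volatile char *p = passwd; *p; p++) *p = 0;   /* scrub secret */
    return krbval == INTK_BADPW ? EV_NAK : EV_ACK;
}
```

Run with a right and a wrong password: the KDC reply is identical in both cases, and only the decrypt-and-sanity-check step tells them apart, which is why the debug line says "bad pw" even though the KDC returned no error.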