Kerberos authentication fails, "Configuration file does not specify default realm"

Question

I am attempting to set up Kerberos authentication with Freeradius. At the moment when I run radtest the authentication fails and I get the following error in my logs

(0) Login incorrect (krb5: Failed parsing username as principal: Configuration file does not specify default realm): [user/Password123] (from client localhost port 1812)

In my krb5 configuration file I have specified a service principal so I am unsure why I am getting this error. Here is a snippet for context (sensitive values modified)

krb5 {
        #
        #  The keytab file MUST be owned by the UID/GID used by the server.
        #  The keytab file MUST be writable by the server.
        #  The keytab file MUST NOT be readable by other users on the system.
        #  The keytab file MUST exist before the server is started.
        #
        keytab = /etc/raddb/mykeytab.keytab
        service_principal = http/princ@example.com

Is there anything wrong with this configuration? Or am I looking in the wrong place?

score 4 · Accepted Answer · answered Feb 14 '19 at 14:37

You need to either include the realm with the principal you're logging in as, or set a default realm in krb5.conf (should be in /etc/, but it might be distro-specific).

See here:

default_realm Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this value is not set, then a realm must be specified with every Kerberos principal when invoking programs such as kinit.

Kerberos authentication fails, "Configuration file does not specify default realm"

1 Answers1