Kerberos authentication fails, "Configuration file does not specify default realm"

John Calder · Feb 11, 2019 · Viewed 16.1k times

I am attempting to set up Kerberos authentication with FreeRADIUS. At the moment, when I run radtest, the authentication fails and I get the following error in my logs:

(0) Login incorrect (krb5: Failed parsing username as principal: Configuration file does not specify default realm): [user/Password123] (from client localhost port 1812)

In my krb5 configuration file I have specified a service principal, so I am unsure why I am getting this error. Here is a snippet for context (sensitive values modified):

krb5 {
        #
        #  The keytab file MUST be owned by the UID/GID used by the server.
        #  The keytab file MUST be writable by the server.
        #  The keytab file MUST NOT be readable by other users on the system.
        #  The keytab file MUST exist before the server is started.
        #
        keytab = /etc/raddb/mykeytab.keytab
        service_principal = http/[email protected]

Is there anything wrong with this configuration? Or am I looking in the wrong place?

Answer

John B · Feb 14, 2019

You need to either include the realm with the principal you're logging in as, or set a default realm in krb5.conf (should be in /etc/, but it might be distro-specific).

See here:

default_realm: Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this value is not set, then a realm must be specified with every Kerberos principal when invoking programs such as kinit.
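
As an added example (not part of the original question or answer), this Python sketch models the rule described above: a login name without a realm can only be qualified when [libdefaults] in krb5.conf sets default_realm, and a commented-out entry does not count. The krb5.conf texts, EXAMPLE.COM and the function names are constructed for illustration, and include/includedir directives are not followed.

```python
# Added example (not from the original post). Config texts are constructed samples.
import re

BROKEN = """\
[libdefaults]
    # default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""
FIXED = BROKEN.replace("# default_realm", "default_realm")

def default_realm(conf_text):
    """Return [libdefaults] default_realm, or None when it is not set."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_realm" and value:
                return value
    return None

def has_realm(name):
    """True if name holds an unescaped '@' (a backslash escapes the next char)."""
    return "@" in re.sub(r"\\.", "", name, flags=re.S)

def resolve_principal(name, conf_text):
    """Qualify a login name with the default realm, or fail like the log line."""
    if has_realm(name):
        return name
    realm = default_realm(conf_text)
    if realm is None:
        raise ValueError("Configuration file does not specify default realm")
    return f"{name}@{realm}"

if __name__ == "__main__":
    for conf in (BROKEN, FIXED):
        try:
            print(resolve_principal("user", conf))
        except ValueError as err:
            print("krb5:", err)
```

To check a real host, pass the contents of its krb5.conf as conf_text; the service_principal line in the FreeRADIUS module plays no part in this lookup.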