document default_realm appdefault

[mech_eap.orig] / README

diff --git a/README b/README
index 4a0dbf9..44b6e5b 100644 (file)
--- a/README
+++ b/README
@@ -39,16 +39,18 @@ These instructions apply to FreeRADIUS only, which is downloadable
 from http://freeradius.org/. After configure, make, install, do the
 following:
 
-On the RADIUS server side, you need to install dictionary.ukerna and
-include it from the main dictionary file. Do this by adding:
+On the RADIUS server side, you need to install dictionary.ukerna to
+$prefix/etc/raddb and include it from the main dictionary file, by
+adding:
 
     $INCLUDE dictionary.ukerna
 
-to $prefix/share/freeradius/dictionary.
+to $prefix/etc/raddb/dictionary. Make sure these files are world-
+readable; they weren't in my installation.
 
 Edit $prefix/etc/raddb/users to add your test user and password:
 
-    bob@PROJECT-MOONSHOT.ORG Cleartext-Password := secret 
+    bob@PROJECT-MOONSHOT.ORG Cleartext-Password := secret
 
 Add an entry for your acceptor to $prefix/etc/raddb/clients.conf:
 
@@ -110,7 +112,8 @@ appropriately (<host> is the name of the host running the server,
 not the RADIUS server).
 
 % gss-client -port 5555 -spnego -mech "{1 3 6 1 4 1 5322 22 1 18}" \
-  -user <user> -pass <pass> <host> host@<host> "Testing GSS EAP"
+  -user <user>@<realm> -pass <pass> <host> host@<host> \
+  "Testing GSS EAP"
 % gss-server -port 5555 -export host@<host>
 
 Note: for SASL you will be prompted for a username and password.
@@ -129,3 +132,7 @@ To test fast reauthentication support, add the following to
 This will store a Kerberos ticket for a GSS-EAP authenticated user
 in a credentials cache, which can then be used for re-authentication
 to the same acceptor. You must have a valid keytab configured.
+
+You can also set a default realm in [appdefaults]; the Kerberos
+default realm is never used by mech_eap (or at least, that is the
+intention), so if unspecified you must always qualify names.