[RADIATOR] Issues with AuthbyNTLM (LONG)

Smith, Todd Todd.Smith at camc.org
Tue Sep 28 14:37:50 CDT 2010 

I have been researching this issue with the information that Hekki provided and it is accurate in every detail.  When I rebuilt my server with Ubuntu 8.04LTS using the same config file it worked without issue.  This clearly seems to be a Samba issue and one that fairly serious since it seems to affect any of the RADIUS software that uses ntlm_auth.

Todd Smith

-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
Sent: Wednesday, September 22, 2010 15:57
To: radiator at open.com.au
Subject: Re: [RADIATOR] Issues with AuthbyNTLM (LONG)


We had a working Debian 4.0 (etch) installation that was handling authentication about the same as described above. The usual case was Windows doing PEAP.

Since 4.0 is not supported anymore, it was upgraded to 5.0 and everything else worked as it should (plain password authentication etc.) but PEAP broke. The trace looked similar: ntlm_auth indicated success and the authentication almost finished.

After looking for help, I found out that others had also seen the problem:

http://lists.freeradius.org/pipermail/freeradius-users/2009-February/msg00289.html

The problem seems to be that ntlm_auth that comes with Debian 5.0 samba package does not return correct values. There is more about this towards the end where the trace file is.

The fix was to downgrade winbind and samba-common packages to Debian 4.0 packages.

In other words we have the following samba related packages from 4.0 installed on 5.0:

ii  samba-common                      3.0.24-6etch10           Samba
common files used by both the server a
ii  winbind                           3.0.24-6etch10           service
to resolve user and group informatio


A bit more about this solution: only samba-common and winbind were needed. The samba package itself is not installed since smbd and nmbd daemons are not needed for ntlm_auth to work.

% dpkg -s samba
Package: samba
Status: deinstall ok config-files

Samba in Debian 5.0 is 3.4.5 so the fix was in effect to downgrade from
3.4 series to 3.0 series. You may be able to fix your problem by uninstalling samba packages, not using purge because winbind needs samba's configuration file. and installing the latest samba-common and winbind from Ubuntu 8.04 branch. I have not tried the downgrade with Ubuntu, but it helped with Debian.

I just did a quick check to various Debian and Ubuntu versions and it looks like:

- Debian 4.0   has samba 3.0.24
- Debian 5.0   has samba 3.2.5
- Ubuntu 8.04  has samba 3.0.28a
- Unbutu 10.04 has samba 3.4.7

>From the above I have also used Ubuntu 8.04 successfully doing ntlm_auth.

There is more about ntlm_auth below near the end of included trace.

Everything looks good so far. ntlm_auth gets a success back from the Windows server and also the User-Session-Key it requested.

If I have understood correctly the User-Session-Key should be a MD4 hash of NTHash the the Windows server stores. In other words
md4(md4(asciitounicde(password))) which with plain 7bit ascii is simply
md4(md4(password))

The broken ntlm_auth does not return this double hash of password, but instead of some other value. This value causes incorrect "authenticator response" to be calculated and makes the client think that the server does not know the real password hash. In other words the server authentication to the client fails.

What happens is that client ends the authentication and no reply is ever received until a new try is initiated by the client. Just like below, the last message is the message to the client.

--
Heikki Vatiainen, Arch Red Oy
+358 44 087 6547
_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Confidentiality Note: The information contained in this message 
may be privileged and confidential. If this e-mail contains 
protected health information, you are hereby notified that any 
dissemination, distribution or copying of this communication is 
strictly prohibited,except as permitted by law. If you have 
received this communication in error, please notify the sender 
immediately by replying to this message and deleting it from your 
computer.  Thank you.

More information about the radiator mailing list